Conditional access behavior desired

Question

Conditional access behavior desired

Sergi Díaz Ruiz 240

Afternoon !

I need answer to my doubts about the behavior of conditional access.

When I configure conditional access based on compliances device for cloud apps.

In targets I select only device's , NOT users. Is correct?

When user log in device with not compliance in Intune for example I configured compliance policy for firewall enabled. The users can join to cloud apps¿?

How works this? Please don't send me the article of Microsoft about conditional access.. I think if we configured the devices on conditional access, the users logged in these device's cant access to cloud apps... But is not working. If I configure the conditional access for devices + users, then yes, it works.

Regards

2 answers

Your answer

Answer 1

Crystal-MSFT 53,981 Microsoft External Staff

@Sergirash rash baix, Thanks for posting in Q&A. For conditional access, it controls if the user can access resource when they sign in. Under assignment, we can only assign it user or user group. We can't assign it to device group.

https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-users-groups

When the user sign in request is sent, it finds the devices needs to be compliant. It will check the compliance status of the device. If it is not compliant, it will block the access. If the device is not enrolled, it will ask to download company portal to do the enrollment.

Hope the above information can help.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Crystal-MSFT 53,981 Reputation points Microsoft External Staff

2023-10-12T06:44:05.8933333+00:00

@Sergirash rash baix, Hope things are going well. I am writing to see if there's anything else we can help. If yes, feel free to let us know.
Sergi Díaz Ruiz 240 Reputation points

2023-10-16T10:16:32.5333333+00:00

Morning! I have conditional access configured with no compliance device. But users keep still access to cloud apps. Then.... How it works ?

Why if device is not compliance I can login to cloud apps?

Regards,
Crystal-MSFT 53,981 Reputation points Microsoft External Staff

2023-10-17T02:45:24.0966667+00:00

@Sergirash rash baix, Thanks for the reply. From your description, it seems the conditional access policy is not applied. To know it better, please get screen shots of the configuration of the conditional access policy we set.
Sergi Díaz Ruiz 240 Reputation points

2023-10-17T07:42:38.6866667+00:00

Morning!
Crystal-MSFT 53,981 Reputation points Microsoft External Staff

2023-10-18T02:32:14.5533333+00:00

@Sergirash rash baix, Thanks for the reply. From the picture you provided, I find we add device group into users and group.

So the conditional access policy is not applied. Please change to a group with user instead to make it work.

If there's any update, feel free to let us know.
Sergi Díaz Ruiz 240 Reputation points

2023-10-18T07:00:12.32+00:00

Morning! This what I said... Can I apply this to devices? Or I should apply to users? If I apply to users it works correctly. Then... I can apply ONLY to users? Then when the user log in to not compliance device they can't log into cloud apps?

Just I want understand the behavior.

Thanks for all!!
Sergi Díaz Ruiz 240 Reputation points

2023-10-18T10:20:48.2066667+00:00

Nice one !!! This is what I want listen jejeje

Then the conditional access is ONLY for users, NOT devices.

Thanks a lot !
Crystal-MSFT 53,981 Reputation points Microsoft External Staff

2023-10-19T05:00:08.7033333+00:00

@Sergirash rash baix, Thanks for the reply. I am glad the information can help. If the answer is helpful, please click "Accept Answer" to help others quickly find the solution. Thanks!

Answer 2

Crystal-MSFT 53,981 Microsoft External Staff

@Sergirash rash baix, Thanks for the reply. conditional access policy can only be applied to user group. If the user logs in to not compliance device, they will receive error which mentioned the access is blocked by your organization.

Share via

Conditional access behavior desired

2 answers

Your answer