Creating Conditional Access with 2 applications?

Yigit Özleyen 1 Reputation point
2020-11-10T09:41:31.333+00:00

Hello Dear Community,

There is a simple policy that I designed in my mind. However, I could not find how to integrate it into the system in the "Conditional Access" section.

Here I will write my way of thinking as in programming. I hope it can be understood.

I have two applications. One of them is "Windows SharePoint" and the other is an external application. Of course, I added it to the system. That's why it appears when I search in the "Conditional Access" section.

So what is my expectation here: (I will specify the name of the external program as AA, and SharePoint as SP.)

if user is connected AA
Then grant access to SP

Else
Block access to SP

This is a simple code block, but as I said, I cannot find a solution for it, because as a company we want every user to use that program (MUST); otherwise we will block their access to SharePoint or other programs.

Or can we do that over PowerShell? If so, unfortunately I have no experience with that part.

Thank you for help and ideas.

Best Regards
Darthy


2 answers

  1. AmanpreetSingh-MSFT 56,601 Reputation points
    2020-11-10T12:16:29.413+00:00

    Hi @Yigit Özleyen · Welcome to Q&A platform and thank you for reaching out.

    From your question, I understood that "AA" is the client application that you will be using to access SharePoint. In a Conditional Access policy, you can only specify cloud apps and not the client apps. Under the client apps blade, you can only select the clients below:

    [Image: the client app types selectable in the Conditional Access "Client apps" blade]

    The list of other clients is available here: https://aka.ms/caclientapps

    There is no option to select the client app that you have registered. It can be added as a cloud app, but the above If-Else block can't be achieved that way.

    I would suggest you post this idea at our Feedback Portal, which is monitored by the product team.



  2. Yigit Özleyen 1 Reputation point
    2020-11-17T07:59:51.043+00:00

    Hello amanpreetsingh-msft,
    thank you for your kind response, and sorry for my late answer.

    I will change my question a bit and explain with more details.

    We want to add our online VPN provider for every user. And we want to force users to have that application "Always On" for connecting to the Microsoft programs. (SharePoint and OneDrive are the most important ones.)

    Their "Always On" is not working the way we want; that's why we are searching for / trying other options.

    1- Trusted Location => This was the best solution for us and the easiest one. But the provider has only an IP address and I can't use that option. From the Microsoft side that has to be an IP range.

    2- I thought maybe I could add this VPN provider as a "trusted application" to connect to SharePoint etc. But this is also not possible for a while.

    3- And this is my last chance: "trusted device". My questions:

    • How can I add a "Trusted Device" to my Azure AD? Like a user, or is that possible? For example: I will add the serial number to the system, and that device can reach certain documents or applications.
    • There is a possibility in Conditional Access like "Compliant Device". Here there is also a problem. We of course have guests, and we are giving them access to some documents. If I create a policy and "compliant device" is on, can our guest users reach the documents?

    => Actually I really do not want to use that option. Some devices are not compliant. I do not know why. It says a "Secure Boot" problem. This option is operational on all devices. Also some of them have a firewall bug.

    "https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/36815068-intune-device-compliance-evaluation-not-stable-fa"

    Thank you for your advice and help.

    Best Regards

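The closest thing Conditional Access can express for the "must come through the VPN provider" requirement in the post above is a location-based policy: a named location for the provider's egress address, and a policy that blocks Office 365 (SharePoint and OneDrive included) for sign-ins that do not originate there. The following is an added example using the Microsoft Graph PowerShell SDK; it is not code from the thread or from Microsoft's answer. It assumes the `Microsoft.Graph` module is installed and the account running it holds the Conditional Access Administrator role; `203.0.113.10` is a constructed placeholder for the provider's public egress address, and `<BREAK-GLASS-USER-OBJECT-ID>` is a placeholder for an emergency-access account's object ID.

```powershell
# Added example (not from the thread). Assumes the Microsoft.Graph PowerShell SDK.
# 203.0.113.10 is a constructed placeholder address; <BREAK-GLASS-USER-OBJECT-ID> is a placeholder.

Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# 1. Named location. A single public address is a valid "IP range" when written as a /32 CIDR.
$vpnLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "VPN provider egress (single IP)"
    isTrusted     = $true
    ipRanges      = @(
        @{
            "@odata.type" = "#microsoft.graph.iPv4CidrRange"
            cidrAddress   = "203.0.113.10/32"   # constructed placeholder, /32 = exactly one address
        }
    )
}

# 2. Policy: block Office 365 for members signing in from anywhere EXCEPT that location.
#    Guests are excluded so documents shared with them stay reachable (the concern raised above),
#    and a break-glass account is excluded so a VPN provider outage cannot lock administrators out.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "Require VPN provider egress for Office 365"
    state       = "enabledForReportingButNotEnforced"   # report-only first; review sign-in logs, then set "enabled"
    conditions  = @{
        applications = @{ includeApplications = @("Office365") }
        users        = @{
            includeUsers = @("All")
            excludeUsers = @("GuestsOrExternalUsers", "<BREAK-GLASS-USER-OBJECT-ID>")
        }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($vpnLocation.Id)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

"Created policy '$($policy.DisplayName)' (id $($policy.Id)) in state '$($policy.State)'"
```

Two design points. First, this enforces where a sign-in comes from, not whether the VPN client is running; a user whose traffic leaves through the provider's egress passes, anyone else is blocked, which is what a network-origin control can actually verify. Second, the policy is created in report-only state on purpose: the sign-in logs then show which users and devices would have been blocked (including any whose traffic bypasses the provider), and the policy is switched to `enabled` only after that review. If the device route from the post is preferred instead, the same skeleton applies with `builtInControls = @("compliantDevice")` in place of `block`, and the guest exclusion above is what keeps guest access unaffected.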
