Entra ID Conditional Access policies: if there are many conditions, how will they be analyzed, AND or OR?

Sergio Londono 691 Reputation points
2024-11-13T18:43:11.4066667+00:00

Hello team,

One thing all the documents regarding Conditional Access fail to discuss is what happens if you use more than one condition in a policy,

i.e:

Condition location: Location USA

Device platform: Browser

Access control: Block

Are they treated as "AND" or "OR"?

Will the policy run if all of the conditions are met, or if just one is met?

Meaning,

Option 1: the Conditional Access policy will block if the connection is from the USA AND from a browser?

Option 2: the Conditional Access policy will block if it matches one condition, i.e. the connection is from China OR from a browser?


Accepted answer
  1. Harshitha Eligeti 895 Reputation points Microsoft Vendor
    2024-11-14T20:44:52.0166667+00:00

    Hi @Sergio Londono

    Thank you for sharing your issue on Microsoft Q&A.  
    I understand that when you create a Conditional Access policy with multiple conditions, the conditions are treated as "AND" conditions. This means that all of the conditions must be met in order for the policy to be enforced. 

    If you configure a policy with multiple conditions (e.g., location is USA AND device platform is Browser), the policy will only block access if both conditions are satisfied. Thus, for access to be blocked, the connection must originate from the USA and be using a browser.  

    Option 1 (AND Logic): The Conditional Access policy will block access if: 

    The connection is from USA AND 

    The device platform is a Browser.  

    Option 2 (OR Logic): The Conditional Access policy will NOT block access if only one condition is met. For example, if the connection is from China or just using a browser, it will not trigger a block under the AND logic.  

    To enforce an action in a single Conditional Access policy, you must match all specified conditions (Option 1). If any condition is not met, the policy will not apply, and access may not be blocked. 
    Hope this helps. Do let us know if you have any further queries.


    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

    Best Regards.
    Harshitha Eligeti


1 additional answer

  1. Andy David - MVP 150.2K Reputation points MVP
    2024-11-13T18:56:18.46+00:00

    https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview

    Conditional Access policies at their simplest are if-then statements; if a user wants to access a resource, then they must complete an action. For example: If a user wants to access an application or service like Microsoft 365, then they must perform multifactor authentication to gain access.

    So in your example, if the client is Windows, it will be blocked unless the network location is excluded.

    It's also important to remember that with multiple policies, the most restrictive is enforced if it's applied to the same scope.

    https://learn.microsoft.com/en-us/answers/questions/1004659/how-multiple-conditional-access-policies-are-appli
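As an added illustration (not code from either answer, nor from Microsoft or the Entra API), the following Python evaluator models the two rules stated in the answers above: within one policy every configured condition must match (AND, with an exclusion always removing the sign-in from scope), and across policies the most restrictive outcome wins (any Block wins; otherwise the required grant controls accumulate). The policy names, the "USA" / "China" / "Corp HQ" locations and the "mfa" control are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """Simplified Conditional Access policy (constructed model, not the Entra schema).

    An empty include set means the condition is not configured and matches every
    sign-in; an exclusion always removes the sign-in from the policy's scope."""
    name: str
    locations: frozenset = frozenset()          # included named locations
    excluded_locations: frozenset = frozenset()
    platforms: frozenset = frozenset()          # included device platforms / client types
    block: bool = False                         # access control: Block
    grant_controls: frozenset = frozenset()     # e.g. {"mfa"} when not blocking


def policy_applies(policy, signin):
    """Within one policy the configured conditions are ANDed."""
    if signin["location"] in policy.excluded_locations:
        return False
    if policy.locations and signin["location"] not in policy.locations:
        return False
    if policy.platforms and signin["platform"] not in policy.platforms:
        return False
    return True


def evaluate(policies, signin):
    """Across policies the most restrictive result is enforced."""
    applicable = [p for p in policies if policy_applies(p, signin)]
    blocking = [p.name for p in applicable if p.block]
    if blocking:
        return {"decision": "block", "policies": blocking}
    controls = set().union(*(p.grant_controls for p in applicable))
    return {"decision": "grant",
            "required_controls": sorted(controls),
            "policies": [p.name for p in applicable]}


# Constructed sample policies mirroring the question and the note on multiple policies.
POLICIES = [
    Policy("Block browser sign-ins from USA",
           locations=frozenset({"USA"}), platforms=frozenset({"Browser"}), block=True),
    Policy("Require MFA off the corporate network",
           excluded_locations=frozenset({"Corp HQ"}), grant_controls=frozenset({"mfa"})),
]

if __name__ == "__main__":
    for signin in ({"location": "USA", "platform": "Browser"},
                   {"location": "USA", "platform": "Windows"},
                   {"location": "China", "platform": "Browser"},
                   {"location": "Corp HQ", "platform": "Browser"}):
        print(signin, "->", evaluate(POLICIES, signin))
```

A USA browser sign-in is blocked because both conditions of the first policy match; a USA Windows sign-in or a China browser sign-in fails that AND and only picks up the MFA requirement from the second policy.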
