Conditional Access Templates (preview) actual policy different from information

Marzel Laning 42 Reputation points
2022-02-15T11:13:28.837+00:00

"CA010: Block access for unknown or unsupported device platform" actual policy is excluding Linux (preview), whilst the description only says: Android, iOS, Windows, macOS. This is an actual risk because there are no other (default/template) policies limiting Linux's use.
"CA014: Use application enforced restrictions for unmanaged devices" actual policy does not exclude compliant/managed devices, so applies to all.

"CA001: Require multi-factor authentication for admins" I would argue that any privileged access above User / Guest / External should have MFA.
"CA013: Require compliant or hybrid Azure AD joined device or multi-factor authentication for all users" has client apps configured, but that leaves legacy auth open for use. Better not select any client apps and thus targeting all apps?

How to submit this to Microsoft?

Microsoft Entra ID

Accepted answer
Andrew 156 Reputation points
2022-02-15T12:31:45.183+00:00

CA014 requires the use of Conditional Access App Policy. The policy is for unmanaged devices only. Managed devices will be handled by your Intune policy.

CA001 is for use when on AAD Free/Basic since this license only provides MFA for Admins and is to enforce use of MFA for said Admins.

CA013 is fine. Blocking legacy auth is provided using a different CAP.

