Conditional Access template CA13 is inconsistent with documentation

Marzel Laning 42 Reputation points
2022-05-16T08:39:49.64+00:00

The conditional access policy templates are great, but template CA13 is a bit strange.
The intent is supposed to be that there are requirements for Windows and Mac devices to be either Intune compliant or Hybrid Azure AD joined, so the devices are managed by your organisation. This is described in: https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-compliant-device The template however says "CA013: Require compliant or hybrid Azure AD joined device or multi-factor authentication for all users" and implies that a device can perform actions in your tenant when only MFA is required. MFA is an identity action whilst the compliant/join requirement is for a device context. Should the template CA13 be adapted?

Microsoft Security Microsoft Entra Microsoft Entra ID

Accepted answer
  1. AmanpreetSingh-MSFT 56,866 Reputation points Moderator
    2022-05-31T13:32:34.843+00:00

    Hi @Anonymous, yes, I totally agree with you on this.

    In the CA013 template there is OR operator between the selected controls i.e., MFA or Compliant Device or Hybrid Joined Device. In this case, a user can perform MFA to get access to the protected cloud apps from a non-compliant Windows Device.

    As this template is under the Devices template category and the primary purpose of the templates in this category is to gain visibility into devices accessing the network and to ensure compliance and health status before granting access, there should not be a control available that allows access to the protected cloud apps if a user performs 2nd-factor authentication from a non-compliant device which actually defeats the purpose of having this template under devices category.

    I have raised a request for the product team to update the template from CA013: Require compliant or hybrid Azure AD joined device or multi-factor authentication for all users to CA013: Require compliant or hybrid Azure AD joined device for all users with the MFA control removed and having only Compliant Device or Hybrid Joined Device control.

    Feel free to tag me in your reply if you have any further questions or concerns regarding this issue.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


1 additional answer

  1. Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator
    2022-05-17T02:43:58.847+00:00

    Hello @Anonymous, thanks for your comments. The referred documentation is applicable to CA009: Require compliant or hybrid Azure AD joined device for admins. Currently there's no documentation for CA013.

    CA013 offers an MFA optional requirement as an auxiliary measure intended for scenarios where a compliant or Hybrid Azure AD joined macOS or Windows device is not available. If a pure device-targeted CA policy is required you can remove the MFA optional requirement, but keep in mind non-macOS or Windows devices won't pass.

    Let us know if this answer was helpful to you or if you need additional assistance. If it was helpful, please remember to accept it so that others in the community with similar questions can more easily find a solution.
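The point both answers make, that an `OR` between `mfa` and the two device controls lets a non-compliant Windows device in with just a second factor, and that removing `mfa` leaves devices outside the policy's platform scope (or, if the scope is widened to all platforms, devices that can never be compliant or hybrid joined) with no way to satisfy the grant, is easy to check mechanically. The following is an added example, not code from this thread or from Microsoft. The policy objects are constructed by hand in the shape the Microsoft Graph `/identity/conditionalAccess/policies` endpoint returns (`grantControls.operator`, `grantControls.builtInControls`, `conditions.platforms.includePlatforms`); the function names, the `SignIn` type and the simplified "applies" test (platform only, no user or app exclusions) are assumptions made for illustration.

```python
"""Evaluate Entra ID Conditional Access grant controls against sign-in scenarios.

Added example. Policy documents below are constructed, not fetched from a tenant;
they mirror the JSON shape of Graph /identity/conditionalAccess/policies.
"""
from dataclasses import dataclass, replace

DEVICE_CONTROLS = {"compliantDevice", "domainJoinedDevice"}

def _ca013(display_name, controls, platforms):
    """Build a constructed policy object in Graph's shape (assumed field names)."""
    return {
        "displayName": display_name,
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "platforms": {"includePlatforms": platforms},
        },
        "grantControls": {"operator": "OR", "builtInControls": controls},
    }

# The template as shipped: MFA OR compliant OR hybrid joined, Windows/macOS only.
CA013_AS_SHIPPED = _ca013(
    "CA013: Require compliant or hybrid Azure AD joined device or multi-factor authentication for all users",
    ["mfa", "compliantDevice", "domainJoinedDevice"], ["windows", "macOS"])
# The change the accepted answer requested: MFA control removed.
CA013_DEVICE_ONLY = _ca013(
    "CA013: Require compliant or hybrid Azure AD joined device for all users",
    ["compliantDevice", "domainJoinedDevice"], ["windows", "macOS"])
# Same device-only grant but scoped to every platform (constructed variant).
CA013_DEVICE_ONLY_ALL_PLATFORMS = replace_platforms = _ca013(
    "CA013 (device only, all platforms)",
    ["compliantDevice", "domainJoinedDevice"], ["all"])

@dataclass(frozen=True)
class SignIn:
    """Facts Entra ID would know about one sign-in (constructed for the example)."""
    platform: str            # Graph platform names: windows, macOS, linux, iOS, android
    mfa_satisfied: bool
    device_compliant: bool   # Intune compliance
    device_hybrid_joined: bool

def control_satisfied(control, s):
    """Map each built-in grant control to the sign-in fact that satisfies it."""
    if control == "mfa":
        return s.mfa_satisfied
    if control == "compliantDevice":
        return s.device_compliant
    if control == "domainJoinedDevice":
        return s.device_hybrid_joined
    # block, approvedApplication, compliantApplication, passwordChange are not
    # modelled here; refuse to guess rather than silently grant.
    raise ValueError(f"unhandled grant control: {control}")

def policy_applies(policy, s):
    """Simplified scope check: platform condition only (no user/app exclusions)."""
    platforms = policy["conditions"].get("platforms", {}).get("includePlatforms", ["all"])
    return "all" in platforms or s.platform in platforms

def grant_allowed(policy, s):
    """Return (applies, allowed). A policy that does not apply imposes nothing."""
    if policy["state"] != "enabled" or not policy_applies(policy, s):
        return (False, True)
    gc = policy["grantControls"]
    results = [control_satisfied(c, s) for c in gc["builtInControls"]]
    if gc["operator"] == "OR":
        return (True, any(results))
    if gc["operator"] == "AND":
        return (True, all(results))
    raise ValueError(f"unknown operator: {gc['operator']}")

def mfa_bypasses_device_controls(policy):
    """The inconsistency raised in the thread: OR lets MFA alone satisfy a device policy."""
    gc = policy["grantControls"]
    controls = set(gc["builtInControls"])
    return gc["operator"] == "OR" and "mfa" in controls and bool(controls & DEVICE_CONTROLS)

def audit(policies):
    """Names of enabled policies whose device requirement can be met by MFA alone."""
    return [p["displayName"] for p in policies
            if p["state"] == "enabled" and mfa_bypasses_device_controls(p)]

if __name__ == "__main__":
    unmanaged_windows_with_mfa = SignIn("windows", True, False, False)
    for p in (CA013_AS_SHIPPED, CA013_DEVICE_ONLY):
        print(p["displayName"], grant_allowed(p, unmanaged_windows_with_mfa))
    print("flagged:", audit([CA013_AS_SHIPPED, CA013_DEVICE_ONLY]))
```

Running the audit against policies exported from a real tenant (the same JSON shape, after handling the extra grant controls the example deliberately refuses) gives a quick list of "device" policies that a second factor alone can satisfy.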

