Conditional Access: Filter for applications (Preview)

Currently Conditional Access policies can be applied to all apps or to individual apps. Organizations with a large number of apps may find this process difficult to manage across multiple Conditional Access policies.

Application filters are a new feature for Conditional Access that allows organizations to tag service principals with custom attributes. These custom attributes are then added to their Conditional Access policies. Filters for applications are evaluated at token issuance runtime, a common question is if apps are assigned at runtime or configuration time.

In this document, you create a custom attribute set, assign a custom security attribute to your application, and create a Conditional Access policy to secure the application.

Note

Filter for applications is currently in public preview. For more information about previews, see Supplemental Terms of Use for Microsoft Azure Previews.

Assign roles

Custom security attributes are security sensitive and can only be managed by delegated users. Even global administrators don't have default permissions for custom security attributes. One or more of the following roles should be assigned to the users who manage or report on these attributes.

Role name Description
Attribute assignment administrator Assign custom security attribute keys and values to supported Azure AD objects.
Attribute assignment reader Read custom security attribute keys and values for supported Azure AD objects.
Attribute definition administrator Define and manage the definition of custom security attributes.
Attribute definition reader Read the definition of custom security attributes.
  1. Assign the appropriate role to the users who will manage or report on these attributes at the directory scope.

    For detailed steps, see Assign Azure roles using the Azure portal.

Create custom security attributes

Follow the instructions in the article, Add or deactivate custom security attributes in Azure AD (Preview) to add the following Attribute set and New attributes.

  • Create an Attribute set named ConditionalAccessTest.
  • Create New attributes named policyRequirement that Allow multiple values to be assigned and Only allow predefined values to be assigned. We add the following predefined values:
    • legacyAuthAllowed
    • blockGuesUsers
    • requireMFA
    • requireCompliantDevice
    • requireHybridJoinedDevice
    • requireCompliantApp

A screenshot showing custom security attribute and predefined values in Azure AD.

Note

Conditional Access filters for devices only works with custom security attributes of type "string".

Create a Conditional Access policy

A screenshot showing a Conditional Access policy with the edit filter window showing an attribute of require MFA.

  1. Sign in to the Azure portal as a Conditional Access Administrator, Security Administrator, or Global Administrator.
  2. Browse to Azure Active Directory > Security > Conditional Access.
  3. Select New policy.
  4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
  5. Under Assignments, select Users or workload identities.
    1. Under Include, select All users.
    2. Under Exclude, select Users and groups and choose your organization's emergency access or break-glass accounts.
    3. Select Done.
  6. Under Cloud apps or actions, select the following options:
    1. Select what this policy applies to Cloud apps.
    2. Include Select apps.
    3. Select Edit filter.
    4. Set Configure to Yes.
    5. Select the Attribute we created earlier called policyRequirement.
    6. Set Operator to Contains.
    7. Set Value to requireMFA.
    8. Select Done.
  7. Under Access controls > Grant, select Grant access, Require multi-factor authentication, and select Select.
  8. Confirm your settings and set Enable policy to Report-only.
  9. Select Create to create to enable your policy.

After confirming your settings using report-only mode, an administrator can move the Enable policy toggle from Report-only to On.

Configure custom attributes

Step 1: Set up a sample application

If you already have a test application that makes use of a service principal, you can skip this step.

Set up a sample application that, demonstrates how a job or a Windows service can run with an application identity, instead of a user's identity. Follow the instructions in the article Quickstart: Get a token and call the Microsoft Graph API by using a console app's identity to create this application.

Step 2: Assign a custom security attribute to an application

When you don't have a service principal listed in your tenant, it can't be targeted. The Office 365 suite is an example of one such service principal.

  1. Sign in to the Azure portal as a Conditional Access Administrator, Security Administrator, or Global Administrator.
  2. Browse to Azure Active Directory > Enterprise applications.
  3. Select the service principal you want to apply a custom security attribute to.
  4. Under Manage > Custom security attributes (preview), select Add assignment.
  5. Under Attribute set, select ConditionalAccessTest.
  6. Under Attribute name, select policyRequirement.
  7. Under Assigned values, select Add values, select requireMFA from the list, then select Done.
  8. Select Save.

Step 3: Test the policy

Sign in as a user who the policy would apply to and test to see that MFA is required when accessing the application.

Other scenarios

  • Blocking legacy authentication
  • Blocking external access to applications
  • Requiring compliant device or Intune app protection policies
  • Enforcing sign in frequency controls for specific applications
  • Requiring a privileged access workstation for specific applications
  • Require session controls for high risk users and specific applications

Next steps

Conditional Access common policies

Determine impact using Conditional Access report-only mode

Simulate sign in behavior using the Conditional Access What If tool