Conditional Access: Filter for applications

Currently Conditional Access policies can be applied to all apps or to individual apps. Organizations with a large number of apps might find this process difficult to manage across multiple Conditional Access policies.

Application filters for Conditional Access allow organizations to tag service principals with custom attributes. These custom attributes are then added to their Conditional Access policies. Filters for applications are evaluated at token issuance runtime, a common question is if apps are assigned at runtime or configuration time.

In this document, you create a custom attribute set, assign a custom security attribute to your application, and create a Conditional Access policy to secure the application.

Assign roles

Custom security attributes are security sensitive and can only be managed by delegated users. Even Global Administrators don't have default permissions for custom security attributes. One or more of the following roles should be assigned to the users who manage or report on these attributes.

Role name Description
Attribute Assignment Administrator Assign custom security attribute keys and values to supported Microsoft Entra objects.
Attribute Assignment Reader Read custom security attribute keys and values for supported Microsoft Entra objects.
Attribute Definition Administrator Define and manage the definition of custom security attributes.
Attribute Definition Reader Read the definition of custom security attributes.

Assign the appropriate role to the users who manage or report on these attributes at the directory scope. For detailed steps, see Assign a role.

Create custom security attributes

Follow the instructions in the article, Add or deactivate custom security attributes in Microsoft Entra ID to add the following Attribute set and New attributes.

  • Create an Attribute set named ConditionalAccessTest.
  • Create New attributes named policyRequirement that Allow multiple values to be assigned and Only allow predefined values to be assigned. We add the following predefined values:
    • legacyAuthAllowed
    • blockGuestUsers
    • requireMFA
    • requireCompliantDevice
    • requireHybridJoinedDevice
    • requireCompliantApp

A screenshot showing custom security attribute and predefined values in Microsoft Entra ID.

Note

Conditional Access filters for devices only works with custom security attributes of type "string". Custom Security Attributes support creation of Boolean data type but Conditional Access Policy only supports "string".

Create a Conditional Access policy

A screenshot showing a Conditional Access policy with the edit filter window showing an attribute of require MFA.

  1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator and Attribute Definition Reader.
  2. Browse to Protection > Conditional Access.
  3. Select New policy.
  4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
  5. Under Assignments, select Users or workload identities.
    1. Under Include, select All users.
    2. Under Exclude, select Users and groups and choose your organization's emergency access or break-glass accounts.
    3. Select Done.
  6. Under Target resources, select the following options:
    1. Select what this policy applies to Cloud apps.
    2. Include Select apps.
    3. Select Edit filter.
    4. Set Configure to Yes.
    5. Select the Attribute we created earlier called policyRequirement.
    6. Set Operator to Contains.
    7. Set Value to requireMFA.
    8. Select Done.
  7. Under Access controls > Grant, select Grant access, Require multifactor authentication, and select Select.
  8. Confirm your settings and set Enable policy to Report-only.
  9. Select Create to create to enable your policy.

After administrators confirm the settings using report-only mode, they can move the Enable policy toggle from Report-only to On.

Configure custom attributes

Step 1: Set up a sample application

If you already have a test application that makes use of a service principal, you can skip this step.

Set up a sample application that, demonstrates how a job or a Windows service can run with an application identity, instead of a user's identity. Follow the instructions in the article Quickstart: Get a token and call the Microsoft Graph API by using a console app's identity to create this application.

Step 2: Assign a custom security attribute to an application

When you don't have a service principal listed in your tenant, it can't be targeted. The Office 365 suite is an example of one such service principal.

  1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator and Attribute Assignment Administrator.
  2. Browse to Identity > Applications > Enterprise applications.
  3. Select the service principal you want to apply a custom security attribute to.
  4. Under Manage > Custom security attributes, select Add assignment.
  5. Under Attribute set, select ConditionalAccessTest.
  6. Under Attribute name, select policyRequirement.
  7. Under Assigned values, select Add values, select requireMFA from the list, then select Done.
  8. Select Save.

Step 3: Test the policy

Sign in as a user who the policy would apply to and test to see that MFA is required when accessing the application.

Other scenarios

  • Blocking legacy authentication
  • Blocking external access to applications
  • Requiring compliant device or Intune app protection policies
  • Enforcing sign in frequency controls for specific applications
  • Requiring a privileged access workstation for specific applications
  • Require session controls for high risk users and specific applications

Conditional Access templates

Determine effect using Conditional Access report-only mode

Use report-only mode for Conditional Access to determine the results of new policy decisions.