articles/active-directory/conditional-access/concept-conditional-access-grant.md
5 additions & 1 deletion
@@ -6,7 +6,7 @@ services: active-directory
6
6
ms.service: active-directory
7
7
ms.subservice: conditional-access
8
8
ms.topic: conceptual
9
-
ms.date: 06/29/2022
9
+
ms.date: 08/05/2022
10
10
11
11
ms.author: joflore
12
12
author: MicrosoftGuyJFlo
@@ -192,6 +192,10 @@ Restrictions when you configure a policy using the password change control.
192
192
193
193
If your organization has created terms of use, other options may be visible under grant controls. These options allow administrators to require acknowledgment of terms of use as a condition of accessing the resources protected by the policy. More information about terms of use can be found in the article, [Azure Active Directory terms of use](terms-of-use.md).
194
194
195
+
### Custom controls (preview)
196
+
197
+
Custom controls is a preview capability of the Azure Active Directory. When using custom controls, your users are redirected to a compatible service to satisfy authentication requirements outside of Azure Active Directory. For more information, check out the [Custom controls](controls.md) article.
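Review bot: In the added paragraph at new line 197, "a preview capability of the Azure Active Directory" should drop the article and read "a preview capability of Azure Active Directory". The same sentence is the only place this hunk tells readers that the verification step happens at the external service rather than in Azure AD; keeping that statement before the "For more information" link is the right order, so no further change is needed there.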
articles/active-directory/conditional-access/concept-conditional-access-policies.md
16 additions & 11 deletions
@@ -6,7 +6,7 @@ services: active-directory
6
6
ms.service: active-directory
7
7
ms.subservice: conditional-access
8
8
ms.topic: conceptual
9
-
ms.date: 01/11/2022
9
+
ms.date: 08/05/2022
10
10
11
11
ms.author: joflore
12
12
author: MicrosoftGuyJFlo
@@ -29,18 +29,21 @@ If a policy where "Require one of the selected controls" is selected, we prompt
29
29
30
30
All policies are enforced in two phases:
31
31
32
-
- Phase 1: Collect session details
32
+
-**Phase 1**: Collect session details
33
33
- Gather session details, like network location and device identity that will be necessary for policy evaluation.
34
34
- Phase 1 of policy evaluation occurs for enabled policies and policies in [report-only mode](concept-conditional-access-report-only.md).
35
-
- Phase 2: Enforcement
35
+
-**Phase 2**: Enforcement
36
36
- Use the session details gathered in phase 1 to identify any requirements that haven't been met.
37
37
- If there's a policy that is configured to block access, with the block grant control, enforcement will stop here and the user will be blocked.
38
38
- The user will be prompted to complete more grant control requirements that weren't satisfied during phase 1 in the following order, until policy is satisfied:
39
-
- Multi-factor authentication
40
-
- Approved client app/app protection policy
41
-
- Managed device (compliant or hybrid Azure AD join)
- Once all grant controls have been satisfied, apply session controls (App Enforced, Microsoft Defender for Cloud Apps, and token Lifetime)
45
48
- Phase 2 of policy evaluation occurs for all enabled policies.
46
49
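Review bot: The new list markers at new lines 32 and 35, "-**Phase 1**: Collect session details" and "-**Phase 2**: Enforcement", have no space between the hyphen and the bold text, so Markdown will not treat them as list items and the indented bullets beneath them will not nest; write them as "- **Phase 1**: Collect session details" and "- **Phase 2**: Enforcement". The three removed sub-items under "in the following order" (Multi-factor authentication, Approved client app/app protection policy, Managed device) are not shown as re-added in this view; confirm the ordered list still appears in the new file, because the "Once all grant controls have been satisfied, apply session controls" item only makes sense after it.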
@@ -76,7 +79,7 @@ Location data is provided by IP geolocation data. Administrators can choose to d
76
79
77
80
#### Client apps
78
81
79
-
By default, all newly created Conditional Access policies will apply to all client app types even if the client apps condition isn't configured.
82
+
The software the user is employing to access the cloud app. For example, 'Browser', and 'Mobile apps and desktop clients'. By default, all newly created Conditional Access policies will apply to all client app types even if the client apps condition isn't configured.
80
83
81
84
The behavior of the client apps condition was updated in August 2020. If you have existing Conditional Access policies, they'll remain unchanged. However, if you select on an existing policy, the configure toggle has been removed and the client apps the policy applies to are selected.
82
85
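Review bot: The text added at the start of new line 82, "The software the user is employing to access the cloud app.", is a sentence fragment; rewrite it as "The client apps condition identifies the software the user is using to access the cloud app, for example 'Browser' or 'Mobile apps and desktop clients'." and drop the comma before "and". In the unchanged context line, "if you select on an existing policy" should read "if you select an existing policy".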
@@ -104,7 +107,7 @@ Block access does just that, it will block access under the specified assignment
104
107
105
108
The grant control can trigger enforcement of one or more controls.
106
109
107
-
- Require multi-factor authentication (Azure AD Multi-Factor Authentication)
110
+
- Require multi-factor authentication
108
111
- Require device to be marked as compliant (Intune)
109
112
- Require Hybrid Azure AD joined device
110
113
- Require approved client app
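Review bot: Removing "(Azure AD Multi-Factor Authentication)" at new line 110 leaves this as the only grant control without a product name, while the neighbouring "Require device to be marked as compliant (Intune)" keeps its parenthetical; either keep the name or link the item to the Azure AD Multi-Factor Authentication article so readers know which MFA service satisfies the control.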
@@ -123,7 +126,7 @@ Administrators can choose to require one of the previous controls or all selecte
123
126
124
127
- Use app enforced restrictions
125
128
- Currently works with Exchange Online and SharePoint Online only.
126
-
- Passes device information to allow control of experience granting full or limited access.
129
+
- Passes device information to allow control of experience granting full or limited access.
127
130
- Use Conditional Access App Control
128
131
- Uses signals from Microsoft Defender for Cloud Apps to do things like:
129
132
- Block download, cut, copy, and print of sensitive documents.
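Review bot: The removed line at old 126 and the added line at new 129, "- Passes device information to allow control of experience granting full or limited access.", read identically here, so this change is whitespace only; confirm the indentation now matches the sibling nested bullet "- Currently works with Exchange Online and SharePoint Online only." so the item renders under "Use app enforced restrictions". While touching it, "to allow control of experience granting full or limited access" would read better as "so the app can grant full or limited access".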
@@ -133,6 +136,8 @@ Administrators can choose to require one of the previous controls or all selecte
133
136
- Ability to change the default sign in frequency for modern authentication.
134
137
- Persistent browser session
135
138
- Allows users to remain signed in after closing and reopening their browser window.
articles/active-directory/conditional-access/concept-conditional-access-users-groups.md
3 additions & 3 deletions
@@ -6,7 +6,7 @@ services: active-directory
6
6
ms.service: active-directory
7
7
ms.subservice: conditional-access
8
8
ms.topic: conceptual
9
-
ms.date: 06/01/2022
9
+
ms.date: 08/05/2022
10
10
11
11
ms.author: joflore
12
12
author: MicrosoftGuyJFlo
@@ -33,9 +33,9 @@ The following options are available to include when creating a Conditional Acces
33
33
- All users that exist in the directory including B2B guests.
34
34
- Select users and groups
35
35
- All guest and external users
36
-
- This selection includes any B2B guests and external users including any user with the `user type` attribute set to `guest`. This selection also applies to any external user signed-in from a different organization like a Cloud Solution Provider (CSP).
36
+
- This selection includes any [B2B guests and external users](../external-identities/external-identities-overview.md) including any user with the `user type` attribute set to `guest`. This selection also applies to any external user signed-in from a different organization like a Cloud Solution Provider (CSP).
37
37
- Directory roles
38
-
- Allows administrators to select specific built-in Azure AD directory roles used to determine policy assignment. For example, organizations may create a more restrictive policy on users assigned the global administrator role. Other role types aren't supported, including administrative unit-scoped roles and custom roles.
38
+
- Allows administrators to select specific [built-in Azure AD directory roles](../roles/permissions-reference.md) used to determine policy assignment. For example, organizations may create a more restrictive policy on users assigned the global administrator role. Other role types aren't supported, including administrative unit-scoped roles and custom roles.
39
39
- Users and groups
40
40
- Allows targeting of specific sets of users. For example, organizations can select a group that contains all members of the HR department when an HR app is selected as the cloud app. A group can be any type of user group in Azure AD, including dynamic or assigned security and distribution groups. Policy will be applied to nested users and groups.
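Review bot: In the changed line at new 36, "signed-in" is used as a verb and should be "signed in" ("any external user signed in from a different organization"). The attribute in Azure AD and Microsoft Graph is named `userType` with the value `Guest`, so "`user type` attribute set to `guest`" should use those exact names. The new relative links `../external-identities/external-identities-overview.md` and `../roles/permissions-reference.md` only resolve if those files exist in the sibling directories; run the docs link check before merging.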
articles/active-directory/conditional-access/overview.md
3 additions & 3 deletions
@@ -6,7 +6,7 @@ services: active-directory
6
6
ms.service: active-directory
7
7
ms.subservice: conditional-access
8
8
ms.topic: overview
9
-
ms.date: 04/15/2022
9
+
ms.date: 08/05/2022
10
10
11
11
ms.author: joflore
12
12
author: MicrosoftGuyJFlo
@@ -55,8 +55,8 @@ Common signals that Conditional Access can take in to account when making a poli
55
55
- Application
56
56
- Users attempting to access specific applications can trigger different Conditional Access policies.
57
57
- Real-time and calculated risk detection
58
-
- Signals integration with Azure AD Identity Protection allows Conditional Access policies to identify risky sign-in behavior. Policies can then force users to change their password, do multi-factor authentication to reduce their risk level, or block access until an administrator takes manual action.
59
-
- Microsoft Defender for Cloud Apps
58
+
- Signals integration with [Azure AD Identity Protection](../identity-protection/overview-identity-protection.md) allows Conditional Access policies to identify risky sign-in behavior. Policies can then force users to change their password, do multi-factor authentication to reduce their risk level, or block access until an administrator takes manual action.
59
+
-[Microsoft Defender for Cloud Apps](/defender-cloud-apps/what-is-defender-for-cloud-apps)
60
60
- Enables user application access and sessions to be monitored and controlled in real time, increasing visibility and control over access to and activities done within your cloud environment.
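Review bot: The new line 59, "-[Microsoft Defender for Cloud Apps](/defender-cloud-apps/what-is-defender-for-cloud-apps)", is missing the space after the hyphen, so it will not render as a list item and the description bullet beneath it will not nest; write it as "- [Microsoft Defender for Cloud Apps](/defender-cloud-apps/what-is-defender-for-cloud-apps)". In the hunk-header context, "take in to account" should be "take into account".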