articles/active-directory/conditional-access/concept-condition-filters-for-devices.md: 7 additions & 7 deletions
@@ -22,8 +22,8 @@ When creating Conditional Access policies, administrators have asked for the abi
22
22
There are multiple scenarios that organizations can now enable using filter for devices condition. Below are some core scenarios with examples of how to use this new condition.
23
23
24
24
-**Restrict access to privileged resources**. For this example, lets say you want to allow access to Microsoft Azure Management from a user who is assigned a privilged role Global Admin, has satisfied multifactor authentication and accessing from a device that is [privileged or secure admin workstations](/security/compass/privileged-access-devices) and attested as compliant. For this scenario, organizations would create two Conditional Access policies:
25
-
- Policy 1: All users with the directory role of Global administrator, accessing the Microsoft Azure Management cloud app, and for Access controls, Grant access, but require multifactor authentication and require device to be marked as compliant.
26
-
- Policy 2: All users with the directory role of Global administrator, accessing the Microsoft Azure Management cloud app, excluding a filter for devices using rule expression device.extensionAttribute1 equals SAW and for Access controls, Block. Learn how to [update extensionAttributes on an Azure AD device object](/graph/api/device-update?view=graph-rest-1.0&tabs=http&preserve-view=true).
25
+
- Policy 1: All users with the directory role of Global Administrator, accessing the Microsoft Azure Management cloud app, and for Access controls, Grant access, but require multifactor authentication and require device to be marked as compliant.
26
+
- Policy 2: All users with the directory role of Global Administrator, accessing the Microsoft Azure Management cloud app, excluding a filter for devices using rule expression device.extensionAttribute1 equals SAW and for Access controls, Block. Learn how to [update extensionAttributes on an Azure AD device object](/graph/api/device-update?view=graph-rest-1.0&tabs=http&preserve-view=true).
27
27
-**Block access to organization resources from devices running an unsupported Operating System**. For this example, lets say you want to block access to resources from Windows OS version older than Windows 10. For this scenario, organizations would create the following Conditional Access policy:
28
28
- All users, accessing all cloud apps, excluding a filter for devices using rule expression device.operatingSystem equals Windows and device.operatingSystemVersion startsWith "10.0" and for Access controls, Block.
29
29
-**Do not require multifactor authentication for specific accounts on specific devices**. For this example, lets say you want to not require multifactor authentication when using service accounts on specific devices like Teams phones or Surface Hub devices. For this scenario, organizations would create the following two Conditional Access policies:
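Review bot: the unsupported-OS example in this hunk's context does more than its stated goal. A Block policy on all users and all cloud apps that excludes only devices matching `device.operatingSystem equals Windows and device.operatingSystemVersion startsWith "10.0"` also blocks every non-Windows device (macOS, iOS, Android, Linux) and any sign-in from a device that has no Azure AD device object for the filter to evaluate, since neither can satisfy the exclusion. Either state that plainly or narrow the example so only Windows devices that fail the version test are blocked. On the privileged-resources scenario, Policy 2 makes the whole control depend on `device.extensionAttribute1` being `SAW`, and the text links the Graph device-update call that sets it; say who is permitted to write that attribute, because any principal that can set it on a device can exempt that device from the block. Finally, the unchanged context lines carry typos that should be fixed while these lines are being edited: "privilged" and "lets say" (twice).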
@@ -42,14 +42,14 @@ Filter for devices is an option when creating a Conditional Access policy in the
42
42
43
43
The following steps will help create two Conditional Access policies to support the first scenario under [Common scenarios](#common-scenarios).
44
44
45
-
Policy 1: All users with the directory role of Global administrator, accessing the Microsoft Azure Management cloud app, and for Access controls, Grant access, but require multifactor authentication and require device to be marked as compliant.
45
+
Policy 1: All users with the directory role of Global Administrator, accessing the Microsoft Azure Management cloud app, and for Access controls, Grant access, but require multifactor authentication and require device to be marked as compliant.
46
46
47
-
1. Sign in to the **Azure portal** as a global administrator, security administrator, or Conditional Access administrator.
47
+
1. Sign in to the **Azure portal** as a Global Administrator, Security Administrator, or Conditional Access Administrator.
48
48
1. Browse to **Azure Active Directory** > **Security** > **Conditional Access**.
49
49
1. Select **New policy**.
50
50
1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
51
51
1. Under **Assignments**, select **Users or workload identities**..
52
-
1. Under **Include**, select **Directory roles** and choose **Global administrator**.
52
+
1. Under **Include**, select **Directory roles** and choose **Global Administrator**.
53
53
54
54
> [!WARNING]
55
55
> Conditional Access policies support built-in roles. Conditional Access policies are not enforced for other role types including [administrative unit-scoped](../roles/admin-units-assign-roles.md) or [custom roles](../roles/custom-create.md).
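Review bot: the unchanged step `Under **Assignments**, select **Users or workload identities**..` has a doubled period that should be fixed while this hunk is open. Since the `Directory roles` step tells the reader what to click, confirm that `Global Administrator` matches the label the portal picker actually shows; a capitalization change in a click-path is only correct if the UI agrees.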
@@ -61,12 +61,12 @@ Policy 1: All users with the directory role of Global administrator, accessing t
61
61
1. Confirm your settings and set **Enable policy** to **On**.
62
62
1. Select **Create** to create to enable your policy.
63
63
64
-
Policy 2: All users with the directory role of Global administrator, accessing the Microsoft Azure Management cloud app, excluding a filter for devices using rule expression device.extensionAttribute1 equals SAW and for Access controls, Block.
64
+
Policy 2: All users with the directory role of Global Administrator, accessing the Microsoft Azure Management cloud app, excluding a filter for devices using rule expression device.extensionAttribute1 equals SAW and for Access controls, Block.
65
65
66
66
1. Select **New policy**.
67
67
1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
68
68
1. Under **Assignments**, select **Users or workload identities**..
69
-
1. Under **Include**, select **Directory roles** and choose **Global administrator**.
69
+
1. Under **Include**, select **Directory roles** and choose **Global Administrator**.
70
70
71
71
> [!WARNING]
72
72
> Conditional Access policies support built-in roles. Conditional Access policies are not enforced for other role types including [administrative unit-scoped](../roles/admin-units-assign-roles.md) or [custom roles](../roles/custom-create.md).
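Review bot: `Select **Create** to create to enable your policy.` in this hunk's context repeats "to create"; it should read `Select **Create** to enable your policy.` The same `identities**..` doubled period appears here too. More importantly, Policy 2 is a Block on Global Administrators for Microsoft Azure Management from every device except those tagged `SAW`, so a missing or mistyped extensionAttribute1 value locks the tenant's own administrators out of Azure management. The lockout caution that howto-conditional-access-policy-azure-management.md carries ("Make sure you don't create conditions that could block your own access to the portal") and the Report-only-first rollout that howto-conditional-access-policy-block-legacy.md describes both belong in this walkthrough, before the reader sets `Enable policy` to `On`.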
articles/active-directory/conditional-access/concept-conditional-access-users-groups.md: 2 additions & 2 deletions
@@ -35,7 +35,7 @@ The following options are available to include when creating a Conditional Acces
35
35
- All guest and external users
36
36
- This selection includes any [B2B guests and external users](../external-identities/external-identities-overview.md) including any user with the `user type` attribute set to `guest`. This selection also applies to any external user signed-in from a different organization like a Cloud Solution Provider (CSP).
37
37
- Directory roles
38
-
- Allows administrators to select specific [built-in Azure AD directory roles](../roles/permissions-reference.md) used to determine policy assignment. For example, organizations may create a more restrictive policy on users assigned the global administrator role. Other role types aren't supported, including administrative unit-scoped roles and custom roles.
38
+
- Allows administrators to select specific [built-in Azure AD directory roles](../roles/permissions-reference.md) used to determine policy assignment. For example, organizations may create a more restrictive policy on users assigned the Global Administrator role. Other role types aren't supported, including administrative unit-scoped roles and custom roles.
39
39
- Users and groups
40
40
- Allows targeting of specific sets of users. For example, organizations can select a group that contains all members of the HR department when an HR app is selected as the cloud app. A group can be any type of user group in Azure AD, including dynamic or assigned security and distribution groups. Policy will be applied to nested users and groups.
41
41
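Review bot: the capitalization change is fine; the adjacent context sentence `Policy will be applied to nested users and groups` deserves a security caveat while this section is being touched. Because dynamic and nested groups are accepted as policy targets, anyone who can change the attributes a dynamic rule keys on, or add a group to a nested group, can move accounts into or out of a policy's scope. Suggest one sentence stating that scoping a policy to a group is only as strong as control over that group's membership.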
@@ -60,7 +60,7 @@ The following options are available to exclude when creating a Conditional Acces
60
60
- All guest and external users
61
61
- This selection includes any B2B guests and external users including any user with the `user type` attribute set to `guest`. This selection also applies to any external user signed-in from a different organization like a Cloud Solution Provider (CSP).
62
62
- Directory roles
63
-
- Allows administrators to select specific Azure AD directory roles used to determine assignment. For example, organizations may create a more restrictive policy on users assigned the global administrator role.
63
+
- Allows administrators to select specific Azure AD directory roles used to determine assignment. For example, organizations may create a more restrictive policy on users assigned the Global Administrator role.
64
64
- Users and groups
65
65
- Allows targeting of specific sets of users. For example, organizations can select a group that contains all members of the HR department when an HR app is selected as the cloud app. A group can be any type of group in Azure AD, including dynamic or assigned security and distribution groups. Policy will be applied to nested users and groups.
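Review bot: the exclude-side Directory roles text (`Allows administrators to select specific Azure AD directory roles used to determine assignment`) drops both the `built-in` qualifier and the sentence `Other role types aren't supported, including administrative unit-scoped roles and custom roles.` that the include-side text carries at line 38 of this file. An exclusion based on an unsupported role type silently excludes nobody, which matters more on the exclude side than the include side, so mirror that sentence here.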
articles/active-directory/conditional-access/concept-continuous-access-evaluation.md: 1 addition & 1 deletion
@@ -121,7 +121,7 @@ If you aren't using CAE-capable clients, your default access token lifetime will
121
121
122
122
### User condition change flow
123
123
124
-
In the following example, a Conditional Access administrator has configured a location based Conditional Access policy to only allow access from specific IP ranges:
124
+
In the following example, a Conditional Access Administrator has configured a location based Conditional Access policy to only allow access from specific IP ranges:
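Review bot: in this sentence `a Conditional Access administrator has configured a location based Conditional Access policy` describes the person performing the action in a walkthrough rather than naming a directory role, so the capitalization change is optional. Keep it if the intent is to say the role is what authored the policy; otherwise the lowercase form was not wrong. No functional change either way, and `location based` should be hyphenated as `location-based` while the line is being edited.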
articles/active-directory/conditional-access/howto-conditional-access-policy-azure-management.md: 1 addition & 1 deletion
@@ -51,7 +51,7 @@ The following steps will help create a Conditional Access policy to require user
51
51
> [!CAUTION]
52
52
> Make sure you understand how Conditional Access works before setting up a policy to manage access to Microsoft Azure Management. Make sure you don't create conditions that could block your own access to the portal.
53
53
54
-
1. Sign in to the **Azure portal** as a global administrator, security administrator, or Conditional Access administrator.
54
+
1. Sign in to the **Azure portal** as a Global Administrator, Security Administrator, or Conditional Access Administrator.
55
55
1. Browse to **Azure Active Directory** > **Security** > **Conditional Access**.
56
56
1. Select **New policy**.
57
57
1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
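Review bot: the CAUTION two lines above the changed step warns against blocking your own access to the portal but gives no concrete way to avoid it. Since this policy targets Microsoft Azure Management, the very surface an administrator would use to undo a bad policy, suggest adding the pattern the block-legacy how-to in this same commit uses (create in Report-only mode, then stage by group) and an explicit exclusion for an emergency-access account.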
articles/active-directory/conditional-access/howto-conditional-access-policy-block-legacy.md: 1 addition & 1 deletion
@@ -27,7 +27,7 @@ Organizations can choose to deploy this policy using the steps outlined below or
27
27
28
28
The following steps will help create a Conditional Access policy to block legacy authentication requests. This policy is put in to [Report-only mode](howto-conditional-access-insights-reporting.md) to start so administrators can determine the impact they'll have on existing users. When administrators are comfortable that the policy applies as they intend, they can switch to **On** or stage the deployment by adding specific groups and excluding others.
29
29
30
-
1. Sign in to the **Azure portal** as a global administrator, security administrator, or Conditional Access administrator.
30
+
1. Sign in to the **Azure portal** as a Global Administrator, Security Administrator, or Conditional Access Administrator.
31
31
1. Browse to **Azure Active Directory** > **Security** > **Conditional Access**.
32
32
1. Select **New policy**.
33
33
1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
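Review bot: two grammar fixes in the unchanged context line `This policy is put in to [Report-only mode]...`: `put in to` should be `put into`, and `the impact they'll have on existing users` refers to a single policy, so `it'll have`. The capitalization change itself matches the other how-to pages in this commit.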
articles/active-directory/conditional-access/howto-conditional-access-policy-compliant-device.md: 1 addition & 1 deletion
@@ -36,7 +36,7 @@ Organizations can choose to deploy this policy using the steps outlined below or
36
36
37
37
The following steps will help create a Conditional Access policy to require devices accessing resources be marked as compliant with your organization's Intune compliance policies.
38
38
39
-
1. Sign in to the **Azure portal** as a global administrator, security administrator, or Conditional Access administrator.
39
+
1. Sign in to the **Azure portal** as a Global Administrator, Security Administrator, or Conditional Access Administrator.
40
40
1. Browse to **Azure Active Directory** > **Security** > **Conditional Access**.
41
41
1. Select **New policy**.
42
42
1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
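Review bot: least-privilege nit on the sign-in step in this hunk and its siblings: all three listed roles can create a Conditional Access policy, yet `Global Administrator` is named first, which nudges readers toward the most powerful account for a routine task. Lead with `Conditional Access Administrator` (the narrowest role that suffices) and list the broader roles after it.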