- Visual Studio subscriptions administrator portal
115
+
When Conditional Access policy is targeted to the Microsoft Azure Management application, within the Conditional Access policy app picker the policy will be enforced for tokens issued to application IDs of a set of services closely bound to the portal.
116
+
117
+
- Azure Resource Manager
118
+
- Azure portal, which also covers the Microsoft Entra admin center
119
+
- Azure Data Lake
120
+
- Application Insights API
121
+
- Log Analytics API
122
+
123
+
Because the policy is applied to the Azure management portal and API, services, or clients with an Azure API service dependency, can indirectly be impacted. For example:
- Visual Studio subscriptions administrator portal
131
136
132
137
> [!NOTE]
133
138
> The Microsoft Azure Management application applies to [Azure PowerShell](/powershell/azure/what-is-azure-powershell), which calls the [Azure Resource Manager API](../../azure-resource-manager/management/overview.md). It does not apply to [Azure AD PowerShell](/powershell/azure/active-directory/overview), which calls the [Microsoft Graph API](/graph/overview).
134
139
135
140
For more information on how to set up a sample policy for Microsoft Azure Management, see [Conditional Access: Require MFA for Azure management](howto-conditional-access-policy-azure-management.md).
136
141
137
-
>[!NOTE]
138
-
>For Azure Government, you should target the Azure Government Cloud Management API application.
142
+
>[!TIP]
143
+
>For Azure Government, you should target the Azure Government Cloud Management API application.
139
144
140
145
### Other applications
141
146
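Review bot: The new sentence at line 115 reads awkwardly because "within the Conditional Access policy app picker" is wedged between the condition and its consequence; suggest "When a Conditional Access policy targets the Microsoft Azure Management application in the app picker, the policy is enforced for tokens issued to the application IDs of a set of services closely bound to the portal:" so the list that follows is clearly the set being enforced. Demoting the Azure Government callout from [!NOTE] to [!TIP] at lines 142-143 also reads wrong: targeting the Azure Government Cloud Management API application is a requirement for the policy to apply in that cloud at all, not an optional hint, so [!NOTE] (or [!IMPORTANT]) fits better; while touching it, ">[!TIP]" lacks the space after ">" that the other callouts in this file use ("> [!NOTE]").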
@@ -150,7 +155,23 @@ Administrators can add any Azure AD registered application to Conditional Access
150
155
> [!NOTE]
151
156
> Since Conditional Access policy sets the requirements for accessing a service you are not able to apply it to a client (public/native) application. In other words, the policy is not set directly on a client (public/native) application, but is applied when a client calls a service. For example, a policy set on SharePoint service applies to the clients calling SharePoint. A policy set on Exchange applies to the attempt to access the email using Outlook client. That is why client (public/native) applications are not available for selection in the Cloud Apps picker and Conditional Access option is not available in the application settings for the client (public/native) application registered in your tenant.
152
157
153
-
Some applications don't appear in the picker at all. The only way to include these applications in a Conditional Access policy is to include **All apps**.
158
+
Some applications don't appear in the picker at all. The only way to include these applications in a Conditional Access policy is to include **All cloud apps**.
159
+
160
+
### All cloud apps
161
+
162
+
Applying a Conditional Access policy to **All cloud apps** will result in the policy being enforced for all tokens issued to web sites and services. This option includes applications that aren't individually targetable in Conditional Access policy, such as Azure Active Directory.
163
+
164
+
In some cases, an **All cloud apps** policy could inadvertently block user access. These cases are excluded from policy enforcement and include:
165
+
166
+
- Services required to achieve the desired security posture. For example, device enrollment calls are excluded from compliant device policy targeted to All cloud apps.
167
+
168
+
- Calls to Azure AD Graph and MS Graph, to access user profile, group membership and relationship information that is commonly used by applications excluded from policy. The excluded scopes are listed below. Consent is still required for apps to use these permissions.
169
+
- For native clients:
170
+
- Azure AD Graph: User.read
171
+
- MS Graph: User.read, People.read, and UserProfile.read
172
+
- For confidential / authenticated clients:
173
+
- Azure AD Graph: User.read, User.read.all, and User.readbasic.all
174
+
- MS Graph: User.read,User.read.all, User.read.All People.read, People.read.all, GroupMember.Read.All, Member.Read.Hidden, and UserProfile.read
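Review bot: The MS Graph scope list for confidential clients at line 174 has a missing space and comma and a duplicated entry: "User.read,User.read.all, User.read.All People.read" lists User.Read.All twice with different casing and runs straight into People.read. Suggest one permission per comma in its canonical casing, e.g. "User.Read, User.Read.All, People.Read, People.Read.All, GroupMember.Read.All, Member.Read.Hidden, UserProfile.read", and applying the same casing to the native-client and Azure AD Graph lists at lines 169-173 so readers can match them against consent prompts and sign-in logs. The paragraph at line 168 would also be clearer if it stated the practical consequence outright: because these scopes are excluded, an All cloud apps policy does not gate these basic profile and membership reads, which matters to admins who rely on All cloud apps as a catch-all.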
articles/active-directory/conditional-access/concept-conditional-access-grant.md (2 additions & 0 deletions)
@@ -69,6 +69,8 @@ Devices must be registered in Azure AD before they can be marked as compliant. M
69
69
> [!NOTE]
70
70
> On Windows 7, iOS, Android, macOS, and some third-party web browsers Azure AD identifies the device using a client certificate that is provisioned when the device is registered with Azure AD. When a user first signs in through the browser the user is prompted to select the certificate. The end user must select this certificate before they can continue to use the browser.
71
71
72
+
You can use the Microsoft Defender for Endpoint app along with the Approved Client app policy in Intune to set device compliance policy Conditional Access policies. There's no exclusion required for the Microsoft Defender for Endpoint app while setting up Conditional Access. Although Microsoft Defender for Endpoint on Android & iOS (App ID - dd47d17a-3194-4d86-bfd5-c6ae6f5651e3) isn't an approved app, it has permission to report device security posture. This permission enables the flow of compliance information to Conditional Access.
73
+
72
74
### Require hybrid Azure AD joined device
73
75
74
76
Organizations can choose to use the device identity as part of their Conditional Access policy. Organizations can require that devices are hybrid Azure AD joined using this checkbox. For more information about device identities, see the article [What is a device identity?](../devices/overview.md).
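Review bot: The added paragraph at line 72 says "device compliance policy Conditional Access policies", which stacks two "policy" phrases; suggest "to use device compliance in Conditional Access policies". The same paragraph states that the Microsoft Defender for Endpoint app (App ID dd47d17a-3194-4d86-bfd5-c6ae6f5651e3) needs no exclusion because it has permission to report device security posture, but it gives the reader no way to use that ID; since it is quoted, say that this is the application to look for in sign-in logs when compliance data is not reaching Conditional Access. "Approved Client app policy" should also link to its article, as the other product references in this file do (for example the device identity link at line 76).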