articles/active-directory/conditional-access/concept-conditional-access-grant.md
11 additions & 5 deletions
@@ -6,7 +6,7 @@ services: active-directory
6
6
ms.service: active-directory
7
7
ms.subservice: conditional-access
8
8
ms.topic: conceptual
9
-
ms.date: 02/11/2020
9
+
ms.date: 02/21/2020
10
10
11
11
ms.author: joflore
12
12
author: MicrosoftGuyJFlo
@@ -52,13 +52,17 @@ Selecting this checkbox will require users to perform Azure Multi-Factor Authent
52
52
53
53
Organizations who have deployed Microsoft Intune can use the information returned from their devices to identify devices that meet specific compliance requirements. This policy compliance information is forwarded from Intune to Azure AD where Conditional Access can make decisions to grant or block access to resources. For more information about compliance policies, see the article [Set rules on devices to allow access to resources in your organization using Intune](https://docs.microsoft.com/intune/protect/device-compliance-get-started).
54
54
55
+
A device can be marked as compliant by Intune (for any device OS) or by third-party MDM system for Windows 10 devices. Third-party MDM systems for device OS types other than Windows 10 are not supported.
56
+
57
+
Devices must be registered in Azure AD before they can be marked as compliant. More information about device registration can be found in the article, [What is a device identity](../devices/overview.md).
58
+
55
59
### Require hybrid Azure AD joined device
56
60
57
61
Organizations can choose to use the device identity as part of their Conditional Access policy. Organizations can require that devices are hybrid Azure AD joined using this checkbox. For more information about device identities, see the article [What is a device identity?](../devices/overview.md).
58
62
59
63
### Require approved client app
60
64
61
-
Organizations can require that an access attempt to the selected cloud apps needs to be made from an approved client app.
65
+
Organizations can require that an access attempt to the selected cloud apps needs to be made from an approved client app. These approved client aps support [Intune app protection policies](/intune/app-protection-policy) independent of any mobile-device management (MDM) solution.
62
66
63
67
This setting applies to the following client apps:
64
68
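Review bot: typo in the sentence added under "Require approved client app": "approved client aps" should read "approved client apps". In the compliance paragraph added earlier in this hunk, "by third-party MDM system" is missing an article ("by a third-party MDM system"), and the new link text "What is a device identity" drops the question mark that the existing link to the same article in the hybrid Azure AD joined section carries. Because these lines tell administrators which devices can satisfy the compliant-device control, consider also stating what happens to a device on another OS that is managed only by a third-party MDM when the control is required.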
@@ -99,9 +103,7 @@ This setting applies to the following client apps:
99
103
100
104
### Require app protection policy
101
105
102
-
In your Conditional Access policy, you can require an app protection policy be present on the client app before access is available to the selected cloud apps.
103
-
104
-

106
+
In your Conditional Access policy, you can require an [Intune app protection policy](/intune/app-protection-policy) be present on the client app before access is available to the selected cloud apps.
105
107
106
108
This setting applies to the following client apps:
107
109
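Review bot: the new link target `/intune/app-protection-policy` is site-relative, while the existing Intune link in this file is absolute and sits under `/intune/protect/` (`https://docs.microsoft.com/intune/protect/device-compliance-get-started`). Please confirm the new path resolves and settle on one link style for Intune references; the same target is used in the "Require approved client app" sentence added earlier in this commit, so both should be fixed together if it does not.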
@@ -116,6 +118,10 @@ This setting applies to the following client apps:
116
118
- The **Require app protection policy** requirements:
117
119
- Only supports the iOS and Android for device platform condition.
118
120
121
+
### Terms of use
122
+
123
+
If your organization has created terms of use, additional options may be visible under grant controls. These options allow administrators to require acknowledgment of terms of use as a condition of accessing the resources protected by the policy. More information about terms of use can be found in the article, [Azure Active Directory terms of use](terms-of-use.md).
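Review bot: the added "Terms of use" paragraph says "additional options may be visible under grant controls" without saying how those options are labelled, so an administrator reading this cannot tell which control corresponds to which terms of use. Suggest describing how the option appears in the grant controls list, and confirming that `terms-of-use.md` resolves relative to the conditional-access folder this article lives in.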