Multiple Conditional Access policies may apply to an individual user at any time. In this case, all policies that apply must be satisfied. For example, if one policy requires multi-factor authentication (MFA) and another requires a compliant device, you must complete MFA, and use a compliant device. All assignments are logically **ANDed**. If you have more than one assignment configured, all assignments must be satisfied to trigger a policy.
26
+
Multiple Conditional Access policies may apply to an individual user at any time. In this case, all policies that apply must be satisfied. For example, if one policy requires multi-factor authentication (MFA) and another requires a compliant device, you must complete MFA, and use a compliant device. All assignments are logically **ANDed**. If you've more than one assignment configured, all assignments must be satisfied to trigger a policy.
27
+
28
+
If a policy where "Require one of the selected controls" is selected, we prompt in the order defined, as soon as the policy requirements are satisfied, access is granted.
27
29
28
30
All policies are enforced in two phases:
29
31
30
32
- Phase 1: Collect session details
31
33
- Gather session details, like network location and device identity that will be necessary for policy evaluation.
32
34
- Phase 1 of policy evaluation occurs for enabled policies and policies in [report-only mode](concept-conditional-access-report-only.md).
33
35
- Phase 2: Enforcement
34
-
- Use the session details gathered in phase 1 to identify any requirements that have not been met.
35
-
- If there is a policy that is configured to block access, with the block grant control, enforcement will stop here and the user will be blocked.
36
-
- The user will be prompted to complete additional grant control requirements that were not satisfied during phase 1 in the following order, until policy is satisfied:
36
+
- Use the session details gathered in phase 1 to identify any requirements that haven't been met.
37
+
- If there's a policy that is configured to block access, with the block grant control, enforcement will stop here and the user will be blocked.
38
+
- The user will be prompted to complete more grant control requirements that weren't satisfied during phase 1 in the following order, until policy is satisfied:
37
39
- Multi-factor authentication
38
40
- Approved client app/app protection policy
39
41
- Managed device (compliant or hybrid Azure AD join)
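Review bot: The sentence added at new line 28 does not parse: "If a policy where "Require one of the selected controls" is selected" has no main clause, and the remainder is a comma splice. Suggest: "If a policy has "Require one of the selected controls" selected, we prompt in the order defined. As soon as the policy requirements are satisfied, access is granted." It would also help to say that "the order defined" is the order listed under Phase 2, since this sentence sits directly after the statement that all assignments are ANDed and a reader can easily confuse assignments with grant controls. Separately, at new line 26, "If you've more than one assignment configured" contracts "have" used as the main verb, which reads awkwardly; "If you have more than one assignment configured" was fine as it stood.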
@@ -74,9 +76,9 @@ Location data is provided by IP geolocation data. Administrators can choose to d
74
76
75
77
#### Client apps
76
78
77
-
By default, all newly created Conditional Access policies will apply to all client app types even if the client apps condition is not configured.
79
+
By default, all newly created Conditional Access policies will apply to all client app types even if the client apps condition isn't configured.
78
80
79
-
The behavior of the client apps condition was updated in August 2020. If you have existing Conditional Access policies, they will remain unchanged. However, if you click on an existing policy, the configure toggle has been removed and the client apps the policy applies to are selected.
81
+
The behavior of the client apps condition was updated in August 2020. If you have existing Conditional Access policies, they'll remain unchanged. However, if you select on an existing policy, the configure toggle has been removed and the client apps the policy applies to are selected.
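Review bot: At new line 81, replacing "click on" with "select on" leaves a stray preposition: "if you select on an existing policy" should read "if you select an existing policy". The rest of the contraction changes in this hunk ("isn't", "they'll") read fine.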