Commit d1db04f

edit pass: conditional-access-grant
1 parent 9f1a549 commit d1db04f

1 file changed

+8
-8
lines changed

articles/active-directory/conditional-access/concept-conditional-access-grant.md

Lines changed: 8 additions & 8 deletions
@@ -46,17 +46,17 @@ By default, Conditional Access requires all selected controls.
4646

4747
### Require Multi-Factor Authentication
4848

49-
Selecting this checkbox requires users to perform Azure Active Directory (Azure AD) Multi-factor Authentication. You can find more information about deploying Azure AD Multi-Factor Authentication in [Planning a cloud-based Azure AD Multifactor Authentication deployment](../authentication/howto-mfa-getstarted.md).
49+
Selecting this checkbox requires users to perform Azure Active Directory (Azure AD) Multi-factor Authentication. You can find more information about deploying Azure AD Multi-Factor Authentication in [Planning a cloud-based Azure AD Multi-Factor Authentication deployment](../authentication/howto-mfa-getstarted.md).
5050

5151
[Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-overview) satisfies the requirement for Multi-Factor Authentication in Conditional Access policies.
5252

5353
### Require device to be marked as compliant
5454

5555
Organizations that have deployed Intune can use the information returned from their devices to identify devices that meet specific policy compliance requirements. Intune sends compliance information to Azure AD so Conditional Access can decide to grant or block access to resources. For more information about compliance policies, see [Set rules on devices to allow access to resources in your organization using Intune](/intune/protect/device-compliance-get-started).
5656

57-
A device can be marked as compliant by Intune (for any device operating system [OS]) or by a third-party mobile device management system for Windows 10 devices. You can find a list of supported third-party mobile device management systems in [Support third-party device compliance partners in Intune](/mem/intune/protect/device-compliance-partners).
57+
A device can be marked as compliant by Intune (for any device operating system or by a third-party mobile device management system for Windows 10 devices. You can find a list of supported third-party mobile device management systems in [Support third-party device compliance partners in Intune](/mem/intune/protect/device-compliance-partners).
5858

59-
Devices must be registered in Azure AD before they can be marked as compliant. You can find more information about device registration in [What is a device identity](../devices/overview.md).
59+
Devices must be registered in Azure AD before they can be marked as compliant. You can find more information about device registration in [What is a device identity?](../devices/overview.md).
6060

6161
For devices enrolled with third-party mobile device management systems, see [Support third-party device compliance partners in Intune](/mem/intune/protect/device-compliance-partners).
6262
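Review bot: The added line 57 drops the closing parenthesis together with "[OS]": "(for any device operating system or by a third-party mobile device management system for Windows 10 devices." never closes, so the Windows 10 restriction now reads as part of the Intune parenthetical. Restore it as "(for any device operating system)". In added line 49 the link text is corrected to "Multi-Factor", but the first sentence of the same line still says "Multi-factor Authentication"; fix the casing there too.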

@@ -74,9 +74,9 @@ You can use the Microsoft Defender for Endpoint app with the approved client app
7474

7575
Organizations can choose to use the device identity as part of their Conditional Access policy. Organizations can require that devices are hybrid Azure AD joined by using this checkbox. For more information about device identities, see [What is a device identity?](../devices/overview.md).
7676

77-
When you use the [device-code OAuth flow](../develop/v2-oauth2-device-code.md), the grant control required for the managed device or a device state condition isn't supported. This is because the device that is performing authentication can't provide its device state to the device that is providing a code. Also, the device state in the token is locked to the device performing authentication. Use the **require multi-factor authentication grant** control instead.
77+
When you use the [device-code OAuth flow](../develop/v2-oauth2-device-code.md), the grant control required for the managed device or a device state condition isn't supported. This is because the device that is performing authentication can't provide its device state to the device that is providing a code. Also, the device state in the token is locked to the device performing authentication. Use the **require Multi-Factor Authentication** control instead.
7878

79-
The following requirements are part of the **Require hybrid Azure AD joined device** control:
79+
The control:
8080
- Only supports domain-joined Windows down-level (pre Windows 10) and Windows-current (Windows 10+) devices.
8181
- Doesn't consider Microsoft Edge in InPrivate mode as a hybrid Azure-AD-joined device.
8282
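Review bot: On added line 79, "The control:" has no clear antecedent, because the sentence immediately before it (added line 77) ends with "Use the **require Multi-Factor Authentication** control instead", so the bullets about domain-joined Windows devices and InPrivate mode now read as describing the MFA control. Name the control in the lead-in, for example "The **Require hybrid Azure AD joined device** control:". In added line 77 the bolded name starts with a lowercase "require", while the section heading earlier in the file is "Require Multi-Factor Authentication"; use the same capitalization.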

@@ -162,7 +162,7 @@ The following client apps support this setting:
162162
163163
Apps for the app protection policy support the Intune mobile application management feature with policy protection.
164164

165-
The following requirements are part of the **Require app protection policy** control:
165+
The control:
166166

167167
- Only supports iOS and Android for device platform condition.
168168
- Requires a broker app to register the device. On iOS, the broker app is Microsoft Authenticator. On Android, the broker app is Intune Company Portal.
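Review bot: Added line 165 shortens the list lead-in to "The control:", which no longer says which grant control the platform and broker-app requirements belong to; the nearest preceding sentence is about apps, not a control. Keep the name, for example "The **Require app protection policy** control:", so the iOS/Android and broker requirements stay attributable when the list is read on its own.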
@@ -171,7 +171,7 @@ See [Require app protection policy and an approved client app for cloud app acce
171171

172172
### Require password change
173173

174-
When user risk is detected, administrators can employ the user risk policy conditions to have the user securely change a password with Azure AD self-service password reset. Users can perform a self-service password reset to self-remediate. This process will close the user risk event to prevent unnecessary alerts for administrators.
174+
When user risk is detected, administrators can employ the user risk policy conditions to have the user securely change a password by using Azure AD self-service password reset. Users can perform a self-service password reset to self-remediate. This process will close the user risk event to prevent unnecessary alerts for administrators.
175175

176176
When a user is prompted to change a password, they'll first be required to complete Multi-Factor Authentication. Make sure all users have registered for Multi-Factor Authentication, so they're prepared in case risk is detected for their account.
177177
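Review bot: Added line 174 still states the same step twice: "have the user securely change a password by using Azure AD self-service password reset" is followed directly by "Users can perform a self-service password reset to self-remediate". Merge the two sentences into one, and consider present tense for "This process will close the user risk event" ("closes") while this line is being edited.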

@@ -190,7 +190,7 @@ If your organization has created terms of use, other options might be visible un
190190

191191
### Custom controls (preview)
192192

193-
Custom controls is a preview capability of the Azure Active Directory. When using custom controls, your users are redirected to a compatible service to satisfy authentication requirements outside of Azure Active Directory. For more information, check out the [Custom controls](controls.md) article.
193+
Custom controls is a preview capability of Azure AD. When using custom controls, your users are redirected to a compatible service to satisfy authentication requirements that are separate from Azure AD. For more information, check out the [Custom controls](controls.md) article.
194194

195195
## Next steps
196196
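Review bot: The rewording on added line 193 changes the meaning: "authentication requirements that are separate from Azure AD" attaches "separate" to the requirements, whereas the removed text said the requirements are satisfied outside of Azure Active Directory, at the service the user is redirected to. For a grant control that hands the user to another service, that distinction should stay explicit; suggest "redirected to a compatible service to satisfy authentication requirements outside Azure AD".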
