How Multiple Conditional Access Policies Are Applied

Friday morning and I’m on the train heading for our beautiful capital of Sweden. Last workday before a well-deserved weekend, I think.

In my last post I presented my Conditional Access Policy Design Baseline which demonstrates a good approach and a starting point when building a Conditional Access implementation.

https://danielchronlund.com/2018/11/21/azure-ad-conditional-access-policy-design-baseline/

I get a lot of questions on how Conditional Access policies are applied and what happens when multiple policies overlap and conflict with each other. So here we go…

Conditions vs Grant Controls

First of all, it’s important to understand the difference between Conditions and Grant Controls.

Conditions are checked when the authentication occurs, and if all of them are true the policy matches. Grant Controls are the requirements that must be true for, or performed by, the user and the device after the policy has matched and before the user is let into the cloud app.

I sometimes see people trying to use a Grant Control like Require Compliant Device as a Condition, but it’s not the same thing. It doesn’t work like that.

Conditions:

[Screenshot: CA3]

Grant Controls:

[Screenshot: CA4]

In What Order Are Conditional Access Policies Applied?

CA policies aren’t actually applied in any particular order. All matching policies apply and will be merged!

Grant vs Block

If both grant and block policies match, block will always win. No exceptions!

How Multiple Grant Controls Are Handled

If multiple grant policies match and they have different Grant Controls, like Require MFA, Require Compliant Device or Require Azure AD Joined, the requirements will actually be merged, and all the Grant Controls from all matching policies have to be fulfilled.

The same is true for Session Controls from different policies.

We use the Conditional Access What If tool in the following examples to demonstrate what happens.

In the first example we connect from an Azure AD joined Windows device. We also connect from the user’s office, which is a trusted location, and because of that we match two of our defined CA policies. The first policy has two Grant Controls, which require us to use an approved client app and to accept the terms of use. The second policy requires us to use a domain joined device. When all Grant Controls from both policies are met, the user will be let in.

[Screenshot: CA5]

In this second example we connect from the Internet instead (an untrusted IP address). Because of that, a third policy matches according to our design. This third policy requires the user to authenticate with MFA if untrusted location is true.

[Screenshot: CA6]

In reality all three of these policies will be merged into one when it comes to Grant Controls, and the user has to use an approved client app, accept the terms of use, use a domain joined device and authenticate with MFA. All of them!

Because we configure our policies to match in different scenarios like this, we can simplify our Conditional Access design by leveraging the merging process that occurs when multiple policies match.
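The merge rules above (every matching policy applies, block always wins, Grant Controls from all matching policies are combined) can be modelled in a few lines. This is an added example, not code from this post or from Microsoft, and it is a simplified model rather than the real evaluation engine: the policy names, condition keys and sign-in attributes are constructed, and each policy is assumed to require all of its own Grant Controls.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    conditions: dict            # attribute -> required value; all must match
    grant_controls: frozenset = frozenset()
    block: bool = False

# Constructed policies modelled on the two What If examples (hypothetical names).
POLICIES = [
    Policy("Approved app + terms of use", {"platform": "windows"},
           frozenset({"approved_client_app", "terms_of_use"})),
    Policy("Domain joined device", {"platform": "windows"},
           frozenset({"domain_joined_device"})),
    Policy("MFA from untrusted location", {"trusted_location": False},
           frozenset({"mfa"})),
    Policy("Block unsupported clients", {"client_app": "other"}, block=True),
]

# Constructed sign-ins: office (trusted), Internet (untrusted), legacy client.
OFFICE = {"platform": "windows", "trusted_location": True, "client_app": "browser"}
INTERNET = {"platform": "windows", "trusted_location": False, "client_app": "browser"}
LEGACY = {"platform": "windows", "trusted_location": False, "client_app": "other"}

def matches(policy, sign_in):
    """Conditions only decide whether a policy applies to this sign-in."""
    return all(sign_in.get(k) == v for k, v in policy.conditions.items())

def what_if(sign_in, policies=POLICIES):
    """Return (decision, merged Grant Controls, matched policy names)."""
    matched = [p for p in policies if matches(p, sign_in)]
    names = [p.name for p in matched]
    if any(p.block for p in matched):      # block wins over any grant policy
        return "block", frozenset(), names
    # No ordering: the union of all matched policies' controls is required.
    required = frozenset().union(*(p.grant_controls for p in matched))
    return "grant", required, names

def is_let_in(sign_in, satisfied, policies=POLICIES):
    """True only if nothing blocks and every merged control is satisfied."""
    decision, required, _ = what_if(sign_in, policies)
    return decision == "grant" and required <= set(satisfied)

if __name__ == "__main__":
    for label, s in (("office", OFFICE), ("internet", INTERNET), ("legacy", LEGACY)):
        decision, required, names = what_if(s)
        print(label, decision, sorted(required), names)
```

Because Grant Controls are evaluated after the match, a device that fails a control is denied by the matched policy; it does not fall through to a different policy.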

I hope this clears things up a bit, and please follow me here, on Twitter and on LinkedIn.

@DanielChronlund

2 thoughts on “How Multiple Conditional Access Policies Are Applied”

  1. You have Other Clients and EAS checked and blocked to block unsupported clients. I thought MS did not support combining EAS with any other apps or conditions. Please clarify.

  2. Hi Carolyn and thanks for the comment! The block unsupported clients policy is just blocking the unsupported protocols when authenticating to Azure AD. You can run it through the What-If tool in CA as a proof of concept. I’m not sure why this design would be unsupported by Microsoft. Please share the source for this if there is one.
