Conditional Access in Entra ID enables policy-based decisions regarding access to resources, that is, when and when not to grant a user access to a resource. Each Conditional Access policy consists of one or more assignments and access controls.
Assignments
The assignments of a policy include resources and conditions. The resources can be users, groups, directory roles, applications or service principals defined in Entra ID. The conditions can limit the policy to only apply when requests originate from specific networks or geographic locations or from specific client applications or devices.
Access Controls
The access controls of a policy include grant controls and session controls. The grant controls can grant or block access to resources. The session controls can modify session behavior such as limiting session duration.
Applied policies
The following policies are applied to the utexas tenant in Azure Active Directory.
Exceptions
Microsoft Surface Hub devices are not compatible with Conditional Access Policies and are unable to authenticate unless they are manually excluded from every policy per https://docs.microsoft.com/en-us/surface-hub/create-and-test-a-device-account-surface-hub.
Exclusion Group: 99a683be-a6a4-45d0-9bff-555a0f6d319c / Surface.Hub.Conditional.Access.Bypass.Group@austin.utexas.edu.
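One way to audit the exclusion requirement described above, as an added example that is not part of the original page: the Python below scans a policy export shaped like Microsoft Graph `conditionalAccessPolicy` objects and lists every policy whose user assignment does not exclude the Surface Hub group. The sample policies and their names are constructed; only the group ID comes from this page.

```python
import json

# Exclusion group object ID as given on this page.
SURFACE_HUB_GROUP = "99a683be-a6a4-45d0-9bff-555a0f6d319c"

# Constructed sample, shaped like the "value" array that Microsoft Graph returns
# for GET /identity/conditionalAccess/policies. Names are made up.
SAMPLE_EXPORT = json.loads("""
[
  {"displayName": "Sample - require MFA", "state": "enabled",
   "conditions": {"users": {"includeUsers": ["All"],
                            "excludeGroups": ["99A683BE-A6A4-45D0-9BFF-555A0F6D319C"]}},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
   "sessionControls": null},
  {"displayName": "Sample - block by location", "state": "enabled",
   "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": []},
                  "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}},
   "grantControls": {"operator": "OR", "builtInControls": ["block"]},
   "sessionControls": null},
  {"displayName": "Sample - sign-in frequency", "state": "enabledForReportingButNotEnforced",
   "conditions": {"users": {"includeUsers": ["All"]}},
   "grantControls": null,
   "sessionControls": {"signInFrequency": {"isEnabled": true, "value": 12, "type": "hours"}}},
  {"displayName": "Sample - retired", "state": "disabled",
   "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": []}},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
   "sessionControls": null}
]
""")

def policies_missing_exclusion(policies, group_id=SURFACE_HUB_GROUP):
    """Return (displayName, state, enforced) for each policy whose user
    assignment does not exclude group_id. GUIDs compare case-insensitively."""
    wanted = group_id.lower()
    findings = []
    for policy in policies:
        users = (policy.get("conditions") or {}).get("users") or {}
        excluded = {g.lower() for g in users.get("excludeGroups") or []}
        if wanted not in excluded:
            state = policy.get("state", "unknown")
            # Only "enabled" policies can actually block a sign-in today.
            findings.append((policy.get("displayName"), state, state == "enabled"))
    return findings

if __name__ == "__main__":
    for name, state, enforced in policies_missing_exclusion(SAMPLE_EXPORT):
        print(f"{'FIX NOW' if enforced else 'review '}  {name}  [{state}]")
```

Policies in the report-only or disabled state are still listed, because they would start blocking Surface Hub sign-ins as soon as they are switched to enabled.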
Reference
https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview