I'm trying to wrap my head around some conditional access policies at my company that I didn't set up. There's one that blocks all users from accessing Office 365, except for a Remote group and a couple of specific named locations. However, I can't find any allow rule that directly references that Remote group. So, do members of that group get access by default because they were excluded from the block? If that's the case, are there any conditions like needing MFA or only allowing compliant or hybrid devices for those users?
Also, what happens if there's another policy that allows access to all apps as long as MFA is enforced, alongside a policy that requires both MFA and a hybrid device? If someone tries to log in with a non-hybrid device, are they still allowed access because of the other policy?
Lastly, if a rule blocks all non-US connections, do I need to specify US locations in every allow rule? I'm trying to get a clear understanding of the policies and where they might overlap or have gaps.
3 Answers
Conditional access policies don't have an implicit deny. If there are no policies that match, access is granted automatically. You might find some helpful tools to evaluate your setup, like the official Microsoft zero trust assessment tools. Check them out to understand the flow better!
Yeah, conditional access can get really complicated, especially when you don’t create the policies yourself. Just remember, there's no true 'allow' rule when someone is excluded from a block. It just means they’re not blocked, but they can still be affected by requirements from other policies. If you block non-US access, there's no need to specify allow rules for US locations, but make sure your trusted locations settings are correct. The 'What If' feature is super useful for visualizing how everything works!
You can use the 'What If' tool in the Entra portal to test out different scenarios. It helps clarify how the policies would apply, even though it can be a bit tricky to navigate. Just to note, if someone is excluded from a block policy, it doesn't automatically mean they get free access; other policies like MFA can still apply!
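To make the evaluation rules the three answers describe concrete, here is an added example (my own code, not from this thread and not Microsoft's implementation) that models a simplified Conditional Access evaluator over the exact situations in the question. It assumes the documented combination semantics: there is no implicit deny, every policy whose assignments match the sign-in is enforced, a matching block wins, and otherwise the grant controls of every matching policy must be satisfied. Policy names, group names ("Remote"), named locations ("HQ", "Branch", "US", "DE") and the sign-ins are all constructed; control names mirror the Graph API `builtInControls` values. Real evaluation has further conditions (device platform, client app, risk, session controls) that this model leaves out, so the What If tool remains the authoritative check.

```python
# Simplified model of Entra Conditional Access policy combination (added example, assumed semantics):
#  - no policy matches            -> access granted (no implicit deny)
#  - any matching policy blocks   -> blocked
#  - otherwise every matching policy's grant controls must be satisfied
from dataclasses import dataclass

ANY = "Any"  # stands for "All users" / "All cloud apps" / "Any location"


@dataclass
class SignIn:
    user: str
    groups: frozenset              # group memberships of the user
    app: str
    locations: frozenset           # named locations this sign-in falls into (country, office IP range, ...)
    mfa: bool = False              # MFA already satisfied in this session
    domainJoinedDevice: bool = False   # hybrid Entra-joined device
    compliantDevice: bool = False      # Intune-compliant device


@dataclass
class Policy:
    name: str
    users: frozenset = frozenset({ANY})            # included users/groups
    users_excluded: frozenset = frozenset()
    apps: frozenset = frozenset({ANY})
    locations: frozenset = frozenset({ANY})
    locations_excluded: frozenset = frozenset()
    controls: frozenset = frozenset()              # e.g. {"mfa"}, {"block"}; names mirror Graph builtInControls
    operator: str = "AND"                          # how the controls inside this one policy combine


def _matches(pol: Policy, s: SignIn) -> bool:
    """Assignment check: excluded users/locations never match, included ones must."""
    principals = {s.user} | s.groups
    user_in = ANY in pol.users or bool(pol.users & principals)
    user_out = bool(pol.users_excluded & principals)
    app_in = ANY in pol.apps or s.app in pol.apps
    loc_in = ANY in pol.locations or bool(pol.locations & s.locations)
    loc_out = bool(pol.locations_excluded & s.locations)
    return user_in and not user_out and app_in and loc_in and not loc_out


def _satisfied(pol: Policy, s: SignIn) -> bool:
    """Grant-control check for a single policy (AND = all required, OR = any one)."""
    have = {c for c in ("mfa", "domainJoinedDevice", "compliantDevice") if getattr(s, c)}
    if pol.operator == "OR":
        return bool(pol.controls & have)
    return pol.controls <= have


def evaluate(policies, s: SignIn):
    """Return (outcome, policy names). Outcome is 'granted', 'blocked', or 'unsatisfied'
    (the sign-in is interrupted until the listed policies' controls are met)."""
    applied = [p for p in policies if _matches(p, s)]
    if not applied:
        return "granted", []                       # no implicit deny
    blocking = [p.name for p in applied if "block" in p.controls]
    if blocking:
        return "blocked", blocking                 # block overrides every grant
    unmet = [p.name for p in applied if not _satisfied(p, s)]
    if unmet:
        return "unsatisfied", unmet                # all matching policies must be satisfied
    return "granted", [p.name for p in applied]


# Constructed policies mirroring the three situations in the question.
BLOCK_O365 = Policy("Block O365 except Remote group and office locations",
                    apps=frozenset({"Office 365"}),
                    users_excluded=frozenset({"Remote"}),
                    locations_excluded=frozenset({"HQ", "Branch"}),
                    controls=frozenset({"block"}))
MFA_ALL = Policy("Require MFA for all apps", controls=frozenset({"mfa"}))
MFA_HYBRID = Policy("Require MFA and hybrid-joined device",
                    controls=frozenset({"mfa", "domainJoinedDevice"}))
BLOCK_NON_US = Policy("Block non-US", locations_excluded=frozenset({"US"}),
                      controls=frozenset({"block"}))


def scenario_remote_user_only_block_policy():
    # Excluded from the block and nothing else matches: granted with no controls at all.
    s = SignIn("alice", frozenset({"Remote"}), "Office 365", frozenset({"DE"}))
    return evaluate([BLOCK_O365], s)


def scenario_remote_user_with_mfa_policy():
    # Exclusion from the block is not an allow: the MFA policy still applies.
    s = SignIn("alice", frozenset({"Remote"}), "Office 365", frozenset({"DE"}))
    return evaluate([BLOCK_O365, MFA_ALL], s)


def scenario_non_hybrid_device_with_mfa():
    # The MFA-only policy is satisfied, but the MFA+hybrid policy is not, so access is not granted.
    s = SignIn("bob", frozenset(), "Exchange Online", frozenset({"US"}), mfa=True)
    return evaluate([MFA_ALL, MFA_HYBRID], s)


def scenario_us_signin_needs_no_allow_rule():
    # The non-US block simply does not match a US sign-in; no allow rule is needed.
    s = SignIn("bob", frozenset(), "Exchange Online", frozenset({"US"}), mfa=True)
    return evaluate([BLOCK_NON_US, MFA_ALL], s)


if __name__ == "__main__":
    for fn in (scenario_remote_user_only_block_policy, scenario_remote_user_with_mfa_policy,
               scenario_non_hybrid_device_with_mfa, scenario_us_signin_needs_no_allow_rule):
        print(f"{fn.__name__}: {fn()}")
```

The third scenario is the one that usually surprises people: a policy that only requires MFA does not "rescue" a sign-in that fails a stricter policy, because each matching policy is checked independently and all of them must pass. Any device, platform or location gap you want to close therefore needs a policy whose assignments actually match that sign-in, which is what the What If tool lets you confirm.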