Conditional Access policies changed client app condition setting - we didn't do it

MHDenmark 1 Reputation point
2020-08-07T12:08:41.787+00:00

We have x number of conditional access policies. Yesterday we found that all of them had been configured with the 'Client apps (Preview)' condition. The following configurations were made: 'Browser', 'Mobile apps and desktop clients: Modern authentication clients'.
The reason we found out was that compromised users with a high risk flag still had successful sign-ins, even though they should have been stopped by our conditional policy for high risk users. But because 'Other clients' was not configured, the compromised accounts had free passage with basic auth protocols - in this case authenticated SMTP.
I found the same Client app setting on all of our policies. Not good.

I did some digging around and found the following article: https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-conditions#client-apps. In the Client apps (preview) section I can see that Microsoft - at some point - has decided that it is no longer an on/off toggle for the client app setting, but that the setting would default to Browser and modern auth, BUT not for existing policies - as I read it.

However, my suspicion, since we have not activated this setting for any of our policies, is that other changes we have made have provoked the activation of the client app setting and set the default values.

Anyone found the same or can provide insight into this?
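Added example (not part of the question or any answer): a small audit over the JSON returned by the Microsoft Graph endpoint `GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies`, flagging enabled policies whose `clientAppTypes` condition includes neither `all` nor `other`, which is exactly the gap described above (browser and modern-auth clients covered, legacy protocols such as authenticated SMTP not). The response below is a constructed sample shaped like that endpoint's output; the policy names are made up.

```python
import json

# Constructed sample shaped like the Graph response for
# GET /identity/conditionalAccess/policies (policy names are invented)
SAMPLE_RESPONSE = json.dumps({"value": [
    {"displayName": "Block high-risk sign-ins", "state": "enabled",
     "conditions": {"clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
                    "signInRiskLevels": ["high"]},
     "grantControls": {"builtInControls": ["block"]}},
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"clientAppTypes": ["all"], "signInRiskLevels": []},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Old browser-only test", "state": "disabled",
     "conditions": {"clientAppTypes": ["browser"], "signInRiskLevels": []},
     "grantControls": {"builtInControls": ["block"]}},
]})

# clientAppTypes values that keep legacy-auth ("Other clients") traffic in scope;
# "browser", "mobileAppsAndDesktopClients" and "exchangeActiveSync" do not
LEGACY_AUTH_COVERED = {"all", "other"}


def legacy_auth_gaps(response_json):
    """Return enabled policies whose client app condition excludes legacy auth.

    Each entry is (displayName, sorted clientAppTypes, signInRiskLevels), so a
    risk-based policy like the one in the question is easy to spot.
    """
    gaps = []
    for policy in json.loads(response_json).get("value", []):
        if policy.get("state") != "enabled":
            continue  # disabled or report-only policies enforce nothing
        conditions = policy.get("conditions") or {}
        types = set(conditions.get("clientAppTypes") or [])
        if types & LEGACY_AUTH_COVERED:
            continue  # "all" or "other" keeps basic-auth protocols in scope
        # An empty list is also reported so it gets reviewed by hand
        gaps.append((policy["displayName"], sorted(types),
                     list(conditions.get("signInRiskLevels") or [])))
    return gaps


if __name__ == "__main__":
    for name, types, risk in legacy_auth_gaps(SAMPLE_RESPONSE):
        tag = " [risk-based policy]" if risk else ""
        print(f"{name}: clientAppTypes={types} does not cover legacy auth{tag}")
```

Feed it the real response body (saved to a file, or fetched with a token holding `Policy.Read.All`) in place of `SAMPLE_RESPONSE` to audit a tenant; any flagged risk-based policy is one that legacy-auth sign-ins bypass.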
