testuser7-8288 asked:

conditional policy relaxation for a client-app

My OAuth client app is sending an /authorize call to AAD with openid in the SCOPE.

I have a conditional policy that says that access to any and ALL cloud resources MUST be from a COMPLIANT DEVICE.

I want to relax this policy only for this one and only client application, so that the client app (web app) can be hit from my personal device's browser.

Can I do that?


Thanks.

azure-active-directory

1 Answer

amanpreetsingh-msft answered:

Hi @testuser7-8288, thank you for reaching out.

There is no such condition available in Conditional Access policy to exclude browser sessions from a specific device. The best you can do is create a named location (Azure AD > Security > Named locations) with your public IP address (with /32 CIDR) and exclude that location from your conditional access policy.

[screenshot attached by the answerer: image.png]


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


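The configuration the answer describes, as an added example that is not part of the original thread: a single-address (/32) named location created through Microsoft Graph PowerShell and referenced from the location exclusions of a "require compliant device for all cloud apps" policy. The IP address, display names and the report-only state are assumptions; as the later comments note, this only helps when the excluded client has a static public IP, so the policy is created in report-only mode and its effect can be checked in the sign-in logs before enforcing it.

```powershell
# Added example: /32 named location excluded from a compliant-device CA policy.
# Assumes the Microsoft.Graph PowerShell SDK and an account holding
# Policy.ReadWrite.ConditionalAccess. All names and the IP below are placeholders.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

$myPublicIp = "203.0.113.10"   # placeholder (TEST-NET-3): the single static public IP to exclude

# 1. Named location covering exactly one address. isTrusted stays $false because the
#    location is used only as an exclusion, not as a "trusted network" for MFA purposes.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Single-IP exclusion (/32) - placeholder"
    isTrusted     = $false
    ipRanges      = @(
        @{
            "@odata.type" = "#microsoft.graph.iPv4CidrRange"
            cidrAddress   = "$myPublicIp/32"
        }
    )
}

# 2. The policy from the question: all users, all cloud apps, require a compliant device,
#    except when the request comes from the named location above. Report-only first, so the
#    sign-in logs show what it would have blocked before anything is enforced.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Require compliant device - all cloud apps (exclude single IP) - placeholder"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All") }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        locations      = @{
            includeLocations = @("All")
            excludeLocations = @($location.Id)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")
    }
}

"Named location $($location.Id) is excluded from policy $($policy.Id) (report-only)"
```

Switch `state` to `enabled` only after the report-only results confirm that no other sign-ins land in the exclusion; a /32 exclusion relaxes the compliant-device requirement for every identity behind that address, not just the one client app.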

Thanks @amanpreetsingh-msft

I agree. It is NOT simple, as the whole CA policy is around cloud resources.

Not sure how Named Location can help.
Every user is using his personal device from home and sending an /authorize call to AAD with openid in the SCOPE.
Every user will get a public IP from the ISP (like AT&T).

Users are not in the corporate office where I can have a fixed set of public IP addresses.

Am I correct in my understanding of "Named Location"?

@testuser7-8288 Yes, your understanding is correct.

Thanks @amanpreetsingh-msft

I am actually thinking of an innovative idea using the recently introduced device filter.
Will keep you posted once I validate it.

I have one other interesting point to confirm.
Let me open a new thread. I would appreciate it if you could look into it.

Thanks.
