Azure Active Directory conditional access settings reference
You can use Azure Active Directory (Azure AD) conditional access to control how authorized users can access your resources.
This article provides you with support information for the following configuration options in a conditional access policy:
- Cloud applications assignments
- Device platform condition
- Client applications condition
- Approved client application requirement
If this is not the information you are looking for, please leave a comment at the end of this article.
Cloud apps assignments
With conditional access policies, you control how your users access your cloud apps. When you configure a conditional access policy, you need to select at least one cloud app.
Microsoft cloud applications
You can assign a conditional access policy to the following cloud apps from Microsoft:
- Azure Information Protection
- Microsoft Dynamics 365
- Microsoft Office 365 Yammer
- Microsoft Office 365 Exchange Online
- Microsoft Office 365 SharePoint Online (includes OneDrive for Business and Project Online)
- Microsoft Power BI
- Microsoft Visual Studio Team Services
In addition to the Microsoft cloud apps, you can assign a conditional access policy to the following types of cloud apps:
- Azure AD-connected applications
- Pre-integrated federated software as a service (SaaS) applications
- Applications that use password single sign-on (SSO)
- Applications that use Azure AD Application Proxy
Device platform condition
In a conditional access policy, you can configure the device platform condition to tie the policy to the operating system on a client. Azure AD conditional access supports the following device platforms:
Client apps condition
In your conditional access policy, you can configure the client apps condition to tie the policy to the client app that has initiated an access attempt. Set the client apps condition to grant or block access when an access attempt is made from the following types of client apps:
- Mobile apps and desktop apps
In your conditional access policy, you can select Browsers as the client app.
This setting works with all browsers. However, to satisfy a device policy, such as a compliant device requirement, only the following operating system and browser combinations are supported:
| Operating system | Browsers | Notes |
|---|---|---|
| Windows 10 | Internet Explorer, Edge, Chrome | |
| Windows 8 / 8.1 | Internet Explorer, Chrome | |
| Windows 7 | Internet Explorer, Chrome | |
| iOS | Safari, Intune Managed Browser | |
| Android | Chrome, Intune Managed Browser | |
| Windows Phone | Internet Explorer, Edge | |
| Windows Server 2016 | Internet Explorer, Edge | |
| Windows Server 2016 | Chrome | Coming soon |
| Windows Server 2012 R2 | Internet Explorer, Chrome | |
| Windows Server 2008 R2 | Internet Explorer, Chrome | |
For Chrome support, you must use Windows 10 Creators Update (version 1703) or later.
You can install this extension.
These browsers support device authentication, allowing the device to be identified and validated against a policy. The device check fails if the browser is running in private mode.
Supported mobile applications and desktop clients
In your conditional access policy, you can select Mobile apps and desktop clients as the client app.
This setting has an impact on access attempts made from the following mobile apps and desktop clients:
| Client apps | Target service | Platform |
|---|---|---|
| Azure Remote app | Azure Remote App service | Windows 10, Windows 8.1, Windows 7, iOS, Android, and Mac OS X |
| Dynamics CRM app | Dynamics CRM | Windows 10, Windows 8.1, Windows 7, iOS, and Android |
| Mail/Calendar/People app, Outlook 2016, Outlook 2013 (with modern authentication) | Office 365 Exchange Online | Windows 10 |
| MFA and location policy for apps. Device-based policies are not supported. | Any My Apps app service | Android and iOS |
| Microsoft Teams Services - this controls all services that support Microsoft Teams and all its client apps - Windows Desktop, iOS, Android, WP, and web client | Microsoft Teams | Windows 10, Windows 8.1, Windows 7, iOS, Android, and macOS |
| Office 2016 apps, Office 2013 (with modern authentication), OneDrive sync client (see notes) | Office 365 SharePoint Online | Windows 8.1, Windows 7 |
| Office 2016 apps, Universal Office apps, Office 2013 (with modern authentication), OneDrive sync client (see notes). Office Groups support and SharePoint app support are planned for the future. | Office 365 SharePoint Online | Windows 10 |
| Office 2016 for macOS (Word, Excel, PowerPoint, OneNote only). OneDrive for Business support is planned for the future. | Office 365 SharePoint Online | Mac OS X |
| Office mobile apps | Office 365 SharePoint Online | Android, iOS |
| Office Yammer app | Office 365 Yammer | Windows 10, iOS, Android |
| Outlook 2016 (Office for macOS) | Office 365 Exchange Online | Mac OS X |
| Outlook 2016, Outlook 2013 (with modern authentication), Skype for Business (with modern authentication) | Office 365 Exchange Online | Windows 8.1, Windows 7 |
| Outlook mobile app | Office 365 Exchange Online | Android, iOS |
| Power BI app. The Power BI app for Android does not currently support device-based conditional access. | Power BI service | Windows 10, Windows 8.1, Windows 7, and iOS |
| Skype for Business | Office 365 Exchange Online | Android, iOS |
| Visual Studio Team Services app | Visual Studio Team Services | Windows 10, Windows 8.1, Windows 7, iOS, and Android |
Approved client app requirement
In your conditional access policy, you can require that an access attempt to the selected cloud apps needs to be made from an approved client app.
This setting applies to the following client apps:
- Microsoft Azure Information Protection
- Microsoft Excel
- Microsoft OneDrive
- Microsoft OneNote
- Microsoft Outlook
- Microsoft Planner
- Microsoft PowerPoint
- Microsoft SharePoint
- Microsoft Skype for Business
- Microsoft Teams
- Microsoft Visio
- Microsoft Word
The approved client apps support the Intune mobile application management feature.
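The following is an added example, not part of this article or of any Microsoft code, that ties the options above together: it builds a conditional access policy as a JSON-style object and checks it against the constraints this reference states (at least one cloud app must be selected; a device policy can only be satisfied from a browser on the operating system and browser pairs in the Browsers table, and never in private mode; the approved client apps are the Intune-managed mobile apps listed in this section). The field names and enum values (`clientAppTypes`, `builtInControls`, platform names) are an assumption that follows the Microsoft Graph `conditionalAccessPolicy` resource, which the article itself does not cover; the check for the approved client app requirement assumes it is only meaningful when Android or iOS is in scope, which is inferred from the app list above rather than stated by the article.

```python
"""Build and sanity-check an Azure AD conditional access policy.

Added example (not from the article). The policy shape and enum values are an
assumption modelled on the Microsoft Graph conditionalAccessPolicy resource.
"""
from __future__ import annotations

import json

# Client app types and grant controls, as named in the Graph API (assumption).
CLIENT_APP_BROWSER = "browser"
CLIENT_APP_MOBILE_DESKTOP = "mobileAppsAndDesktopClients"
CONTROL_MFA = "mfa"
CONTROL_COMPLIANT_DEVICE = "compliantDevice"
CONTROL_APPROVED_APP = "approvedApplication"

# OS / browser pairs that can satisfy a device policy from a browser,
# transcribed from the Browsers table in this article. "Coming soon" rows
# are deliberately left out because they are not supported yet.
DEVICE_POLICY_BROWSERS: dict[str, set[str]] = {
    "Windows 10": {"Internet Explorer", "Edge", "Chrome"},
    "Windows 8 / 8.1": {"Internet Explorer", "Chrome"},
    "Windows 7": {"Internet Explorer", "Chrome"},
    "iOS": {"Safari", "Intune Managed Browser"},
    "Android": {"Chrome", "Intune Managed Browser"},
    "Windows Phone": {"Internet Explorer", "Edge"},
    "Windows Server 2016": {"Internet Explorer", "Edge"},
    "Windows Server 2012 R2": {"Internet Explorer", "Chrome"},
    "Windows Server 2008 R2": {"Internet Explorer", "Chrome"},
}


def browser_supports_device_policy(os_name: str, browser: str, private_mode: bool = False) -> bool:
    """True if a browser sign-in on this OS can pass a device-based grant control.

    The article states the device check fails in private browsing mode, so
    that short-circuits regardless of the OS/browser pair.
    """
    if private_mode:
        return False
    return browser in DEVICE_POLICY_BROWSERS.get(os_name, set())


def build_policy(name: str, cloud_app_ids: list[str], client_app_types: list[str],
                 grant_controls: list[str], platforms: list[str] | None = None,
                 operator: str = "OR") -> dict:
    """Assemble a policy object covering the four options discussed in the article."""
    return {
        "displayName": name,
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": list(cloud_app_ids)},  # cloud apps assignment
            "platforms": {"includePlatforms": list(platforms or ["all"])},  # device platform condition
            "clientAppTypes": list(client_app_types),                         # client apps condition
        },
        "grantControls": {"operator": operator, "builtInControls": list(grant_controls)},
    }


def validate_policy(policy: dict) -> list[str]:
    """Return human-readable findings for configurations the article says will not work."""
    findings: list[str] = []
    conditions = policy["conditions"]
    if not conditions["applications"].get("includeApplications"):
        findings.append("a conditional access policy must select at least one cloud app")

    controls = set(policy.get("grantControls", {}).get("builtInControls", []))
    platforms = set(conditions.get("platforms", {}).get("includePlatforms", []))
    mobile_in_scope = bool(platforms & {"all", "android", "iOS"})
    # Inferred from the approved app list (Intune-managed mobile apps): without
    # Android or iOS in scope the approved client app grant has nothing to apply to.
    if CONTROL_APPROVED_APP in controls and not mobile_in_scope:
        findings.append("approved client app requirement targets mobile apps, but no mobile platform is in scope")

    if CONTROL_COMPLIANT_DEVICE in controls and conditions.get("clientAppTypes") == [CLIENT_APP_BROWSER]:
        findings.append("device policy applies to browser sign-ins only; it can be satisfied only on the "
                        "supported OS/browser pairs and fails in private browsing mode")
    return findings


if __name__ == "__main__":
    # Constructed sample: a placeholder app id stands in for a real cloud app.
    policy = build_policy("Require approved app for mobile", ["<cloud-app-id>"],
                          [CLIENT_APP_MOBILE_DESKTOP], [CONTROL_APPROVED_APP], ["android", "iOS"])
    print(json.dumps(policy, indent=2))
    print("findings:", validate_policy(policy))
```

The validator is a pre-flight check for the constraints this page documents, not a substitute for the service's own evaluation; the private-mode rule in particular can only be enforced at sign-in time, which is why the example reports it as a caveat rather than trying to detect it.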
The Require approved client app requirement:
- For an overview of conditional access, see conditional access in Azure Active Directory.
- If you are ready to configure conditional access policies in your environment, see the recommended practices for conditional access in Azure Active Directory.