Azure Active Directory conditional access technical reference
You can use Azure Active Directory (Azure AD) conditional access to fine-tune how authorized users can access your resources.
This topic provides support information for the following configuration options for a conditional access policy:
Cloud applications assignments
Device platform condition
Client applications condition
Approved client application requirement
Cloud apps assignments
When you configure a conditional access policy, you need to select the cloud apps that use your policy.
Microsoft cloud applications
You can assign a conditional access policy to the following cloud apps from Microsoft:
Microsoft Dynamics 365
Microsoft Office 365 Yammer
Microsoft Office 365 Exchange Online
Microsoft Office 365 SharePoint Online (includes OneDrive for Business)
Microsoft Power BI
Microsoft Visual Studio Team Services
In addition to the Microsoft cloud apps, you can assign a conditional access policy to the following types of cloud apps:
Azure AD-connected applications
Pre-integrated federated software as a service (SaaS) applications
Applications that use password single sign-on (SSO)
Applications that use Azure AD Application Proxy
Device platform condition
In a conditional access policy, you can configure the device platform condition to tie the policy to the operating system on a client.
Azure AD conditional access supports the following device platforms:
Client apps condition
When you configure a conditional access policy, you can select client apps for the client apps condition. Set the client apps condition to grant or block access when an access attempt is made from the following types of client apps:
- Browser
- Mobile apps and desktop apps
A policy applies only to the client app types you select. A policy scoped to mobile apps and desktop clients does not apply to browser sign-ins to the same cloud app, so each type that should be governed has to be covered by a policy.
Supported browsers
Control browser access by using the Browser option in your conditional access policy. Access is granted only when the access attempt is made by a supported browser. When an access attempt is made by an unsupported browser, the attempt is blocked.
In your conditional access policy, the following browsers are supported:
| OS | Browsers |
|---|---|
| Windows 10 | Internet Explorer, Edge |
| Windows 8 / 8.1 | Internet Explorer, Chrome |
| Windows 7 | Internet Explorer, Chrome |
| iOS | Safari, Intune Managed Browser |
| Android | Chrome, Intune Managed Browser |
| Windows Phone | Internet Explorer, Edge |
| Windows Server 2016 | Internet Explorer, Edge |
| Windows Server 2016 | Chrome (coming soon) |
| Windows Server 2012 R2 | Internet Explorer, Chrome |
| Windows Server 2008 R2 | Internet Explorer, Chrome |
For Chrome support on Windows 10, you must use Windows 10 Creators Update (version 1703) or later and install this extension.
Supported mobile applications and desktop clients
Control app and client access by using the Mobile apps and desktop clients option in your conditional access policy. Access is granted only when the access attempt is made by a supported mobile app or desktop client. When an access attempt is made by an unsupported app or client, the attempt is blocked.
The following mobile apps and desktop clients support conditional access for Office 365 and other Azure AD-connected service applications:
| Client applications | Target service | Platform |
|---|---|---|
| Azure Multi-Factor Authentication and location policy for apps (device-based policies are not supported) | Any My Apps app service | Android, iOS |
| Azure RemoteApp | Azure RemoteApp service | Windows 10, Windows 8.1, Windows 7, iOS, Android, macOS |
| Dynamics 365 app | Dynamics 365 | Windows 10, Windows 8.1, Windows 7, iOS, Android |
| Microsoft Office 365 Teams (controls all services that support Microsoft Teams and all of its client apps: Windows Desktop, iOS, Android, Windows Phone, web client) | Microsoft Teams | Windows 10, Windows 8.1, Windows 7, iOS, Android |
| Mail/Calendar/People app, Outlook 2016, Outlook 2013 (with modern authentication), Skype for Business (with modern authentication) | Office 365 Exchange Online | Windows 10 |
| Outlook 2016, Outlook 2013 (with modern authentication), Skype for Business (with modern authentication) | Office 365 Exchange Online | Windows 8.1, Windows 7 |
| Outlook mobile app | Office 365 Exchange Online | iOS |
| Outlook 2016 (Office for macOS) | Office 365 Exchange Online | macOS |
| Office 2016 apps, Universal Office apps, Office 2013 (with modern authentication), OneDrive sync client, future support planned for Office Groups and SharePoint app | Office 365 SharePoint Online | Windows 10 |
| Office 2016 apps, Office 2013 (with modern authentication), OneDrive sync client | Office 365 SharePoint Online | Windows 8.1, Windows 7 |
| Office mobile apps | Office 365 SharePoint Online | iOS, Android |
| Office 2016 for macOS (support only for Word, Excel, PowerPoint, OneNote), future support planned for OneDrive for Business | Office 365 SharePoint Online | macOS |
| Office Yammer app | Office 365 Yammer | Windows 10, iOS, Android |
| PowerBI app (not currently supported on Android) | PowerBI service | Windows 10, Windows 8.1, Windows 7, iOS |
| Visual Studio Team Services app | Visual Studio Team Services | Windows 10, Windows 8.1, Windows 7, iOS, Android |
Approved client app requirement
Control client connections by using the Require approved client app option in your conditional access policy. Access is granted only when a connection attempt is made by an approved client app.
The following client apps can be used with the approved client application requirement:
Microsoft Skype for Business
The approved client apps support the Intune mobile application management feature.
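The following is an added example; it is not code from the original page or from Microsoft. It expresses a single policy that uses every option this topic covers (a cloud apps assignment, the device platform condition, the client apps condition, and the approved client app requirement) in the Microsoft Graph conditionalAccessPolicy format that the Graph API accepts, checks the enumeration values it uses, and evaluates a few constructed sign-ins against it. The evaluator is a simplified model written for this example and is not Azure AD's decision engine; the sample sign-ins, helper names and the choice of grant control are the example's own assumptions, while the two application IDs are the well-known first-party IDs of Exchange Online and SharePoint Online.

```python
"""Added example (not from the original page or from Microsoft): a conditional
access policy in the Microsoft Graph conditionalAccessPolicy shape, an
enumeration check on its values, and a simplified evaluator that shows which
sign-ins the policy's conditions bring into scope. The evaluator is a teaching
model written for this example, not Azure AD's decision engine."""
import json

# Well-known first-party application IDs of the two cloud apps targeted below.
EXCHANGE_ONLINE = "00000002-0000-0ff1-ce00-000000000000"
SHAREPOINT_ONLINE = "00000003-0000-0ff1-ce00-000000000000"

# Values accepted by the Graph policy schema for the fields used here.
CLIENT_APP_TYPES = {"all", "browser", "mobileAppsAndDesktopClients",
                    "exchangeActiveSync", "easSupported", "other"}
PLATFORMS = {"all", "android", "iOS", "windows", "windowsPhone", "macOS", "linux"}
BUILTIN_CONTROLS = {"block", "mfa", "compliantDevice", "domainJoinedDevice",
                    "approvedApplication", "compliantApplication", "passwordChange"}


def build_policy() -> dict:
    """Policy body for POST /identity/conditionalAccess/policies.

    Cloud apps: Exchange Online and SharePoint Online. Device platforms: iOS and
    Android. Client apps: mobile apps and desktop clients only. Grant control:
    require an approved client app. Browser sign-ins are out of scope here."""
    return {
        "displayName": "Mobile: require approved client app for Exchange and SharePoint",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": [EXCHANGE_ONLINE, SHAREPOINT_ONLINE]},
            "platforms": {"includePlatforms": ["iOS", "android"]},
            "clientAppTypes": ["mobileAppsAndDesktopClients"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["approvedApplication"]},
    }


def validate_policy(policy: dict) -> list:
    """Return schema problems found in the policy (an empty list means none)."""
    problems = []
    conditions = policy["conditions"]
    for value in conditions.get("clientAppTypes", []):
        if value not in CLIENT_APP_TYPES:
            problems.append(f"unknown clientAppType {value!r}")
    for value in conditions.get("platforms", {}).get("includePlatforms", []):
        if value not in PLATFORMS:
            problems.append(f"unknown platform {value!r}")
    for value in policy["grantControls"]["builtInControls"]:
        if value not in BUILTIN_CONTROLS:
            problems.append(f"unknown grant control {value!r}")
    if policy["grantControls"]["operator"] not in ("AND", "OR"):
        problems.append("operator must be AND or OR")
    return problems


def _matches(configured: list, value: str, wildcard: str) -> bool:
    """A condition that is not configured matches everything, as does its wildcard."""
    return not configured or wildcard in configured or value in configured


def policy_applies(policy: dict, signin: dict) -> bool:
    """The policy applies only when every configured condition matches the sign-in."""
    c = policy["conditions"]
    return (_matches(c.get("applications", {}).get("includeApplications", []), signin["app"], "All")
            and _matches(c.get("platforms", {}).get("includePlatforms", []), signin["platform"], "all")
            and _matches(c.get("clientAppTypes", []), signin["client_type"], "all"))


def evaluate(policy: dict, signin: dict) -> str:
    """Return 'not in scope', 'grant' or 'block' for one sign-in."""
    if not policy_applies(policy, signin):
        return "not in scope"
    grant = policy["grantControls"]
    if "block" in grant["builtInControls"]:
        return "block"
    # Each grant control is satisfied by the matching attribute of the sign-in.
    satisfied = {"mfa": signin.get("mfa", False),
                 "compliantDevice": signin.get("compliant_device", False),
                 "approvedApplication": signin.get("approved_client", False)}
    results = [satisfied.get(control, False) for control in grant["builtInControls"]]
    ok = any(results) if grant["operator"] == "OR" else all(results)
    return "grant" if ok else "block"


# Constructed sample sign-ins for the demonstration (not real sign-in logs).
SAMPLE_SIGNINS = {
    "outlook_ios": {"app": EXCHANGE_ONLINE, "platform": "iOS",
                    "client_type": "mobileAppsAndDesktopClients", "approved_client": True},
    "other_mail_app_android": {"app": EXCHANGE_ONLINE, "platform": "android",
                               "client_type": "mobileAppsAndDesktopClients", "approved_client": False},
    "safari_ios": {"app": SHAREPOINT_ONLINE, "platform": "iOS", "client_type": "browser"},
    "outlook_windows": {"app": EXCHANGE_ONLINE, "platform": "windows",
                        "client_type": "mobileAppsAndDesktopClients", "approved_client": False},
}

if __name__ == "__main__":
    policy = build_policy()
    print(json.dumps(policy, indent=2), validate_policy(policy))
    for name, signin in SAMPLE_SIGNINS.items():
        print(f"{name:24} -> {evaluate(policy, signin)}")
```

The browser sign-in from Safari on iOS comes back as not in scope: the client apps condition limits this policy to mobile apps and desktop clients, so browser access to the same cloud apps is untouched by it and needs its own policy (for example one that requires multi-factor authentication), or it is left ungoverned. The Outlook sign-in from Windows is also out of scope because the device platform condition names only iOS and Android, which is the intended effect of combining conditions: all configured conditions have to match before the grant control is enforced.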
The Require approved client app requirement:
Next steps
- For an overview of conditional access, see conditional access in Azure Active Directory.
- If you are ready to configure conditional access policies in your environment, see the recommended practices for conditional access in Azure Active Directory.