Azure Active Directory Conditional Access FAQs

Which applications work with Conditional Access policies?

For information about applications that work with Conditional Access policies, see Applications and browsers that use Conditional Access rules in Azure Active Directory.

Are Conditional Access policies enforced for B2B collaboration and guest users?

Policies are enforced for business-to-business (B2B) collaboration users. However, in some cases, a user might not be able to satisfy the policy requirements. For example, a guest user's organization might not support multi-factor authentication.

Does a SharePoint Online policy also apply to OneDrive for Business?

Yes. A SharePoint Online policy also applies to OneDrive for Business. For more information, see the article Conditional Access service dependencies, and consider targeting policies to the Office 365 app instead.

Why can’t I set a policy directly on client apps, like Word or Outlook?

A Conditional Access policy sets requirements for accessing a service. It's enforced when authentication to that service occurs. The policy is not set directly on a client application. Instead, it is applied when a client calls a service. For example, a policy set on SharePoint applies to clients calling SharePoint. A policy set on Exchange applies to Outlook. For more information, see the article Conditional Access service dependencies, and consider targeting policies to the Office 365 app instead.

Does a Conditional Access policy apply to service accounts?

Conditional Access policies apply to all user accounts. This includes user accounts that are used as service accounts. Often, a service account that runs unattended can't satisfy the requirements of a Conditional Access policy. For example, multi-factor authentication might be required. Service accounts can be excluded from a policy by using a user or group exclusion.

What is the default exclusion policy for unsupported device platforms?

Currently, Conditional Access policies are selectively enforced on users of iOS and Android devices. Applications on other device platforms are, by default, not affected by the Conditional Access policy for iOS and Android devices. A tenant admin can choose to override the global policy to disallow access to users on platforms that are not supported.

How do Conditional Access policies work for Microsoft Teams?

Microsoft Teams relies heavily on Exchange Online and SharePoint Online for core productivity scenarios, like meetings, calendars, and file sharing. Conditional Access policies that are set for these cloud apps apply to Microsoft Teams when a user signs directly into Microsoft Teams.

Microsoft Teams is also supported separately as a cloud app in Conditional Access policies. Conditional Access policies that are set for a cloud app apply to Microsoft Teams when a user signs in. However, without the correct policies on other apps like Exchange Online and SharePoint Online, users may still be able to access those resources directly.

Microsoft Teams desktop clients for Windows and Mac support modern authentication. Modern authentication brings sign-in based on the Azure Active Directory Authentication Library (ADAL) to Microsoft Office client applications across platforms.

For more information, see the article Conditional Access service dependencies, and consider targeting policies to the Office 365 app instead.
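
The coverage gap described above (a control enforced on Teams but not on Exchange Online or SharePoint Online) can be checked against exported policies. The following is an added example, not Microsoft's code: it assumes policies in the Microsoft Graph conditionalAccessPolicy JSON shape, uses the commonly documented first-party application IDs, ignores user and group scoping, and runs on constructed sample policies.

```python
# App IDs as commonly documented for these first-party apps (assumption: verify in your tenant).
TEAMS = "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe"
EXCHANGE = "00000002-0000-0ff1-ce00-000000000000"
SHAREPOINT = "00000003-0000-0ff1-ce00-000000000000"
OFFICE365 = {TEAMS, EXCHANGE, SHAREPOINT}  # only the members of the suite used here
DEPENDENCIES = {"Exchange Online": EXCHANGE, "SharePoint Online": SHAREPOINT}


def policy(name, include, state="enabled", controls=("mfa",), exclude=(), operator="OR"):
    """Build a constructed policy in the Graph conditionalAccessPolicy shape."""
    return {"displayName": name, "state": state,
            "conditions": {"applications": {"includeApplications": list(include),
                                            "excludeApplications": list(exclude)}},
            "grantControls": {"operator": operator, "builtInControls": list(controls)}}


def expand(values):
    """Expand the 'Office365' suite value into individual app IDs."""
    apps = set()
    for value in values:
        apps |= OFFICE365 if value == "Office365" else {value}
    return apps


def covers(pol, app_id, control):
    """True if an enabled policy always demands `control` for sign-ins to `app_id`."""
    if pol.get("state") != "enabled":
        return False  # report-only and disabled policies enforce nothing
    grant = pol.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    # With operator OR and several controls, the user may satisfy a different one.
    enforced = control in controls and (grant.get("operator") == "AND" or len(controls) == 1)
    scope = pol["conditions"]["applications"]
    included = expand(scope.get("includeApplications", []))
    excluded = expand(scope.get("excludeApplications", []))
    return enforced and ("All" in included or app_id in included) and app_id not in excluded


def uncovered_dependencies(policies, control="mfa"):
    """If Teams is protected by `control`, name the dependencies that are not."""
    if not any(covers(p, TEAMS, control) for p in policies):
        return []
    return [name for name, app in DEPENDENCIES.items()
            if not any(covers(p, app, control) for p in policies)]


# Constructed sample tenants.
TEAMS_ONLY = [policy("MFA for Teams", [TEAMS]),
              policy("MFA for Exchange", [EXCHANGE], state="enabledForReportingButNotEnforced")]
SUITE = [policy("MFA for Office 365", ["Office365"])]
print(uncovered_dependencies(TEAMS_ONLY), uncovered_dependencies(SUITE))
```

A policy in report-only state does not count as coverage, which is why the first sample tenant reports both dependencies as uncovered.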

Why are some tabs not working in Microsoft Teams after enabling Conditional Access policies?

After enabling some Conditional Access policies on the tenant in Microsoft Teams, certain tabs may no longer function in the desktop client as expected. However, the affected tabs function when using the Microsoft Teams web client. The tabs affected may include Power BI, Forms, VSTS, PowerApps, and SharePoint List.

To see the affected tabs, you must use the Teams web client in Edge, Internet Explorer, or Chrome with the Windows 10 Accounts extension installed. Some tabs depend on web authentication, which doesn't work in the Microsoft Teams desktop client when Conditional Access is enabled. Microsoft is working with partners to enable these scenarios. To date, we have enabled scenarios involving Planner, OneNote, and Stream.
