Azure Active Directory conditional access settings reference
You can use Azure Active Directory (Azure AD) conditional access to control how authorized users can access your resources.
This article provides you with support information for the following configuration options in a conditional access policy:
Cloud applications assignments
Device platform condition
Client applications condition
Approved client application requirement
If this is not the information you are looking for, please leave a comment at the end of this article.
Cloud apps assignments
With conditional access policies, you control how your users access your cloud apps. When you configure a conditional access policy, you need to select at least one cloud app.
Microsoft cloud applications
You can assign a conditional access policy to the following cloud apps from Microsoft:
Azure Information Protection
Azure SQL Database
Microsoft Dynamics 365
Microsoft Office 365 Yammer
Microsoft Office 365 Exchange Online
Microsoft Office 365 SharePoint Online (includes OneDrive for Business and Project Online)
Microsoft Power BI
In addition to the Microsoft cloud apps, you can assign a conditional access policy to the following types of cloud apps:
Azure AD-connected applications
Pre-integrated federated software as a service (SaaS) application
Applications that use password single sign-on (SSO)
Applications that use Azure AD Application Proxy
Device platform condition
In a conditional access policy, you can configure the device platform condition to tie the policy to the operating system on a client. Azure AD conditional access supports the following device platforms:
Client apps condition
In your conditional access policy, you can configure the client apps condition to tie the policy to the client app that initiated an access attempt. Set the client apps condition to grant or block access when an access attempt is made from the following types of client apps:
- Browsers
- Mobile apps and desktop clients
- Other clients
Supported browsers
In your conditional access policy, you can select Browsers as the client app.
This setting works with all browsers. However, to satisfy a device policy, like a compliant device requirement, the following operating systems and browsers are supported:

| Operating system | Browsers |
|---|---|
| Windows 10 | Internet Explorer, Microsoft Edge, Chrome |
| Windows 8 / 8.1 | Internet Explorer, Chrome |
| Windows 7 | Internet Explorer, Chrome |
| iOS | Safari, Intune Managed Browser |
| Android | Chrome, Intune Managed Browser |
| Windows Phone | Internet Explorer, Microsoft Edge |
| Windows Server 2016 | Internet Explorer, Microsoft Edge (Chrome support coming soon) |
| Windows Server 2012 R2 | Internet Explorer, Chrome |
| Windows Server 2008 R2 | Internet Explorer, Chrome |
For Chrome support in Windows 10 Creators Update (version 1703) or later, install this extension.
To automatically deploy this extension to Chrome browsers, create the following registry key:
For Chrome support in Windows 8.1 and 7, create the following registry key:
These browsers support device authentication, which allows the device to be identified and validated against a policy. The device check fails if the browser is running in private (incognito) mode, so a policy that requires a compliant or domain-joined device will not be satisfied from a private browsing session.
Supported mobile applications and desktop clients
In your conditional access policy, you can select Mobile apps and desktop clients as the client app.
This setting has an impact on access attempts made from the following mobile apps and desktop clients:

| Client apps | Target service | Platform |
|---|---|---|
| Azure Remote app | Azure Remote App service | Windows 10, Windows 8.1, Windows 7, iOS, Android, and macOS |
| Dynamics CRM app | Dynamics CRM | Windows 10, Windows 8.1, iOS, and Android |
| Mail/Calendar/People app, Outlook 2016, Outlook 2013 (with modern authentication) | Office 365 Exchange Online | Windows 10 |
| MFA and location policy for apps. Device-based policies are not supported. | Any My Apps app service | Android and iOS |
| Microsoft Teams Services - this controls all services that support Microsoft Teams and all its client apps - Windows Desktop, iOS, Android, WP, and web client | Microsoft Teams | Windows 10, Windows 8.1, Windows 7, iOS, Android, and macOS |
| Office 2016 apps, Office 2013 (with modern authentication), OneDrive sync client (see notes) | Office 365 SharePoint Online | Windows 8.1, Windows 7 |
| Office 2016 apps, Universal Office apps, Office 2013 (with modern authentication), OneDrive sync client (see notes); Office Groups support is planned for the future; SharePoint app support is planned for the future | Office 365 SharePoint Online | Windows 10 |
| Office 2016 (Word, Excel, PowerPoint, OneNote only). OneDrive for Business support planned for the future | Office 365 SharePoint Online | macOS |
| Office 2019 | Office 365 SharePoint Online | Windows 10, macOS |
| Office mobile apps | Office 365 SharePoint Online | Android, iOS |
| Office Yammer app | Office 365 Yammer | Windows 10, iOS, Android |
| Outlook 2019 | Office 365 SharePoint Online | Windows 10, macOS |
| Outlook 2016 (Office for macOS) | Office 365 Exchange Online | macOS |
| Outlook 2016, Outlook 2013 (with modern authentication), Skype for Business (with modern authentication) | Office 365 Exchange Online | Windows 8.1, Windows 7 |
| Outlook mobile app | Office 365 Exchange Online | Android, iOS |
| PowerBI app | PowerBI service | Windows 10, Windows 8.1, Windows 7, Android, and iOS |
| Skype for Business | Office 365 Exchange Online | Android, iOS |
| Visual Studio Team Services app | Visual Studio Team Services | Windows 10, Windows 8.1, Windows 7, iOS, and Android |
Support for legacy authentication
By selecting Other clients, you can specify a condition that affects apps that use basic authentication with mail protocols like IMAP, MAPI, POP, and SMTP, and older Office apps that don't use modern authentication. Because these clients cannot perform multi-factor authentication or present device state, this condition is typically used to block them.
For more information, see Client apps.
Approved client app requirement
In your conditional access policy, you can require that an access attempt to the selected cloud apps needs to be made from an approved client app.
This setting applies to the following client apps:
- Microsoft Azure Information Protection
- Microsoft Edge
- Microsoft Excel
- Microsoft Flow
- Microsoft Intune Managed Browser
- Microsoft Invoicing
- Microsoft Kaizala
- Microsoft Launcher
- Microsoft OneDrive
- Microsoft OneNote
- Microsoft Outlook
- Microsoft Planner
- Microsoft PowerApps
- Microsoft PowerBI
- Microsoft PowerPoint
- Microsoft SharePoint
- Microsoft Skype for Business
- Microsoft StaffHub
- Microsoft Stream
- Microsoft Teams
- Microsoft To-Do
- Microsoft Visio
- Microsoft Word
- Microsoft Yammer
The approved client apps support the Intune mobile application management feature.
The Require approved client app requirement only supports iOS and Android for the device platform condition.
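As an added example that is not from this article or from Microsoft, the following Python builds the two policies this page describes (an approved client app requirement for Exchange Online on mobile, and a block for the Other clients legacy authentication condition) in the shape of a Microsoft Graph conditionalAccessPolicy, then lints them against the constraints the article states: at least one cloud app must be selected, and the approved client app control only works with the platform condition limited to iOS and Android. The Graph enum values and the Exchange Online application ID are assumptions to verify against your tenant before use.

```python
# Graph conditionalAccessPolicy enum values (assumed; verify against the
# current Microsoft Graph schema before use).
MOBILE_PLATFORMS = {"iOS", "android"}
# Assumed well-known Exchange Online application ID; verify in your tenant.
EXCHANGE_ONLINE_APP_ID = "00000002-0000-0ff1-ce00-000000000000"


def approved_app_policy(name, app_ids):
    """Require an approved (Intune MAM-capable) client app on iOS/Android."""
    return {
        "displayName": name,
        # Start in report-only mode so sign-in logs show the impact first.
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "applications": {"includeApplications": list(app_ids)},
            "users": {"includeUsers": ["All"]},
            "platforms": {"includePlatforms": sorted(MOBILE_PLATFORMS)},
            "clientAppTypes": ["mobileAppsAndDesktopClients"],
        },
        "grantControls": {"operator": "OR",
                          "builtInControls": ["approvedApplication"]},
    }


def block_legacy_auth_policy(name):
    """'Other clients' covers basic auth over IMAP, MAPI, POP and SMTP."""
    return {
        "displayName": name,
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"]},
            "clientAppTypes": ["other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def lint(policy):
    """Return the problems a policy has under the constraints in this article."""
    problems = []
    cond = policy["conditions"]
    controls = policy.get("grantControls", {}).get("builtInControls", [])
    if not cond.get("applications", {}).get("includeApplications"):
        problems.append("at least one cloud app must be selected")
    if "approvedApplication" in controls:
        plats = set(cond.get("platforms", {}).get("includePlatforms", []))
        if not plats or not plats <= MOBILE_PLATFORMS:
            problems.append("approved client app requires the platform "
                            "condition limited to iOS and Android")
    return problems
```

Both policies are created in report-only state so that the sign-in logs show which users and clients would be affected before enforcement is switched on.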
Next steps
For an overview of conditional access, see What is conditional access in Azure Active Directory?
If you are ready to configure conditional access policies in your environment, see the recommended practices for conditional access in Azure Active Directory.