MODIFIED docs/external-id/customers/tutorial-third-party-bot-protection-native-api-sign-up.md

Modified by garrodonnell on Mar 23, 2026 11:52 AM
📖 View on learn.microsoft.com

+178 / -0 lines changed

Commit: Fixing pr blocking issues

Changes:

Before

After

---
title: Integrate third-party bot protection with Native API sign-up
description: Learn how to integrate third-party bot protection providers with Native API sign-up flows in Microsoft Entra External ID by using a Web Application Firewall.
ms.topic: tutorial
ms.date: 02/24/2026
ai-usage: ai-assisted
ms.author: godonnell
author: garrodonnell
 
#CustomerIntent: As an IT administrator, I want to integrate third-party bot protection with Native API sign-up flows in Microsoft Entra External ID to protect against automated bot attacks and fake account creation.
---
# Tutorial: Integrate third-party bot protection with Native API sign-up flows
 
[!INCLUDE [applies-to-external-only](../includes/applies-to-external-only.md)]
 
This tutorial guides you through integrating third-party bot protection providers with Native API sign-up flows in Microsoft Entra External ID. By using a Web Application Firewall (WAF) to intercept sign-up requests, you can implement risk-based challenge mechanisms during user registration to protect against automated bot attacks and fake account creation.
 
> [!NOTE]
> This tutorial assumes you manually make raw HTTP requests to execute the sign-up flow. When possible, use a Microsoft-built and supported authentication SDK. See [Tutorial: Prepare your Android mobile app for native authentication](tutorial-native-authentication-prepare-android-app.md) and [Tutorial: Prepare your iOS/macOS mobile app for native authentication](tutorial-native-authentication-prepare-ios-macos-app.md).
 

MODIFIED docs/identity/multi-tenant-organizations/cross-tenant-synchronization-configure-graph.md

Modified by Ken Withee on Mar 23, 2026 4:47 PM
📖 View on learn.microsoft.com

+28 / -28 lines changed

Commit: AI readiness: fix heading hierarchy in cross-tenant-sync and Zscaler coexistence (2 files)

Changes:

Before

After

 
![Icon for the target tenant.](../../media/common/icons/entra-id.png)<br/>**Target tenant**
 
# [PowerShell](#tab/ms-powershell)
 
1. Start PowerShell.
 
    Connect-MgGraph -TenantId $TargetTenantId -Scopes "Policy.Read.All","Policy.ReadWrite.CrossTenantAccess"
    ```
 
# [Microsoft Graph](#tab/ms-graph)
 
These steps describe how to use Microsoft Graph Explorer, but you can also use another REST API client.
 
![Icon for the target tenant.](../../media/common/icons/entra-id.png)<br/>**Target tenant**
 
# [PowerShell](#tab/ms-powershell)
 
1. In the target tenant, use the [New-MgPolicyCrossTenantAccessPolicyPartner](/powershell/module/microsoft.graph.identity.signins/new-mgpolicycrosstenantaccesspolicypartner) command to create a new partner configuration in a cross-tenant access policy between the target tenant and the source tenant. Use the source tenant ID in the request.

 
![Icon for the target tenant.](../../media/common/icons/entra-id.png)<br/>**Target tenant**
 
### [PowerShell](#tab/ms-powershell)
 
1. Start PowerShell.
 
    Connect-MgGraph -TenantId $TargetTenantId -Scopes "Policy.Read.All","Policy.ReadWrite.CrossTenantAccess"
    ```
 
### [Microsoft Graph](#tab/ms-graph)
 
These steps describe how to use Microsoft Graph Explorer, but you can also use another REST API client.
 
![Icon for the target tenant.](../../media/common/icons/entra-id.png)<br/>**Target tenant**
 
### [PowerShell](#tab/ms-powershell)
 
1. In the target tenant, use the [New-MgPolicyCrossTenantAccessPolicyPartner](/powershell/module/microsoft.graph.identity.signins/new-mgpolicycrosstenantaccesspolicypartner) command to create a new partner configuration in a cross-tenant access policy between the target tenant and the source tenant. Use the source tenant ID in the request.

MODIFIED docs/identity/conditional-access/terms-of-use.md

Modified by Ken Withee on Mar 23, 2026 5:18 PM
📖 View on learn.microsoft.com

+17 / -17 lines changed

Commit: Editorial pass: terms-of-use.md (20 fixes)

Changes:

Before

After

 
* Microsoft Entra ID P1 licenses.
* Administrators who need to read terms of use configuration and Conditional Access policies need at least the [Security Reader](~/identity/role-based-access-control/permissions-reference.md#security-reader) role assigned.
* Administrators who need to Create or modify terms of use and Conditional Access policies need at least the [Conditional Access Administrator](~/identity/role-based-access-control/permissions-reference.md#conditional-access-administrator) role assigned.
* A terms of use document in PDF format. The PDF file can be any content you decide to display. To support users on mobile devices, the recommended font size in the PDF is 24 point.
 
### Service limits
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../role-based-access-control/permissions-reference.md#conditional-access-administrator).
1. Browse to **Entra ID** > **Conditional Access** > **Terms of use**.
1. Select, **New terms**.
 
   :::image type="content" source="media/terms-of-use/new-terms-of-use.png" alt-text="A screenshot showing the new terms of use pane to specify your terms of use settings.":::
 
   | **Create Conditional Access policy later** | This terms of use policy appears in the grant control list when creating a Conditional Access policy. |
 
   > [!IMPORTANT]
   > Conditional Access policy controls (including terms of use policies) don't support enforcement on service accounts. We recommend excluding all service accounts from the Conditional Access policy.
 
    Custom Conditional Access policies enable granular terms of use policies, down to a specific cloud application or group of users. For more information, see [Quickstart: Require terms of use to be accepted before accessing cloud apps](policy-all-users-require-terms-of-use.md).

 
* Microsoft Entra ID P1 licenses.
* Administrators who need to read terms of use configuration and Conditional Access policies need at least the [Security Reader](~/identity/role-based-access-control/permissions-reference.md#security-reader) role assigned.
* Administrators who need to create or modify terms of use and Conditional Access policies need at least the [Conditional Access Administrator](~/identity/role-based-access-control/permissions-reference.md#conditional-access-administrator) role assigned.
* A terms of use document in PDF format. The PDF file can be any content you decide to display. To support users on mobile devices, the recommended font size in the PDF is 24 point.
 
### Service limits
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../role-based-access-control/permissions-reference.md#conditional-access-administrator).
1. Browse to **Entra ID** > **Conditional Access** > **Terms of use**.
1. Select **New terms**.
 
   :::image type="content" source="media/terms-of-use/new-terms-of-use.png" alt-text="A screenshot showing the new terms of use pane to specify your terms of use settings.":::
 
   | **Create Conditional Access policy later** | This terms of use policy appears in the grant control list when creating a Conditional Access policy. |
 
   > [!IMPORTANT]
   > Conditional Access policy controls (including terms of use policies) don't support enforcement on service accounts. Exclude all service accounts from the Conditional Access policy.
 
    Custom Conditional Access policies enable granular terms of use policies, down to a specific cloud application or group of users. For more information, see [Quickstart: Require terms of use to be accepted before accessing cloud apps](policy-all-users-require-terms-of-use.md).

MODIFIED docs/identity/conditional-access/concept-conditional-access-policies.md

Modified by Ken Withee on Mar 23, 2026 5:33 PM
📖 View on learn.microsoft.com

+10 / -10 lines changed

Commit: Editorial pass: 4 Conditional Access concept and deployment articles (14 fixes)

Changes:

Before

After

---
title: Building Conditional Access policies in Microsoft Entra
description: Understand the phases of Conditional Access policy enforcement in Microsoft Entra and how to apply them to secure user access.
ms.topic: concept-article
ms.date: 07/22/2025
  - ai-seo-date:07/22/2025
  - ai-gen-description
---
# Building a Conditional Access policy
 
As explained in the article [What is Conditional Access](overview.md), a Conditional Access policy is an if-then statement of **Assignments** and **Access controls**. A Conditional Access policy combines signals to make decisions and enforce organizational policies.
 
   - If there's a policy that is configured with the **block** grant control, enforcement stops here and the user is blocked. 
   - The user is prompted to complete more grant control requirements that weren't satisfied during phase 1 in the following order, until policy is satisfied:  
      1. [Multifactor authentication​](concept-conditional-access-grant.md#require-multifactor-authentication)
      2. [Device to be marked as compliant](./concept-conditional-access-grant.md#require-device-to-be-marked-as-compliant)
      3. [Microsoft Entra hybrid joined device](./concept-conditional-access-grant.md#require-hybrid-azure-ad-joined-device)
      4. [Approved client app](./concept-conditional-access-grant.md#require-approved-client-app)
      5. [App protection policy](./concept-conditional-access-grant.md#require-app-protection-policy)
      6. [Password change](./concept-conditional-access-grant.md#require-password-change)

---
title: Build Conditional Access policies in Microsoft Entra
description: Understand the phases of Conditional Access policy enforcement in Microsoft Entra and how to apply them to secure user access.
ms.topic: concept-article
ms.date: 07/22/2025
  - ai-seo-date:07/22/2025
  - ai-gen-description
---
# Build a Conditional Access policy
 
As explained in the article [What is Conditional Access](overview.md), a Conditional Access policy is an if-then statement of **Assignments** and **Access controls**. A Conditional Access policy combines signals to make decisions and enforce organizational policies.
 
   - If there's a policy that is configured with the **block** grant control, enforcement stops here and the user is blocked. 
   - The user is prompted to complete more grant control requirements that weren't satisfied during phase 1 in the following order, until policy is satisfied:  
      1. [Multifactor authentication​](concept-conditional-access-grant.md#require-multifactor-authentication)
      1. [Device to be marked as compliant](./concept-conditional-access-grant.md#require-device-to-be-marked-as-compliant)
      1. [Microsoft Entra hybrid joined device](./concept-conditional-access-grant.md#require-hybrid-azure-ad-joined-device)
      1. [Approved client app](./concept-conditional-access-grant.md#require-approved-client-app)
      1. [App protection policy](./concept-conditional-access-grant.md#require-app-protection-policy)
      1. [Password change](./concept-conditional-access-grant.md#require-password-change)

MODIFIED docs/identity/conditional-access/concept-conditional-access-cloud-apps.md

Modified by Ken Withee on Mar 23, 2026 5:09 PM
📖 View on learn.microsoft.com

+9 / -9 lines changed

Commit: Editorial pass: concept-conditional-access-cloud-apps.md (11 fixes)

Changes:

Before

After

 
Microsoft 365 offers cloud-based productivity and collaboration services like Exchange, SharePoint, and Microsoft Teams. In Conditional Access, the Microsoft 365 suite of applications appears under 'Office 365'. Microsoft 365 cloud services are deeply integrated to ensure smooth and collaborative experiences. This integration might cause confusion when creating policies because some apps, like Microsoft Teams, depend on others, like SharePoint or Exchange.
 
The Office 365 app grouping in Conditional Access makes it possible to target these services all at once. We recommend using the Microsoft 365 grouping, instead of targeting individual cloud apps to avoid issues with [service dependencies](service-dependencies.md).
 
Targeting this group of applications helps to avoid issues that might arise because of inconsistent policies and dependencies. For example: The Exchange Online app is tied to traditional Exchange Online data like mail, calendar, and contact information. Related metadata might be exposed through different resources like search. To ensure that all metadata is protected by as intended, admins should assign policies to the Microsoft 365 app.
 
Admins can exclude the entire Microsoft 365 suite or specific Microsoft 365 cloud apps from Conditional Access policies.
 
A complete list of all services included can be found in the article [Apps included in Conditional Access Microsoft 365 app suite](reference-office-365-application-contents.md).
 
## Windows Azure Service Management API
 
## Microsoft Admin Portals
 
When a Conditional Access policy targets the Microsoft Admin Portals cloud app, the policy is enforced for tokens issued to specific underlying resource application IDs associated with Microsoft admin portals. The app grouping doesn't include the backend services that those portals might call or depend on. To identify service dependencies of the admin portals, use the [Conditional Access audience reporting in sign-in logs](troubleshoot-conditional-access.md#audience-reporting) 
 
The following applications comprise the Microsoft Admin Portals:

 
Microsoft 365 offers cloud-based productivity and collaboration services like Exchange, SharePoint, and Microsoft Teams. In Conditional Access, the Microsoft 365 suite of applications appears under 'Office 365'. Microsoft 365 cloud services are deeply integrated to ensure smooth and collaborative experiences. This integration might cause confusion when creating policies because some apps, like Microsoft Teams, depend on others, like SharePoint or Exchange.
 
The Office 365 app grouping in Conditional Access makes it possible to target these services all at once. Use the Microsoft 365 grouping, instead of targeting individual cloud apps, to avoid issues with [service dependencies](service-dependencies.md).
 
Targeting this group of applications helps to avoid issues that might arise because of inconsistent policies and dependencies. For example: The Exchange Online app is tied to traditional Exchange Online data like mail, calendar, and contact information. Related metadata might be exposed through different resources like search. To ensure that all metadata is protected as intended, admins should assign policies to the Microsoft 365 app.
 
Admins can exclude the entire Microsoft 365 suite or specific Microsoft 365 cloud apps from Conditional Access policies.
 
For a complete list of all included services, see [Apps included in Conditional Access Microsoft 365 app suite](reference-office-365-application-contents.md).
 
## Windows Azure Service Management API
 
## Microsoft Admin Portals
 
When a Conditional Access policy targets the Microsoft Admin Portals cloud app, the policy is enforced for tokens issued to specific underlying resource application IDs associated with Microsoft admin portals. The app grouping doesn't include the backend services that those portals might call or depend on. To identify service dependencies of the admin portals, use the [Conditional Access audience reporting in sign-in logs](troubleshoot-conditional-access.md#audience-reporting).
 
The following applications comprise the Microsoft Admin Portals:

MODIFIED docs/global-secure-access/how-to-zscaler-coexistence.md

Modified by Ken Withee on Mar 23, 2026 4:47 PM
📖 View on learn.microsoft.com

+10 / -3 lines changed

Commit: AI readiness: fix heading hierarchy in cross-tenant-sync and Zscaler coexistence (2 files)

Changes:

Before

After

 
#### Test traffic flow
 
Test traffic flow:
In the system tray, right-click **Global Secure Access Client** and then select **Advanced Diagnostics**. Select the **Traffic** tab and select **Start collecting**.
Access these websites from the browser: `bing.com`, `salesforce.com`, `Instagram.com`.
In the system tray, right-click **Global Secure Access Client** and select **Advanced Diagnostics** > **Traffic** tab.
Sign in to Microsoft Entra admin center and browse to **Global Secure Access** > **Monitor** > **Traffic logs**. Validate traffic related to these sites is missing from the Global Secure Access traffic logs.
Sign in to Zscaler Internet Access (ZIA) admin portal and browse to **Analytics** > **Web Insights** > **Logs**.
Validate traffic related to these sites is present in Zscaler logs.
Access your private application set up in Zscaler Private Access. For example, open an RDP session to a private server.
Sign in to Microsoft Entra admin center and browse to **Global Secure Access** > **Monitor** > **Traffic logs**.
Validate traffic related to the RDP session **isn’t** in the Global Secure Access traffic logs
Sign in to Zscaler Private Access (ZPA) admin portal and browse to **Analytics** > **Diagnostics** > **Logs**. Validate traffic related to the RDP session is present in the Dashboard or Diagnostic logs.
Access Outlook Online (`outlook.com`, `outlook.office.com`, `outlook.office365.com`), SharePoint Online (`<yourtenantdomain>.sharepoint.com`).  
In the system tray, right-click **Global Secure Access Client** and then select **Advanced Diagnostics**. In the **Traffic** dialog box, select **Stop collecting**.
Scroll to confirm the Global Secure Access client handled only Microsoft 365 traffic.
You can also validate that the traffic is captured in the Global Secure Access traffic logs. In the Microsoft Entra admin center, navigate to **Global Secure Access** > **Monitor** > **Traffic logs**.
 
 

 
#### Test traffic flow
 
##### Verify internet traffic routes through Zscaler
 
In the system tray, right-click **Global Secure Access Client** and then select **Advanced Diagnostics**. Select the **Traffic** tab and select **Start collecting**.
Access these websites from the browser: `bing.com`, `salesforce.com`, `Instagram.com`.
In the system tray, right-click **Global Secure Access Client** and select **Advanced Diagnostics** > **Traffic** tab.
Sign in to Microsoft Entra admin center and browse to **Global Secure Access** > **Monitor** > **Traffic logs**. Validate traffic related to these sites is missing from the Global Secure Access traffic logs.
Sign in to Zscaler Internet Access (ZIA) admin portal and browse to **Analytics** > **Web Insights** > **Logs**.
Validate traffic related to these sites is present in Zscaler logs.
 
##### Verify private application traffic routes through Zscaler
 
Access your private application set up in Zscaler Private Access. For example, open an RDP session to a private server.
Sign in to Microsoft Entra admin center and browse to **Global Secure Access** > **Monitor** > **Traffic logs**.
Validate traffic related to the RDP session **isn’t** in the Global Secure Access traffic logs.
Sign in to Zscaler Private Access (ZPA) admin portal and browse to **Analytics** > **Diagnostics** > **Logs**. Validate traffic related to the RDP session is present in the Dashboard or Diagnostic logs.
 
##### Verify Microsoft 365 traffic routes through Global Secure Access

MODIFIED docs/identity/conditional-access/concept-continuous-access-evaluation.md

Modified by Ken Withee on Mar 23, 2026 5:33 PM
📖 View on learn.microsoft.com

+5 / -5 lines changed

Commit: Editorial pass: 4 Conditional Access concept and deployment articles (14 fixes)

Changes:

Before

After

---
# Continuous access evaluation
 
Token expiration and refresh are a standard mechanism in the industry. When a client application like Outlook connects to a service like Exchange Online, the API requests are authorized using OAuth 2.0 access tokens. By default, access tokens are valid for one hour, when they expire the client is redirected to Microsoft Entra to refresh them. That refresh period provides an opportunity to reevaluate policies for user access. For example: we might choose not to refresh the token because of a Conditional Access policy, or because the user is disabled in the directory. 
 
Customers express concerns about the lag between when conditions change for a user, and when policy changes are enforced. Microsoft experimented with the "blunt object" approach of reduced token lifetimes but found they degrade user experiences and reliability without eliminating risks.
 
Timely response to policy violations or security issues really requires a "conversation" between the token issuer Microsoft Entra, and the relying party (enlightened app). This two-way conversation gives us two important capabilities. The relying party can see when properties change, like network location, and tell the token issuer. It also gives the token issuer a way to tell the relying party to stop respecting tokens for a given user because of account compromise, disablement, or other concerns. The mechanism for this conversation is continuous access evaluation (CAE), an industry standard based on [Open ID Continuous Access Evaluation Profile (CAEP)](https://openid.net/specs/openid-caep-specification-1_0-01.html). The goal for critical event evaluation is for response to be near real time, but latency of up to 15 minutes might be observed because of event propagation time; however, IP locations policy enforcement is instant.
 
The initial implementation of continuous access evaluation focuses on Exchange, Teams, and SharePoint Online.
 
### Client-side claim challenge
 
Before continuous access evaluation, clients would replay the access token from its cache as long as it wasn't expired. With CAE, we introduce a new case where a resource provider can reject a token when it isn't expired. To inform clients to bypass their cache even though the cached tokens aren't expired, we introduce a mechanism called **claim challenge** to indicate that the token was rejected and a new access token needs to be issued by Microsoft Entra. CAE requires a client update to understand claim challenge. The latest versions of the following applications support claim challenge:
 
| | Web | Win32 | iOS | Android | Mac |
| :--- | :---: | :---: | :---: | :---: | :---: |
 
If you're sending traffic to non-Microsoft 365 resources through Global Secure Access, resource providers aren't aware of the source IP address of the user as [source IP restoration](../../global-secure-access/how-to-source-ip-restoration.md) isn’t currently supported for these resources. In this case, if the user is in the trusted IP location (as seen by Microsoft Entra), Microsoft Entra issues a one-hour token that suspends IP address checks at the resource until token expiration. Microsoft Entra continues to enforce IP address checks correctly for these resources.

---
# Continuous access evaluation
 
Token expiration and refresh are a standard mechanism in the industry. When a client application like Outlook connects to a service like Exchange Online, the API requests are authorized using OAuth 2.0 access tokens. By default, access tokens are valid for one hour, when they expire the client is redirected to Microsoft Entra to refresh them. That refresh period provides an opportunity to reevaluate policies for user access. For example: the token might not be refreshed because of a Conditional Access policy, or because the user is disabled in the directory.
 
Customers express concerns about the lag between when conditions change for a user, and when policy changes are enforced. Microsoft experimented with the "blunt object" approach of reduced token lifetimes but found they degrade user experiences and reliability without eliminating risks.
 
Timely response to policy violations or security issues really requires a "conversation" between the token issuer Microsoft Entra, and the relying party (enlightened app). This two-way conversation provides two important capabilities. The relying party can see when properties change, like network location, and tell the token issuer. It also gives the token issuer a way to tell the relying party to stop respecting tokens for a given user because of account compromise, disablement, or other concerns. The mechanism for this conversation is continuous access evaluation (CAE), an industry standard based on [Open ID Continuous Access Evaluation Profile (CAEP)](https://openid.net/specs/openid-caep-specification-1_0-01.html). The goal for critical event evaluation is for response to be near real time, but latency of up to 15 minutes might be observed because of event propagation time; however, IP locations policy enforcement is instant.
 
The initial implementation of continuous access evaluation focuses on Exchange, Teams, and SharePoint Online.
 
### Client-side claim challenge
 
Before continuous access evaluation, clients would replay the access token from its cache as long as it wasn't expired. With CAE, a resource provider can reject a token when it isn't expired. To inform clients to bypass their cache even though the cached tokens aren't expired, a mechanism called **claim challenge** indicates that the token was rejected and a new access token needs to be issued by Microsoft Entra. CAE requires a client update to understand claim challenge. The latest versions of the following applications support claim challenge:
 
| | Web | Win32 | iOS | Android | Mac |
| :--- | :---: | :---: | :---: | :---: | :---: |
 
If you're sending traffic to non-Microsoft 365 resources through Global Secure Access, resource providers aren't aware of the source IP address of the user as [source IP restoration](../../global-secure-access/how-to-source-ip-restoration.md) isn’t currently supported for these resources. In this case, if the user is in the trusted IP location (as seen by Microsoft Entra), Microsoft Entra issues a one-hour token that suspends IP address checks at the resource until token expiration. Microsoft Entra continues to enforce IP address checks correctly for these resources.

MODIFIED docs/identity/conditional-access/deployment-guide-token-protection-windows.md

Modified by Ken Withee on Mar 23, 2026 5:33 PM
📖 View on learn.microsoft.com

+5 / -5 lines changed

Commit: Editorial pass: 4 Conditional Access concept and deployment articles (14 fixes)

Changes:

Before

After

 
This guide covers the steps required to deploy and enforce Token Protection for sign-in session tokens on Windows platform.
 
For an overview of Token Protection and supported platforms, see [Token Protection in Microsoft Entra Conditional Access](concept-token-protection.md). We recommend reviewing the overview documentation before using this deployment guide.
 
## Prerequisites
 
 
## Create a Conditional Access policy
 
Users who perform specialized roles like those described in [Privileged access security levels](/security/privileged-access-workstations/privileged-access-security-levels#specialized) are possible targets for this functionality. We recommend piloting with a small subset to begin. 
 
The following steps help you create a Conditional Access policy to require token protection for Exchange Online and SharePoint Online on Windows devices.
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../role-based-access-control/permissions-reference.md#conditional-access-administrator).
1. Browse to **Entra ID** > **Conditional Access** > **Policies**.
1. Select **New policy**.
1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
1. Under **Assignments**, select **Users or workload identities**.
   1. Under **Include**, select the users or groups who are testing this policy.

 
This guide covers the steps required to deploy and enforce Token Protection for sign-in session tokens on Windows platform.
 
For an overview of Token Protection and supported platforms, see [Token Protection in Microsoft Entra Conditional Access](concept-token-protection.md). Review the overview documentation before using this deployment guide.
 
## Prerequisites
 
 
## Create a Conditional Access policy
 
Users who perform specialized roles like those described in [Privileged access security levels](/security/privileged-access-workstations/privileged-access-security-levels#specialized) are possible targets for this functionality. Pilot with a small subset to begin.
 
The following steps help you create a Conditional Access policy to require token protection for Exchange Online and SharePoint Online on Windows devices.
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../role-based-access-control/permissions-reference.md#conditional-access-administrator).
1. Browse to **Entra ID** > **Conditional Access** > **Policies**.
1. Select **New policy**.
1. Give your policy a name. Create a meaningful standard for the names of your policies.
1. Under **Assignments**, select **Users or workload identities**.
   1. Under **Include**, select the users or groups who are testing this policy.

MODIFIED docs/identity/conditional-access/concept-condition-filters-for-devices.md

Modified by Ken Withee on Mar 23, 2026 5:46 PM
📖 View on learn.microsoft.com

+4 / -4 lines changed

Commit: Editorial pass: 13 Conditional Access articles (27 fixes)

Changes:

Before

After

 
There are multiple scenarios that organizations can now enable using filter for devices condition. The following scenarios provide examples of how to use this new condition.
 
- **Restrict access to privileged resources**. For this example, lets say you want to allow access to Windows Azure Service Management API from a user who:
   - Is assigned a [privileged role](../role-based-access-control/permissions-reference.md).
   - Completed multifactor authentication.
   - Is on a device that is [privileged or secure admin workstations](/security/compass/privileged-access-devices) and attested as compliant.
   - For this scenario, organizations would create two Conditional Access policies:
      - Policy 1: All users with an administrator role, accessing the Windows Azure Service Management API cloud app, and for Access controls, Grant access, but require multifactor authentication and require device to be marked as compliant.
      - Policy 2: All users with an administrator, accessing the Windows Azure Service Management API cloud app, excluding a filter for devices using rule expression device.extensionAttribute1 equals SAW and for Access controls, Block. Learn how to [update extensionAttributes on a Microsoft Entra device object](/graph/api/device-update?view=graph-rest-1.0&tabs=http&preserve-view=true).
- **Block access to organization resources from devices running an unsupported Operating System**. For this example, lets say you want to block access to resources from Windows OS version older than Windows 10. For this scenario, organizations would create the following Conditional Access policy:
   - All users accessing all resources, excluding those with devices where the rule expression `device.operatingSystem == 'Windows'` and `device.operatingSystemVersion startsWith '10.0'` applies, should be blocked by Access controls.
- **Do not require multifactor authentication for specific accounts on specific devices**. For this example, lets say you want to not require multifactor authentication when using service accounts on specific devices like Teams Phones or Surface Hub devices. For this scenario, organizations would create the following two Conditional Access policies:
   - Policy 1: All users excluding service accounts, accessing all resources, and for Access controls, Grant access, but require multifactor authentication.
   - Policy 2: Select users and groups and include group that contains service accounts only, accessing all resources, excluding a filter for devices using rule expression device.extensionAttribute2 not equals TeamsPhoneDevice and for Access controls, Block.
 
The following device attributes can be used with the filter for devices condition in Conditional Access.
 
> [!IMPORTANT]
> Microsoft recommends using atleast one system defined or admin configurable device property when using Filter for devices condition in Conditional Access.

 
There are multiple scenarios that organizations can now enable using filter for devices condition. The following scenarios provide examples of how to use this new condition.
 
- **Restrict access to privileged resources**. For this example, let's say you want to allow access to Windows Azure Service Management API from a user who:
   - Is assigned a [privileged role](../role-based-access-control/permissions-reference.md).
   - Completed multifactor authentication.
   - Is on a device that is [privileged or secure admin workstations](/security/compass/privileged-access-devices) and attested as compliant.
   - For this scenario, organizations would create two Conditional Access policies:
      - Policy 1: All users with an administrator role, accessing the Windows Azure Service Management API cloud app, and for Access controls, Grant access, but require multifactor authentication and require device to be marked as compliant.
      - Policy 2: All users with an administrator, accessing the Windows Azure Service Management API cloud app, excluding a filter for devices using rule expression device.extensionAttribute1 equals SAW and for Access controls, Block. Learn how to [update extensionAttributes on a Microsoft Entra device object](/graph/api/device-update?view=graph-rest-1.0&tabs=http&preserve-view=true).
- **Block access to organization resources from devices running an unsupported Operating System**. For this example, let's say you want to block access to resources from Windows OS version older than Windows 10. For this scenario, organizations would create the following Conditional Access policy:
   - All users accessing all resources, excluding those with devices where the rule expression `device.operatingSystem == 'Windows'` and `device.operatingSystemVersion startsWith '10.0'` applies, should be blocked by Access controls.
- **Do not require multifactor authentication for specific accounts on specific devices**. For this example, let's say you want to not require multifactor authentication when using service accounts on specific devices like Teams Phones or Surface Hub devices. For this scenario, organizations would create the following two Conditional Access policies:
   - Policy 1: All users excluding service accounts, accessing all resources, and for Access controls, Grant access, but require multifactor authentication.
   - Policy 2: Select users and groups and include group that contains service accounts only, accessing all resources, excluding a filter for devices using rule expression device.extensionAttribute2 not equals TeamsPhoneDevice and for Access controls, Block.
 
The following device attributes can be used with the filter for devices condition in Conditional Access.
 
> [!IMPORTANT]
> Microsoft recommends using at least one system defined or admin configurable device property when using Filter for devices condition in Conditional Access.

MODIFIED docs/identity/conditional-access/policy-all-users-windows-app-protection.md

Modified by Ken Withee on Mar 23, 2026 5:46 PM
📖 View on learn.microsoft.com

+4 / -4 lines changed

Commit: Editorial pass: 13 Conditional Access articles (27 fixes)

Changes:

Before

After

 
## Prerequisites
 
- We support applying policy to the Microsoft Edge browser on devices running Windows 11 and Windows 10 version 20H2 and higher with KB5031445.
- Set up an app protection policy targeting Windows devices. For details, see [Configured app protection policy targeting Windows devices](/mem/intune/apps/app-protection-policy-settings-windows).
- Sovereign clouds aren't supported.
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../role-based-access-control/permissions-reference.md#conditional-access-administrator).
1. Browse to **Entra ID** > **Conditional Access** > **Policies**.
1. Select **New policy**.
1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
1. Under **Assignments**, select **Users or workload identities**.
   1. Under **Include**, select **All users**.
   1. Under **Exclude**, select **Users and groups** and choose your organization's emergency access or break-glass accounts.
 
When users attempt to sign in to a site that is protected by an app protection policy for the first time, they're prompted: To access your service, app, or website, you might need to sign in to Microsoft Edge using `username@domain.com` or register your device with `organization` if you're already signed in.
 
Clicking on **Switch Edge profile** opens a window listing their Work or school account along with an option to **Sign in to sync data**.
 
   :::image type="content" source="./media/policy-all-users-windows-app-protection/browser-sign-in-continue-with-work-or-school-account.png" alt-text="Screenshot showing the popup in Microsoft Edge asking user to sign in.":::

 
## Prerequisites
 
- Policy can be applied to the Microsoft Edge browser on devices running Windows 11 and Windows 10 version 20H2 and higher with KB5031445.
- Set up an app protection policy targeting Windows devices. For details, see [Configured app protection policy targeting Windows devices](/mem/intune/apps/app-protection-policy-settings-windows).
- Sovereign clouds aren't supported.
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../role-based-access-control/permissions-reference.md#conditional-access-administrator).
1. Browse to **Entra ID** > **Conditional Access** > **Policies**.
1. Select **New policy**.
1. Give your policy a name. Create a meaningful standard for the names of your policies.
1. Under **Assignments**, select **Users or workload identities**.
   1. Under **Include**, select **All users**.
   1. Under **Exclude**, select **Users and groups** and choose your organization's emergency access or break-glass accounts.
 
When users attempt to sign in to a site that is protected by an app protection policy for the first time, they're prompted: To access your service, app, or website, you might need to sign in to Microsoft Edge using `username@domain.com` or register your device with `organization` if you're already signed in.
 
Selecting **Switch Edge profile** opens a window listing their Work or school account along with an option to **Sign in to sync data**.
 
   :::image type="content" source="./media/policy-all-users-windows-app-protection/browser-sign-in-continue-with-work-or-school-account.png" alt-text="Screenshot showing the popup in Microsoft Edge asking user to sign in.":::

MODIFIED docs/identity/conditional-access/concept-filter-for-applications.md

Modified by Ken Withee on Mar 23, 2026 5:46 PM
📖 View on learn.microsoft.com

+3 / -3 lines changed

Commit: Editorial pass: 13 Conditional Access articles (27 fixes)

Changes:

Before

After

Follow the instructions in the article, [Add or deactivate custom security attributes in Microsoft Entra ID](~/fundamentals/custom-security-attributes-add.md) to add the following **Attribute set** and **New attributes**.
 
- Create an **Attribute set** named *ConditionalAccessTest*.
- Create **New attributes** named *policyRequirement* that **Allow multiple values to be assigned** and **Only allow predefined values to be assigned**. We add the following predefined values:
   - legacyAuthAllowed
   - blockGuestUsers
   - requireMFA
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../role-based-access-control/permissions-reference.md#conditional-access-administrator) and [Attribute Definition Reader](../role-based-access-control/permissions-reference.md#attribute-definition-reader).
1. Browse to **Entra ID** > **Conditional Access**.
1. Select **New policy**.
1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
1. Under **Assignments**, select **Users or workload identities**.
   1. Under **Include**, select **All users**.
   1. Under **Exclude**, select **Users and groups** and choose your organization's emergency access or break-glass accounts.
   1. Include **Select resources**.
   1. Select **Edit filter**.
   1. Set **Configure** to **Yes**.
   1. Select the **Attribute** we created earlier called *policyRequirement*.
   1. Set **Operator** to **Contains**.
   1. Set **Value** to **requireMFA**.

Follow the instructions in the article, [Add or deactivate custom security attributes in Microsoft Entra ID](~/fundamentals/custom-security-attributes-add.md) to add the following **Attribute set** and **New attributes**.
 
- Create an **Attribute set** named *ConditionalAccessTest*.
- Create **New attributes** named *policyRequirement* that **Allow multiple values to be assigned** and **Only allow predefined values to be assigned**. Add the following predefined values:
   - legacyAuthAllowed
   - blockGuestUsers
   - requireMFA
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../role-based-access-control/permissions-reference.md#conditional-access-administrator) and [Attribute Definition Reader](../role-based-access-control/permissions-reference.md#attribute-definition-reader).
1. Browse to **Entra ID** > **Conditional Access**.
1. Select **New policy**.
1. Give your policy a name. Create a meaningful standard for the names of your policies.
1. Under **Assignments**, select **Users or workload identities**.
   1. Under **Include**, select **All users**.
   1. Under **Exclude**, select **Users and groups** and choose your organization's emergency access or break-glass accounts.
   1. Include **Select resources**.
   1. Select **Edit filter**.
   1. Set **Configure** to **Yes**.
   1. Select the **Attribute** created earlier called *policyRequirement*.
   1. Set **Operator** to **Contains**.
   1. Set **Value** to **requireMFA**.

MODIFIED docs/identity/conditional-access/policy-block-by-location.md

Modified by Ken Withee on Mar 23, 2026 6:36 PM
📖 View on learn.microsoft.com

+2 / -2 lines changed

Commit: Editorial pass: 24 Conditional Access light articles (29 fixes)

Changes:

Before

After

Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](~/identity/role-based-access-control/permissions-reference.md#conditional-access-administrator).
Browse to **Entra ID** > **Conditional Access** > **Policies**.
Select **New policy**.
Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
Under **Assignments**, select **Users or workload identities**.
Under **Include**, select **All users**.
Under **Exclude**, select **Users and groups** and choose your organization's emergency access or break-glass accounts. 
Set **Configure** to **Yes**
Under **Include**, select **Selected networks and locations**
Select the blocked location you created for your organization.
Click **Select**.
Under **Access controls** > **Grant**, select **Block access**, then select **Select**.
Confirm your settings and set **Enable policy** to **Report-only**.
Select **Create** to enable your policy.

Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](~/identity/role-based-access-control/permissions-reference.md#conditional-access-administrator).
Browse to **Entra ID** > **Conditional Access** > **Policies**.
Select **New policy**.
Give your policy a name. Create a meaningful standard for the names of your policies.
Under **Assignments**, select **Users or workload identities**.
Under **Include**, select **All users**.
Under **Exclude**, select **Users and groups** and choose your organization's emergency access or break-glass accounts. 
Set **Configure** to **Yes**
Under **Include**, select **Selected networks and locations**
Select the blocked location you created for your organization.
Select **Select**.
Under **Access controls** > **Grant**, select **Block access**, then select **Select**.
Confirm your settings and set **Enable policy** to **Report-only**.
Select **Create** to enable your policy.

MODIFIED docs/identity/conditional-access/policy-block-example.md

Modified by Ken Withee on Mar 23, 2026 6:36 PM
📖 View on learn.microsoft.com

+2 / -2 lines changed

Commit: Editorial pass: 24 Conditional Access light articles (29 fixes)

Changes:

Before

After

Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../role-based-access-control/permissions-reference.md#conditional-access-administrator).
Browse to **Entra ID** > **Conditional Access** > **Policies**.
Select **New policy**.
Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
Under **Assignments**, select **Users or workload identities**.
Under **Include**, select **All users**.
Under **Exclude**, select **Users and groups** and choose your organization's emergency access or break-glass accounts. 
The following policy is created to require multifactor authentication or a compliant device for users of Microsoft 365.
 
Select **Create new policy**.
Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
Under **Assignments**, select **Users or workload identities**.
Under **Include**, select **All users**.
Under **Exclude**, select **Users and groups** and choose your organization's emergency access or break-glass accounts. 

Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../role-based-access-control/permissions-reference.md#conditional-access-administrator).
Browse to **Entra ID** > **Conditional Access** > **Policies**.
Select **New policy**.
Give your policy a name. Create a meaningful standard for the names of your policies.
Under **Assignments**, select **Users or workload identities**.
Under **Include**, select **All users**.
Under **Exclude**, select **Users and groups** and choose your organization's emergency access or break-glass accounts. 
The following policy is created to require multifactor authentication or a compliant device for users of Microsoft 365.
 
Select **Create new policy**.
Give your policy a name. Create a meaningful standard for the names of your policies.
Under **Assignments**, select **Users or workload identities**.
Under **Include**, select **All users**.
Under **Exclude**, select **Users and groups** and choose your organization's emergency access or break-glass accounts. 

MODIFIED docs/identity/conditional-access/policy-block-legacy-authentication.md

Modified by Ken Withee on Mar 23, 2026 6:36 PM
📖 View on learn.microsoft.com

+2 / -2 lines changed

Commit: Editorial pass: 24 Conditional Access light articles (29 fixes)

Changes:

Before

After

Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../role-based-access-control/permissions-reference.md#conditional-access-administrator).
Browse to **Entra ID** > **Conditional Access** > **Policies**.
Select **New policy**.
Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
Under **Assignments**, select **Users or workload identities**.
Under **Include**, select **All users**.
Under **Exclude**, select **Users and groups** and choose any accounts that must maintain the ability to use legacy authentication. Microsoft recommends you exclude at least one account to prevent yourself from being locked out due to misconfiguration.
 
Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Reports Reader](../role-based-access-control/permissions-reference.md#reports-reader).
Browse to **Entra ID** > **Monitoring & health** > **Sign-in logs**.
Add the **Client App** column if it isn't shown by clicking on **Columns** > **Client App**.
Select **Add filters** > **Client App** > choose all of the legacy authentication protocols and select **Apply**.
Also perform these steps on the **User sign-ins (non-interactive)** tab.
 

Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../role-based-access-control/permissions-reference.md#conditional-access-administrator).
Browse to **Entra ID** > **Conditional Access** > **Policies**.
Select **New policy**.
Give your policy a name. Create a meaningful standard for the names of your policies.
Under **Assignments**, select **Users or workload identities**.
Under **Include**, select **All users**.
Under **Exclude**, select **Users and groups** and choose any accounts that must maintain the ability to use legacy authentication. Microsoft recommends you exclude at least one account to prevent yourself from being locked out due to misconfiguration.
 
Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Reports Reader](../role-based-access-control/permissions-reference.md#reports-reader).
Browse to **Entra ID** > **Monitoring & health** > **Sign-in logs**.
Add the **Client App** column if it isn't shown by selecting **Columns** > **Client App**.
Select **Add filters** > **Client App** > choose all of the legacy authentication protocols and select **Apply**.
Also perform these steps on the **User sign-ins (non-interactive)** tab.
 

MODIFIED docs/identity/conditional-access/troubleshoot-conditional-access.md

Modified by Ken Withee on Mar 23, 2026 6:36 PM
📖 View on learn.microsoft.com

+2 / -2 lines changed

Commit: Editorial pass: 24 Conditional Access light articles (29 fixes)

Changes:

Before

After

 
To get detailed information about the sign-in interruption, review the Microsoft Entra sign-in events to see which Conditional Access policy or policies applied and why.
 
More information can be found about the problem by clicking **More Details** in the initial error page. Clicking **More Details** reveals troubleshooting information that is helpful when searching the Microsoft Entra sign-in events for the specific failure event the user saw or when opening a support incident with Microsoft.
 
![Screenshot showing more details from a Conditional Access interrupted web browser sign-in.](./media/troubleshoot-conditional-access/image2.png)
 
1. After finding the sign-in event that corresponds to the user's sign-in failure, select the **Conditional Access** tab. The Conditional Access tab shows the specific policy or policies that resulted in the sign-in interruption.
   1. Information in the **Troubleshooting and support** tab might provide a clear reason as to why a sign-in failed such as a device that didn't meet compliance requirements.
   1. To investigate further, drill down into the configuration of the policies by clicking on the **Policy Name**. Clicking the **Policy Name** shows the policy configuration user interface for the selected policy for review and editing.
   1. The **client user** and **device details** that were used for the Conditional Access policy assessment are also available in the **Basic Info**, **Location**, **Device Info**, **Authentication Details**, and **Additional Details** tabs of the sign-in event.
 
### Policy not working as intended

 
To get detailed information about the sign-in interruption, review the Microsoft Entra sign-in events to see which Conditional Access policy or policies applied and why.
 
More information can be found about the problem by selecting **More Details** in the initial error page. Selecting **More Details** reveals troubleshooting information that is helpful when searching the Microsoft Entra sign-in events for the specific failure event the user saw or when opening a support incident with Microsoft.
 
![Screenshot showing more details from a Conditional Access interrupted web browser sign-in.](./media/troubleshoot-conditional-access/image2.png)
 
1. After finding the sign-in event that corresponds to the user's sign-in failure, select the **Conditional Access** tab. The Conditional Access tab shows the specific policy or policies that resulted in the sign-in interruption.
   1. Information in the **Troubleshooting and support** tab might provide a clear reason as to why a sign-in failed such as a device that didn't meet compliance requirements.
   1. To investigate further, drill down into the configuration of the policies by selecting the **Policy Name**. Selecting the **Policy Name** shows the policy configuration user interface for the selected policy for review and editing.
   1. The **client user** and **device details** that were used for the Conditional Access policy assessment are also available in the **Basic Info**, **Location**, **Device Info**, **Authentication Details**, and **Additional Details** tabs of the sign-in event.
 
### Policy not working as intended

📋 Microsoft Entra Documentation Changes

📊 Summary

📝 Modified Documentation Files