Note to clarify Conditional Access behavior with Require app protection policy grant control #1243
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…app protection policy" grant control or the "Require all the selected controls" option, where a managed device may be blocked from accessing an application, since it lacks an MAMenrollmentID. See https://msazure.visualstudio.com/One/_wiki/wikis/ESTS-Docs/338098/TrueMAMForWindows for clarification.
|
@pedroabsoares-ms : Thanks for your contribution! The author(s) have been notified to review your proposed change. |
|
Learn Build status updates of commit 2519585: ✅ Validation status: passed
For more details, please refer to the build report. For any questions, please:
|
|
Can you review the proposed changes? Important: When the changes are ready for publication, adding a #label:"aq-pr-triaged" |
| @@ -62,6 +62,9 @@ The following steps help create a Conditional Access policy requiring an app pro | |||
| 1. Confirm your settings and set **Enable policy** to **Report-only**. | |||
There was a problem hiding this comment.
Suggested change
| 1. Confirm your settings and set **Enable policy** to **Report-only**. | |
| > [!WARNING] | |
| > Setting this to **Require all the selected controls**, or changing the grant controls might result in devices being blocked unintentionally. | |
| 1. Confirm your settings and set **Enable policy** to **Report-only**. |
Comment on lines
+65
to
+66
| >[!Note] | ||
| >If you set to **Require all the selected controls** or just use the **Require app protection policy** control alone, you need to make sure that you only target unmanaged devices or that the devices are not MDM managed. Otherwise, the policy will block access to all applications since it cannot assess whether the application is compliant as per policy. |
There was a problem hiding this comment.
Suggested change
| >[!Note] | |
| >If you set to **Require all the selected controls** or just use the **Require app protection policy** control alone, you need to make sure that you only target unmanaged devices or that the devices are not MDM managed. Otherwise, the policy will block access to all applications since it cannot assess whether the application is compliant as per policy. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Added a note to clarify behavior when the there is only the "Require app protection policy" grant control or the "Require all the selected controls" option, where a managed device may be blocked from accessing an application, since it lacks an MAMenrollmentID.