Note to clarify Conditional Access behavior with Require app protection policy grant control #1243

Open
wants to merge 1 commit into
base: main
Expand Up @@ -62,6 +62,9 @@ The following steps help create a Conditional Access policy requiring an app pro
1. Confirm your settings and set **Enable policy** to **Report-only**.
Contributor

Suggested change
1. Confirm your settings and set **Enable policy** to **Report-only**.
> [!WARNING]
> Setting this to **Require all the selected controls**, or changing the grant controls might result in devices being blocked unintentionally.
1. Confirm your settings and set **Enable policy** to **Report-only**.

1. Select **Create** to create to enable your policy.

>[!Note]
>If you set to **Require all the selected controls** or just use the **Require app protection policy** control alone, you need to make sure that you only target unmanaged devices or that the devices are not MDM managed. Otherwise, the policy will block access to all applications since it cannot assess whether the application is compliant as per policy.
Comment on lines +65 to +66
Contributor

Suggested change
>[!Note]
>If you set to **Require all the selected controls** or just use the **Require app protection policy** control alone, you need to make sure that you only target unmanaged devices or that the devices are not MDM managed. Otherwise, the policy will block access to all applications since it cannot assess whether the application is compliant as per policy.


After administrators confirm the settings using [report-only mode](howto-conditional-access-insights-reporting.md), they can move the **Enable policy** toggle from **Report-only** to **On**.

> [!TIP]
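Review bot: The opening clause of the added note, "If you set to **Require all the selected controls**", has no object, so the reader cannot tell which setting is meant; name the grant control option explicitly, for example "If you select **Require all the selected controls** for the grant controls, or use **Require app protection policy** as the only control, ...". In the same sentence, "only target unmanaged devices or that the devices are not MDM managed" states one condition twice; keep one phrasing and say how the admin is expected to scope the policy that way. The note is also placed after the **Create** step, so it is read only after the policy has been saved; it would help more before the reader confirms the settings. Finally, the alert is written `>[!Note]` while the existing block just below uses `> [!TIP]`; use `> [!NOTE]` with a space after `>` so the file stays consistent.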