Conditional Access policies in Azure AD let you apply if-then rules to authentication attempts; they are available to licensees of Azure AD Premium P1 or P2.

The conditions within Conditional Access (CA) are called assignments, but you may also see them referred to as signals, session details, or criteria. They make up the if part of if-then; the then part is referred to as the access control or enforcement.

For example:

  • if the authentication attempt is for an administrative role (assignments / signals / session details / criteria)
  • then enforce multi-factor authentication (MFA) (access control / enforcements)

Assignments are broken down into

When the authentication process happens, all assignments must apply to the session before the access controls take effect. This means assignments combine with AND logic, which you cannot change. Think of it as a bouncer with a checklist at the door: they look you (the user logging in) up and down and suss you out. If you meet everything on their list, they move on to their separate access control list. If you don't meet everything specified, you are overlooked; it's as if the Conditional Access policy doesn't exist.

Access controls are broken down into two further areas: grant controls and session controls.

  • Grant controls let you decide: do all controls need to be enforced, or only one of the selection (OR logic)
  • Session controls don’t give you that ability: they are all enforced using AND logic
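The evaluation rules described above (assignments ANDed together, grant controls with a selectable AND/OR operator, session controls always all enforced) can be made concrete with a small simulator. The following is an added example, not code from the original article and not Microsoft's evaluation engine; the policy dictionary is a constructed sketch loosely shaped like the Microsoft Graph conditionalAccessPolicy resource (assumption: only the user-role, application and location conditions are modelled, and `satisfiedControls` stands in for whatever the client has proven by the end of the sign-in).

```python
"""Toy Conditional Access evaluator illustrating the AND / OR semantics.

Added example: this is a simplified model, not the Azure AD engine, and the
policy shape is an assumption loosely based on the Graph conditionalAccessPolicy
resource.
"""
from typing import Any, Dict, Set

# Constructed policy: "if an admin signs in from anywhere except HQ,
# then require MFA AND a compliant device, and constrain the session".
POLICY: Dict[str, Any] = {
    "displayName": "Require MFA and compliant device for admins",
    "state": "enabled",
    "conditions": {                       # the "if" part: every condition must hold
        "users": {"includeRoles": {"Global Administrator", "Security Administrator"}},
        "applications": {"includeApplications": {"All"}},
        "locations": {"excludeLocations": {"Trusted-HQ"}},
    },
    "grantControls": {                    # the "then" part: operator is AND or OR
        "operator": "AND",
        "builtInControls": ["mfa", "compliantDevice"],
    },
    "sessionControls": {                  # no operator choice: all are enforced
        "signInFrequency": {"value": 1, "type": "hours"},
        "persistentBrowser": "never",
    },
}


def assignments_match(policy: Dict[str, Any], sign_in: Dict[str, Any]) -> bool:
    """True only if EVERY assignment applies to this sign-in (fixed AND logic).

    One non-matching assignment means the policy is skipped entirely, as if it
    did not exist; that is the bouncer's checklist from the article.
    """
    cond = policy["conditions"]
    checks = [
        # user condition: the signing-in user holds at least one included role
        bool(set(sign_in["roles"]) & cond["users"]["includeRoles"]),
        # application condition: "All" or an explicitly listed application
        "All" in cond["applications"]["includeApplications"]
        or sign_in["app"] in cond["applications"]["includeApplications"],
        # location condition: the sign-in must not come from an excluded location
        sign_in["location"] not in cond["locations"]["excludeLocations"],
    ]
    return all(checks)


def grant_satisfied(grant: Dict[str, Any], satisfied: Set[str]) -> bool:
    """Apply the grant controls using the operator the policy author chose.

    A "block" control always denies; otherwise AND needs every listed control
    and OR needs at least one of them.
    """
    required = grant["builtInControls"]
    if "block" in required:
        return False
    if grant["operator"] == "AND":
        return all(control in satisfied for control in required)
    if grant["operator"] == "OR":
        return any(control in satisfied for control in required)
    raise ValueError(f"unknown grant operator {grant['operator']!r}")


def evaluate(policy: Dict[str, Any], sign_in: Dict[str, Any]) -> Dict[str, Any]:
    """Evaluate one policy against one sign-in and report the outcome."""
    if policy["state"] != "enabled" or not assignments_match(policy, sign_in):
        return {"applies": False, "access": "not evaluated", "sessionControls": {}}
    granted = grant_satisfied(policy["grantControls"], set(sign_in["satisfiedControls"]))
    return {
        "applies": True,
        "access": "granted" if granted else "denied",
        # Session controls apply wholesale to any session the policy lets through.
        "sessionControls": policy["sessionControls"] if granted else {},
    }


if __name__ == "__main__":
    # Constructed sign-in: an admin on cafe Wi-Fi who has completed MFA only.
    admin_sign_in = {
        "roles": ["Global Administrator"],
        "app": "Exchange Online",
        "location": "Cafe-WiFi",
        "satisfiedControls": ["mfa"],
    }
    print(evaluate(POLICY, admin_sign_in))
```

Switching `grantControls.operator` to `"OR"` in the constructed policy turns the cafe sign-in above from denied to granted, while changing the location to `Trusted-HQ` makes the policy not apply at all, which is the "overlooked" case from the bouncer analogy rather than a grant.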