Skip to main content
All CollectionsMicrosoft 365FAQs SaaS Apps
Support for Azure Active Directory (AD) Conditional Access policies
Support for Azure Active Directory (AD) Conditional Access policies
Updated over a week ago


Druva validates the Conditional Access policies enabled for your Microsoft 365 tenant during the Microsoft 365 app configuration to authenticate and provide conditional access to users. For example, if a conditional access policy grants access to users from a specific location. In that case, the Microsoft 365 app configuration step will validate this requirement to allow or deny access to those resources.

For a list of supported policy settings, see Supported Conditional Access policy settings.

Learn more about Conditional Access policies

Conditional Access policy used by Azure Active Directory (Azure AD) enforces access control to keep an organization’s data secure. Policies enabled for your Microsoft 365 tenant ensure adherence to security policies when configuring a Microsoft 365 app to back up or restore your data.

A policy created on the Microsoft Azure portal includes assignments and access controls. Assignments define the who, what, and where of a policy. Access controls define how to enforce a policy. For more information, see Building a Conditional Access policy.


When you define an Azure AD Conditional Access policy for your Microsoft 365 tenant, only authorized users can access requested resources as per the identity signals set in a policy.
For more information, see Azure AD Conditional Access (Microsoft Documentation).

Support matrix for Conditional Access policy

Review the following table to understand the support for Conditional Access policy assignments and access controls.


Actions, signals, or access enforcement

Additional settings

Admin action required

All cloud apps


User actions

Register security information


Register or join devices

Authentication context (preview)



User risk


risk

Device platforms


Any location, All trusted locations, or selected locations

Client apps

Other clients

Device state (Preview)

Filter for devices

Access controls

Block access

Disable policy if it is blocking access during app configuration

Grant access

Require multi-factor authentication (MFA)

Must meet the MFA requirements

Require the device to be marked as compliant


Require Hybrid Azure AD joined device

Not supported

Require approved client app


Require app protection policy

Require password change

Custom grant type

Not supported


Use app-enforced restrictions


Use Conditional Access App Control

frequency

Persistent browser session

Customize continuous access evaluation

Disable resilience defaults (Preview)

Configure the Microsoft 365 app with Conditional Access policies

The following workflow applies when you configure a Microsoft 365 app for data protection using Conditional Access policies. If you are an existing customer, you must reconfigure your Microsoft 365 app.

  • If you have configured Conditional Access policies for your Microsoft 365 tenant, the app authentication step will adhere to these policies during Microsoft 365 app configuration for data protection.

  • The app authentication step checks if token-based authentication can connect with the Microsoft 365 tenant.

  • If the conditions in the access policies are not satisfied, the token-based authentication fails with the following error message.


Let’s try to understand this workflow with an example.

Scenario: Conditional Access policy using Multi-factor Authentication (MFA)

Consider a scenario wherein you want to implement MFA for specific cloud applications in your organization. If you have defined a policy that requires all users to authenticate using MFA, then the Microsoft 365 app configuration for data protection adheres to this policy using the following workflow.

  1. You have defined a Conditional Access policy with the MFA authentication setting for all users in the Azure admin portal.

  2. Configuration of the Microsoft 365 app for data protection enforces this policy to implement an additional layer of security and authenticate the user using MFA.

  3. The user must authenticate using the requested MFA method.

  4. The user is allowed or denied access to the data protection services as per the MFA success or failure scenarios.

Did this answer your question?