Support Tip: Conditional Access policies for Intune will now be available in Azure Active Directory

We recently posted a Message Center post reminding you about the Conditional Access policies move from v1 to v2 and re-iterated the impact to Intune admins. In this support blog, we share a few frequently asked questions related to CA policies and Intune. We will keep this post updated as we hear more questions from customers like you.


Why will my Conditional Access policies move to Azure AD?

Alex Simmons answers this question in an Enterprise Mobility blog post, which you can read here:


How do I move my policies to Azure AD?

This step-by-step guide built by Azure AD shows how to move existing classic policies to Azure AD, with the help of screen shots.


What are some of the benefits to me?

From our perspective, the new Azure AD console unifies what was several, separate CA policy administration pages. It also provides additional benefits to the CA experience, including the ability to have multiple CA policies for a single cloud app, integration to additional controls (for example, Multi-factor Authentication (MFA), session-based controls, trusted locations), and the ability to use OR logic between controls (compliant device OR MFA, compliant device OR Intune protected app).


Now, as the blog (and documentation) above shares, as an admin there’s a great deal of new conditional access policy work put into v2, which means more control levers for you. You may find as part of this migration that you want to rethink how your CA policies are configured. We have heard from several customers that they were waiting for the new features and have opted to rebuild new policies versus just transfer the existing ones.


How does this impact existing Intune CA policies?

As part of this work, any existing CA policies configured in the Silverlight Intune admin experience or the Intune App Protection (MAM) blade in Azure are now read-only. The policies can be viewed under a new ‘Classic policies’ tab in the CA blade in Azure AD. The policies still exist and can co-exist with any new policies you create. There’s no end user impact to the policies sitting in the “classic policies” tab.  But you will want to create new policies and then disable the old policies.


If you are using Intune standalone, we encourage you to use CA in the Azure portal by clicking on Azure Active Directory >> CA. You should stop configuring CA in the classic Azure AD portal, the Intune Silverlight console or in Intune App Protection in Azure.


How do I get permission to administer CA in Azure AD?

If you do not have an Azure AD role, please ask your Azure AD administrator to assign you the “Conditional Access” role in Azure AD. That way you can continue administering conditional access. Alternatively, work to transition this role to your Azure AD administration team. Again, access to CA is either through the CA blade in Intune or over in Azure AD. They’re one and the same, it just depends on your entry point – either through Intune or Azure AD.


Do I need Azure AD Premium to deploy CA in my organization?

When you use the Intune service in your organization, Intune and Azure AD Premium work seamlessly together to provide multiple layers of control through CA. As a reminder, customers who wish to deploy CA policies for device compliance or Intune protected apps are required to have licenses for both products. Azure AD Premium can be purchased as a standalone service or can be purchased (along with Intune) as part of Enterprise Mobility + Security (EMS). Please connect with your Microsoft account representative to discuss whether you need to acquire the appropriate Azure AD Premium or EMS licenses.


Useful links

Azure portal update for classic portal users

Azure Active Directory conditional access what if tool - preview



1/24/18: Updated to include some additional links


Comments (0)

Skip to main content