Enforce Entra ID conditional Access policies based in specific Graph Claim value asked by application
Introduction:
There is an application "App" registered in an external Azure tenant (ExternalTenant) that my users log in using their tenant (InternalTenant) email.
This application allows anyone to log in, but requests Permission consent to "Read email calendar events", to synchronize the user Exchange Calendar with the App internal calendar events.
My users (assuming they have a License that gives them a Mailbox/Calendar) can allow this consent and then use the application normally.
I'm currently playing with EntraID Conditional Access, and I have made a couple of policies to restrict which users can use the App
Inside the policies I have selected the App in Target Resources, and then made some test conditions to filter access by OS.
This has worked great, but my next step is to enforce a more granular permission.
I want that all users can log into the app, but restrict which of them can pass the
Calendars.ReadWrite claim value
Ideally, I would like to enforce MFA when this specific claim is asked, but to allow non-MFA login when this isn't asked.
Is this possible?
Note that: You cannot configure conditional access policy based on the specific graph claim.
- Conditional Access policies primarily focus on controlling access based on factors such as user, device, location, and application, rather than specific claims or permissions requested by the application
- You can create policy in the application level but not possible to enforce a policy with granular permission.
You can select the applications:
And the conditions are like below, you cannot configure the condition based on the claim:
Hence, you cannot configure the policy with the specific claim.
- The API permissions granted are tenant wide and cannot be restricted.
Reference:
Building a Conditional Access policy - Microsoft Entra ID | Microsoft
- Azure C# Cosmos DB: Property "id" is missing when it's actually present
- Azure Permission - needed for creating resource group - RBAC
- Unable to locate executable file: 'bash'. Please verify either the file path exists
- Can the Azure Service Bus be delayed before retrying a message?
- azure documentdb create document duplicates Id property
- JWT validation failure error in azure apim
- Azure App Service and Application Insights where is performance test?
- Is it possible to have a non-interactive code that logs in to Azure and creates users in Microsoft Entra ID?
- Change Default Service Version of Microsoft Azure Blob - PHP
- Microsoft Graph: How to filter users by domain name
- Azure App Service Plan CPU Spikes to 100%
- Unable to Authenticate to DevOps API with Angual MSAL
- Azure Databricks: Not able to parameterize keys option of dlt.apply_changes
- ASP.NET Core 3.1 Azure AD Authentication throws OptionsValidationException
- Attaching a private static ip address to Azure Container Instance
- Azure Synapse severless SQL pool - query execution fails
- How to login via Service Principal having Federated Credentials rather than Client Secrets
- Where can I find the resource id of an Azure function app in the Azure portal?
- How to forward access-control-allow-origin header from a Web App to a Front Door?
- Basic SQL commands in Terraform
- Linux Azure Webjob in nodejs referring to node.exe
- Running Azure functions locally gives "No runtime" error after .NET7 upgrade
- Azure DataSync tables not showing up
- Azure ML: Unable to find workspace
- unable to start 'Docker for windows' on Azure Win 10 VM
- How to enable virtualization in Azure VM
- Configuring AppSettings with ASP.Net Core on Azure Web App for Containers: Whither Colons?
- how to get v2 type token using msal python
- The mock in my pester test keeps calling Connect-AzAccount
- HttpResponseError in Azure Ai search