Introduction:
There is an application "App" registered in an external Azure tenant (ExternalTenant) that my users log in to using their tenant (InternalTenant) email.
This application allows anyone to log in, but requests permission consent to "Read email calendar events" in order to synchronize the user's Exchange calendar with the App's internal calendar events.
My users (assuming they have a license that gives them a mailbox/calendar) can grant this consent and then use the application normally.
I'm currently playing with Entra ID Conditional Access, and I have made a couple of policies to restrict which users can use the App.
Inside the policies I have selected the App in Target Resources, and then made some test conditions to filter access by OS.
This has worked great, but my next step is to enforce a more granular permission.
I want all users to be able to log in to the app, but to restrict which of them can pass the Calendars.ReadWrite claim value.
Ideally, I would like to enforce MFA when this specific claim is requested, but to allow non-MFA login when it isn't.
Is this possible?
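As an added illustration (not code from the question or the answer), the following Microsoft Graph PowerShell SDK script builds the kind of Conditional Access policy described above: it targets the App, conditions on the Windows platform, and requires MFA. It assumes the Microsoft.Graph module is installed, that the caller has the Policy.ReadWrite.ConditionalAccess and Policy.Read.All scopes, and that the two GUIDs are placeholders for the App's application (client) ID and an emergency-access account. The read-back at the end shows the condition set the policy object actually exposes.

```powershell
# Added example, not code from the original post: create a Conditional Access
# policy that targets one app, conditions on OS, and requires MFA.
# Assumed: Microsoft.Graph PowerShell SDK installed; caller holds the scopes below;
# the two GUIDs are placeholders to replace.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$appId        = "00000000-0000-0000-0000-000000000000"  # placeholder: App's application (client) ID
$breakGlassId = "11111111-1111-1111-1111-111111111111"  # placeholder: emergency-access account object ID

$policy = @{
    displayName   = "CA - App - Require MFA on Windows"
    state         = "enabledForReportingButNotEnforced"  # report-only first; switch to "enabled" after reviewing sign-in logs
    conditions    = @{
        applications   = @{ includeApplications = @($appId) }
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        platforms      = @{ includePlatforms = @("windows") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back. The conditions object carries applications, users, platforms,
# locations, client app types, risk levels and devices. There is no condition on the
# scope or claim the app requests, so the MFA grant applies to every sign-in to the app.
(Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id).Conditions | Format-List
```

Keep the policy in report-only mode until the sign-in logs confirm it matches only the intended users and platforms, and keep the emergency-access exclusion so a misconfigured MFA requirement cannot lock administrators out.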
Note that you cannot configure a Conditional Access policy based on a specific Graph claim.
You can select the applications:
And the conditions are as shown below; you cannot configure a condition based on the claim:
Hence, you cannot configure the policy based on the specific claim.
Reference:
Building a Conditional Access policy - Microsoft Entra ID | Microsoft