Introduce priorities for Azure AD Conditional Access policies
Can you please introduce the possibility to set priorities for Conditional Access policies?
In complex environments (with different CA policies for different use cases) it's very hard to create CA policies without any open doors. Therefore it would be fantastic if you could create a catch-all CA policy and then selectively allow one service after another (like on a firewall).
We’re continuing design work in this area.
Stephan G commented
I also vote for precedence.
It makes building complex rules much easier and a "block all" rule at the end would fix the missing policies.
Just like for firewall policies. Is there a timeframe when this will come?
Currently, requests to access an Azure / 365 resource are assessed against all CA policies configured in the tenant. Any matched rule that has a block action configured results in the request being blocked (as block always beats allow). This makes it difficult to design complex CA policy rulesets, as a designer has to consider the effect of every single CA policy when adding a new rule.
An alternative would be to introduce the concept of precedence to CA policy processing (in a manner similar to a firewall ruleset). This would simplify creating new policies and allow for a greater combination of scenarios / access use cases.
With precedence, CA policies would be processed top to bottom, with the first rule matching the access condition being triggered, i.e. if a user is trying to access SharePoint Online and there is a rule allowing access at the top of the ruleset, then the user would be granted access regardless of whether there is a rule lower down that denies access. Granular CA policies could then be layered into the tenant with minimal effort and predictable results.
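The two evaluation models described in this thread, as an added illustration that is not part of the original post and not Microsoft's code: a small simulator with constructed policies and sign-in requests. The `Policy`/`Request` types, the group and app names, and the `"*"` wildcard are assumptions made for the example; the point it shows is that under the current "any block wins" model the result is independent of policy order and a request hitting no policy is an open door, while under firewall-style precedence the first matching rule decides.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    users: frozenset  # user groups targeted; "*" matches every group (constructed)
    apps: frozenset   # cloud apps targeted; "*" matches every app (constructed)
    action: str       # "block" or "grant"

@dataclass(frozen=True)
class Request:
    user_group: str
    app: str

def matches(p: Policy, req: Request) -> bool:
    """A policy applies when both its user and app assignments cover the request."""
    return (("*" in p.users or req.user_group in p.users)
            and ("*" in p.apps or req.app in p.apps))

def evaluate_current(policies, req: Request) -> str:
    """Current model from the thread: every matching policy applies, and any
    matching block beats any grant. Order of the policies does not matter."""
    matched = [p for p in policies if matches(p, req)]
    if not matched:
        # No policy constrains this sign-in: the "open door" a catch-all would close.
        return "no-policy"
    return "block" if any(p.action == "block" for p in matched) else "grant"

def evaluate_precedence(policies, req: Request) -> str:
    """Proposed firewall-style model: first matching policy, top to bottom, decides."""
    for p in policies:
        if matches(p, req):
            return p.action
    return "no-policy"

def open_doors(policies, requests) -> list:
    """Requests that no policy in the ruleset covers under the current model."""
    return [r for r in requests if evaluate_current(policies, r) == "no-policy"]

# Constructed ruleset: a targeted allow, a broader block, then a catch-all block.
POLICIES = [
    Policy("Allow SharePoint for Sales", frozenset({"sales"}), frozenset({"SharePoint"}), "grant"),
    Policy("Block Sales and Contractors", frozenset({"sales", "contractors"}), frozenset({"*"}), "block"),
    Policy("Catch-all block", frozenset({"*"}), frozenset({"*"}), "block"),
]

if __name__ == "__main__":
    req = Request("sales", "SharePoint")
    print("current:   ", evaluate_current(POLICIES, req))      # block (rule 2 wins)
    print("precedence:", evaluate_precedence(POLICIES, req))   # grant (rule 1 is first)
    print("open doors without catch-all:", open_doors(POLICIES[:2], [Request("engineering", "Teams")]))
```

Dropping the catch-all from the ruleset and running `open_doors` over a list of expected sign-in shapes is a quick way to see which requests a CA design leaves uncovered.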