Microsoft Conditional Access
What is Microsoft Conditional Access (MSCA)
Microsoft Conditional Access is Microsoft’s Zero Trust policy engine that enforces access controls based on device and user signals.
In this documentation, we refer to it as MSCA.
If your Relution users are synced via Microsoft Entra ID, you can additionally enable Conditional Access to enforce compliance-based restrictions.
When a Relution-managed device changes its compliance status (e.g., from compliant to non-compliant), this information is automatically synced with Microsoft.
Depending on your Conditional Access policies, it is possible to restrict access to specific applications when a device is marked as non-compliant.
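The following is an added example, not taken from the Relution or Microsoft documentation: a Conditional Access policy, in the JSON form accepted by the Microsoft Graph `conditionalAccessPolicy` resource, that grants access to one application only from devices marked as compliant. All values in angle brackets are placeholders, and the display name, group scoping and excluded account are assumptions chosen for illustration.

```json
{
  "displayName": "EXAMPLE - Require compliant device (Relution-managed)",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "clientAppTypes": ["all"],
    "users": {
      "includeGroups": ["<PLACEHOLDER-object-id-of-group-with-Entra-synced-Relution-users>"],
      "excludeUsers": ["<PLACEHOLDER-object-id-of-emergency-access-account>"]
    },
    "applications": {
      "includeApplications": ["<PLACEHOLDER-app-id-of-protected-application>"]
    },
    "platforms": {
      "includePlatforms": ["android", "iOS", "macOS", "windows"]
    }
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["compliantDevice"]
  }
}
```

The `enabledForReportingButNotEnforced` state evaluates the policy in report-only mode, so sign-in logs show which devices would be blocked before the policy is switched to `enabled`. Excluding an emergency access account keeps an administrator from being locked out if compliance data stops syncing.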
Supported Platforms
- Android Enterprise
- iOS
- macOS
- Windows
  - Devices must be Entra ID joined or enrolled via Autopilot.
Preconditions
To use Microsoft Conditional Access with Relution, the following requirements must be met:
- Available from Relution Server 5.33.1
- Microsoft Entra ID P1 licenses. See more here.
- Entra ID configured with user sync active, see Linking Entra ID and Relution
- Broker app for authentication must be available on the device:
  - Android Enterprise & iOS - Microsoft Authenticator - is installed automatically when MSCA is activated
  - macOS - Company Portal App - has to be installed on the device. Can be downloaded here.
- Entra users can log in to Relution only after OIDC has been configured.
- To use Microsoft Conditional Access, the Conditional Access configuration must be applied to the affected devices through an appropriate policy.
Limitations
- Conditional Access can't currently be configured per global organization in Relution.
- Users must have been imported via Entra Sync; users previously synchronized through LDAP, for example, cannot be used.
- Users imported via Entra Sync must exist in the same organization as their associated devices.
- Shared iPad has various restrictions with CA configurations, such as "Device must be marked as compliant". As a result, Relution shows the message "Microsoft Conditional Access is not configured". More information can be found in the Microsoft documentation here.