Office 365 sign-on rules options
This topic explains conditions and actions available for Office 365 app sign-on rules.
To create sign-on rules for an Office 365 app instance, follow the steps explained in Add an authentication policy rule. In addition to the conditions explained in the topic, you can add the following client-specific conditions to your Office 365 app sign-on policy. These conditions allow you to apply sign-on rules based on whether the user is using a web browser, legacy authentication, or modern authentication.
You can add maximum 100 rules to Office 365 sign on policy, including the Catch-All rule.
If conditions
Client is
Option | What it does |
---|---|
Any client |
Default option. Applies the rule irrespective of the user's client. This option does not support multifactor authentication. Only single-factor password-based authentication will be used to authenticate users. |
One of the following clients |
Applies the rule to specific clients. See the table below for options. |
Client options
Option | What it does |
---|---|
Web browser | Applies the rule to web browsers such as Chrome, Safari, or Internet Explorer. |
Modern Authentication |
Applies the rule to thick client applications configured to leverage Modern Authentication. This includes Office 2013 and 2016 clients with required patches or configuration updates, as detailed in this Microsoft Support documentation: Updated Office 365 modern authentication. Modern Authentication is a configurable setting on an Office 365 tenant for Exchange Online. See Microsoft documentation: Enable or disable modern authentication in Exchange Online and Office 365: Enable Modern Authentication. |
Exchange ActiveSync/ Legacy Authentication |
Applies the rule to native mail clients on iOS or Android devices, as well as older desktop clients on macOS and MS Windows that don't support Modern Authentication.
|
Custom |
Specify a client to allow or deny it access to Office 365. This filter can be used to deny access to untrusted clients or to only allow trusted clients. See Allow or deny custom clients in Office 365 sign-on policy. |