Azure AD – You can now use app filtering when configuring conditional access (preview)

As you know, Azure AD (P1 license minimum) allows you to set up conditional access to secure access to your applications and your workloads identities.

Well, when it comes to selecting the applications/workloads to include in the condition you have the choice to apply to all cloud application or explicitly selected ones.

The later obviously introduces a potential gap in the condition as when new cloud applications are added there is a need to also update the condition – which is often being missed and forgotten.

To help ensuring all selected applications (including newly added after the conditional access configuration) are always covered and include in the condition, you can now a custom security attribute (see to tag your applications and use this in the condition.

To start using this new capability, connect to your Azure AD portal ( or Entra portal ( to first tag your applications with the custom security attribute

NOTE you will need either global administrator, attribute definition administrator or attribute assignment administrator role assigned to your account

If you did not have create yet such custom security attribute you will first need to create it – see

Azure Active Directory\Enterprise Applications (AAD) or Applications\Enterprise Applications (Entra)

image  image

Then select the application you want to tag and define your attribute


Once done, access the conditional access configuration blade to create (or edit) your rule to use the security attribute

Azure Active Directory\Security\Conditional Access\Policies (ADD or Protect & secure\Conditional Access\Policies (Entra)

The option to use the security attribute is available in the Cloud apps or action section


Leave a Comment

Your email address will not be published. Required fields are marked *

The reCAPTCHA verification period has expired. Please reload the page.