Conditional Access

Conditional access (CA) is the process of permitting access to IT resources based on predefined conditions. By creating access policies based on users’ device types, time of access, IP addresses, or geolocation, you can strictly control access to your network and data. CA provides added security and helps prevent attackers from gaining access to IT resources.

ADSelfService Plus provides conditional access to ensure that only authorized users have access to workstations, applications, endpoints, and the various features that are available in ADSelfService Plus.

Understanding how conditional access works in ADSelfService Plus

Conditional access relies on certain criteria, which are put through a logical function to create a condition. Users who meet this condition are given access to ADSelfService Plus under a specific policy, and this is called a CA rule. This rule determines which self-service policy will be applied to a user, which in turn determines the multi-factor authentication (MFA) methods, cloud applications, and self-service features that are enabled for that user.


Criteria are user-related factors, such as device type, IP address, or geolocation. Under this section, you can both define your criteria and then select them to define your condition as needed. You can define and select your criteria based on the following factors:

IP Address: You can choose the kind of IP addresses you are configuring the conditional access rule for: static IPs, proxy server IPs, VPN IPs. You can also define whether the IP addresses you specify are Trusted or Untrusted IPs.

Device: Your criteria can be specific computer objects and/or the platform (Windows, macOS, Linux, mobile web app, or native mobile app) they run on.

Business hours: You can specify both business or non-business hours and choose to use either as a criteria for your condition.

Geolocation: Your criteria can be defined based on where the user is located and accessing ADSelfService Plus from.

Note: Geolocation-based condition relies on IP address of the user to determine the location. Hence, only access from public IP addresses will be evaluated. This criteria will not include users with private IP addresses.


Once you have defined and enabled the criteria based on your requirement, you can combine the enabled criteria using AND, OR, and NOT operators to formulate a condition. This condition will determine how the different criteria are evaluated to determine the access request's result.

For example, assume your users are located all over the world except in some countries. You need to ensure that they access resources only during business hours and from trusted IP addresses alone. In such a case, you need to enable:

  1. IP address criteria (with the trusted IPs).
  2. Business hours criteria (with allowed time).
  3. Geolocation criteria (with the countries where you don’t have users).

Then, you can use a logical function like the one below to formulate your condition:

Condition: 1 AND 2 AND (NOT 3)

Conditional access rule

By associating the conditions and criteria with one or more self-service policies, you create a conditional access rule. A self-service policy allows you to enable the product’s features and configure how it should work for different sets of users based on their OU and group membership.

If you create multiple conditional access rules, you can choose to prioritize them. So, if a user falls under multiple CA rules, the rule with the highest priority will take effect, and subsequently, the self-service policies associated with that rule will be applied to the user. If a user does not fall under any conditional access rule, then the self-service policies will be applied based on the priority set to the policies in the Policy Configuration page.

Configuring conditional access

Rule configuration

  1. Log in in to ADSelfService Plus as an admin.
  2. Navigate to Configuration > Self-Service > Conditional Access > Rule configuration.
  3. Click Configure New Conditional Access (CA) Rule.
  4. Enter a CA Rule Name and Description.
  5. Select the Criteria based on your requirements: IP-address based, device-based, business hours-based, or geolocation-based.
  6. Note: These criteria are the basis for making a decision. You can both define a criteria and enable it under this section.

    • IP address-based
      • Select the types of IP addresses by checking the respective boxes:
        • For users who connect to your network directly through their client computers, you can enable Static IP.
        • If your users connect through a proxy server, you can enable Proxy Server IP.
        • If your users connect through a VPN server, you can enable VPN IP. To ensure that IP-based conditional access works for the VPN MFA feature, refer to this section to make the required changes at the NPS extension.
        • Note: If you have enabled all three types of IPs, the following rule applies: * (Static IP AND Proxy IP) OR VPN IP.

      • Select whether the IPs you've entered are Trusted or Untrusted.
      • For static IPs, enter the range of IP addresses in the IP Range fields. Use the + icon to add more IP ranges. You can also enter individual IPs and use * as the wildcard character for selecting an entire class of IP addresses.
    • Device-based
      • Select the Computers checkbox and then click the + icon.
      • In the Select Client Computer dialog box that opens, select the domain and then the computer objects. Click OK.
      • Select the Platforms checkbox and then use the drop-down to select the platform(s). You can choose from Windows, macOS, Linux, mobile web app, and the native mobile app.
    • Business hours-based
      • Select the Business Hours checkbox.
      • Select whether you want to configure business hours or non-business hours by clicking on the corresponding radio button.
      • From the Day and Time range provided, configure your business or non-business hours.

      Note: The time will be applied based on the time zone you have selected for the setting found in Admin > Personalize > Time Zone.

    • Geolocation-based
      • Select the Geolocation checkbox.
      • Select the applicable Countries from the drop-down.
  7. A Condition is automatically created with the criteria you have enabled. If the created condition matches your requirements, you do not have to make any changes to it. Modify it only if you are sure that it does not satisfy your requirements. You can use AND, OR, and NOT operators to formulate the logic.
  8. Click Configure.

Rule assignment

  1. Login to ADSelfService Plus as an admin.
  2. Go to Configuration > Self-Service > Conditional Access > Rule assignment.
  3. Select the rule that you want to assign from the drop-down.
  4. Select the policy to which you want to assign this rule.
  5. Note: This refers to the self-service policy that you can configure by going to Configuration > Self-Service > Policy Configuration. To learn more, refer to this page.

    It is important to note that the selected policy will be applicable to a user only if:

    • The user satisfies the rule.
    • The user is included in the selected policy.
    Example: Consider three self-service policies, A, B, and C, and two conditional access rules, 1 and 2. Assume a user belongs to policies A and B. Let's say both policies A and C are assigned to rule 1. If a user satisfies rule 1, then only policy A will be assigned to the user as he belongs only to policy A.
  6. Also, allow or block NTLM single sign-on and ADSelfService Plus portal access. These settings will be applicable wherever the selected rule is satisfied.
  7. Note: The option to allow or block NTLM single sign-on will be enabled only if NTLM authentication is configured in logon settings.

Prioritizing the conditional access rules

If you have created multiple conditional access rules, you can set priority for each rule so that the rule with the highest priority is applied to users who fall under multiple rules.

To prioritize the conditional access rules:

  1. In the Conditional Access configuration page, click on the change priority icon at the top right corner (next to the Configure New Conditional Access (CA) Rule button).
  2. Drag the rules and order them based on your requirements. The rule at the top will have the highest priority.

Modifying, copying, disabling, and deleting conditional access rules

A rule can be modified to change the conditions or condition logic, copied to create a new rule, disabled, or deleted.

  1. Go to the Conditional Access configuration page (Configuration > Self-Service > Conditional Access).
  2. You will see a table containing all the conditional access rules that have been created.
  3. Under the Actions column, click on an icon based on the action you want to perform.
  4. Toggle the icon-enable and icon-disable icons to enable or disable a rule. If there is a ☑ icon, it means the rule is enabled, and if there is a ☒ icon, it means the rule is disabled.
  5. Click on the icon to modify the rule.
  6. Click on the icon-copy icon to copy the rule and create a new rule from it.
  7. Click on the icon-delete icon to delete a rule.


Your request has been submitted to the ADSelfService Plus technical support team. Our technical support people will assist you at the earliest.


Need technical assistance?

  • Enter your email ID
  • Talk to experts
  • By clicking 'Talk to experts' you agree to processing of personal data according to the Privacy Policy.

Don't see what you're looking for?


    Visit our community

    Post your questions in the forum.


    Request additional resources

    Send us your requirements.


    Need implementation assistance?

    Try onboarding


Copyright © 2024, ZOHO Corp. All Rights Reserved.