AND OR Order of operation or grouping.
There is something on this page that needs clarification. I have asked 3 engineers in tickets now and have got 3 different responses.
So I wrote a conditional access policy to block Teams sign-in from non-compliant, non-Azure AD joined and non-Azure AD registered devices. I do understand all the expressions; it is combining expressions that is not clear.
So the AND/OR of the expression: how does this actually work? The first engineer I worked with had me exclude IsCompliant AND Trust Type Is Azure AD Joined AND Trust Type is Azure AD Registered, in that order.
This actually locked everyone everywhere out of Teams. Why? Because a device cannot be all 3 of those conditions at once. It is not possible. So the AND in all those worked as intended but was not the functionality I wanted.
So next I put: Trust Type Is Azure AD joined OR Trust Type is Azure AD registered AND IsCompliant
This worked, but when I asked the engineer how this is read or how it was evaluating the expressions, we couldn't determine. Also, I still have not got an answer.
Does it read like this: ( Is Azure AD joined OR is Azure AD registered ) AND Is Compliant
Or this
Is Azure AD joined OR ( is Azure AD registered AND Is Compliant )
Where exactly is that AND applied?
If it is the second scenario
( Is Azure AD joined AND Is Marked Compliant ) OR ( is Azure AD registered AND Is Marked Compliant )
Would creating a rule like that work as shown with the grouping?
Anyway, hopefully this is valuable feedback. I always find Microsoft documentation great. This is just one scenario on these specific rules that I can find no clear answer to anywhere. There may be conditional access policies out there that are not configured correctly because it is not really clear how this functions. Or, if this is found somewhere else, I cannot find it, so maybe add a reference to it on this page. There is a small note on how the AND may work differently on some device conditions, but nothing like what I explained above.
For me, being also an advanced C# programmer, the AND and OR and precedence really matter. I would guess they matter very much here as well. However, I cannot find the documentation for how they work.
Document Details
⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.
- ID: fcc79933-58e1-66d1-81ae-f43802d41223
- Version Independent ID: 5be1fefc-356e-d1eb-ab97-8cbe5654ff43
- Content: Filter for devices as a condition in Conditional Access policy - Microsoft Entra
- Content Source: articles/active-directory/conditional-access/concept-condition-filters-for-devices.md
- Service: active-directory
- Sub-service: conditional-access
- GitHub Login: @MicrosoftGuyJFlo
- Microsoft Alias: joflore
@JeffsRealm Thanks for your feedback! We will investigate and update as appropriate.
@MicrosoftGuyJFlo kindly take a look at it.
I read through the page and I am still not seeing an answer to my question. How is the grouping or combining of multiple AND / OR determined?
#label:"awaiting-product-team-response"
#reassign:@SanDeo-MSFT
@JeffsRealm Got feedback from the product team: AND takes precedence.
"true or true and false evaluates to true"
"So it looks like and does take precedence: true or (true and false) => true or false => true"
#please-close
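Added example, not part of the thread and not Microsoft's code: a small evaluator that applies the precedence reported above (AND binds tighter than OR) and lists which device states each expression from the issue matches. The names `joined`, `registered` and `compliant` are constructed stand-ins for the filter conditions, and the model assumes a device has exactly one trust type.

```python
import re

TRUST_TYPES = ("joined", "registered", "none")  # constructed: one trust type per device

def evaluate(expr, device):
    """Evaluate an AND/OR expression over named booleans; AND binds tighter than OR."""
    tokens = re.findall(r"\(|\)|\w+", expr)
    pos = 0

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of expression")
        pos += 1
        return tokens[pos - 1]

    def atom():
        tok = take()
        if tok == "(":
            value = or_expr()
            if take() != ")":
                raise ValueError("expected ')'")
            return value
        return device[tok]  # look up a named condition

    def and_expr():  # higher precedence: consumes a chain of ANDs first
        value = atom()
        while pos < len(tokens) and tokens[pos] == "AND":
            take()
            rhs = atom()
            value = value and rhs
        return value

    def or_expr():  # lower precedence: ORs whole AND-groups together
        value = and_expr()
        while pos < len(tokens) and tokens[pos] == "OR":
            take()
            rhs = and_expr()
            value = value or rhs
        return value

    result = or_expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens")
    return result

def matches(expr):
    """Return the (trust type, compliant) device states for which expr is true."""
    states = [(t, c) for t in TRUST_TYPES for c in (True, False)]
    return [(t, c) for t, c in states
            if evaluate(expr, {"joined": t == "joined",
                               "registered": t == "registered", "compliant": c})]
```

Under this precedence, `matches("joined OR registered AND compliant")` includes the joined but non-compliant state, which the explicitly grouped `(joined OR registered) AND compliant` does not.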