1. (Optional) Click Add Rule to specify conditional access.

    The Authentication Rule window displays.

  2. Click Add Filter on the Authentication Rule window.

  3. Define the filter and condition using the drop-down menus.

    For example, you can create a rule that requires a specific authentication method when users access Privileged Access Service from an IP address that is outside of your corporate IP range. Available filters vary depending on the object they are applied to and features enabled on your tenant. Supported filters are:

    Filter Description

    IP Address

    The authentication factor is the computer’s IP address when the user logs in. This option requires that you have configured the IP address range in Settings, Network, Corporate IP Range.

    Identity Cookie

    The authentication factor is the cookie that is embedded in the current browser by Privileged Access Service after the user has successfully logged in.

    Day of Week

    The authentication factor is the specific days of the week (Sunday through Saturday) when the user logs in.


    The authentication factor is a date before or after which the user logs in that triggers the specified authentication requirement.

    Date Range

    The authentication factor is a specific date range.

    Time Range

    The authentication factor is a specific time range in hours and minutes.

    Device OS

    The authentication factor is the device operating system.


    The authentication factor is the browser used for opening the Privileged Access Service portal.


    The authentication factor is the country based on the IP address of the user computer.

    Certificate Authentication

    The certificate is used for authentication.

    For the Day/Date/Time related conditions, you can choose between the user’s local time and Universal Time Coordinated (UTC) time.

  4. Click the Add button associated with the filter and condition.
  5. Select the profile you want applied if all filters/conditions are met in the Authentication Profile drop-down.

    The authentication profile is where you define the authentication methods. If you have not created the necessary authentication profile, select the Add New Profile option. See Creating authentication profiles.

  6. Click OK.
  7. (Optional) In the Default Profile (used if no conditions matched) drop-down, you can select a default profile to be applied if a user does not match any of the configured conditions.
  8. Note:   If you have no authentication rules configured and you select Not Allowed in the Default Profile drop-down, users will not be able to log in to the service.

  9. (Optional) If you have more than one authentication rule, you can drag and drop the rules to a new position in the list to control the order they are applied.