Specifying additional authentication control
On the Policy page, can specify additional authentication controls for an application by defining rules and the order in which the rules are applied.
You can also include JavaScript to identify specific circumstances (log ins from outside corporate IP ranges) when you want to block an application or you want to require additional authentication methods. For details, see Application access policies with JavaScript.

-
Click Policy in Admin Portal.
-
(Optional) Click Add Rule to specify conditional access.
The Authentication Rule window displays.
-
Click Add Filter on the Authentication Rule window.
-
Define the filter and condition using the drop-down menus.
For example, you can create a rule that requires a specific authentication method when users access Privileged Access Service from an IP address that is outside of your corporate IP range. Available filters vary depending on the object they are applied to and features enabled on your tenant. Supported filters are:
Filter Description IP Address
The authentication factor is the computer’s IP address when the user logs in. This option requires that you have configured the IP address range in Settings, Network, Corporate IP Range.
Identity Cookie The authentication factor is the cookie that is embedded in the current browser by Privileged Access Service after the user has successfully logged in.
Day of Week
The authentication factor is the specific days of the week (Sunday through Saturday) when the user logs in.
Date
The authentication factor is a date before or after which the user logs in that triggers the specified authentication requirement.
Date Range
The authentication factor is a specific date range.
Time Range
The authentication factor is a specific time range in hours and minutes.
Device OS
The authentication factor is the device operating system.
Browser
The authentication factor is the browser used for opening the Privileged Access Service portal.
Country
The authentication factor is the country based on the IP address of the user computer.
Certificate Authentication
The certificate is used for authentication.
For the Day/Date/Time related conditions, you can choose between the user’s local time and Universal Time Coordinated (UTC) time.
- Click the Add button associated with the filter and condition.
-
Select the profile you want applied if all filters/conditions are met in the Authentication Profile drop-down.
The authentication profile is where you define the authentication methods. If you have not created the necessary authentication profile, select the Add New Profile option. See Creating authentication profiles.
- Click OK.
- (Optional) In the Default Profile (used if no conditions matched) drop-down, you can select a default profile to be applied if a user does not match any of the configured conditions.
- (Optional) If you have more than one authentication rule, you can drag and drop the rules to a new position in the list to control the order they are applied.
- Click Save.
Note: If you have no authentication rules configured and you select Not Allowed in the Default Profile drop-down, users will not be able to log in to the service.