Update admin-manage-apps.md

alaug · web-flow · commit f0004e271bd0 · 2021-09-10T14:18:42.000-07:00
Adding content for the ability to apply Conditional Access policies to granular apps.
diff --git a/power-platform/admin/admin-manage-apps.md b/power-platform/admin/admin-manage-apps.md
@@ -132,6 +132,54 @@ Set-AppAsUnquarantined -EnvironmentName <EnvironmentName> -AppName <AppName>
 Get-AppQuarantineState -EnvironmentName <EnvironmentName> -AppName <AppName>
 ```
 
+## Conditional Access on granular apps (preview)
+In addition to respecting Conditional Access policies applied to the Power Apps service, it is possible to apply Azure AD Conditional Access policies to granular Power Apps apps. E.g. An admin can apply a Conditional Access policy requiring Multi-factor authentication only on apps containing sensitive data. Power Apps leverages [Azure AD Conditional Access authentication context](https://docs.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps#authentication-context-preview) as the mechanism to target Conditional Access policies on granular apps. Admins are the persona allowed to add and remove authentication contexts on an app. Makers cannot edit authentication contexts on an app.
+
+> [!NOTE]
+> 1. Authentication contexts set on an app are not moved with apps in solutions and moved across environments. This allows different authentication contexts to be applied to apps in different environments. Also, as an app moves across environments via solutions the authentication context set in an environment is preserved, e.g. if an authentication context is set on an app in a UAT environment, that authentication context is preserved. 
+> 2. Multiple authentication contexts may be set on an app. An end-user must pass the union of Conditional Access policies applied by multiple authentication contexts. 
+
+The following table outlines how Conditional Access enforcement on a specific app impacts the experiences for Admins, Makers and End-users.  
+
+| Persona  | Experience                                                                                                                                                                                                                                                      |
+|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Admin    | Regardless of Conditional Access policies associated with an app, an app is visible to admins in Power Platform Admin Center and PowerShell cmdlets.                                                                                                            |
+| Maker    | Regardless of Conditional Access policies associated with an app, an app is visible in https://make.powerapps.com and can be opened for editing in Power Apps Studio.                                                                                           |
+| End User | Conditional Access policies applied to an app are enforced when end-users launch the app. A user that does not pass the Conditional Access checks is presented a dialog in the authentication experience indicating they’re not allowed to access the resource. |
+
+After admins associate authentication contexts to Conditional Access policies in https://portal.azure.com they may set the authentication context id on an app. The following image illustrates where to get the authentication context id. 
+
+> [!div class="mx-imgBorder"] 
+> ![Azure Portal Authentication Context id.](media/admin-manage-apps/power_apps_authentication_context_id.png "Azure Portal Authentication Context id.")
+
+End-users that do not meet Conditional Access policy requirements will observe the following dialog after signing in to access an app. 
+
+> [!div class="mx-imgBorder"] 
+> ![Conditional Access enforcement experience.](media/admin-manage-apps/power_apps_conditional_access_AAD_dialog.png "Conditional Access enforcement experience" )
+
+The following table reflects conditional access on granular apps support:
+
+| Power Apps type  | Conditional Access on granular apps support |
+|------------------|---------------------------------------------|
+| Canvas app       | Preview availability                        |
+| Model driven app | Not supported                               |
+
+### Add Conditional Access authentication context ids to an app
+```PowerShell
+Set-AdminPowerAppConditionalAccessAuthenticationContextIds –EnvironmentName <EnvironmentName> -AppName <AppName> -AuthenticationContextIds <id1, id2, etc...>
+```
+
+### Get Conditional Access authentication context ids set on an app
+```PowerShell
+$app = Get-AdminPowerApp -EnvironmentName <EnvironmentName> -AppName <AppName>
+$app.Internal.properties.executionRestrictions.conditionalAccessAuthenticationContextIds
+```
+
+### Remove Conditional Access authentication context ids on an app
+```PowerShell
+Remove-AdminPowerAppConditionalAccessAuthenticationContextIds –EnvironmentName <EnvironmentName> -AppName <AppName>
+```
+
 ### See also
 [Power Apps admin PowerShell support](powerapps-powershell.md#power-apps-commands)
 
