# Conditional access policies

***Conditional Access Policies*** evaluate conditions such as authentication type, time, IP address, Geo IP, user, and user group to decide whether to allow or deny access to a specific resource or service. By implementing them, organizations can enforce security measures that align with their own needs and requirements.

{% hint style="info" %}
In a high-availability or load-balancing environment, changes to the conditional access policies may take up to 5 minutes to be fully applied.
{% endhint %}

1. To view Devolutions Server's ***Conditional Access Policies*** in the web interface, go to ***Administration – Configuration – Server Settings***.

![](https://cdnweb.devolutions.net/docs/DVLS6013_2025_3.png)

2. Click on ***Conditional Access Policies*** under ***Security***.

![](https://cdnweb.devolutions.net/docs/DVLS6006_2025_3.png)

### Configure Login from the web interface

1. Select ***Login*** in the ***Target*** drop-down menu and click on the plus button (***Add***).

![](https://cdnweb.devolutions.net/docs/docs_en_server_ServerOp6023.png)

2. Choose a policy name and action from the ***Action when matched*** and ***Action when not matched*** menus.
   * ***Continue***: Go to the next policy. The default action is applied if this is the last policy.
   * ***Access Denied***: The user's access will be denied. Users will receive an error and will not be able to log in.
   * ***Access Allowed***: The user's access will be allowed. 2FA may still be required, depending on the configuration.

![](https://cdnweb.devolutions.net/docs/docs_en_server_ServerOp6019.png)

3. Click on the plus button (***Add***) in the ***Rules*** section.

![](https://cdnweb.devolutions.net/docs/docs_en_server_ServerOp6015.png)

4. Choose from the drop-down menu whether the rule applies to:
   * ***Authentication type***
   * ***Time***
   * ***IP Addresses***
   * ***Geo IP***
   * ***Users***
   * ***Users Groups***
   * ***Administrator***

![](https://cdnweb.devolutions.net/docs/docs_en_server_ServerOp6006.png)

5. Click ***Add*** to close the window.
6. Select ***All*** or ***Any*** under ***Rules – Rule validation***.
   * ***All:*** All rules must be followed to continue.
   * ***Any:*** The user can log in once a rule has been followed.

![](https://cdnweb.devolutions.net/docs/docs_en_server_ServerOp6017.png)

7. Click ***Is Active*** to enable or disable the policy.

![](https://cdnweb.devolutions.net/docs/docs_en_server_ServerOp6020.png)

8. Click ***Add*** to save the policy.

### Configure multifactor authentication from the web interface

Select ***MFA*** in the ***Target*** drop-down menu.

1. Choose a ***Default action when no policy matches*** from the following:
   * ***MFA Required***: MFA is enforced for all users. A default MFA type is set for all users.
   * ***MFA Skipped***: MFA is not enforced.
   * ***MFA Optional per User***: MFA is enforced on an individual basis. The administrator chooses who uses MFA and what product or technology they use. Choose this option if not all users are set up for multifactor authentication.

{% hint style="info" %}
When MFA usage is set to ***MFA Optional per User***, the MFA method must be configured in ***Administration – Users*** for each user. Edit or add a user, then go to the ***Multifactor*** section to configure it. You can also set an MFA type on the user if they are using a product different from the default method. See [Multifactor (Edit User)](https://docs.devolutions.net/server/web-interface/administration/security-management/users/edit-user-two-factor/).
{% endhint %}

![](https://cdnweb.devolutions.net/docs/docs_en_server_ServerOp6003.png)

2. Back in the ***Multifactor*** section, choose whether the reset email is sent to the ***Administrator(s)*** or to a ***Specific email*** (in which case you must enter the address in the ***Specific email*** field).

![](https://cdnweb.devolutions.net/docs/docs_en_server_ServerOp2064.png)

3. Check the boxes next to the supported authenticators that you want to enable. You can choose as many as necessary.

{% hint style="info" %}
The currently supported multifactor authenticators are Authenticator (TOTP), Yubikey, Email, [SMS](https://docs.devolutions.net/server/web-interface/administration/configuration/server-settings/security/two-factor/sms/), Duo, and Radius. You must configure them separately using the instructions next to them. Emails need to be configured beforehand in Devolutions Server for the ***Email*** and ***SMS*** (without Twilio) MFAs.
{% endhint %}

![](https://cdnweb.devolutions.net/docs/docs_en_server_ServerOp2065.png)

4. Select the ***Default*** MFA from the ones you enabled in the previous step.
5. Select alternate ways to log in from ***Email*** and [***Backup codes***](https://docs.devolutions.net/server/web-interface/administration/configuration/server-settings/security/two-factor/backup-codes/). These options will be offered when users do not have access to their usual method.

   <figure><img src="https://cdnweb.devolutions.net/docs/docs_en_server_ServerOp2066.png" alt=""><figcaption></figcaption></figure>
6. Click ***Save***.
7. To add a rule to the ***Conditional Access Policies***, go back to ***Administration – Configuration – Server Settings – Security – Conditional Access Policies***.
8. Select ***MFA*** in the ***Target*** drop-down menu and click on the plus button (***Add***).

![](https://cdnweb.devolutions.net/docs/docs_en_server_ServerOp6025.png)

9. Choose a policy name and action from the ***Action when matched*** and ***Action when not matched*** menus.
   * ***Continue***: Go to the next policy. The default action is applied if this is the last policy.
   * ***MFA Required***: MFA is enforced for all users. A default MFA type is set for all users.
   * ***MFA Skipped***: MFA is not enforced.
   * ***MFA Optional per User***: MFA is enforced on an individual basis. The administrator chooses who uses MFA and what product or technology they use. Choose this option if not all users are set up for multifactor authentication.

![](https://cdnweb.devolutions.net/docs/docs_en_server_ServerOp6026.png)

10. Click on the plus button (***Add***) in the ***Rules*** section.

![](https://cdnweb.devolutions.net/docs/docs_en_server_ServerOp6015.png)

11. Choose from the drop-down menu whether the rule applies to:
    * ***Authentication type***
    * ***Time***
    * ***IP Addresses***
    * ***Geo IP***
    * ***Users***
    * ***Users Groups***
    * ***Administrator***

      <figure><img src="https://cdnweb.devolutions.net/docs/docs_en_server_ServerOp6006.png" alt=""><figcaption></figcaption></figure>
12. Click ***Add*** to close the window.
13. Select ***All*** or ***Any*** under ***Rules – Rule validation***.
    * ***All:*** All rules must be followed to continue.
    * ***Any:*** The user can log in once a rule has been followed.

![](https://cdnweb.devolutions.net/docs/docs_en_server_ServerOp6017.png)

14. Click ***Is Active*** to enable or disable the policy.

![](https://cdnweb.devolutions.net/docs/docs_en_server_ServerOp6020.png)

15. Click ***Add*** to save the policy.
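
The policy chain described in both procedures above (***Continue*** falls through to the next policy, the default action applies after the last one, and ***All***/***Any*** decides how rules combine) can be checked on paper before it is saved. The following model is an added example, not Devolutions Server code: the `Policy` class, the rule helpers, the skipping of inactive policies, and the sample policies, groups and addresses are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

CONTINUE = "Continue"

@dataclass
class Policy:                      # hypothetical model of one policy entry
    name: str
    rules: list                    # callables: request dict -> bool
    validation: str                # "All" or "Any" (Rule validation)
    when_matched: str              # Action when matched
    when_not_matched: str          # Action when not matched
    is_active: bool = True

def in_networks(*cidrs):
    """Hypothetical 'IP Addresses' rule: client IP is in one of the CIDRs."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda req: any(ipaddress.ip_address(req["ip"]) in n for n in nets)

def in_group(group):
    """Hypothetical 'Users Groups' rule: user belongs to the group."""
    return lambda req: group in req["groups"]

def evaluate(policies, default_action, req):
    """Walk policies in order; return (action, name of the deciding policy)."""
    for p in policies:
        if not p.is_active:        # assumption: disabled policies are skipped
            continue
        results = [rule(req) for rule in p.rules]
        matched = all(results) if p.validation == "All" else any(results)
        action = p.when_matched if matched else p.when_not_matched
        if action != CONTINUE:     # any other action ends the evaluation
            return action, p.name
    return default_action, "default"

# Constructed MFA-target chain: order matters, admins are decided first.
POLICIES = [
    Policy("Admins always MFA", [in_group("Administrators")],
           "All", "MFA Required", CONTINUE),
    Policy("Office network", [in_networks("10.20.0.0/16"), in_group("Staff")],
           "All", "MFA Skipped", CONTINUE),
]
DEFAULT = "MFA Required"           # Default action when no policy matches

if __name__ == "__main__":
    for req in ({"ip": "10.20.1.5", "groups": ["Administrators", "Staff"]},
                {"ip": "10.20.1.5", "groups": ["Staff"]},
                {"ip": "203.0.113.7", "groups": ["Staff"]}):
        print(req, "->", evaluate(POLICIES, DEFAULT, req))
```

In this model, switching the "Office network" policy from ***All*** to ***Any*** makes the group rule sufficient on its own, so a staff login from outside the office range would also get ***MFA Skipped***.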

#### See also

* [Devolutions Academy – Enforce MFA for users from Devolutions Server web interface](https://academy.devolutions.net/student/page/2747690-enforce-mfa-for-users-from-devolutions-server-web-interface?curriculum_activity_id=4182448\&path_id=2628397\&sid=bb09373a-649a-4eec-b775-94cdc950983e\&sid_i=0)

