
HelloID

Add, edit, or remove an application access rule
Add an application access rule
  1. Go to Security > Policies > Application Access Rules.

  2. Click Add Access Rule.

  3. Apply your desired settings on the relevant tabs, which are described below.

  4. Click Save.

The access rule has been added, and if enabled, will be applied according to its priority.

Perform Action

This option changes the behavior of the entire access rule—it specifies whether the subsequent conditions should be interpreted as permit or deny conditions.

Permit Access

Users will be granted access only if they meet all of this rule's conditions.

Deny Access

Users will be denied access if they fail to meet any of this rule's conditions.

When Accessing

Apply this rule to one or more Identity providers (IdPs).

By People

Apply this rule to one or more Groups.

From Locations

Apply this rule to one or more countries.

From Network

Apply this rule only to certain IP addresses or IP ranges.

In the text field, enter the IP addresses (e.g., 192.168.1.1) or IP address ranges (e.g., 192.168.1.1-192.168.1.254) to which this rule will apply, separated by semicolons.

Do Not Use IP Ranges To Apply This Rule

This rule will apply to all IP addresses (i.e., IP filtering is disabled).

IP Restriction For These IP Ranges

This rule will apply only to the IP ranges you enter in the text field.

Apply This Rule On All IP Ranges Except

This rule will apply to all IP ranges except the ones you enter in the text field.

Use WAN IP Addresses From Active Agents

Dynamically specifies the IP addresses of all HelloID Agents (see Agent) which were active in the last 24 hours. This feature obeys the IP range logic you've configured. Agent IPs are combined with any manually entered IPs using OR logic. This option is useful if your HelloID Agents share a WAN IP address with users in an office. For example, you can use it to create an access rule that bypasses 2FA for on-site users.

Note

Agent IPs included by this setting are not displayed on this screen. To manually check which Agent IP addresses are being used, go to the Agents overview and check the IP column. All IP addresses (for all Agents in all Agent Pools) which were active in the last 24 hours are included.
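The matching behavior described in this section, modeled in Python as an added example. This is not HelloID code: the mode names, function names, and sample addresses are constructed for illustration, and HelloID's own parser may accept or reject input differently.

```python
import ipaddress

# Labels chosen for this sketch; they mirror the three options on the tab.
DISABLED, ONLY, EXCEPT = "disabled", "only", "except"

def parse_ip_field(text):
    """Parse 'a;b-c;...' into a list of (low, high) address pairs."""
    ranges = []
    for item in text.split(";"):
        item = item.strip()
        if not item:
            continue  # tolerate a trailing semicolon
        low, _, high = item.partition("-")
        lo = ipaddress.ip_address(low.strip())
        hi = ipaddress.ip_address(high.strip()) if high else lo
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid range: {item!r}")
        ranges.append((lo, hi))
    return ranges

def rule_applies(client_ip, mode, field_text="", agent_ips=()):
    """Return True if the rule's network condition covers client_ip."""
    if mode not in (DISABLED, ONLY, EXCEPT):
        raise ValueError(f"unknown mode: {mode!r}")
    if mode == DISABLED:
        return True  # IP filtering is disabled: the rule applies everywhere
    ip = ipaddress.ip_address(client_ip)
    ranges = parse_ip_field(field_text)
    # Agent WAN IPs are combined with the manual entries using OR logic.
    ranges += [(ipaddress.ip_address(a),) * 2 for a in agent_ips]
    listed = any(lo.version == ip.version and lo <= ip <= hi
                 for lo, hi in ranges)
    return listed if mode == ONLY else not listed

if __name__ == "__main__":
    field = "192.168.1.1;192.168.1.1-192.168.1.254"  # format from this page
    agents = ["203.0.113.9"]                         # constructed agent WAN IP
    for ip in ("192.168.1.77", "203.0.113.9", "198.51.100.4"):
        print(ip, rule_applies(ip, ONLY, field, agents),
              rule_applies(ip, EXCEPT, field, agents))
```

Running a planned field value through a check like this before saving the rule shows which addresses it actually covers, including the effect of agent IPs that are not displayed on the screen.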

At Time

Apply this rule only to certain daily time frames. For example, you may want to only permit access during regular business hours M-F. Uses the Time Zone setting.

Between Dates

Apply this rule only to certain date range(s). For example, you may wish to deny access during holidays or maintenance windows.

Via

Apply this rule only to certain browser(s) or device(s).

Two Factor

Enforce 2FA for all access attempts matching this rule. This setting is only relevant for Permit Access rules.

Tip

After configuring 2FA in an access rule, enable/disable the specific factor types that will be available to users in Security > 2FA > Management.

Tip

If you're using an Azure AD (OIDC) IdP, you can enable AMR claims in Azure to override redundant 2FA challenges in application access rules.

Fixed vs. dynamic 2FA

In portal access rules and application access rules, there are two 2FA options: fixed and dynamic.

  1. Fixed: The upper pane (What type of two-factor do you want to enable?) enforces a single factor type chosen by the administrator.

  2. Dynamic: The lower pane (Let the user choose their MFA option) lets each user select their own factor type, from among the types you've enabled in Security > 2FA > Management.

Tip

Unless you have a specific reason to use the fixed 2FA option, we recommend using the dynamic option.

Rule Name
Rule Name

The name of the rule shown in the admin dashboard. For example: Login Access Rule - Allow - Local - EveryDay - 0.

Rule Priority

See Rule priorities (portal access rules).

Enable This Rule

Disabled rules are not used.

Edit an application access rule
  1. Go to Security > Policies > Application Access Rules.

  2. For the relevant rule, click Edit.

  3. Continue by following the instructions in Add an application access rule.

Remove an application access rule
  1. Go to Security > Policies > Application Access Rules.

  2. For the relevant rule, click Delete.

  3. To confirm, click Delete.