Yesterday Microsoft announced one of the most awaited feature for Office 365, “Azure AD Conditional Access Preview” for SharePoint Online and Exchange.
What is Conditional Access and What it is for ?
Security has been one of the key elements in systems for decades but for the present time it needs to be much more comprehensive than ever before with the evolvement of the cloud and mobile era. With the rise of devices used by a person and the ability to access corporate resources from anywhere in the world, there is a massive demand of securing corporate resources. Ultimately the latest strategies of securing corporate resources are defined by the new ways which users are used to accessed them.
Microsoft has taken another big leap of security capabilities with this release today. Azure Active Directory Conditional Access Features Allows you to secure and manage your corporate resources in simple ways in cloud or even on premise. If you want to ensure an stolen user credential or unmanaged device will not harm your corporate resources, Azure AD Conditional Access if made for you.
How is the access Enforced
Generally when a user signs in to a service, Azure Active Directory checks whether the security inputs of this user meets the access requirements you defined. and if the requirements are met, user will be authorized to access the service or application.
The enforcement can be done in two ways. You can define policies to configure the access either way, for users or devices.
-
User based Access (Control who you want to allow access)
User Attributes – User Attributes level can be used to define policies of which users can access organization’s resources.
Group Membership of a User – or either based on the Group/Groups of user which he/she represents in.
Multifactor Authentication (MFA) – Multifactor Authentication can be configured to ensure better security. User has to provide more than one factor (Password) which could be either a PIN or Phone Number. That ensures extra level of security for your organization’s resources.
Sign-in and User Risk – This capability known as “Conditional Access Risk Policies” comes with Azure AD Identity protection. This will allow you to track unusual sign in activities and risk events based on the access trends and implement advance protection. Global and Multi-region companies will benefit a lot with the capability.
-
Device Based Access (Control what you want to allow access)
Enrolled Devices – Using Microsoft Intune, you can use Device Level Access to control only MDM (Mobile Device Management) Enrolled devices are allowed to access resources. Intune is capable to validate if the device is enrolled with MDM. Also device level access will ensure that only the matched devices with the policies (such as force file encryption on a granted device) you have configured are allowed to access. Even you can flush out the content of a device remotely which was stolen or misused using MDM solutions.
The best part is, It’s not just limited to the cloud, you can also use device based access policies to control your on premise resources or even cloud based SaaS or line of business applications.
What does this Preview Brings you?
This release is a much awaited capability for most of the organizations and a huge step on the Access Policy framework. Conditional Access for CRM and Yammer been already there but Specially for SharePoint and exchange, the call has been ringing there for quite long time.
These three conditions are released for SharePoint and Exchange online as preview. Microsoft Recommends to enable these policies alongside risk based conditional access policy available with Azure Identity Protection.
- Always require MFA
- Require MFA when not at work
- Block access when not at work
Conditional Access Policies are supported in Browser based access to Exchange Online, SharePoint Sites and OneDrive and even for Desktop Applications that uses modern authentication mechanisms.
Across the mobile devices, these are the tested desktop and mobile applications connects to Exchange and SharePoint so far by Microsoft.
- For Windows 10, Windows10 Mobile, Windows 8.1, Windows 7 and Mac
- Outlook, Word, Excel and PowerPoint in Office 2016
- Outlook, Word, Excel and PowerPoint in Office 2013 (with modern authentication enabled)
- OneDrive Sync Client (with modern authentication)
For IOS
- Outlook Mobile App
Resources:
Detailed Explanation of Azure Ad Conditional Access
Pingback: Conditional Access Policies have stopped some of our Power Automate flows from working | Ellis Karim's Blog