Azure Active Directory (AAD) conditional access has taken major step forward during last months. It enables admin to enforce controls on the access to applications based on conditions. With controls you can defined requirements to access to applications and you have possibility to block access if needed.

I tested conditional access with following combination:

  • Made conditional access configurations directly to Microsoft Intune
  • Used iOS for testing (installed Outlook App and Microsoft Company portal beforehand)
  • Review configurations from Azure AD

Azure AD configuration

  1. Define conditional access rules to Azure AD or to Intune where you have most of the settings available. Some of the policies were at Azure AD but not at Intune. Conditional Access to devices are still at preview mode so things might change before GA mode.

4.png

2. After “Conditional Access” policies are defined and you open Outlook app from iOS following information shows up, select “Enroll”.

intune2

3. Follow instructions and enroll your device to Microsoft Intune and install necessary certificate profile to iOS device.

intune1  intune3

4. Device is now enrolled

intune4 

After successful device enrolment you can access to your corporate email account with conditional access. When using conditional access both identity and device are identified before letting user access to corporate data.

01/28/2017 Update – Conditional Access is now at general availability mode

Azure Active Directory conditional access policies are now generally available and let you apply access rules to any Azure Active Directory connected application such as Office 365, Salesforce.com, Box, ServiceNow, and other SaaS and custom or on-premises web applications. More sensitive apps can be assigned stricter policies for all or specific groups of users, such as requiring Multi-Factor Authentication (MFA) or even blocking access outside of the corporate network while less sensitive apps can have more open policies. Conditional access policies are available through Azure Active Directory Premium P1.

Official documentation and instructions for configuring conditional access:

Get started with conditional access

Conditional Access in Azure AD (Azure AD configuration is at preview mode)

Keep in mind following guidelines (found from here)

How are assignments evaluated?

All assignments are logically ANDed. If you have more than one assignment configured, to trigger a policy, all assignments must be satisfied.

What happens if you have policies in the Azure classic portal and Azure portal configured?

Both policies are enforced by Azure Active Directory and the user gets access only when all requirements are met.

What happens if you have policies in the Intune Silverlight portal and the Azure Portal?

Both policies are enforced by Azure Active Directory and the user gets access only when all requirements are met.

What happens if I have multiple policies for the same user configured?

For every sign-in, Azure Active Directory evaluates all policies and ensures that all requirements are met before granted access to the user.