6.3 Azure Active Directory Conditional Access with Access Manager

Azure Active Directory (AD) Conditional Access provides added security by allowing access to your applications, across cloud and on-premises, only from trusted and compliant devices. It is a policy-based approach: you configure a Conditional Access policy with the required conditions, and the access controls are applied when those conditions are met. Conditions can be device type, user attributes, operating system, the client application used (web browser or cloud app), network sign-in location, sign-in risk, and so forth.

A Conditional Access policy works only when modern authentication (ADAL-based) is used with Office 365 resources. You cannot apply a Conditional Access policy to on-premises applications, such as local SharePoint or Exchange.

For more information, see the following Microsoft documentation:

Using Conditional Access policies, you can accomplish the following requirements:

  • Restricting access to protected applications only from managed and trusted devices: corporate devices and BYOD.

  • Restricting access only from compliant devices with an appropriate security profile.

  • Securing the enterprise data outside the network boundary.

  • Managing devices:

    • Visibility of the number of devices accessing the application.

    • Visibility of the security strength of devices accessing the application.

    • Assigning and revoking devices.

  • Defining a group of users or devices and applying policies.

Access Manager supports Conditional Access for devices on the following platforms:

  • Windows 10, Windows Server 2016, Windows Server 2019

  • iOS, macOS

  • Android

The Workflow of Azure Active Directory Conditional Access with Access Manager

The Microsoft Word app is used as the example here.

  1. When a user tries to access the Word App, the request is sent to Access Manager for authenticating the user and the device.

    • 1A: If the user's device is not registered, the device is registered automatically to Azure AD through Hybrid Azure AD join.

    • 1B: The device is evaluated to check whether it is compliant with company policy. If the device is compliant, the required properties are set in Azure AD.

  2. Access Manager sends an access token and a refresh token required for accessing Office 365 to the Word app.

  3. The Word app sends the access token to Office 365.

  4. Based on the access token, Office 365 grants the user access to the content in the Word app.

Prerequisites for Azure AD Conditional Access with Access Manager

You must meet the following requirement to enable Conditional Access:

Configuring the Azure AD Conditional Access Policy

  1. Log in to Microsoft Azure as an administrator.

  2. In the Azure portal, click Azure Active Directory.

  3. Under Security, click Conditional Access.

  4. Click New policy.

  5. Specify a name for the policy. For example, test hybrid azure.

  6. Under Assignment, click Users and groups and perform the following actions:

    1. Click Select users and groups > Users and groups.

    2. Click Select.

    3. Select the user for whom you want to control access.

    4. Click Select > Done.

  7. Click Cloud apps and select the apps to which you want to apply this policy.

  8. Click Conditions and then select required conditions, such as Device platforms, Sign-In risk, Locations, Client apps, and Device state (if the device is managed).

  9. Under Access Controls, click Grant and perform the following actions:

    1. Select Grant access > Require Hybrid Azure AD Joined device.

    2. Click Select.

  10. Under Enable policy, click On.

  11. Click Create.

For more information about creating a Conditional Access policy, see Create your Conditional Access policy.
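The portal steps above map onto a single Microsoft Graph `conditionalAccessPolicy` object. The following is an added example (not part of the Access Manager documentation) that builds that object in Python with the same assignments and grant control the procedure describes, checks it for the omissions that most often cause a policy to do nothing (no users, no apps, wrong grant control, policy left off), and optionally submits it to the real `POST /identity/conditionalAccess/policies` endpoint. The user and application IDs are placeholders that you replace with object IDs from your tenant; the `create_policy` call assumes a bearer token with the `Policy.ReadWrite.ConditionalAccess` permission and is not exercised offline.

```python
"""Build and sanity-check the Conditional Access policy created by the portal steps.

Added example, not the Access Manager documentation's own code.  The body follows
the Microsoft Graph conditionalAccessPolicy schema; all IDs below are placeholders.
"""
import json
import urllib.request

GRAPH_POLICIES_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Graph enum value behind the portal's "Require Hybrid Azure AD joined device" control.
REQUIRE_HYBRID_JOINED = "domainJoinedDevice"


def build_hybrid_join_policy(name, user_ids, app_ids,
                             platforms=("windows", "iOS", "macOS", "android"),
                             state="enabled"):
    """Return the Graph request body for steps 5-10: policy name, assigned users,
    selected cloud apps, a device-platform condition matching the platforms Access
    Manager supports, and the Hybrid Azure AD joined grant control."""
    return {
        "displayName": name,
        # "enabled" is the portal's "Enable policy: On"; use
        # "enabledForReportingButNotEnforced" to watch sign-in logs before enforcing.
        "state": state,
        "conditions": {
            "users": {"includeUsers": list(user_ids)},            # step 6
            "applications": {"includeApplications": list(app_ids)},  # step 7
            "platforms": {"includePlatforms": list(platforms)},   # step 8
        },
        "grantControls": {"operator": "OR",                       # step 9
                          "builtInControls": [REQUIRE_HYBRID_JOINED]},
    }


def check_policy(policy):
    """Return the problems a reviewer would flag before enabling the policy.
    An empty list means the body matches what the procedure describes."""
    problems = []
    cond = policy.get("conditions", {})
    if not cond.get("users", {}).get("includeUsers"):
        problems.append("no users or groups assigned (step 6)")
    if not cond.get("applications", {}).get("includeApplications"):
        problems.append("no cloud apps selected (step 7)")
    controls = policy.get("grantControls", {}).get("builtInControls", [])
    if REQUIRE_HYBRID_JOINED not in controls:
        problems.append("grant control does not require a Hybrid Azure AD joined device (step 9)")
    if "block" in controls and len(controls) > 1:
        problems.append("block cannot be combined with other grant controls")
    if policy.get("state") != "enabled":
        problems.append("policy is not enabled (step 10): state=%s" % policy.get("state"))
    return problems


def create_policy(policy, access_token):
    """Submit the policy to Graph (requires Policy.ReadWrite.ConditionalAccess)."""
    req = urllib.request.Request(
        GRAPH_POLICIES_URL, data=json.dumps(policy).encode(), method="POST",
        headers={"Authorization": "Bearer " + access_token,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder object IDs (constructed): the test user and the protected app.
    policy = build_hybrid_join_policy(
        "test hybrid azure",
        ["00000000-0000-0000-0000-000000000001"],
        ["00000000-0000-0000-0000-000000000002"])
    print(json.dumps(policy, indent=2))
    print("problems:", check_policy(policy) or "none")
```

Running `check_policy` before `create_policy` catches the case where the policy is created but never fires: a policy with no assigned users or apps is accepted by the API yet evaluates to "not applied" on every sign-in, which is what the troubleshooting section later shows in the Sign-ins blade.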

Verifying a Conditional Access Policy

  1. Log in to the Windows machine. Windows is auto-registered to Azure AD through Hybrid Azure AD join.

  2. Ensure that the device is registered.

    1. Log in to the Azure portal.

    2. Click Azure Active Directory > Devices.

    3. Verify that your device is listed and Join Type is Hybrid Azure AD joined.

  3. Open Microsoft Office in a web browser.

  4. You are logged in to Office if the device is hybrid Azure AD joined. If the device is not hybrid Azure AD joined, Office 365 denies access.

Troubleshooting Conditional Access

  1. Log in to the Azure portal.

  2. Click Azure Active Directory.

  3. Under Monitoring, click Sign-ins.

  4. Select the event, and then click Conditional Access to verify the policy execution status.
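The Sign-ins blade shows, per event, the Conditional Access status, the device's trust type and the result of each policy that was evaluated. When many events need to be reviewed, the same fields can be read from the Graph `auditLogs/signIns` resource. The following is an added example (not from the Access Manager documentation) that triages sign-in records for the policy created above and explains each outcome in terms of the device's Hybrid Azure AD join state. The three records are constructed to mirror the Graph `signIn` shape (`conditionalAccessStatus`, `deviceDetail.trustType`, `appliedConditionalAccessPolicies`); the user names, app name and policy name are sample values.

```python
"""Triage Azure AD sign-in log entries for one Conditional Access policy.

Added example, not the Access Manager documentation's own code.  SAMPLE_SIGN_INS
is constructed to mirror the Microsoft Graph signIn resource; real entries come
from GET https://graph.microsoft.com/v1.0/auditLogs/signIns.
"""

HYBRID_JOINED = "Hybrid Azure AD joined"   # deviceDetail.trustType value for a joined device

# Constructed sample: a joined device that passed, an unregistered device that was
# denied, and a sign-in outside the policy's assignments (policy not applied).
SAMPLE_SIGN_INS = [
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office",
     "conditionalAccessStatus": "success",
     "deviceDetail": {"operatingSystem": "Windows 10", "trustType": HYBRID_JOINED,
                      "isManaged": True},
     "appliedConditionalAccessPolicies": [
         {"displayName": "test hybrid azure", "result": "success",
          "enforcedGrantControls": ["Require Hybrid Azure AD joined device"]}]},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Office",
     "conditionalAccessStatus": "failure",
     "deviceDetail": {"operatingSystem": "Windows 10", "trustType": "", "isManaged": False},
     "appliedConditionalAccessPolicies": [
         {"displayName": "test hybrid azure", "result": "failure",
          "enforcedGrantControls": ["Require Hybrid Azure AD joined device"]}]},
    {"userPrincipalName": "carol@example.com", "appDisplayName": "Microsoft Office",
     "conditionalAccessStatus": "notApplied",
     "deviceDetail": {"operatingSystem": "Android", "trustType": "Azure AD registered",
                      "isManaged": False},
     "appliedConditionalAccessPolicies": [
         {"displayName": "test hybrid azure", "result": "notApplied",
          "enforcedGrantControls": []}]},
]


def triage_sign_ins(records, policy_name):
    """Return one finding per sign-in: who, which app, CA status, device trust type,
    and a plain-language verdict for the named policy."""
    findings = []
    for rec in records:
        device = rec.get("deviceDetail", {})
        trust = device.get("trustType") or "not registered"
        applied = [p for p in rec.get("appliedConditionalAccessPolicies", [])
                   if p.get("displayName") == policy_name]
        if not applied:
            verdict = "policy not evaluated for this sign-in"
        else:
            result = applied[0].get("result", "unknown")
            if result == "success":
                verdict = "allowed: device is %s" % trust
            elif result == "failure" and trust != HYBRID_JOINED:
                verdict = "denied: device trust type is '%s', policy requires '%s'" % (trust, HYBRID_JOINED)
            elif result == "failure":
                verdict = "denied: device is joined, check the other enforced controls"
            elif result == "notApplied":
                verdict = "not applied: sign-in is outside the policy's users, apps or conditions"
            elif result.startswith("reportOnly"):
                verdict = "report-only result %s (policy not enforced)" % result
            else:
                verdict = "policy result %s" % result
        findings.append({
            "user": rec.get("userPrincipalName"),
            "app": rec.get("appDisplayName"),
            "status": rec.get("conditionalAccessStatus"),
            "trustType": trust,
            "verdict": verdict,
        })
    return findings


def count_denials(findings):
    """Number of sign-ins the policy blocked."""
    return sum(1 for f in findings if f["verdict"].startswith("denied"))


if __name__ == "__main__":
    for f in triage_sign_ins(SAMPLE_SIGN_INS, "test hybrid azure"):
        print("%-18s %-12s %-24s %s" % (f["user"], f["status"], f["trustType"], f["verdict"]))
```

The "not applied" verdict is the one to look at first when a policy appears to do nothing: it means the sign-in reached Azure AD but fell outside the users, cloud apps or conditions assigned in steps 6 to 8, so the Hybrid Azure AD join requirement was never evaluated.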