Azure AD Premium Conditional Access and Session Controls
Whether your end users are using Windows, MacOS, Chromebook, iOS/Android, etc. Azure Active Directory Premium conditional access with session control will limit access to data for SharePoint Online.
What are Session controls?
“Session controls enable limiting experience within a cloud app. The session controls are enforced by cloud apps and rely on additional information provided by Azure AD to the app about the session.”
Source: /en-us/azure/active-directory/active-directory-conditional-access-azure-portal#session-controls
Requirements:
- Azure Active Directory Premium
- O365 – SharePoint Online
Getting started
- Navigate to portal.azure.com and sign in with the admin account that associated with O365.
- Find and select Azure Active Directory
- Select Conditional Access
- Select “New policy” to create a new conditional access policy with session controls
Proceed through each item/option in the policy:
User and groups
For my purposes I applied this policy to all users, however in production it’s advisable to start with a pilot group and scale from there.
Cloud apps
Search for and select “SharePoint Online”
Conditions for the policy
Sign-in risk (if available with your current licensing)
This evaluates risk of the account the user is signing in with.
Device platforms
I’ve selected all device platforms; however, you can be selective an apply to individual platforms, including MacOS.
Locations
IP based location targeting, for the purposes of this post I have all locations selected, however in production we’ll want to target those, so users are able to access and download content.
Client Apps
Select the type of apps the policy will affect, for the purposes of session control the Browser should at least be selected.
Access Controls
For access controls there are a few options including require multi-factor auth (MFA), device compliance, domain joined, or approved client app. Some environments may want to only allow devices to access if they’re domain joined, etc. However, for the session control policy I selected MFA.
Session
This is where we turn on session control for SharePoint online.
Once comfortable with the settings, turn on the policy and save.
Configuring SharePoint Online for session control
There’s one more step in SharePoint online that needs to be configured.
Navigate to the SharePoint admin center and select “device access” from the left-hand menu. From here select the appropriate settings to further control access to SharePoint.
For example, a conditional access policy may be configured to challenge users for MFA if they’re out of scope of the defined location (i.e. IP range) and if the device is not compliant or domain joined. In addition when session control is enabled, anyone who signs into SharePoint online who falls into those parameters will have read only access as configured in the settings below.
UPDATE October 2017
There’s an update to the UI in the SharePoint Admin Center to adjust sessions controls.
Previous admin experience
Current Admin Experience
Testing the session control policy
The following images show session control for SharePoint Online in action across Windows, Mac, and Chrombook. To test, make sure the device will fall into the parameters of the conditional access policy, then navigate to yourdomain.sharepoint.com and select a document library. The yellowish bar shown in the images below state what is allowed.
Windows
MacOS
Google Chromebook
To conclude, Azure Active Directory Premium provides many options to secure and control access to corporate resources. Add on Enterprise Mobility + Security and or Microsoft 365 we have a cohesive end-to-end solution to protect, monitor, and control access.