We’re happy to announce an update to the conditional access preview. This update expands conditional access rules to over 2,400 new apps as well as adding the ability to restrict access to only users coming from a corporate network.
Conditional access allows you to set access rules for individual apps based on conditions such as a user’s group membership and location. App-specific policies also keep the impact on the overall user experience targeted when additional security, like multi-factor authentication, is required.
Specifically we’ve added:
Conditional access for Password Single Sign-On applications
A conditional access rule to block users that aren’t on the corporate network
Conditional access for Visual Studio Online and Azure RemoteApp
Password single sign-on apps
In the Azure AD application gallery we have over 2,400 pre-integrated applications that use password single sign-on (SSO). You can now require users to satisfy additional conditions before accessing the username and password for an app that has been integrated with Azure AD. Any of the conditional access rules can be applied to these apps and you continue to have this control on a per-app basis.
Let’s use a company’s Twitter account as an example. The Twitter account is used to communicate with your customers, letting them know about the great work you’ve been doing and upcoming events. As an important communication channel with your customers, it really pays off to keep access to the account secure.
Several people in your company need to be able to tweet from the account. Instead of sharing the account username and password with each of those users, you can set up Azure AD password SSO for Twitter and assign which users have access to the account without needing to tell them the account credentials. With our new work in conditional access, you can now also add further protection by requiring multi-factor authentication before a user signs in to the Twitter account.
Blocking external access
In other cases only users on the corporate network may be allowed to access a SaaS application. This rule can help prevent data leakage and in some cases can help you meet regulatory requirements.
When an app is on-premises you could easily have enforced this policy at your network boundary. With the app in the cloud this becomes more challenging.
We’ve helped address this by adding the “block access when not at work” rule. This rule can be applied to any of your Azure AD applications that support conditional access.
The page below shows the option on the same Twitter configure tab as above.
When you choose this option, only users coming from an IP address that falls within an IP range you have identified will be allowed access to the application. Users whose sign-in originates from any other address are blocked for that app.
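To make the per-app rules from the Twitter example and the “block access when not at work” rule concrete, here is an added example (not Microsoft’s code or the Azure AD implementation) that models how such a policy is evaluated for one sign-in: a fixed list of trusted corporate IP ranges, an optional group restriction, the network rule, and an MFA requirement. The app names, group names and IP ranges are constructed placeholders.

```python
# Added example: a minimal model of per-app conditional access rules.
# Not Azure AD's implementation; names and values are constructed.
import ipaddress
from dataclasses import dataclass, field

# Constructed corporate ranges; stands in for the IP ranges you register.
CORPORATE_RANGES = [ipaddress.ip_network(n)
                    for n in ("203.0.113.0/24", "198.51.100.0/25")]

@dataclass
class AppPolicy:
    name: str
    require_mfa: bool = False          # "require multi-factor authentication"
    block_outside_work: bool = False   # "block access when not at work"
    allowed_groups: set = field(default_factory=set)  # empty = any assigned user

@dataclass
class SignIn:
    user: str
    groups: set
    source_ip: str
    mfa_done: bool = False

def on_corporate_network(ip: str) -> bool:
    """True only if the address parses and lies in a registered range.
    An unparseable address is treated as off-network (fail closed)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in CORPORATE_RANGES)

def evaluate(policy: AppPolicy, s: SignIn) -> str:
    """Return 'allow', 'block' or 'mfa_required' for one sign-in to one app.
    Block decisions come first so users are never prompted for MFA on a
    sign-in that would be refused anyway."""
    if policy.allowed_groups and not (s.groups & policy.allowed_groups):
        return "block"
    if policy.block_outside_work and not on_corporate_network(s.source_ip):
        return "block"
    if policy.require_mfa and not s.mfa_done:
        return "mfa_required"
    return "allow"

# Constructed policies: the shared Twitter account requires MFA and is
# limited to one group; an internal SaaS app is corporate-network only.
TWITTER = AppPolicy("Twitter (password SSO)", require_mfa=True,
                    allowed_groups={"social-media"})
INTERNAL_APP = AppPolicy("ExpenseReports", block_outside_work=True)
```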
Visual Studio Online and Azure RemoteApp
We’re also very excited to announce that conditional access now works with Visual Studio Online and Azure RemoteApp. Both can be found in the Azure AD application gallery.
Setting up conditional access for Visual Studio Online
Customers commonly want to restrict access to Visual Studio Online to only users coming from their corporate network. All extranet users are blocked. This is one way to help reduce the risk of source code leaks.
To configure this with conditional access, you can use your existing Visual Studio Online subscription or sign up for a free trial at http://visualstudioonline.com.
After signing up you will see the Visual Studio Online application on the applications tab of the Azure AD portal. You can then go to the application’s configure tab and set access rules, just like you would for other applications (like the Twitter example above).
Setting up conditional access for Azure RemoteApp
Setting up conditional access on Azure RemoteApp follows the same steps that are used for other applications.
Before configuring conditional access for Azure RemoteApp you will need to set up a RemoteApp collection. If you haven’t done this, you can go directly to the Azure RemoteApp section in the Azure portal. From there you can create a new collection.
It may take up to an hour for the collection to be created. Once done, go to the user access tab in the collection and assign a user from your Azure AD directory. This step is important, since user assignment is what causes the RemoteApp application to appear in your directory’s applications tab.
The screenshot below shows assigning a user to the collection. In the text string above the users list you can also find the name of the default directory.
To configure the rules, find Microsoft Azure RemoteApp on your directory’s applications tab. Then go to the application’s configure tab and apply conditional access rules as you would for other applications.
We are continuing to work on adding more Microsoft applications, with more updates coming. Please check out what we have and give us your feedback.
Also, just a reminder, conditional access policies require Azure AD Premium. You can try this and other Azure AD Premium features with a free trial.
Hope this is helpful and keeps your users safer!
David Howell (Twitter: @David_A_Howell)
Partner Group Program Manager, Microsoft Identity and Security Services Division