Enterprise Mobility and Security Blog


Howdy folks,

Today, I am super excited to announce the Preview of device-based policies for Azure AD Conditional Access!

These policies help you stay in control of your organization’s data by restricting access to enterprise-managed devices. Policies can be applied on a per-application basis to require that devices be managed by your company and be correctly configured (compliant). The new capability supports iOS, Android, Windows 10 Anniversary Update, Windows 7 and Windows 8.1.

This release, in conjunction with the per-app MFA and location-based rules, offers organizations a robust and flexible set of tools for protecting resources, taking into account both the user and their device when an application is accessed.

And one more cool thing! It works with EVERY application that authenticates using Azure AD. That means Office 365, Azure and Microsoft CRM as well as all the apps in our app gallery, including thousands of apps like ServiceNow, Salesforce.com & Concur, plus on-premises applications published through the Azure AD Application Proxy.

Please note: Conditional Access is a feature of Azure AD Premium.

Getting Started

Setting these policies is easy. In the Azure Management Portal, select the application you want to protect. Under the ‘Configure’ tab you will find the control to enable device-based access rules.


When you enable these rules, you can select which users or groups the policy applies to, which devices are covered and which type of client applications are covered (browser and native apps, or native apps only).


After creating and saving the policy, all access attempts to the protected resource from a device that doesn’t meet the policy will be denied.

To learn about each of the controls available, we have prepared a guide with the details on each of the conditions, here.

Supported devices and applications

You may have a variety of devices in your organization. For devices to participate in device-based conditional access, they must be registered with Azure AD.

  1. Windows domain-joined devices (in on-premises Active Directory) can be registered with Azure AD automatically. This includes both Windows 10 and down-level Windows devices.
  2. iOS and Android devices are registered with Azure AD when they get enrolled into Microsoft Intune, our MDM service.
  3. Windows 10 Azure AD joined devices are registered upon join to Azure AD.
  4. Windows 10 personal devices (BYOD) are registered when the work account is added to Windows.

You can see in detail how to set up automatic registration of domain-joined devices in Azure AD here, and how to set up Azure AD for device compliance here.
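Before you turn a device-based policy on for a production app, it is worth confirming that the devices you expect to pass are actually registered with Azure AD, because an unregistered device is simply denied. The following PowerShell is an added example written for this page, not code from the original post or from Microsoft; it reads the output of the in-box `dsregcmd /status` tool, which assumes a Windows 10 Anniversary Update (or later) device. The field names it parses (AzureAdJoined, DomainJoined, WorkplaceJoined, DeviceId, TenantName, AzureAdPrt) are the ones that tool prints; down-level Windows 7/8.1 devices are registered by the Workplace Join package instead and do not have dsregcmd.

```powershell
# Added example (not from the original post): report this device's Azure AD
# registration state, the prerequisite for device-based Conditional Access.
# Assumes Windows 10 Anniversary Update or later, where dsregcmd.exe ships in-box.

function Get-AzureAdRegistrationState {
    [CmdletBinding()]
    param()

    $dsregcmd = Join-Path $env:SystemRoot 'System32\dsregcmd.exe'
    if (-not (Test-Path $dsregcmd)) {
        throw "dsregcmd.exe not found; this check needs Windows 10 Anniversary Update or later."
    }

    # dsregcmd prints "Key : Value" lines under section headers such as
    # "Device State" and "User State". Collect every key/value pair; the
    # first colon separates key from value, so values that themselves
    # contain colons (timestamps, URLs) are kept intact.
    $fields = @{}
    & $dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*(\S[^:]*?)\s*:\s*(.*?)\s*$') {
            $fields[$matches[1]] = $matches[2]
        }
    }

    [pscustomobject]@{
        # Azure AD joined (including hybrid join of a domain-joined device)
        AzureAdJoined   = ($fields['AzureAdJoined']   -eq 'YES')
        # Joined to on-premises Active Directory
        DomainJoined    = ($fields['DomainJoined']    -eq 'YES')
        # Registered via "add work account" (BYOD / Workplace Join)
        WorkplaceJoined = ($fields['WorkplaceJoined'] -eq 'YES')
        TenantName      = $fields['TenantName']
        DeviceId        = $fields['DeviceId']
        # A Primary Refresh Token is what lets sign-ins present the device
        # identity to Azure AD, so without it a registered device still fails
        # a device-based policy for the signed-in user.
        HasPrt          = ($fields['AzureAdPrt']      -eq 'YES')
    }
}

$state = Get-AzureAdRegistrationState
$state | Format-List

if ($state.AzureAdJoined -or $state.WorkplaceJoined) {
    if ($state.HasPrt) {
        Write-Output "Registered with Azure AD tenant '$($state.TenantName)' as device $($state.DeviceId); device-based policies can evaluate it."
    } else {
        Write-Warning "Device is registered but the current user has no Primary Refresh Token; sign out and back in with the work account before testing a policy."
    }
} else {
    Write-Warning "Device is not registered with Azure AD; any device-based policy will deny it."
}
```

Run it in an ordinary (non-elevated) PowerShell session as the user who will be tested, since the Primary Refresh Token is per user. A domain-joined machine that shows DomainJoined as YES but AzureAdJoined as NO has not completed the automatic registration described above and should be fixed before the policy is enforced.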

Conditional access works for browser apps, rich client apps, phone apps and even on-premises apps being accessed using our Azure AD Application Proxy!

Teams across Microsoft have worked together to enable these policies across all the apps and services listed here. Most notably, per-app access can be set on the following services:

  • Microsoft Office 365 Exchange Online
  • Microsoft Office 365 SharePoint Online
  • Dynamics CRM
  • Microsoft Office 365 Yammer
  • All of the 2,600+ SaaS applications from the Azure AD application gallery
  • On-premises apps registered with Azure AD Application Proxy
  • LOB apps registered with Azure AD

Try it out

We’re excited to be making this preview available. Please give it a spin and let us know what you think. You can learn more about conditional access capabilities here.

This is a set of capabilities that I know a LOT of you have been asking for. I hope you’ll find it useful.

And as always, we would love to receive any feedback or suggestions you have.

Best Regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division