Enterprise Mobility and Security Blog


The digital transformation that’s affecting every organization brings new challenges for IT, as they strive to empower their users to be productive while keeping corporate data secure in an increasingly complex technology landscape. Microsoft Enterprise Mobility + Security (EMS) provides a unique identity-driven security approach to address these new challenges at multiple layers and to provide you with a more holistic and innovative approach to security: one that can protect, detect, and respond to threats on-premises as well as in the cloud.

Risk-based conditional access is a critical part of our identity-driven security story.  It ensures that only the right users, on the right devices, under the right circumstances have access to your sensitive corporate data. Conditional access allows you to define policies that provide contextual controls at the user, location, device, and app levels, and it also takes risk information into consideration (powered by the vast data in Microsoft’s Intelligent Security Graph). As conditions change, natural user prompts ensure only the right users on compliant devices can access sensitive data, providing you the control and protection you need to keep your corporate data secure while allowing your people to do their best work from any device.

This is an area where we are constantly innovating to bring you the most secure and easy-to-use solution, and today we’re announcing several improvements to Conditional Access in EMS:

  1. Risk-based access policies per application. Leverage machine learning on a massive scale to provide real-time detection and automated protection. Now you can use this data to build risk-based policies per application.
  2. Greater flexibility to protect applications. Set multiple policies per application or set and easily roll out global rules to protect all your applications with a single policy.
  3. All these capabilities are now available in a unified administrative experience on the Azure portal. This makes it even easier to create and manage holistic conditional access policies to all your applications.

These new conditional access capabilities provide more flexible and powerful policies to enable productivity while ensuring security.  Additionally, the new admin experience unifies conditional access workloads across Intune and Azure AD.

If you are an Intune customer using the existing browser-based console or the Configuration Manager console, or an Azure AD customer using the classic Azure portal, you can now preview the new Conditional Access policy interface in the Azure portal.

Get started with these Conditional Access capabilities or read on to learn a bit more about Conditional Access with EMS.

Overview

A Conditional Access policy is simply a statement about:

  1. When the policy should apply (called Conditions), and
  2. What the action or requirement should be (called Controls).

[Figure: Conditional access policy]

Conditions (When the policy should apply)

Conditions are the things about a login that don’t change during the login, and are used to decide which policies should apply. Azure AD supports the following Conditions:

  1. Users/Groups are the users/groups in the directory that the policy applies to.
  2. Cloud apps are the services the user accesses that you want to secure.
  3. Client app is the software the user is employing to access the cloud app.
  4. Device platform is the platform the user is signing in from.
  5. Location is the IP-address based location the user is signing in from.
  6. Sign-in risk is the likelihood that the sign-in is coming from someone other than the user.

[Figure: Conditions preview]

Our documentation provides further details on how to set the conditions.

Controls (What the action or requirement should be)

Controls are the additional enforcements that the policy puts in place (such as a “do a multi-factor authentication” challenge) and that are inserted into the login flow. Azure AD supports the following controls:

  1. Block access
  2. Multi-factor authentication
  3. Compliant device
  4. Domain Join

You can select individual controls or all of them.

[Figure: Controls preview]

To learn more about how to get started with controls, you can read a detailed documentation article.
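As an added illustration (example code written for this post, not Microsoft’s implementation or any Azure AD API), the following Python evaluator models the Conditions/Controls statement above: each policy matches a sign-in on the six conditions, a matching Block access control wins over everything else, and the controls of all other matching policies stack, so a global MFA rule and a per-app compliant-device rule both apply to the same login. The sign-in fields, the named-location and risk values, the sample policies and the `require_all` switch (all selected controls versus any one of them) are this example’s own assumptions.

```python
from dataclasses import dataclass

# Constructed sign-in context. Field names are this example's own, not Azure AD's.
@dataclass
class SignIn:
    user: str
    groups: set
    cloud_app: str          # Condition 2: the service being accessed
    client_app: str         # Condition 3: e.g. "browser" or "mobile-app"
    device_platform: str    # Condition 4: e.g. "Windows", "iOS"
    location: str           # Condition 5: named location derived from the client IP
    sign_in_risk: str       # Condition 6: "low", "medium" or "high"
    mfa_done: bool = False              # state used to satisfy the MFA control
    device_compliant: bool = False      # state used to satisfy the compliant-device control
    device_domain_joined: bool = False  # state used to satisfy the domain-join control

RISK_LEVELS = {"low": 0, "medium": 1, "high": 2}

@dataclass
class Policy:
    name: str
    conditions: dict   # condition name -> allowed values; an absent key means "any"
    controls: set      # subset of {"block", "mfa", "compliant_device", "domain_join"}
    require_all: bool = True  # True: every selected control; False: any one of them

def matches(policy, s):
    """Conditions decide whether a policy applies to this sign-in at all."""
    c = policy.conditions
    if "users_groups" in c and s.user not in c["users_groups"] and not (s.groups & c["users_groups"]):
        return False
    for key, attr in (("cloud_apps", "cloud_app"), ("client_apps", "client_app"),
                      ("device_platforms", "device_platform"), ("locations", "location")):
        if key in c and getattr(s, attr) not in c[key]:
            return False
    if "min_sign_in_risk" in c and RISK_LEVELS[s.sign_in_risk] < RISK_LEVELS[c["min_sign_in_risk"]]:
        return False
    return True

def control_satisfied(control, s):
    """Block can never be satisfied; the others depend on login state."""
    return {"mfa": s.mfa_done,
            "compliant_device": s.device_compliant,
            "domain_join": s.device_domain_joined,
            "block": False}[control]

def evaluate(policies, s):
    """Return ("block", [policy names]), ("require", [pending controls]) or ("allow", [])."""
    applicable = [p for p in policies if matches(p, s)]
    blockers = [p.name for p in applicable if "block" in p.controls]
    if blockers:                      # a block from any matching policy is final
        return "block", blockers
    pending = set()
    for p in applicable:              # controls from all matching policies stack
        satisfied = {ctl for ctl in p.controls if control_satisfied(ctl, s)}
        if p.require_all:
            pending |= p.controls - satisfied
        elif not satisfied:           # "any one": nothing pending once one is met
            pending |= p.controls
    return ("require", sorted(pending)) if pending else ("allow", [])

# Constructed sample policy set: one global rule plus per-application rules.
POLICIES = [
    Policy("Global: MFA for every app", conditions={}, controls={"mfa"}),
    Policy("Exchange: block high-risk sign-ins",
           conditions={"cloud_apps": {"Exchange Online"}, "min_sign_in_risk": "high"},
           controls={"block"}),
    Policy("SharePoint: compliant device on mobile platforms",
           conditions={"cloud_apps": {"SharePoint Online"}, "device_platforms": {"iOS", "Android"}},
           controls={"compliant_device"}),
    Policy("Salesforce: MFA or compliant device",
           conditions={"cloud_apps": {"Salesforce"}},
           controls={"mfa", "compliant_device"}, require_all=False),
]

if __name__ == "__main__":
    s = SignIn("alice", {"Finance"}, "Exchange Online", "browser", "Windows", "corp-network", "high")
    print(evaluate(POLICIES, s))   # the high-risk block wins even if MFA were done
```

Running the module prints the outcome for one constructed high-risk sign-in; the same `evaluate` call with a low-risk sign-in returns `("require", ["mfa"])` until `mfa_done` is set, which is the "natural user prompt" the post describes.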

We’re really excited about the wide range of scenarios that these new experiences light up and hope you find them useful. As always, we’re looking forward to your feedback.