Please see updated post using new Azure Portal –
In this Blog Post, I will step through the process to enable the different features of Conditional Access for Office 365 Exchange Online. However, these same steps can be used with other Software as a Service applications in Azure.
Conditional Access will check the following:
User / Risk
Device / Device State
After checking the appropriate conditions, a decision will be made to either Allow, Block or require Multi-factor Authentication (MFA).
I will go through this process using my Windows 10 Virtual Machine. However, this will apply to not only Windows, but iOS and Android.
Step 1: Accessing Exchange Online
I will now go through the steps to access Exchange Online from a web browser. I go to https://outlook.office.com and authenticate
After authenticating I now have access to my email.
Step 2: Enable Location Based Rules
In this step, I will check who the User is and Based on the Users Location will require MFA, Allow or Block access to Exchange Online.
I have 3 different options:
- Require multi-factor authentication
- Require multi-factor authentication when not at work
- Block access when not at work
For this step, I will choose Block access when not at work.
Go to https://manage.windowsazure.com and choose your Domain Name then Applications then Office 365 Exchange Online. Once inside Office 365 Exchange Online, go to Configure and Click ON next to Enable Access Rules under multi-factor authentication and location based access rules. Then select Block access when not at work.
Now when I try to access https://outlook.office.com from outside of work, I will get Blocked from the Access Rule and the following explanation will be posted.
Step 3: Enable Device Based Access Rules
Follow the same steps to Configure Exchange Online, a little further down, Select ON for Enable Access Rules under Device Based Access Rules. Then select either All devices or Only selected devices must be compliant, other devices will be allowed access.
For this demo, I just chose Windows and select Windows devices are compliant when domain joined or marked as compliant.
Now when I go to https://outlook.office.com I will get the following message stating that the device must be domain joined compliant:
Now I have stepped through the process for enabling Conditional Access for Exchange Online.
Conditional Access was given or denied based on the following steps:
- Who is the User?
- Where is the User Located?
- Which Application is the User trying to Access?
- Which Device is the User using?
- Is that Device Compliant (domain joined or marked as Compliant via Microsoft Intune)?
However, just remember that this can be used for any of the other Azure Applications. Conditional Access is a feature of Azure Active Directory Premium and utilizes Microsoft Intune for Mobile Device Management.