Implementing Conditional Access with Exchange Online

Please see updated post using new Azure Portal - https://blogs.technet.microsoft.com/pauljones/2016/12/27/implementing-con…e-online-updated/

In this blog post, I will step through the process to enable the different features of Conditional Access for Office 365 Exchange Online. The same steps can be used with other Software as a Service applications in Azure.

Conditional Access will check the following:

  • User / Risk
  • Application
  • Location
  • Device / Device State

After checking the appropriate conditions, a decision is made to either Allow, Block, or require Multi-factor Authentication (MFA).

I will go through this process using my Windows 10 virtual machine. However, this applies not only to Windows but also to iOS and Android.

Step 1: Accessing Exchange Online

I will now go through the steps to access Exchange Online from a web browser. I go to https://outlook.office.com and authenticate.

(screenshot: blog1)

After authenticating, I now have access to my email.

(screenshot: blog2)

Step 2: Enable Location Based Rules

In this step, I will check who the user is and, based on the user's location, require MFA, allow, or block access to Exchange Online.

I have 3 different options:

  •      Require multi-factor authentication
  •      Require multi-factor authentication when not at work
  •      Block access when not at work

For this step, I will choose Block access when not at work.

Go to https://manage.windowsazure.com and choose your domain name, then Applications, then Office 365 Exchange Online. Once inside Office 365 Exchange Online, go to Configure and click ON next to Enable Access Rules under multi-factor authentication and location based access rules. Then select Block access when not at work.

(screenshot: blog3)

Now when I try to access https://outlook.office.com from outside of work, the access rule blocks me and the following explanation is shown.

(screenshot: blog4)

Step 3: Enable Device Based Access Rules

Follow the same steps to configure Exchange Online; a little further down, select ON for Enable Access Rules under Device Based Access Rules. Then select either All devices or Only selected devices must be compliant, other devices will be allowed access.

For this demo, I just chose Windows and selected Windows devices are compliant when domain joined or marked as compliant.

(screenshot: blog5)

Now when I go to https://outlook.office.com I get the following message stating that the device must be domain joined or marked as compliant:

(screenshot: blog6)

Now I have stepped through the process for enabling Conditional Access for Exchange Online.

Access was granted or denied based on the following checks:

  • Who is the User?
  • Where is the User Located?
  • Which Application is the User trying to Access?
  • Which Device is the User using?
  • Is that Device Compliant (domain joined or marked as Compliant via Microsoft Intune)?

However, remember that this can be used for any of the other Azure applications. Conditional Access is a feature of Azure Active Directory Premium and uses Microsoft Intune for Mobile Device Management.
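As an added example (not code from the original post, and not Microsoft's implementation), the following Python simulator shows how the two rules enabled in Steps 2 and 3 combine into an Allow, Block or Require-MFA decision for a sign-in, using the checks listed above. The rule names are the ones from the post; the evaluation order (location rule first, then device rule), the trusted "at work" IP ranges, the user name and the sign-in scenarios are assumptions constructed for illustration.

```python
# Added example: a small policy evaluator for the per-application access rules
# described in this post. Evaluation order (location rule, then device rule),
# the trusted networks and all sample sign-ins are assumptions for illustration.
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Set
import ipaddress


class Decision(Enum):
    ALLOW = "Allow"
    BLOCK = "Block"
    REQUIRE_MFA = "Require multi-factor authentication"


class LocationRule(Enum):
    """The three location-based options offered in Step 2."""
    ALWAYS_MFA = "Require multi-factor authentication"
    MFA_WHEN_NOT_AT_WORK = "Require multi-factor authentication when not at work"
    BLOCK_WHEN_NOT_AT_WORK = "Block access when not at work"


ALL_DEVICES = "*"  # marker for the "All devices must be compliant" option


@dataclass
class AccessPolicy:
    app: str
    trusted_networks: List[str]                       # CIDR ranges that count as "at work"
    location_rule: Optional[LocationRule] = None      # None = location rules OFF
    # None = device rules OFF; {"*"} = all devices must be compliant;
    # {"Windows"} = only selected platforms must be compliant, others allowed (Step 3).
    compliant_platforms: Optional[Set[str]] = None


@dataclass
class SignIn:
    user: str
    app: str
    client_ip: str
    device_os: str
    domain_joined: bool = False
    intune_compliant: bool = False
    mfa_completed: bool = False   # user already satisfied an MFA challenge


def at_work(client_ip: str, trusted_networks: List[str]) -> bool:
    """A sign-in is 'at work' when its source IP falls inside a trusted range."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(n) for n in trusted_networks)


def device_compliant(s: SignIn) -> bool:
    """Windows devices are compliant when domain joined or marked compliant (Intune)."""
    return s.domain_joined or s.intune_compliant


def evaluate(policy: AccessPolicy, s: SignIn) -> Decision:
    if s.app != policy.app:
        return Decision.ALLOW  # access rules are configured per application
    if policy.location_rule is not None:          # Step 2: location-based rule
        inside = at_work(s.client_ip, policy.trusted_networks)
        rule = policy.location_rule
        if rule is LocationRule.BLOCK_WHEN_NOT_AT_WORK and not inside:
            return Decision.BLOCK
        mfa_needed = rule is LocationRule.ALWAYS_MFA or (
            rule is LocationRule.MFA_WHEN_NOT_AT_WORK and not inside)
        if mfa_needed and not s.mfa_completed:
            return Decision.REQUIRE_MFA
    if policy.compliant_platforms is not None:    # Step 3: device-based rule
        applies = (ALL_DEVICES in policy.compliant_platforms
                   or s.device_os in policy.compliant_platforms)
        if applies and not device_compliant(s):
            return Decision.BLOCK
    return Decision.ALLOW


# Constructed policy matching the post: block off-network, Windows must be compliant.
EXCHANGE_POLICY = AccessPolicy(
    app="Office 365 Exchange Online",
    trusted_networks=["203.0.113.0/24"],
    location_rule=LocationRule.BLOCK_WHEN_NOT_AT_WORK,
    compliant_platforms={"Windows"},
)


def run_scenarios(policy: AccessPolicy = EXCHANGE_POLICY) -> Dict[str, str]:
    """Evaluate a few constructed sign-ins and return the decision for each."""
    user = "user@example.invalid"  # constructed placeholder identity
    scenarios = {
        "off_network_domain_joined": SignIn(user, policy.app, "198.51.100.7", "Windows", domain_joined=True),
        "at_work_windows_unjoined": SignIn(user, policy.app, "203.0.113.20", "Windows"),
        "at_work_windows_joined": SignIn(user, policy.app, "203.0.113.20", "Windows", domain_joined=True),
        "at_work_ios_unmanaged": SignIn(user, policy.app, "203.0.113.21", "iOS"),
        "other_app_off_network": SignIn(user, "Other SaaS App", "198.51.100.7", "Windows"),
    }
    return {name: evaluate(policy, s).value for name, s in scenarios.items()}


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:28} -> {decision}")
```

Running the scenarios makes the ordering visible: a domain-joined laptop signing in from outside the trusted range is still blocked, because the location rule fires before the device rule ever looks at compliance, while an unmanaged iOS device inside the office is allowed under the "only selected devices" option since only Windows was selected. Tabulating expected outcomes this way, before switching a rule ON in the portal, is a cheap check that the chosen option really matches the access you intend to grant.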