Yeah, I know, I’ve been using similar blog post titles recently. And yes, it might sound cheesy. However, looking specifically at conditional access, it’s easy to say that the current evolution, in the Azure portal, is better than it is in the Azure classic portal, which is better than it is in the Intune Silverlight portal. Based on that, maybe “The evolution of conditional access” would have been a nice title also. In this post I will go through a little bit of history of conditional access, followed by going through the enhanced capabilities of conditional access in the Azure portal.
Little bit of history
Let’s start by looking at a little bit of history of conditional access. No, I won’t put all the evolutions on a timeline, but I will try to show the biggest changes. Conditional access started as a feature in the Intune Silverlight portal only. At that time it was limited to a few Office 365 services. Later on conditional access also became part of the Azure classic portal and the functionality was expanded to include other cloud apps and published apps. Very recently conditional access also became part of the Azure portal (still in preview) and the functionality was expanded to include multiple policies and many, many configuration options. Now let’s go through these evolutions in a bit more detail.
Note: At this moment all three locations are still available for configuring conditional access. When a conditional access policy is configured at multiple locations, the end-user only gets access when all requirements are met.
Conditional access in the Azure portal
This section is about a preview of the Azure AD management experience in the Azure portal.
Now let’s have a look at the new conditional access experience in the Azure portal and why these changes are really interesting. Let’s do this by going through the different controls and condition statements that are available in the Azure portal.
The first thing that’s important to know is that there is no longer a limit on creating conditional access policies for specific apps. The configuration in the Azure portal enables the administrator to create multiple conditional access policies. Not just one per cloud app; there can even be multiple policies per cloud app. Before every sign-in, Azure AD evaluates all applicable policies and ensures that all requirements are met before granting access to the end-user. Now let’s have a look at adding a policy in more detail.
The next thing is to have a look at the different assignments that can be part of the condition statement. The assignments can be configured for Users and groups, Cloud apps and additional Conditions. When multiple assignments are configured in a conditional access policy, they are logically ANDed: the policy only applies when all configured assignments match.
Let’s end this post by having a look at the different controls. The controls can be used to either block or allow access. And when allowing access, the administrator can, and also must, add additional requirements that the sign-in has to meet.
Note: Currently, when the control requires multi-factor authentication or a compliant device, the user will be prompted for multi-factor authentication irrespective of the device compliance state.
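To make the evaluation rules from the last few paragraphs concrete, here is a small Python model added for this post (it is not Microsoft’s evaluation engine, and the policy names, apps, groups and the "platform" condition are constructed sample values): a policy applies only when its user/group, cloud app and condition assignments all match, every applicable policy must be satisfied, and a block control wins over any grant.

```python
from dataclasses import dataclass, field

# Toy model of the evaluation rules described above (constructed example, not
# Microsoft's engine). Policy/SignIn fields and the sample names are assumptions.

@dataclass
class Policy:
    name: str
    users: set                 # users or groups assigned; "All" means everyone
    cloud_apps: set            # cloud apps in scope; "All" means every app
    conditions: dict = field(default_factory=dict)        # e.g. {"platform": {"iOS", "Android"}}
    block: bool = False        # control: block access
    required_controls: set = field(default_factory=set)   # control: grant, but require these

@dataclass
class SignIn:
    user: str
    groups: set
    app: str
    attributes: dict           # sign-in facts matched against conditions, e.g. {"platform": "iOS"}
    satisfied_controls: set    # controls already met in this session, e.g. {"mfa"}

def applies(policy: Policy, s: SignIn) -> bool:
    """All assignments are ANDed: user/group AND cloud app AND every condition must match."""
    user_ok = "All" in policy.users or bool(policy.users & ({s.user} | s.groups))
    app_ok = "All" in policy.cloud_apps or s.app in policy.cloud_apps
    cond_ok = all(s.attributes.get(k) in v for k, v in policy.conditions.items())
    return user_ok and app_ok and cond_ok

def evaluate(policies: list, s: SignIn) -> tuple:
    """Every applicable policy must be satisfied; a block control wins over any grant."""
    applicable = [p for p in policies if applies(p, s)]
    if any(p.block for p in applicable):
        return "block", set()
    required = set().union(*(p.required_controls for p in applicable))
    missing = required - s.satisfied_controls
    return ("grant", set()) if not missing else ("controls_required", missing)

# Constructed sample policy set: note that two policies target the same cloud app.
POLICIES = [
    Policy("Require MFA for Exchange Online", {"All"}, {"Exchange Online"}, required_controls={"mfa"}),
    Policy("Block contractors from Exchange Online", {"Contractors"}, {"Exchange Online"}, block=True),
    Policy("Require compliant mobile device for SharePoint", {"Sales"}, {"SharePoint Online"},
           conditions={"platform": {"iOS", "Android"}}, required_controls={"compliant_device"}),
]

if __name__ == "__main__":
    alice = SignIn("alice", {"Sales"}, "Exchange Online", {"platform": "iOS"}, set())
    print(evaluate(POLICIES, alice))  # ('controls_required', {'mfa'})
```

Running `evaluate` against a planned policy set is a cheap way to check, before saving policies in the portal, which sign-ins end up blocked, prompted for extra controls, or (unintentionally) granted with no requirements at all.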
For more information about conditional access via the Azure portal, the Azure classic portal, or the Intune Silverlight portal, please refer to:
- Conditional access in Azure Active Directory: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access
- Conditional access in Azure Active Directory – preview: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azure-portal
- Manage access to services: https://docs.microsoft.com/en-us/sccm/protect/deploy-use/manage-access-to-services
- Protect access to email, Office 365, and other services with Microsoft Intune: https://docs.microsoft.com/en-us/intune/deploy-use/restrict-access-to-email-and-o365-services-with-microsoft-intune