Conditional access and named locations

This week another blog post about a recently introduced feature that can be used in commination with conditional access, named named locations. Within conditional access policies, named locations can be used like trusted IPs. The complication with trusted IPs was that it’s actually a feature configuration of multi-factor authentication. That did not really make a lot of sense. In this post I’ll look at the configuration of named locations and how those configurations can be used within a conditional access policy.

A very good scenario for named locations in a conditional access policy is using Office 365 in a terminal services environment. It enables organizations to make an exclusions for a specific named location. In this post I’ll use an example that will blocks access to SharePoint Online with the exception of the configured named location.

Configuration

Now let’s start with having a look at the configuration of named locations and how those named locations can be used within conditional access policies.

Named location

Named locations is a feature of Azure AD that enables administrators to label trusted IP address ranges in their organizations. In the environment, administrators can use named locations in the context of the detection of risk events to reduce the number of reported false positives for the Impossible travel to atypical locations risk event type. However, since recently named locations are also available for use in Azure AD conditional access policies under preview. To create a named location in Azure AD, use the following 3 steps.

1 Open the Azure portal and navigate to Azure Active Directory > Conditional access > Named locations;
2 On the Named locations blade, click New location to open the New blade;
3

CA_NamedLocationOn the New blade, provide a Name and IP range, and click Create;

Note: Even though the example shows that a private IP range is used, for usage with conditional access policies that doesn’t make sense. Use a public IP range. When a device arrives with Azure AD, for authentication, it provides the public IP address to Azure AD (see also the blocked example in the end-user experience section).

Conditional access policy

Using named locations within conditional access policies, is similar to using trusted IPs in conditional access policies. The biggest difference is the location of the configuration. Trusted IPs is a feature configuration of multi-factor authentication, while named locations is a feature configuration of conditional access. To use the configured named location within a conditional access policy, to block all external access to SharePoint Online, follow the 7 steps below.

1 Open the Azure portal and navigate to Azure Active Directory > Conditional access > Policies;
2 On the Policies blade, click New policy to open the New blade;
3 CA_UsersGroupsOn the New blade, select the Users and groups assignment to open the Users and groups blade. On the Users and groups blade, select All users and click Done;
4 CA_SharePointOnlineOn the New blade, select the Cloud apps assignment to open the Cloud apps blade. On the Cloud apps blade, select Select apps to select Office 365 SharePoint Online and click Done;
5 CA_ExcludeLocationOn the New blade, select the Conditions assignment to open the Conditions blade. On the Conditions blade, select Locations to open the Locations blade. On the Locations blade select Yes with Configure, select All locations on the Include tab, select All trusted IPs in the Exclude tab and click Done. Back in the Conditions blade, click Done;
6

CA_BlockAccessOn the New blade, select the Grant access control to open the Grant blade. On the Grant blade, select Block access and click Select.

Note: This configuration will make sure that all locations are blocked access to SharePoint Online, with the exclusion of the named location. The devices within the named location can now connect to SharePoint Online without any additional requirements.

7 On the New blade, select On with Enable policy and click Save.

End-user experience

As usual, let’s end this post with the end-user experience. Below on the left is an example of a connection to SharePoint Online within the configured named location and below on the right is an example of a connection to SharePoint Online outside of the named location. The blocked example clearly shows the external IP address that’s used to connect to SharePoint Online and that it’s blocked by conditional access.

SP_AllowedAccess SP_BlockedAccess

Note: Yes, the blocked example shows the same IP address, as the named location configuration. To simulate a good test, I simply temporarily adjusted the IP range of the named location. That allowed me to easily test the blocked behavior on my devices.

More information

For more information about conditional access and named locations, please refer to:

Share

Conditional access and app enforced restrictions

This blog post is about a recently introduced feature in conditional access, named Session controls. More specific, the Session control of app enforced restrictions. Session controls enable a limiting experience within a cloud app. The great thing about Session controls is is that those controls are enforced by the cloud apps and that those controls rely on additional information provided by Azure AD to the cloud app, about the session. In other words, these controls can be used to require Azure AD to pass the device information to the cloud app. This enables the cloud app to know if the user is coming from a (non-)compliant device or (non-)domain joined device.

Currently Session controls are only supported with SharePoint Online as the cloud app. In this post I’ll go through the required configuration to get SharePoint Online configured with conditional access and app enforced restrictions. I’ll end this post with the end-user experience with app enforced restrictions.

Configuration

The administrator can block or limit access to SharePoint Online content on devices that are not managed, not compliant and/or not joined to a domain. To block access, the administrator usually configures one conditional access policy. To limit access, the administrator should configure two conditional access policies and configure a setting in the SharePoint Online. In this section I’ll start with a few important notes and follow that by the required steps to make the earlier mentioned configurations.

Important notes

Before configuring the limited access to SharePoint Online, be sure to be familiar with the  following important notes:

  • A subscriptions to Azure AD Premium is required;
  • A subscription to Microsoft Intune is required;
  • (At this moment) First Release must be enabled in Office 365;
  • Limited access will also apply to users on managed devices, if they use one of the following browser and operating system combinations:
    • Chrome, Firefox, or any other browser other than Microsoft Edge or Microsoft Internet Explorer in Windows 10 or Windows Server 2016;
    • Firefox in Windows 8.1, Windows 7, Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2.

Block access to mobile apps and desktop clients

The first configuration to limit access to SharePoint Online, is to block access for mobile apps and desktop clients. These apps will not get the limited experience, which means that these apps should be blocked to prevent users from using company data on non-compliant or non-domain joined devices. To create a conditional access policy that will block access for mobile apps and desktop clients to SharePoint Online, follow the 7 steps below.

1 Open the Azure portal and navigate to Azure Active Directory > Conditional access;
2 On the Policies blade, click Add to open the New blade;
3 AP_CA_UsersGroupsOn the New blade, select the Users and groups assignment to open the Users and groups blade. On the Users and groups blade, select All users, or select Select users and groups to specify a specific group, and click Done;
4 AP_CA_CloudAppsOn the New blade, select the Cloud apps assignment to open the Cloud apps blade. On the Cloud apps blade, select Select apps to select Office 365 SharePoint Online and click Done;
5 AP_CA_ClientApp_MobileAppsOn the New blade, select the Conditions assignment to open the Conditions blade. On the Conditions blade, select Client apps to open the Client apps blade. On the Client apps blade select Yes with Configure, select Select client apps and Mobile apps and desktop clients, and click Select. Back in the Conditions blade, click Done;
6 AP_CA_GrantOn the New blade, select the Grant access control to open the Grant blade. On the Grant blade, select Grant access and at least one of the requirements, and click Select.
7 On the New blade, select On with Enable policy and click Save.

Use app enforced restrictions for browsers

The second configuration to limit access to SharePoint Online, is to enforce restrictions to browsers. This will make sure that browsers will get the limited experiences in SharePoint Online, on non-compliant or non-domain joined devices. To create a conditional access policy that will enforce restrictions for browsers to SharePoint Online, follow the 7 steps below.

1 Open the Azure portal and navigate to Azure Active Directory > Conditional access;
2 On the Policies blade, click Add to open the New blade;
3 AP_CA_UsersGroupsOn the New blade, select the Users and groups assignment to open the Users and groups blade. On the Users and groups blade, select All users, or select Select users and groups  to specify a specific group, and click Done;
4 AP_CA_CloudAppsOn the New blade, select the Cloud apps assignment to open the Cloud apps blade. On the Cloud apps blade, select Select apps to select Office 365 SharePoint Online and click Done;
5 AP_CA_ClientApp_BrowserOn the New blade, select the Conditions assignment to open the Conditions blade. On the Conditions blade, select Client apps to open the Client apps blade. On the Client apps blade select Yes with Configure, select Select client apps and Browser, and click Select. Back in the Conditions blade, click Done;
6 AP_CA_SessionOn the New blade, select the Session access control to open the Session blade. On the Session blade, select Use app enforced restrictions and click Select.
7 On the New blade, select On with Enable policy and click Save.

Allow limited access in SharePoint Online

The third configuration to limit access to SharePoint Online, is a configuration within SharePoint Online. The cloud app must be configured to use limited access for devices that aren’t compliant or domain joined. When the administrator configures limited access, users will be able to view but not edit Office files in SharePoint Online. The Download, Print, Sync, Open in desktop app, Embed, Move to, and Copy to buttons won’t appear in the new SharePoint Online experiences. To configure this limited access, follow the 2 steps below.

1 Open the SharePoint admin center and navigate to device access;
2

SPO_ControlAccessOn the Restrict access based on device or network location page, specify the following information and click OK:

  • In the section Control access from devices that aren’t compliant or joined to a domain, select Allow limited access (web-only, without the Download, Print, and Sync commands) with Select the appropriate SharePoint enforced restriction and choose between Allow downloading and Block downloading with For files that can’t be viewed on the web;
  • In the section Control access from apps that don’t use modern authentication, select Block with The setting applies to third party apps and Office 2010 and earlier.

End-user experience

Now let’s end this post with the end-user experience. I’ll do that by showing the limited access experience on Windows 10 (Surface Pro), iOS (iPad) and Android (Samsung Galaxy). Also in that order. Below are examples of of the limited access message in SharePoint Online on the left and the limited access experience in Word Online on the right.

Windows10_SPO Windows10_SPO_Doc
IMG_0102 IMG_0103
Screenshot_20170409-075823 Screenshot_20170409-081417

More information

For more information about conditional access and app enforced restrictions, please refer to:

Share