This week I’ll provide an overview about the latest addition to conditional access, which is conditional access for browsers. It’s a feature that many have been waiting for and a feature that is indeed a pretty welcome addition to conditional access. This post will provide the basics about conditional for browses, the configuration of conditional access for browsers and the end-user experience with conditional access for browsers. It will also be the introduction for something much better next week.
Conditional access allows IT organizations to manage access to corporate email, files and other resources based on customizable conditions that ensure security and compliance. The addition of conditional access for browsers addresses the backdoor that still existed for end-users connecting to the Outlook Web App (OWA) and end-users using browser access to SharePoint and OneDrive for Business. It’s now possible to restrict Outlook Web App (OWA) and browser access to SharePoint and OneDrive for Business when accessed from a browser on iOS and Android devices. Access is only allowed from the following supported browsers, on compliant devices, while unsupported browsers are simply blocked:
- Safari (iOS);
- Chrome (Android);
- Managed Browser (iOS and Android).
Note: Keep in mind that this does not block access via the OWA app. More about that in my post next week.
Now let’s have a look at the configuration of conditional access for browsers. The configuration is the same for Microsoft Intune standalone and Microsoft Intune hybrid, as the configuration is part of the conditional access policies. It’s actually nothing more than one simple checkbox that belongs to one specific setting. That specific setting is Block non-compliant devices on the same platform as Outlook in the Exchange Online Policy and Block non-compliant devices on the same platforms as OneDrive for Business in the SharePoint Online Policy. That specific setting can be configured as shown below for Exchange Online and SharePoint Online.
|Exchange Online||SharePoint Online|
Now it’s time to look at the end-user experience, which is the most important part of this feature. Below I’ve got examples for compliant and non-compliant devices and supported and unsupported browsers. In all examples I’m trying to access https://outlook.office.com.
Here is an example on an Android device using the supported Chrome browser and using the unsupported Firefox browser. The left column shows the non-compliant examples and the right column shows the compliant examples. Notice the clear message in the unsupported browser about using supported browsers for access.
Here is an example on an iOS device using the supported Safari browser and using the unsupported Firefox browser. The left column shows the non-compliant examples and the right column shows the compliant examples. I haven’t been able to receive the same clear messages yet, as shown on my Android device, but the access is definitely blocked.
I’ve also managed to successfully test conditional access for browsers on Windows 10, with Internet Explorer and Microsoft Edge, in combination with Microsoft Intune standalone and Microsoft Intune hybrid. Even in combination with Windows 10, fully managed by ConfigMgr. More about those awesome scenario’s once it’s listed as a supported platform with supported browsers.
Fore more information about conditional access for browsers with Exchange Online and SharePoint Online, please refer to:
- New in Intune: Conditional access for browsers, Dynamics CRM Online and Cisco ISE: https://blogs.technet.microsoft.com/enterprisemobility/2016/07/08/new-in-intune-conditional-access-for-browsers-dynamics-crm-online-and-cisco-ise/
- Restrict email access to Exchange Online and new Exchange Online Dedicated with Intune: https://docs.microsoft.com/en-us/intune/deploy-use/restrict-access-to-exchange-online-with-microsoft-intune
- Restrict access to SharePoint Online with Microsoft Intune: https://docs.microsoft.com/en-us/intune/deploy-use/restrict-access-to-sharepoint-online-with-microsoft-intune
- Manage email access in System Center Configuration Manager: https://technet.microsoft.com/en-us/library/mt629504.aspx
- Manage SharePoint Online access in System Center Configuration Manager: https://technet.microsoft.com/en-us/library/mt629505.aspx