Conditional Access for PCs – Part I: Requirements

Another capability added to Microsoft Intune in the August 2015 update is conditional access for PCs that use the Office desktop applications to access Exchange Online and SharePoint Online. This capability lets us require that a PC is either domain joined or compliant. To be compliant, a PC must be enrolled in Microsoft Intune and must comply with the Intune policies.

This capability has more requirements, and needs more configuration, than most other Microsoft Intune standalone or Microsoft Intune hybrid capabilities. That’s why I decided to make this another blog series. This blog series will contain three parts:

  1. Requirements – This part will list all the requirements and the required configurations to start with the different conditional access scenarios;
  2. SharePoint Online – This part will show the configuration of conditional access for SharePoint Online, including the end-user experience;
  3. Exchange Online – This part will show the configuration of conditional access for Exchange Online, including the end-user experience.

Requirements

Now let’s start with the requirements for conditional access for PCs. The number of requirements depends on the scenario. The most complicated scenario, using on-premises AD FS and using domain membership as the conditional access check, requires all of the following.

Requirement 1 – Operating System

The first requirement is the easiest, as it simply requires a minimum operating system version. To use conditional access for PCs, Windows 7.0 or later is required.

Requirement 2 – Enable modern authentication in Office

The second requirement is still not really challenging, but it contains two important conditions. To use conditional access for PCs, the Office installation must meet one of the following requirements:

  • Office 2013 is used, including the March 2015 update or later, and modern authentication is enabled. To enable modern authentication, make sure that the following registry values are set:

    Registry key                                                     Type       Value
    HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\EnableADAL   REG_DWORD  1
    HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\Version      REG_DWORD  1

  • Office 2016 is used.
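To check the registry values above on a PC, and to set them when they are missing, the following PowerShell script can be used. It is an added example and not part of the original post: it reads the two values from the post under the Office 2013 (15.0) key, and treats the presence of an Office 2016 (16.0) key under HKCU as an assumption that Office 2016 is in use, which needs no registry change. It runs in the context of the user whose HKCU hive is checked.

```powershell
# Added example (not from the original post): check, and optionally set, the
# registry values that enable modern authentication (ADAL) for Office 2013.
# Runs as the user whose HKCU hive is being checked.

$Office2013IdentityKey = 'HKCU:\SOFTWARE\Microsoft\Office\15.0\Common\Identity'

function Test-OfficeModernAuth {
    # Returns $true when both values from the post exist and are set to 1.
    $props = Get-ItemProperty -Path $Office2013IdentityKey -ErrorAction SilentlyContinue
    if (-not $props) { return $false }
    return ($props.EnableADAL -eq 1) -and ($props.Version -eq 1)
}

function Enable-OfficeModernAuth {
    # Creates the key if needed and sets EnableADAL=1 and Version=1 as REG_DWORD.
    if (-not (Test-Path $Office2013IdentityKey)) {
        New-Item -Path $Office2013IdentityKey -Force | Out-Null
    }
    foreach ($name in 'EnableADAL', 'Version') {
        New-ItemProperty -Path $Office2013IdentityKey -Name $name -Value 1 `
            -PropertyType DWord -Force | Out-Null
    }
}

# Assumption: an HKCU 16.0 key means Office 2016 is installed for this user,
# in which case the values from the post are not needed.
if (Test-Path 'HKCU:\SOFTWARE\Microsoft\Office\16.0\Common') {
    Write-Output 'Office 2016 detected: no registry change required.'
} elseif (Test-OfficeModernAuth) {
    Write-Output 'Office 2013: modern authentication values are set.'
} else {
    Write-Output 'Office 2013: values missing, setting them now.'
    Enable-OfficeModernAuth
    Write-Output ("Now enabled: " + (Test-OfficeModernAuth))
}
```

Because the values live under HKCU, they have to be set for every user profile that runs Office; a per-user logon script or a Group Policy Preference registry item is the usual way to roll them out.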

Requirement 3 – Automatically register device in Azure AD

The third requirement is already more challenging, because it contains multiple configurations that need to be in place. To use conditional access for PCs, a domain joined device needs to be automatically registered in Azure AD. This requires the following three configurations.

Configure an additional Azure AD relying party trust claim rule

  • Open the AD FS Management console;
  • Navigate to AD FS > Trust Relationships > Relying Party Trusts;
  • Right-click the Microsoft Office 365 Identity Platform trust and select Edit Claim Rules…;
  • Navigate to Issuance Transform Rules and click Add Rule… to open the Add Transform Claim Rule Wizard;
  • On the Choose Rule Type page, select Send Claims Using a Custom Rule and click Next;
  • On the Choose Claim Rule page, specify a Claim rule name, provide the following Claim rule and click Finish:

    c:[Type == "http://schemas.microsoft.com/claims/authnmethodsreferences"]
     => issue(claim = c);

Configure an additional Azure AD relying party trust authentication class

  • Open Windows PowerShell and run the following command:

    Set-AdfsRelyingPartyTrust `
        -TargetName "Microsoft Office 365 Identity Platform" `
        -AllowedAuthenticationClassReferences wiaormultiauthn

Configure automatic device registration

  • Windows 7 is used and automatic workplace join is enabled. To enable automatic workplace join on Windows 7, install the following software package: https://connect.microsoft.com/site1164;
  • Windows 8.1 or later is used and automatic workplace join is enabled. To enable automatic workplace join on Windows 8.1, make sure that a GPO like the following is configured and linked:
    • Open the Group Policy Management console;
    • Navigate to Group Policy Management > Forest:<TheForest> > Domains > <TheDomain>;
    • Right-click Group Policy Objects and select New;
    • Provide a Name and click OK;
    • Right-click the new Group Policy Object and select Edit;
    • Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Workplace Join;
    • Right-click the Automatically workplace join client computers setting and select Edit;
    • Select Enabled and click OK.

Note: There are also required configurations for the AD FS Global Authentication Policy, Internet Explorer and the network connectivity, but those are all considered default.
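The two AD FS-side configurations of this requirement (the pass-through claim rule and the allowed authentication class) can also be applied and verified from the ADFS PowerShell module, which makes the change repeatable across farms. The script below is an added example and not part of the original post: it uses the claim rule text and the wiaormultiauthn value from the post, appends the rule to the existing issuance transform rules of the Microsoft Office 365 Identity Platform trust instead of replacing them, and then reads the trust back to confirm both settings. The rule name is an assumption; it runs on the AD FS server as an AD FS administrator.

```powershell
# Added example (not from the original post): apply and verify the AD FS part of
# requirement 3 with the ADFS module. Run on the AD FS server as an AD FS admin.
Import-Module ADFS

$TrustName = 'Microsoft Office 365 Identity Platform'
$RuleName  = 'Pass through authnmethodsreferences'   # assumed name, not from the post

# The transform rule from the post, prefixed with the @RuleName directive that
# AD FS uses to label a rule inside a stored rule set.
$AuthnMethodsRule = @"
@RuleName = "$RuleName"
c:[Type == "http://schemas.microsoft.com/claims/authnmethodsreferences"]
 => issue(claim = c);
"@

$trust = Get-AdfsRelyingPartyTrust -Name $TrustName
if (-not $trust) { throw "Relying party trust '$TrustName' not found." }

# Append the rule only when it is not already there, keeping existing rules intact.
if ($trust.IssuanceTransformRules -notmatch 'claims/authnmethodsreferences') {
    $newRules = $trust.IssuanceTransformRules + "`r`n" + $AuthnMethodsRule
    Set-AdfsRelyingPartyTrust -TargetName $TrustName -IssuanceTransformRules $newRules
}

# Accept Windows integrated authentication or multi-factor authentication as
# authentication classes for this trust (the value used in the post).
Set-AdfsRelyingPartyTrust -TargetName $TrustName `
    -AllowedAuthenticationClassReferences wiaormultiauthn

# Read the trust back and report both settings.
function Get-O365TrustStatus {
    $t = Get-AdfsRelyingPartyTrust -Name $TrustName
    [pscustomobject]@{
        TransformRulePresent = [bool]($t.IssuanceTransformRules -match 'claims/authnmethodsreferences')
        AllowedAuthnClasses  = ($t.AllowedAuthenticationClassReferences -join ',')
    }
}
Get-O365TrustStatus
```

Re-reading the trust after the change is worth keeping in the script: a typo in a pasted rule set fails silently in the sense that AD FS keeps the old rules, and the verification output is the quickest way to notice that.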

Requirement 4 – Block non-modern authentication protocols in AD FS

The fourth requirement is the most challenging, at least for me. To use conditional access for PCs, non-modern authentication protocols should be blocked for Office 365. Basically, everything except ActiveSync and browser-based logins should be blocked. A good thing to keep in mind here is that Outlook uses MAPI/HTTP to connect to Office 365. This can be achieved by making sure that a configuration like the following example is in place (other examples can be found in the linked articles):

  • Open the AD FS Management console;
  • Navigate to AD FS > Trust Relationships > Relying Party Trusts;
  • Right-click the Microsoft Office 365 Identity Platform trust and select Edit Claim Rules…;
  • Navigate to Issuance Authorization Rules and click Add Rule… to open the Add Issuance Authorization Claim Rule Wizard;
  • On the Choose Rule Type page, select Send Claims Using a Custom Rule and click Next;
  • On the Choose Claim Rule page, specify a Claim rule name, provide the following Claim rule and click Finish:

    exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
     && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application",
                    Value == "Microsoft.Exchange.Autodiscover"])
     && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application",
                    Value == "Microsoft.Exchange.ActiveSync"])
     && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application",
                    Value == "Microsoft.Exchange.Mapi"])
     && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application",
                    Value == "Microsoft.Exchange.Nspi"])
     && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path",
                    Value == "/adfs/ls/"])
     => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

  • Verify that this new claim rule is created below the default Permit Access to All Users claim rule.

Note: This example claim rule blocks all traffic that comes in through the proxy unless the request context is Autodiscover, ActiveSync, MAPI, NSPI or a browser sign-in on the /adfs/ls/ endpoint.
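Because a mistake in this rule either locks users out or leaves legacy protocols open, it helps to generate the rule text from an explicit allow-list and to model its logic locally before applying it. The script below is an added example and not part of the original post: it goes a step beyond the post by building the deny rule from the list of allowed client applications and endpoint paths given above (so an extra client application is one array entry, not a hand-edited rule), evaluates the same logic against a few constructed request contexts, and finally shows how the generated rule is appended below the existing authorization rules of the Office 365 trust. The claim types, application names and path are those from the post; the sample contexts, the rule name and the legacy client value 'Constructed.Legacy.Client' are constructed for the example.

```powershell
# Added example (not from the original post): generate, model and append the
# requirement 4 deny rule. Claim types and allow-list values are from the post.

$ProxyClaim  = 'http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy'
$ClientClaim = 'http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application'
$PathClaim   = 'http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path'
$DenyClaim   = 'http://schemas.microsoft.com/authorization/claims/deny'
$AllowedApps  = @('Microsoft.Exchange.Autodiscover', 'Microsoft.Exchange.ActiveSync',
                  'Microsoft.Exchange.Mapi', 'Microsoft.Exchange.Nspi')
$AllowedPaths = @('/adfs/ls/')

function New-ProxyDenyRule {
    # Emits the claim rule text: deny proxy (external) requests unless the
    # client application or the endpoint path is on the allow-list.
    $conditions = @("exists([Type == `"$ProxyClaim`"])")
    foreach ($app in $AllowedApps) {
        $conditions += "NOT exists([Type == `"$ClientClaim`", Value == `"$app`"])"
    }
    foreach ($path in $AllowedPaths) {
        $conditions += "NOT exists([Type == `"$PathClaim`", Value == `"$path`"])"
    }
    return ($conditions -join "`r`n && ") +
           "`r`n => issue(Type = `"$DenyClaim`", Value = `"true`");"
}

function Test-ProxyDeny {
    # Local model of the rule. $Context maps claim type -> value; a missing key
    # means the claim is absent. Returns $true when the rule would issue deny.
    param([hashtable]$Context)
    if (-not $Context.ContainsKey($ProxyClaim)) { return $false }   # internal request
    if ($AllowedApps  -contains $Context[$ClientClaim]) { return $false }
    if ($AllowedPaths -contains $Context[$PathClaim])   { return $false }
    return $true
}

# Constructed request contexts (not captured from a real AD FS server).
$samples = [ordered]@{
    'Outlook MAPI via proxy'     = @{ $ProxyClaim = 'wap01'; $ClientClaim = 'Microsoft.Exchange.Mapi' }
    'Browser sign-in via proxy'  = @{ $ProxyClaim = 'wap01'; $PathClaim = '/adfs/ls/' }
    'Legacy client via proxy'    = @{ $ProxyClaim = 'wap01'; $ClientClaim = 'Constructed.Legacy.Client' }
    'Legacy client on intranet'  = @{ $ClientClaim = 'Constructed.Legacy.Client' }
}
foreach ($name in $samples.Keys) {
    '{0,-28} denied: {1}' -f $name, (Test-ProxyDeny -Context $samples[$name])
}
# Only 'Legacy client via proxy' should come out as denied.

Write-Output "`nGenerated rule:`n$(New-ProxyDenyRule)"

# To apply on the AD FS server: append below the existing authorization rules so
# the default 'Permit Access to All Users' rule stays first, as the post requires.
# Import-Module ADFS
# $trust = Get-AdfsRelyingPartyTrust -Name 'Microsoft Office 365 Identity Platform'
# $rules = $trust.IssuanceAuthorizationRules + "`r`n@RuleName = `"Deny non-modern auth via proxy`"`r`n" + (New-ProxyDenyRule)
# Set-AdfsRelyingPartyTrust -TargetName $trust.Name -IssuanceAuthorizationRules $rules
```

The local model is only as good as its match with the real rule, which is why the script prints the generated rule text: compare it line by line with what the AD FS console shows after applying, and run the sample contexts again whenever the allow-list changes.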

More information

For more information about the requirements for conditional access for PCs, please refer to the following links:

24 thoughts on “Conditional Access for PCs – Part I: Requirements”

  1. Great article as always Peter. Can you tell me which version of ADFS you used in your deployment? I’m wondering if this setup will work with ADFS 2.0… Couldn’t find any doc clearly stating that.

    • I’ve used AD FS 3.0 (Server 2012 R2). In the early stages I was told that at least AD FS 3.0 would be required, but, looking at the usage, and the documentation, I would think that AD FS 2.0 would also work. As long as it supports Office modern authentication.

  2. Hello Peter,

    Thanks for a good article. Do you know if ADFS is a requirement if I want to block all “non-compliant”/”non-modern” devices from accessing Exchange Online (MAPI)?

    I’m looking for solving a managed identity (cloud only) with Microsoft native cloud tools to only allow access using Outlook on trusted devices. A trusted device would be a device with either a specific certificate or Intune enrolled device (or similar).

    • Hi Rikard,

      ADFS is the road to block that type of traffic at this moment. The coming update to Microsoft Intune will add the ability to create conditional access policies that will work with the health attestation of Windows 10, which could get you a bit closer to easily block unwanted devices.

      Regards,
      Peter

  3. Hi Peter,
    Can I block MS Outlook from non-domain joined machines using Intune?
    In combination with ADFS claim rules and MS Intune policies I have blocked the default mail client, but this is not working for the Outlook client.
    Exchange is Online 2013.

  4. Hi There,

    If I only want to use “Devices must be compliant” as the level of conditional access as I’m not concerned whether they are domain joined or not do I still need the March 2015 update or later and modern authentication enabled?

    Also, by using the wording “March 2015 update” I assume you are referring to the Click-to-run edition of Office 2013 in which case does conditional access work with the MSI based Office 2013?

    Cheers
    C

    • Yes, you still need to have that update installed for Office 2013, in general, to enable modern authentication. The modern authentication part is making sure that you can use conditional access.

  5. For the conditional access testing did you use Windows 10 devices? Did you have to run the Initialize-AdSyncDomainJoinComputerSync command at all to create the SCP record in AD? I’m trying to figure out if this needs to be run even if you have ADFS since the devices don’t know where to go to register in Azure AD.

  6. Hi Peter,

    Thank you for a detailed, well-written and easy to understand!

    Quick question: For disabling NON-MODERN authentication, is it possible in a standalone Intune environment? i.e. NO ADFS?

    Basically we’ve enabled modern authentication and set conditional access for Windows Mobile and Windows devices to be compliant, and want to ensure that emails can’t be downloaded on older versions of Outlook, 2007 or 2010.

    Any guidance on this will be highly appreciated.

    Many thanks again for a VERY helpful blog!!

  7. Hi,
    I’m searching for a way to block authentication with their Azure credential in Office 2016 for Azure RMS authentication of users that are not working on a domain-joined PC. Is there a way to do this?

    Thank you

    Luca

  8. Hi Peter,

    I have a question regarding: if my users don’t have AD or any license but they have an MSO365 Basic (web version) license, and 4 users have an Intune license, then can I also set a conditional policy for all users???
