Another new capability added to Microsoft Intune in the August 2015 update is conditional access for PCs that run Office desktop applications and access Exchange Online and SharePoint Online. This capability enables us to require that PCs must be either domain joined or compliant. To be compliant, a PC must be enrolled in Microsoft Intune and must comply with the configured policies.
This capability has more requirements and needs more configuration than most other Microsoft Intune standalone or Microsoft Intune hybrid capabilities. That’s why I decided to make this another blog series. This blog series will contain three parts:
- Requirements – This part will list all the requirements and the required configurations to start with the different conditional access scenarios;
- SharePoint Online – This part will show the configuration of conditional access for SharePoint Online, including the end-user experience;
- Exchange Online – This part will show the configuration of conditional access for Exchange Online, including the end-user experience.
Requirements
Now let’s start with the requirements for conditional access for PCs. The number of requirements depends on the scenario used. The most complicated scenario, using on-premises AD FS and using domain join as the conditional access check, requires all of the following.
Requirement 1 – Operating System
The first requirement is the easiest requirement, as it simply requires a specific operating system level. To use conditional access for PCs, Windows 7.0 or later is required.
Requirement 2 – Enable modern authentication in Office
The second requirement is still not really challenging, but it contains two important requirements. To use conditional access for PCs, the Office installation must meet one of the following requirements:
- Office 2013 is used, including the March 2015 update or later, and modern authentication is enabled. To enable modern authentication, make sure that the following registry values are set:
  Registry key                                                     Type       Value
  HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\EnableADAL   REG_DWORD  1
  HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\Version      REG_DWORD  1
- Office 2016 is used.
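As an added example, not part of the original post, the following PowerShell function checks the two Office 2013 registry values listed above for the current user and, with -Fix, sets them; the function name is my own.

```powershell
# Added example: verify (and optionally set) the HKCU values that enable
# modern authentication in Office 2013. Run it as the user whose Office
# profile is being checked, since the values live under HKCU.
function Test-OfficeModernAuth {
    param([switch]$Fix)
    $keyPath  = 'HKCU:\SOFTWARE\Microsoft\Office\15.0\Common\Identity'
    $required = @{ EnableADAL = 1; Version = 1 }   # values from the post

    if ($Fix) {
        if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
        foreach ($name in $required.Keys) {
            New-ItemProperty -Path $keyPath -Name $name -PropertyType DWord `
                -Value $required[$name] -Force | Out-Null
        }
    }

    # Re-read the values after any fix so the result reflects the registry state.
    $ok = $true
    foreach ($name in $required.Keys) {
        $current = (Get-ItemProperty -Path $keyPath -Name $name -ErrorAction SilentlyContinue).$name
        if ($current -ne $required[$name]) {
            Write-Warning "$keyPath\$name is '$current'; expected REG_DWORD $($required[$name])"
            $ok = $false
        }
    }
    return $ok
}

Test-OfficeModernAuth          # report only: $true when both values are correct
# Test-OfficeModernAuth -Fix   # create the key and set both values, then re-check
```

The check only covers the registry values; the March 2015 update itself still has to be present on the Office 2013 installation.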
Requirement 3 – Automatically register device in Azure AD
The third requirement is already more challenging, because it contains multiple configurations that need to be in place. To use conditional access for PCs, a domain joined device needs to be automatically registered in Azure AD. This requires the following three configurations.
Configure an additional Azure AD relying party trust claim rule
- Open the AD FS Management console;
- Navigate to AD FS > Trust Relationships > Relying Party Trusts;
- Right-click the Microsoft Office 365 Identity Platform trust and select Edit Claim Rules…;
- Navigate to Issuance Transform Rules and click Add Rule… to open the Add Transform Claim Rule Wizard;
- On the Choose Rule Type page, select Send Claims Using a Custom Rule and click Next;
- On the Choose Claim Rule page, specify a Claim rule name, provide the following Claim rule and click Finish.
c:[Type == "http://schemas.microsoft.com/claims/authnmethodsreferences"]
=> issue(claim = c);
Configure an additional Azure AD relying party trust authentication class
- Open Windows PowerShell and run the following command;
Set-AdfsRelyingPartyTrust `
    -TargetName "Microsoft Office 365 Identity Platform" `
    -AllowedAuthenticationClassReferences wiaormultiauthn
Configure automatic device registration
- Windows 7 is used and automatic workplace join is enabled. To enable automatic workplace join on Windows 7, install the following software package: https://connect.microsoft.com/site1164;
- Windows 8.1 or later is used and automatic workplace join is enabled. To enable automatic workplace join on Windows 8.1, make sure that a GPO like the following is configured and linked:
- Open the Group Policy Management console;
- Navigate to Group Policy Management > Forest:<TheForest> > Domains > <TheDomain>;
- Right-click Group Policy Objects and select New.
- Provide a Name and click OK;
- Right-click the new Group Policy Object and select Edit;
- Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Workplace Join;
- Right-click the Automatically workplace join client computers setting and select Edit;
- Select Enabled and click OK.
Note: There are also required configurations for the AD FS Global Authentication Policy, Internet Explorer and network connectivity, but those are all considered default.
Requirement 4 – Block non-modern authentication protocols in AD FS
The fourth requirement is the most challenging, at least for me. To use conditional access for PCs, non-modern authentication protocols should be blocked from reaching Office 365. Basically, everything except ActiveSync and browser-based logins should be blocked. A good thing to keep in mind, in this case, is that Outlook uses MAPI/HTTP to connect to Office 365. This can be achieved by making sure that a configuration like the following example is in place (other examples can be found in the linked articles):
- Open the AD FS Management console;
- Navigate to AD FS > Trust Relationships > Relying Party Trusts;
- Right-click the Microsoft Office 365 Identity Platform trust and select Edit Claim Rules…;
- Navigate to Issuance Authorization Rules and click Add Rule… to open the Add Issuance Authorization Claim Rule Wizard;
- On the Choose Rule Type page, select Send Claims Using a Custom Rule and click Next.
- On the Choose Claim Rule page, specify a Claim rule name, provide the following Claim rule and click Finish.
- Verify that this new claim rule is created below the default Permit Access to All Users claim rule.
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
&& NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application",
Value == "Microsoft.Exchange.Autodiscover"])
&& NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application",
Value == "Microsoft.Exchange.ActiveSync"])
&& NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application",
Value == "Microsoft.Exchange.Mapi"])
&& NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application",
Value == "Microsoft.Exchange.Nspi"])
&& NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path",
Value == "/adfs/ls/"])
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
Note: This example claim rule denies all traffic that comes in through the proxy unless the client application is Autodiscover, ActiveSync, Mapi or Nspi, or the request is a browser login on the /adfs/ls/ endpoint.
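As an added example, not part of the original post, the following PowerShell applies the deny rule above through Set-AdfsRelyingPartyTrust instead of the wizard and then confirms that it ended up below the default Permit Access to All Users rule, as required in the steps above. It assumes the AD FS PowerShell module is loaded on the AD FS server and that the trust still carries its default name; the rule name is my own.

```powershell
# Added example: append the Requirement 4 deny rule to the Office 365 trust
# and verify its position relative to the default permit rule.
$trustName = "Microsoft Office 365 Identity Platform"

# The claim rule from the post, written with straight quotes so it parses.
$denyRule = @'
@RuleName = "Block non-modern authentication through the proxy"
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.Autodiscover"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.Mapi"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.Nspi"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/ls/"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
'@

$trust = Get-AdfsRelyingPartyTrust -Name $trustName
if (-not $trust) { throw "Relying party trust '$trustName' was not found." }

$existing = [string]$trust.IssuanceAuthorizationRules
if ($existing -notmatch 'authorization/claims/permit') {
    throw "No permit rule found; the default Permit Access to All Users rule must exist first."
}
if ($existing -match 'authorization/claims/deny') {
    Write-Warning "A deny rule already exists on this trust; review it before adding another."
}

# Appending keeps the existing permit rule above the new deny rule.
$newRules = $existing.TrimEnd() + "`r`n`r`n" + $denyRule
Set-AdfsRelyingPartyTrust -TargetName $trustName -IssuanceAuthorizationRules $newRules

# Read the rule set back and check the order: permit must precede deny.
$applied   = [string](Get-AdfsRelyingPartyTrust -Name $trustName).IssuanceAuthorizationRules
$permitIdx = $applied.IndexOf('authorization/claims/permit')
$denyIdx   = $applied.IndexOf('authorization/claims/deny')
if ($permitIdx -lt 0 -or $denyIdx -lt $permitIdx) {
    throw "Unexpected rule order: the deny rule must sit below the permit rule."
}
"Deny rule applied below the Permit Access to All Users rule."
```

The transform rule from Requirement 3 can be appended the same way using the -IssuanceTransformRules parameter of Set-AdfsRelyingPartyTrust.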
More information
For more information about the requirements for conditional access for PCs, please refer to the following links:
- Conditional Access in Configuration Manager: https://technet.microsoft.com/en-us/library/dn919655.aspx
- Manage access to email and SharePoint with Microsoft Intune: https://technet.microsoft.com/en-us/library/dn818907.aspx
- Limiting Access to Office 365 Services Based on the Location of the Client: https://technet.microsoft.com/en-us/library/hh526961%28v=ws.10%29.aspx
- Configuring Client Access Policies: https://technet.microsoft.com/en-us/library/dn592182.aspx
- Automatic Device Registration with Azure Active Directory for Windows Domain-Joined Devices: https://msdn.microsoft.com/en-us/library/azure/dn935033.aspx
- Enable Modern Authentication for Office 2013 on Windows devices: https://support.office.com/en-us/article/Enable-Modern-Authentication-for-Office-2013-on-Windows-devices-7dc1c01a-090f-4971-9677-f1b192d6c910
- Continuing Adventures in AD FS Claims Rules: http://www.c7solutions.com/2014/07/continuing-adventures-in-ad-fs-claims-rules
- Office 2013 modern authentication public preview announced: https://blogs.office.com/2015/03/23/office-2013-modern-authentication-public-preview-announced/
Great article as always Peter. Can you tell me which version of ADFS you used in your deployment ? I’m wondering if this setup will work with ADFS 2.0… Couldn’t find any doc clearly stating that.
I’ve used AD FS 3.0 (Server 2012 R2). In the early stages I was told that at least AD FS 3.0 would be required, but, looking at the usage, and the documentation, I would think that AD FS 2.0 would also work. As long as it supports Office modern authentication.
Hello Peter,
Thanks for a good article. Do you know if ADFS is a requirement if I want to block all “non-compliant”/”non-modern” devices from accessing Exchange Online (MAPI)?
I’m looking for solving a managed identity (cloud only) with Microsoft native cloud tools to only allow access using Outlook on trusted devices. A trusted device would be a device with either a specific certificate or an Intune enrolled device (or similar).
Hi Rikard,
ADFS is the road to block that type of traffic at this moment. The coming update to Microsoft Intune will add the ability to create conditional access policies that will work with the health attestation of Windows 10, which could get you a bit closer to easily block unwanted devices.
Regards,
Peter
Hi sir,
Does the conditional access for PCs and laptops also work for Exchange On-premises?
Yes, in combination with the exchange connector you can also use this for Exchange On-premises.
Hi peter,
Can I block MS Outlook from non-domain-joined machines using Intune?
In combination with ADFS claim rules and MS Intune policies I have blocked the default mail client, but this is not working for the Outlook client.
Exchange is Online 2013.
Yes, you can use conditional access to block Microsoft Outlook 2013 and later.
Hi There,
If I only want to use “Devices must be compliant” as the level of conditional access as I’m not concerned whether they are domain joined or not do I still need the March 2015 update or later and modern authentication enabled?
Also, by using the wording “March 2015 update” I assume you are referring to the Click-to-run edition of Office 2013 in which case does conditional access work with the MSI based Office 2013?
Cheers
C
Yes, you still need to have that update installed for Office 2013, in general, to enable modern authentication. The modern authentication part is making sure that you can use conditional access.
For the conditional access testing did you use Windows 10 devices? Did you have to run the Initialize-AdSyncDomainJoinComputerSync command at all to create the SCP record in AD? I’m trying to figure out if this needs to be run even if you have ADFS since the devices don’t know where to go to register in Azure AD.
Yes, you need to run that command, for exactly the reason that you stated about the SCP record.
Hi Peter,
Thank you for a detailed, well-written and easy to understand article!
Quick question: for disabling NON-MODERN authentication, is it possible in a standalone Intune environment, i.e. NO ADFS?
Basically we’ve enabled modern authentication and set conditional access for Windows Mobile and Windows devices to be compliant, and want to ensure that emails can’t be downloaded on older versions of Outlook, 2007 or 2010.
Any guidance on this will be highly appreciated.
Many thanks again for a VERY helpful blog!!
That will be challenging. You can look at using the ActiveSync device access rules for some help, but you can’t filter everything. For some more ideas, please refer to: https://www.petervanderwoude.nl/post/conditional-access-for-exchange-online-to-the-max/
Hi,
I’m searching for a way to block authentication with their Azure credential in Office 2016 for Azure RMS authentication of users that are not working on a domain-joined PC. Is there a way to do this?
Thank you
Luca
Depends. What service or activity are you trying to block?
Peter
Hi Peter,
I’d like to block the Azure RMS login (that happens when you try to open an RMS protected document with Office 2016), and allow it only if it is a domain-joined PC.
Do you know any way to do that?
Thank you for the support
Luca
Hi Luca,
Does the RMS app provide a specific value in the client agent claim? If so, that could be used to filter in ADFS to block that type of requests.
Peter
Hi Peter,
I have a question: if my users don’t have AD or any license, but they have an MS O365 Basic (web version) license and 4 users have an Intune license, can I still set a conditional access policy for all users?
Hi Radha,
For a user to actually reach the service that is protected with CA, the user must be licensed.
Regards, Peter