This week another post about the world of conditional access in Azure AD. Last week I started with looking at conditional access for Yammer. This week I’ll add-on to that idea by publishing a custom application, in this case my ConfigMgr reports, and apply conditional access to that configuration. To make it even better, it even allows a single sign-on configuration. In other words, I can use pre-authentication on Azure AD and use that token for the single sign-on experience of the end-user in the published application. Really nice!
Prerequisites
Before starting with the configuration, it’s important to know that his post does require two important prerequisites to be in place, which are not part of this post.
- Azure AD Application Proxy: This component is used for publishing an on-premises application. The steps to enable the Azure AD Application proxy are documented here;
- Windows Authentication: This is required to be able to use single sign-on in combination reporting services. The steps to configure Windows authentication on the report server are documented here.
Configuration
The configuration of conditional access, with single sign-on, for ConfigMgr reporting services contains four steps. The first step is to add the application, the second step is to configure the application, the third step is to enable device access rules and the fourth step is to configure the compliance policy.
Step 1: Add an application
Let’s start with the first step, which is publishing an application that will be accessible outside my network. This requires that the Azure AD Application Proxy is enabled and installed. The publishing of the application can be done via the Azure portal and the Azure Management portal. At this point I’m still using the Azure Management portal, as I can’t do every required configuration via the Azure portal, yet.
| Environment | Configuration |
| Microsoft Intune standalone and Microsoft Intune hybrid |
In the Azure Management portal navigate to Active Directory > [Organization] > APPLICATIONS and click ADD; To publish the ConfigMgr Web Portal, select Publish an application that will be accessible from outside your network and provide the following information.
|
Step 2: Configure the application
The second step is to configure the application with a single sign-on experience for the end-user. As I’m using pre-authentication on Azure AD, to enable the option for conditional access, I don’t want to require the end-user to provide the credentials again. That’s why I want to configure single sign-on for the published application.
| Environment | Configuration |
| Microsoft Intune standalone and Microsoft Intune hybrid |
In the Azure Management portal navigate to Active Directory > [Organization] > APPLICATIONS > [New application] > CONFIGURE; To enable single sign-on for the ConfigMgr Web Portal, provide at least the following information.
|
Step 3: Enable device access rules
The third step is to configure the application with a conditional access experience for the end-user. As the application is now configured with pre-authentication on Azure AD, it’s a small step to enable a device access rule, which is enabling conditional access. That will make sure that all access attempts, from a device that doesn’t meet the configuration, will be denied.
| Environment | Configuration |
| Microsoft Intune standalone and Microsoft Intune hybrid |
In the Azure Management portal navigate to Active Directory > [Organization] > APPLICATIONS > [New application] > CONFIGURE; To enable conditional access for the ConfigMgr Web Portal, switch ENABLE ACCESS RULES to ON and select with APPLY TO the users which the rules should apply.
Note: With custom applications this configuration will be enforced for browsers and native applications. |
Step 4: Configure compliance policy
The fourth and last step, an optional step, is to configure a compliance policy in Microsoft Intune standalone and Microsoft Intune hybrid. This configuration part hasn’t changed and is still the right addition to require additional settings on a device. A compliance policy defines the rules and settings that a device must comply with in order to be considered compliant. The configuration of the compliance policy differs between Microsoft Intune standalone and Microsoft Intune hybrid. After creating the compliance policy, it can be deployed to users like any other policy. It’s not required to configure and deploy a compliance policy. When no compliance policy is configured and deployed, the device will automatically be considered compliant.
| Environment | Configuration |
| Microsoft Intune standalone |
To configure a compliance policy, choose, based on the requirements, between the applicable available Password, Advanced Password Settings, Encryption, Email Profiles, Windows Device Health Attestation, Device Security Settings, Jailbreak and Operating System Version settings. |
| Microsoft Intune hybrid |
In the Configuration Manager administration console navigate to Assets and Compliance > Overview > Compliance Settings > Compliance Policies and click Create Compliance Policy.
|
Note: Compliance policies can be used independently of conditional access. When used independently, the targeted devices are evaluated and reported with their compliance status.
End-user experience
After the configurations of adding the application, enabling the device access rules and configuring the compliance policy, it’s time to look at the end-user experience. This time I’ll go through all the common scenario’s that the end-user can end up with. Starting with the initial configuration of the application in Azure AD. Once the application is created in Azure AD and the end-user tries to access them without being licensed, or without being assigned to the application, the end-user can expect the messages shown below.
| Not licensed | Not assigned |
 |
 |
Once the end-user is licensed and is assigned to the application, the end-user reaches the conditional access checks of Azure AD. When the device of the end-user is not enrolled, or not compliant, the end-user can expect the messages shown below.
| Not enrolled | Not compliant |
 |
 |
Once the end-user has the device enrolled and compliant, the end-user reaches the published application. In this case the ConfigMgr reports. When the end-user has no permissions within the ConfigMgr reports, the end-user will still be able to sign-in. However, the end-user will receive a message, as shown below, about missing the necessary permissions. When the end-user has the required permissions, the end-user will be able to browse through the reports as shown below.
| No permissions | All requirements met |
 |
 |
Note: During my tests I’ve upgraded from SQL Server 2014 to SQL Server 2016. Even though SQL Server 2016 looks much better, my mobile devices like to display the reports from SQL Server 2014 much more. In other words, I could simply display my reports when using SQL Server 2014 and my reports wouldn’t display information when using SQL Server 2016. The permission setup works in both configurations.
More information
For more information about conditional access, applications in Azure, compliance policies in Microsoft Intune and Windows authentication for reporting services, please refer to:
- Configure Windows Authentication on the report server: https://msdn.microsoft.com/en-us/library/cc281253.aspx
- Conditional access support for applications: https://azure.microsoft.com/en-us/documentation/articles/active-directory-conditional-access-supported-apps/
- Enable Application Proxy in the Azure portal: https://azure.microsoft.com/en-us/documentation/articles/active-directory-application-proxy-enable/
- Publish applications using Azure AD Application Proxy: https://azure.microsoft.com/en-us/documentation/articles/active-directory-application-proxy-publish/
- Single sign-on with Application Proxy: https://azure.microsoft.com/en-us/documentation/articles/active-directory-application-proxy-sso-using-kcd/
- Manage device compliance policies in System Center Configuration Manager: https://technet.microsoft.com/en-us/library/mt629503.aspx
- Manage device compliance policies for Microsoft Intune: https://technet.microsoft.com/en-us/library/dn705843.aspx