Conditional access for Skype for Business Online

This week another post about conditional access, this time about conditional access for Skype for Business Online. With this post I want to create more awareness of the availability of this feature and show the currently available configuration options. I'll go into more detail about the prerequisites, the configuration and the end-user experience. The configurations I provide cover both Microsoft Intune standalone and Microsoft Intune hybrid.

Prerequisites

Before starting with the configuration steps for conditional access for Skype for Business Online, there are a few technical prerequisites that should be in place, or at least be known.

  • Modern authentication must be enabled for Skype for Business Online. At this moment modern authentication must be enabled by enrolling in this Microsoft Connect program;
  • The end-user must use Skype for Business Online. Conditional access will not be applied to end-users who are in a Skype for Business on-premises deployment;
  • The end-user must use an Android or an iOS device. At this moment conditional access for Skype for Business Online is only supported for Android and iOS devices.

Configuration

The configuration of conditional access for Skype for Business Online consists of two steps. The first step is to configure the Skype for Business Online policy; the second, optional, step is to configure the compliance policy.

Step 1: Skype for Business Online policy

Let’s start with the first step, which is the configuration of the Skype for Business Online policy. This policy makes sure that only managed and compliant devices can access Skype for Business Online. The policy is stored and targeted in Azure AD. The configuration of the Skype for Business Online policy is the same for Microsoft Intune standalone and Microsoft Intune hybrid, and has to be done through the Microsoft Intune administration console. Keep in mind that the policy takes effect immediately after it is saved.

Environment: Microsoft Intune standalone and Microsoft Intune hybrid

Configuration: In the Microsoft Intune administration console navigate to Policy > Conditional Access > Skype for Business Online Policy.

To enable the Skype for Business Online policy select Enable conditional access policy and select the platforms to apply the conditional access policy to. The options are iOS and Android.

To make sure that the Skype for Business Online policy is targeted to specific users, configure an Azure AD security group as a Targeted Group and, when there are users that need to be exempted, make sure to configure an Azure AD security group as an Exempted Group.

Step 2: Compliance policy

The next step is the configuration of the compliance policy. This policy defines the rules and settings that a device must comply with in order to be considered compliant by conditional access policies. The configuration of the compliance policy differs between Microsoft Intune standalone and Microsoft Intune hybrid. After creating the compliance policy, it can be deployed to users like any other policy. Keep in mind that it’s not required to configure and deploy a compliance policy: when no compliance policy is configured and deployed, the device will automatically be considered compliant.

Environment: Microsoft Intune standalone

Configuration: In the Microsoft Intune administration console navigate to Policy > Conditional Access > Compliance Policies and click Add….

To configure a compliance policy, choose, based on the requirements, between the applicable Password, Advanced Password Settings, Encryption, Email Profiles, Windows Device Health Attestation, Jailbreak and Operating System Version settings.

Environment: Microsoft Intune hybrid

Configuration: In the Configuration Manager administration console navigate to Assets and Compliance > Overview > Compliance Settings > Compliance Policies and click Create Compliance Policy.

To configure a compliance policy, choose the Supported Platforms in the Create Compliance Policy Wizard and then choose, based on the requirements, between the applicable Password, Advanced Password Settings, Encryption, Email Profiles, Windows Device Health Attestation, Jailbreak and Operating System Version Rules.

Note: Compliance policies can be used independently of conditional access. When used independently, the targeted devices are evaluated and reported with their compliance status.

End-user experience

After the configuration of the Skype for Business Online policy and the compliance policy is completed, it’s time to look at the end-user experience. An enrolled and compliant device gives the end-user the normal experience. A device that is not enrolled, or not compliant, shows the end-user a message based on the status of the device when the end-user tries to access Skype for Business Online. Those messages are shown below, using an iOS device as an example.

[Screenshots: the iOS message for a device that is not enrolled (left) and for a device that is not compliant (right).]
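To make the decision that the two configuration steps and the end-user experience describe concrete, here is an added Python model of the evaluation (example code written for this post; it is not part of the original article and not Intune's or Azure AD's own implementation). It assumes hypothetical Azure AD group names (SfB-CA-Users, SfB-CA-Exempt), a compliance policy reduced to the Password, Encryption, Jailbreak and Operating System Version rules, and the evaluation order the post implies: scope (online user, enabled policy, iOS/Android), then exempted and targeted groups, then enrollment, then compliance. It also models the edge case that a device with no deployed compliance policy counts as compliant.

```python
"""Constructed model of conditional access for Skype for Business Online."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

IOS, ANDROID, WINDOWS = "iOS", "Android", "Windows"


@dataclass(frozen=True)
class SfBOnlinePolicy:
    """Step 1: the Skype for Business Online policy stored and targeted in Azure AD."""
    enabled: bool
    platforms: FrozenSet[str]          # platforms the policy applies to: iOS and/or Android
    targeted_groups: FrozenSet[str]    # Azure AD security groups in scope
    exempted_groups: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class CompliancePolicy:
    """Step 2 (optional): a subset of the rules a device must meet to be compliant."""
    require_password: bool = False
    require_encryption: bool = False
    block_jailbroken: bool = False
    min_os_version: Optional[str] = None


@dataclass(frozen=True)
class Device:
    platform: str
    enrolled: bool                     # managed by Intune
    os_version: str = "0"
    has_password: bool = False
    encrypted: bool = False
    jailbroken: bool = False


@dataclass(frozen=True)
class User:
    name: str
    groups: FrozenSet[str]
    sfb_online: bool = True            # False = homed in Skype for Business on-premises


def _version(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))


def device_is_compliant(device: Device, policy: Optional[CompliancePolicy]) -> bool:
    # No compliance policy deployed: the device is automatically considered compliant.
    if policy is None:
        return True
    if policy.require_password and not device.has_password:
        return False
    if policy.require_encryption and not device.encrypted:
        return False
    if policy.block_jailbroken and device.jailbroken:
        return False
    if policy.min_os_version and _version(device.os_version) < _version(policy.min_os_version):
        return False
    return True


def evaluate(user: User, device: Device, sfb_policy: SfBOnlinePolicy,
             compliance_policy: Optional[CompliancePolicy] = None) -> Tuple[bool, str]:
    """Return (access_allowed, reason). A denial reason matches the status the
    end-user sees on the device: 'not enrolled' or 'not compliant'."""
    if not user.sfb_online:
        return True, "out of scope: user is on Skype for Business on-premises"
    if not sfb_policy.enabled:
        return True, "out of scope: conditional access policy not enabled"
    if device.platform not in sfb_policy.platforms:
        return True, "out of scope: platform not selected in the policy"
    if user.groups & sfb_policy.exempted_groups:
        return True, "exempted group"
    if not user.groups & sfb_policy.targeted_groups:
        return True, "user not in a targeted group"
    if not device.enrolled:
        return False, "not enrolled"
    if not device_is_compliant(device, compliance_policy):
        return False, "not compliant"
    return True, "enrolled and compliant"


# Constructed sample configuration; the group names are hypothetical.
SFB_POLICY = SfBOnlinePolicy(enabled=True, platforms=frozenset({IOS, ANDROID}),
                             targeted_groups=frozenset({"SfB-CA-Users"}),
                             exempted_groups=frozenset({"SfB-CA-Exempt"}))
COMPLIANCE = CompliancePolicy(require_password=True, require_encryption=True,
                              block_jailbroken=True, min_os_version="9.0")
ALICE = User("alice", frozenset({"SfB-CA-Users"}))

if __name__ == "__main__":
    samples = [
        ("compliant iPhone", Device(IOS, enrolled=True, os_version="9.3", has_password=True, encrypted=True)),
        ("unenrolled iPhone", Device(IOS, enrolled=False, os_version="9.3")),
        ("enrolled but jailbroken", Device(IOS, enrolled=True, os_version="9.3",
                                           has_password=True, encrypted=True, jailbroken=True)),
        ("Windows laptop", Device(WINDOWS, enrolled=False)),
    ]
    for label, dev in samples:
        print(f"{label:25s} -> {evaluate(ALICE, dev, SFB_POLICY, COMPLIANCE)}")
```

The order of the checks is the point: an exempted user is never blocked, an untargeted user is never evaluated, and enrollment is checked before compliance, which is why the two end-user messages are distinct.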

More information

For more information about conditional access, related to the Skype for Business Online Policy and the Compliance Policies, please refer to the following articles:

2 thoughts on “Conditional access for Skype for Business Online”

  1. Hi Peter,
    Thank you for this article. I wonder, is conditional access available in any form for on-premises deployments of Skype for Business, Exchange 2013, and Intune?

