This week another post about conditional access. This time about conditional access for Skype for Business Online. With this post I want to create more awareness for the availability of this feature and I want to show the currently available configuration options. During this post I’ll go into more detail about the prerequisites, the configuration and the end-users experience. The configurations that I’ll provide, are provided for Microsoft Intune standalone and Microsoft Intune hybrid.
Prerequisites
Before starting with the configuration steps for conditional access for Skype for Business Online, there are a few technical prerequisites that should be in place, or should be known.
- Modern authentication must be enabled for Skype for Business Online. At this moment modern authentication must be enabled by enrolling into this Microsoft Connect program;
- The end-user must use Skype for Business Online. Conditional access will not be applied to end-users who are in a Skype for Business on-premises deployment;
- The end-user must use an Android or an iOS device. At this moment conditional access for Skype for Business Online is only supported for Android and iOS devices.
Configuration
The configuration of conditional access for Skype for Business Online contains two steps. The first step is to configure the Skype for Business Online policy and the second, and also optional, step is to configure the compliance policy.
Step 1: Skype for Business Online policy
Let’s start with the first step, which is the configuration of the Skype for Business Online policy. This policy makes sure that only managed and compliant devices can access Skype for Business Online. This policy will be be stored and targeted in Azure AD. The configuration of the Skype for Business Online policy is the same for Microsoft Intune standalone and Microsoft Intune hybrid. The configuration has to be done through the Microsoft Intune administration console. Keep in mind that after saving the policy, it takes effect immediately
| Environment | Configuration |
| Microsoft Intune standalone and Microsoft Intune hybrid |
To enable the Skype for Business Online policy select Enable conditional access policy and select the platforms to apply the conditional access policy to. The options are iOS and Android. To make sure that the Skype for Business Online policy is targeted to specific users, configure an Azure AD security group as a Targeted Group and, when there are users that need to be exempted, make sure to configure an Azure AD security group as an Exempted Group. |
Step 2: Compliance policy
The next step is the configuration of the compliance policy. This policy defines the rules and settings that a device must comply with in order to be considered compliant by conditional access polices. The configuration of the compliance policy differs between Microsoft Intune standalone and Microsoft Intune hybrid. After creating the compliance policy, it can be deployed to users like any other policy. Keep in mind is that it’s not required to configure and deploy a compliance policy. When no compliance policy is configured and deployed, the device will automatically be considered compliant.
| Environment | Configuration |
| Microsoft Intune standalone |
To configure a compliance policy, choose, based on the requirements, between the applicable Password, Advanced Password Settings, Encryption, Email Profiles, Windows Device Health Attestation, Jailbreak and Operating System Version settings. |
| Microsoft Intune hybrid |
To configure a compliance policy, choose, based on the requirements, during the Create Compliance Policy Wizard the Supported Platforms and choose between the applicable Password, Advanced Password Settings, Encryption, Email Profiles, Windows Device Health Attestation, Jailbreak and Operating System Version Rules. |
Note: Compliance policies can be used independently of conditional access. When used independently, the targeted devices are evaluated and reported with their compliance status.
End-user experience
After the configuration of the Skype for Business Online policy and the compliancy policy is completed, it’s time to look at the end-user experience. An enrolled and compliant device will give the end-user the normal experience. A not enrolled device, or a not compliant compliant device, will give the end-user a message based on the status of the device, when the end-user is trying to access Skype for Business Online. Those messages are shown below, using an iOS device as an example.
| Not enrolled | Not compliant |
 |
 |
More information
For more information about conditional access, related to the Skype for Business Online Policy and the Compliance Policies, please refer to the following articles:
- Conditional Access for Skype for Business Online: https://technet.microsoft.com/en-us/library/mt712706.aspx
- Restrict access to Skype for Business Online with Microsoft Intune: https://docs.microsoft.com/en-us/intune/deploy-use/restrict-access-to-skype-for-business-online-with-microsoft-intune
- Compliance Policies in Configuration Manager: https://technet.microsoft.com/en-us/library/mt131417.aspx
- Device compliance policies in Microsoft Intune: https://docs.microsoft.com/en-us/intune/deploy-use/introduction-to-device-compliance-policies-in-microsoft-intune
Hi Peter,
Thank you for this article. I wonder, is conditional access available in any form for on-premises deployments of Skype for Business, Exchange 2013, and Intune?
At this moment conditional access is available for Exchange on-premises, but not for Skype for Business on-premises.