Conditional Access – Page 2 – All about Microsoft Intune

Conditional access and registering or joining devices to Azure AD

May 3, 2021 by Peter van der Woude

This week is all about registering and joining devices to Azure Active Directory (Azure AD). More specifically, about requiring multi-factor authentication (MFA) when registering or joining devices to Azure AD. Starting with March 2021, Azure AD contains a new feature in Conditional Access (CA) that provides more flexibility for requiring MFA when registering or joining devices to Azure AD. That new feature is the Register or join devices user action. This post will start with a short introduction about that new user action, followed with the steps to configure that user action. This post will end with a look at sign-in logs. Important: The Register or join devices user action is also the new recommended method for enforcing MFA when registering or joining a device …

Supporting the unsupported platforms

September 14, 2020 by Peter van der Woude

This week is all about supporting the unsupported platforms. More specifically, working with the limitations of the platforms that are unsupported by (parts of) the Microsoft 365 solution. Those platforms are Chrome OS and the different Linux distributions. Often those platforms are around in an organization during the introduction of a Microsoft 365 solution. In many components of the Microsoft 365 solution, those platforms are currently not supported. Think about Microsoft 365 Apps for Enterprise, Microsoft Intune, Conditional Access and so on. Basically nothing is really working and/or supported on those platforms at this moment. From that perspective Chrome OS is maybe even worse than the different Linux distributions. That doesn’t mean that there is no story at all. In this post, I want to …

Using sensitivity labels to manage access to SharePoint sites on unmanaged devices

June 8, 2020 by Peter van der Woude

This week is a follow-up on my post of a few weeks ago about accessing SharePoint and OneDrive content on unmanaged devices. That post showed how to use the SharePoint admin center to manage the organiztion-wide access control for unmanaged devices and showed how to use PowerShell to manage the site-level access control for unmanaged devices. This post will show something similar to that PowerShell configuration, in a way that this will also provide a method for managing access for unmanaged devices on a site-level. The main difference is that this post will look at a new (currently in public preview) feature that is added to sensitivity labels. That feature enables the administrator to configure Site and group settings for sensitivity labels. Within that configuration …

Accessing SharePoint and OneDrive content on unmanaged devices

May 11, 2020 by Peter van der Woude

This week is all about accessing SharePoint sites and OneDrive accounts on unmanaged devices. More specifically, limiting access to SharePoint and OneDrive content on unmanaged devices. Configuring (limited) access to SharePoint sites and OneDrive accounts starts by using conditional access. For applying conditional access to SharePoint sites and OneDrive accounts, the Office 365 SharePoint Online cloud app, or the recently introduced Office 365 (preview) cloud app can be used. The first cloud app is applicable to all services that depend on SharePoint Online (including OneDrive and Teams). The second cloud app is applicable to all productivity and collaboration services of Office 365. An all-in-one app. However, both of these cloud apps don’t provide really granularity to only apply specific behavior for accessing specific SharePoint sites, …

Report-only mode for conditional access

November 25, 2019November 25, 2019 by Peter van der Woude

This week is, like last week, about a awareness for new feature that is introduced with conditional access. Last week was all about the recently introduced Conditional Access Insights workbook. In that post I already mentioned the Report-only mode for conditional access policies. In this post I want to focus on that Report-only mode. Report-only mode is a new state of a conditional access policy state that allows IT administrators to evaluate the impact of conditional access policies before enabling them in their environment. That enables the IT administrators to anticipate on the number and names of users impacted by common deployment initiatives such as blocking legacy authentication, requiring multi-factor authentication, or implementing sign-in risk policies. A great step forward. In this post I’ll walk through …

Conditional Access Insights

November 18, 2019November 18, 2019 by Peter van der Woude

This week is all about creating awareness for the Conditional Access Insights workbook. This workbook is currently still in preview and is using Azure Monitor workbook functionality. The Conditional Access Insights workbook contains sign-in log queries that can help IT administrators with getting insights on the impact of conditional access policies. That is useful for troubleshooting, for following trends and for testing the latest introduction to conditional access of Report-only policies. Especially the latest category can be easily verified by using the Conditional Access Insights workbook. In this post I’ll walk trough the steps of creating a Log Analytics workspace (to store Azure Monitor log data), followed by the steps to send Azure AD sign-in information to Azure Monitor logs.I’ll end this post by actually …

Conditional access and ipadOS

November 22, 2019October 21, 2019 by Peter van der Woude

Update: Azure AD has taken a change in how they recognize the browsers so conditional access will now work as expected when creating an iPad conditional access policy and browsing to the modern desktop-class browsing experience on iPadOS. For more information see this article. Maybe a little overdue, but this week is all about ipadOS in combination with conditional access. At the end of September, Apple released ipadOS. A new platform for iPad. One of the ideas behind ipadOS is to provide “desktop-class browsing with Safari”. That desktop-class browsing is achieved by making sure that the Safari browser on ipadOS will present itself as a Safari browser on macOS. That change introduces a few challenges in combination with conditional access. I know that a lot …

Android Enterprise fully managed devices and conditional access

June 17, 2019 by Peter van der Woude

This week is all about Android Enterprise fully managed devices. More specifically, the recently introduced functionality to use Android Enterprise fully managed devices in combination with conditional access. To support this functionality Microsoft introduced a new app, named Microsoft Intune app, and a new profile type for device compliancy policies for the Android Enterprise platform. Together these 2 features enable Android Enterprise fully managed devices to be registered as compliant device and to successfully work with conditional access. In this post I’ll provide some information about the Microsoft Intune app and I’ll show how to configure that app, followed by some information about the compliance policy for device owner scenarios and how to configure that policy. I’ll end this post by showing the end-user experience. …

Conditional access and registering security information

May 20, 2019 by Peter van der Woude

Similar like last week, this week is also still about conditional access. This week is about the recently introduced user action of Register security information (Preview). A lot has been posted about that recently and I had my post ready, but I wanted to wait for an official blog post before publishing my version. Just to make sure that I’m using the right reasons for using this feature. Also, it simply fits the line of my recent post. This user action can be used to add conditional action to Azure AD security services that require information of the end-user. In this post I’ll start with a short introduction about this new user action and the behavior that the user action controls. After that I’ll show …

Conditional access and sign-in frequency

May 13, 2019 by Peter van der Woude

Similar like last week, this week is still about conditional access. This week is about the recently introduced session control of Sign-in frequency (preview). It was already possible to configure the token lifetime, as a preview feature, but this new session control (maybe in a way in combination with the session control of last week) will replace that preview feature. In this post I’ll start with a short introduction about this new session control and the behavior that the session control controls. After that I’ll show the configuration steps, followed by the end-user experience. Introduction Now let’s start with a short introduction about the Sign-in frequency (preview) session control. The sign-in frequency defines the time period before a user is asked to sign in again …

S	M	T	W	T	F	S
	1	2	3	4	5	6
7	8	9	10	11	12	13
14	15	16	17	18	19	20
21	22	23	24	25	26	27
28	29	30	31