With this blogpost I want to look into Conditional Access and the possibilities we have in combining Device Based Conditional Access with App Based Conditional Access. I've seen this requirement at multiple customers when doing EM+S deployments. With Device Based Conditional Access we can require the device to be compliant before services can be used. With App Based Conditional Access we can enforce app restrictions (MAM) on the applications used to access those services. Device Based Conditional Access can be configured for almost all applications in Azure AD. App Based Conditional Access can be configured for Exchange Online and SharePoint Online. In this blogpost I will focus on a scenario for Exchange Online.
An updated blogpost on this topic can be found here
What I see at multiple customers is that they want to combine both Conditional Access technologies. So I created a scenario for this blogpost based on the common requirements I faced during customer deployments. With Conditional Access and Exchange Online we can configure Conditional Access for the following client apps: Browser based, ActiveSync connections and Apps (Modern Authentication). Based on those three types I have the following scenarios:
- Exchange Online Browser App – Can be used on every device protected by Azure Multi-Factor Authentication;
- Exchange Online ActiveSync – Only allowed on devices compliant to the company Policy;
- Exchange Online Apps – Only MAM capable apps are supported and can be used on every device;
Looking at the above scenarios we have to combine both Device and App Conditional Access. Scenarios 1 and 2 can be achieved with Device Conditional Access; for scenario 3 we need App Conditional Access. So let's first start with scenario 1, which can be achieved by creating a policy in Azure AD Device Conditional Access:
- Go to the Azure Portal and open the Azure Active Directory section. Go to Conditional Access and click on New Policy
- Give the Policy a Name. In the Users and Groups section select All Users and click on Done
- In the Cloud Apps section select Exchange Online and click on Done
- In the Conditions section select All Device platforms and only the Browser as Client App
- In the Access Controls section select only Multi-Factor Authentication as control.
- Select Enable Policy -> On and Save the policy
Based on this policy the user will see the following behavior:
Log in to portal.office.com and then click on the Mail icon:
After clicking the Mail icon the following MFA prompt appears:
After the MFA request my mailbox is opened:
Conclusion: Scenario 1 is covered! Next is scenario 2, let’s start with configuring the Conditional Access policy:
- Go to the Azure Portal and open the Azure Active Directory section. Go to Conditional Access and click on New Policy
- Give the Policy a Name. In the Users and Groups section select All Users and click on Done
- In the Cloud Apps section select Exchange Online and click on Done:
- In the Client Apps section select only Exchange ActiveSync as Client App:
- In the Access Controls section require a compliant device:
- Select Enable Policy -> On and Save the policy.
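The same two policies (scenario 1 from the first set of steps, scenario 2 from the steps above) expressed as the JSON bodies you would send to the Microsoft Graph Conditional Access API, plus a small evaluator that shows which control each Exchange Online client type ends up with. This is an added example written for this post, not code from the original; the evaluator is my own simplification of how Azure AD combines policies, and the policy names are made up.

```python
"""Graph-API form of the two Exchange Online policies from this post (assumed
Graph schema: POST /identity/conditionalAccess/policies), plus a simplified
evaluator of the combined policy set. Not Microsoft's evaluation engine."""

# Well-known application ID of the Office 365 Exchange Online service principal.
EXCHANGE_ONLINE_APP_ID = "00000002-0000-0ff1-ce00-000000000000"


def exo_policy(name, client_app_types, control):
    """Build one Conditional Access policy body targeting Exchange Online."""
    return {
        "displayName": name,
        "state": "enabled",                       # 'Enable Policy -> On'
        "conditions": {
            "users": {"includeUsers": ["All"]},   # 'All Users'
            "applications": {"includeApplications": [EXCHANGE_ONLINE_APP_ID]},
            "platforms": {"includePlatforms": ["all"]},
            "clientAppTypes": client_app_types,   # browser / exchangeActiveSync / ...
        },
        "grantControls": {"operator": "OR", "builtInControls": [control]},
    }


# Scenario 1: browser access to Exchange Online requires Azure MFA.
BROWSER_MFA = exo_policy("EXO - Browser requires MFA", ["browser"], "mfa")
# Scenario 2: ActiveSync only from an Intune-compliant device.
EAS_COMPLIANT = exo_policy("EXO - ActiveSync requires compliant device",
                           ["exchangeActiveSync"], "compliantDevice")
POLICIES = [BROWSER_MFA, EAS_COMPLIANT]


def required_controls(client_app_type, policies=POLICIES):
    """Union of the controls every enabled policy demands for this client type."""
    demanded = set()
    for policy in policies:
        if policy["state"] != "enabled":
            continue
        if client_app_type in policy["conditions"]["clientAppTypes"]:
            demanded.update(policy["grantControls"]["builtInControls"])
    return demanded


def access_decision(client_app_type, satisfied_controls):
    """'grant' when every demanded control was satisfied, else the missing ones."""
    missing = required_controls(client_app_type) - set(satisfied_controls)
    return "grant" if not missing else "blocked: " + ",".join(sorted(missing))


if __name__ == "__main__":
    for client in ("browser", "exchangeActiveSync", "mobileAppsAndDesktopClients"):
        print(client, "->", access_decision(client, []))
```

Note that "mobileAppsAndDesktopClients" (the Modern Authentication apps of scenario 3) matches neither policy, which is exactly the gap the next post closes with App Based Conditional Access.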
Now let's take a look at how this looks on an Android device. After my mail profile is configured the following mail arrives:
So Conditional Access is working and enforcing an enrolled device. Let's start the enrollment process:
After enrollment we need to make the device compliant:
And once the device is compliant it starts receiving mail:
Conclusion: Scenarios 1 and 2 are now covered. It is important to know which client uses which type of connection, because that decides which of the two policies applies. Microsoft has this documented on this page: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-supported-apps. As you can see, most of the apps use modern authentication and no longer use ActiveSync. Scenario 3 will be covered in the next blogpost, so stay tuned!