Introduction

In continuity to my previous article "Automatic hybrid Azure AD join for Windows 10 devices" this article explain what is conditional access policy from Azure AD and how it is applied. There are two types of conditional access can be used with NAM and Office 365. The first one is, create policy at NAM that if user is coming from internal IP address or client only release the token or SAML assertion to complete the federation.

The second type of conditional access is using Azure AD conditional Access. Azure portal provides configuration UI to create conditional access policy to be applied. This policy can only apply for modern authentication (ADAL) with Office 365.  Conditional access policy can help with sign-in risk, Network login location, device state, user/group and client application accessed over web or cloud apps.

Prerequisites for Azure AD Conditional Access

Azure AD premium license for each user should be assigned to apply conditional access policies for those users. Azure AD Premium P1 license or greater on is required to use conditional access policy.

Device registered to Azure AD or Hybrid AD Join are eligible for conditional policy implementation. You should also understand that conditional access policy only works when modern authentication is used with Office 365 resources. Conditional access policy won’t apply to on-premises applications like local SharePoint or exchange.

Configuring Azure AD Conditional Access

1. Make sure device Azure AD Join or Hybrid join registered to Azure. look for cool solution
2. Login to azure portal as admin at https://portal.azure.com
3. select Azure Active Directory and under security Conditional Access
4. configure new policy for test
   1. Click on "New Policy"
   2. Give a name to policy e.g., "test hybrid azure"
   3. Select Users and groups
   4. Select Cloud apps to apply
   5. Select conditions like device platforms, Sign-In risk, Locations, Client Apps, Device State (if the device is managed)
   6. Select Access Controls Grant, Session
   7. Enable policy

Test Configured Conditional Access policy

1. Login to windows (latest OS)
2. Windows will auto register with Azure with hybrid AD Join.
3. Make sure device is registered
   1. Login to https://portal.azure.com
   2. Select "Azure Active Directory" --> "Devices" check your device is listed and join type is "Hybrid Azure AD joined"
4. open web browser and access https://www.office.com
5. Office login should be successful if the device Hybrid AD Join.
6. if device is not Hybrid AD Join Office 365 will deny the access.

Troubleshooting

1. Login to Azure portal
2. Select "Azure Active Directory" from left side menu
3. Under "Monitoring" section select "Sign-ins"
4. Select the event and select "Conditional Access" to check policy execution status

References

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/technical-reference

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/best-practices

https://www.netiq.com/communities/cool-solutions/automatic-hybrid-azure-ad-join-windows-10-devices/

Azure AD Conditional Access with Hybrid AD Join Device integrated with Access Manager