Azure AD Conditional Access with Access Manager


Introduction

Following on from my previous article "Automatic hybrid Azure AD join for Windows 10 devices", this article explains what an Azure AD conditional access policy is and how it is applied. Two types of conditional access can be used with NAM and Office 365. The first is a policy defined in NAM itself: the token or SAML assertion that completes the federation is released only if the user is coming from an internal IP address or an allowed client.

The second type is Azure AD Conditional Access. The Azure portal provides a configuration UI for creating the policy to be applied. Such a policy applies only to modern authentication (ADAL) with Office 365. A conditional access policy can evaluate sign-in risk, network (login) location, device state, user/group membership and the client application used to reach web or cloud apps.

Prerequisites for Azure AD Conditional Access

An Azure AD Premium license must be assigned to each user to whom conditional access policies apply. Azure AD Premium P1 or higher is required to use conditional access policies.

Devices that are Azure AD registered or hybrid Azure AD joined are eligible for device-based conditional access. Note that a conditional access policy only takes effect when modern authentication is used against Office 365 resources. Conditional access policies do not apply to on-premises applications such as a local SharePoint or Exchange server.

Configuring Azure AD Conditional Access

  1. Make sure the device is Azure AD joined or hybrid Azure AD joined and registered in Azure (see the Cool Solutions article on automatic hybrid Azure AD join listed in the References).
  2. Log in to the Azure portal as an administrator at https://portal.azure.com
  3. Select "Azure Active Directory" and, under "Security", select "Conditional Access" (screenshot: conditional_access1.png)
  4. Configure a new policy for testing:
    1. Click "New Policy"
    2. Give the policy a name, e.g. "test hybrid azure"
    3. Select the users and groups the policy applies to
    4. Select the cloud apps the policy applies to (screenshot: conditional_access2.png)
    5. Select conditions such as device platforms, sign-in risk, locations, client apps and device state (whether the device is managed) (screenshot: conditional_access3.png)
    6. Select the access controls: Grant and Session (screenshot: conditional_access4.png)
    7. Enable the policy

conditional_access5.png
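The same policy can be created from the command line, which is easier to review, version and reproduce across tenants than portal clicks. The following is an added example (not code from the original article or from Access Manager) using the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, that you sign in with an account allowed to manage conditional access, and that the two group object IDs are placeholders you replace with your own pilot group and emergency-access ("break glass") group. It starts the policy in report-only mode rather than enabled, so the sign-in log shows what the policy would do before it can lock anyone out.

```powershell
# Added example, not part of the original article.
# Assumes: Microsoft.Graph module installed; group IDs below are placeholders.
Import-Module Microsoft.Graph.Identity.SignIns

# Scopes needed to create and read Conditional Access policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$pilotGroupId      = "00000000-0000-0000-0000-000000000001"  # placeholder: pilot users group
$breakGlassGroupId = "00000000-0000-0000-0000-000000000002"  # placeholder: emergency-access accounts

$policy = @{
    displayName = "test hybrid azure"
    # Report-only first: sign-in logs record the would-be result without enforcing it.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @($pilotGroupId)
            # Always exclude break-glass accounts so a bad device condition cannot lock out admins.
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{
            # "Office365" is the built-in application group covering the Office 365 cloud apps.
            includeApplications = @("Office365")
        }
        # Browser and modern-auth desktop/mobile clients. Legacy (basic auth) protocols are
        # not covered by these two types, which is why the article says the policy only
        # affects modern authentication.
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
        platforms = @{
            includePlatforms = @("windows")
        }
    }
    grantControls = @{
        operator        = "OR"
        # Grant access only from a hybrid Azure AD joined device.
        builtInControls = @("domainJoinedDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State

# Once report-only results in the sign-in log look right, switch to enforcement:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State "enabled"
```

The break-glass exclusion is the one part of this to never skip: a device-based grant control that misfires (for example after a registration problem like the ones the Troubleshooting section covers) applies to administrators too, and an excluded emergency account is the only way back into the tenant without a support ticket.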

Test Configured Conditional Access policy

  1. Log in to Windows (a current OS build)
  2. Windows will automatically register with Azure AD via hybrid Azure AD join.
  3. Make sure the device is registered:
    1. Log in to https://portal.azure.com
    2. Select "Azure Active Directory" --> "Devices" and check that your device is listed with join type "Hybrid Azure AD joined" (screenshot: conditional_access6.png)
  4. Open a web browser and go to https://www.office.com
  5. The Office login should succeed if the device is hybrid Azure AD joined.
  6. If the device is not hybrid Azure AD joined, Office 365 will deny access.

conditional_access7.png
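Before relying on the portal's device list, it is worth checking the join state on the Windows device itself, because a device can appear joined while the signed-in user still has no Primary Refresh Token (PRT), and it is the PRT that lets the browser sign-in prove device state to Azure AD. The following is an added example (not from the original article) that parses the output of the built-in dsregcmd diagnostic; it assumes only that dsregcmd is present, which it is on supported Windows 10 builds.

```powershell
# Added example, not part of the original article.
# Reads dsregcmd /status and reports whether this device is hybrid Azure AD joined
# and whether the current user holds a PRT.
function Get-DeviceJoinState {
    # dsregcmd prints "Key : Value" lines; keep only the fields we need.
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|DeviceId|TenantName|AzureAdPrt)\s*:\s*(.+?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    return $state
}

$s = Get-DeviceJoinState
# Hybrid join means BOTH on-premises domain joined AND Azure AD joined.
$hybrid = ($s.AzureAdJoined -eq 'YES') -and ($s.DomainJoined -eq 'YES')

if ($hybrid) {
    "Hybrid Azure AD joined: DeviceId {0}, tenant {1}" -f $s.DeviceId, $s.TenantName
} else {
    "NOT hybrid joined (AzureAdJoined={0}, DomainJoined={1}); expect the policy to deny access" -f `
        $s.AzureAdJoined, $s.DomainJoined
}

# Without a PRT the device condition cannot be satisfied even though the device object
# exists in Azure AD; a fresh sign-in (lock/unlock is not enough) usually obtains one.
if ($s.AzureAdPrt -ne 'YES') {
    "Warning: AzureAdPrt={0}; the current user has no Primary Refresh Token" -f $s.AzureAdPrt
}
```

Run this in the context of the user who will perform the Office 365 test, not an elevated admin shell of a different account, since the PRT is per user.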


Troubleshooting

  1. Log in to the Azure portal
  2. Select "Azure Active Directory" from the left-hand menu
  3. Under the "Monitoring" section, select "Sign-ins" (screenshot: conditional_access8.png)
  4. Select the sign-in event and open its "Conditional Access" tab to check the policy evaluation status (screenshot: conditional_access9.png)
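The same sign-in records, including the per-policy result the "Conditional Access" tab displays, are available through the Microsoft Graph reporting API, which is more practical than clicking through events when you are checking a report-only policy across many users. The following is an added example (not from the original article) using the Microsoft Graph PowerShell SDK; it assumes the Microsoft.Graph module is installed, an account with audit-log read permission, and that the user principal name is a placeholder for the test account used above.

```powershell
# Added example, not part of the original article.
# Assumes: Microsoft.Graph module installed; $upn is a placeholder test account.
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$upn = "testuser@example.com"   # placeholder: the account used in the test above

# Recent interactive sign-ins for that user.
$signIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn'" -Top 10

foreach ($s in $signIns) {
    # Status.ErrorCode 0 is success. For a device-based policy the relevant denial is
    # AADSTS53001 (DeviceNotDomainJoined), i.e. the device did not prove hybrid join.
    "{0}  app={1}  error={2}  CA={3}  trustType={4}" -f $s.CreatedDateTime, $s.AppDisplayName, `
        $s.Status.ErrorCode, $s.ConditionalAccessStatus, $s.DeviceDetail.TrustType

    # One entry per policy evaluated for this sign-in. Result values include success,
    # failure, notApplied, notEnabled, reportOnlySuccess and reportOnlyFailure.
    foreach ($p in $s.AppliedConditionalAccessPolicies) {
        "    policy '{0}': {1}  (grant controls: {2})" -f $p.DisplayName, $p.Result, `
            ($p.EnforcedGrantControls -join ',')
    }
}
```

Two things to look for: a sign-in with ConditionalAccessStatus "notApplied" means no policy matched at all (wrong user/app scope, or a legacy client the policy does not cover), which is a different problem from "failure" where the policy matched but the device condition was not met; and DeviceDetail.TrustType on a denied event tells you directly whether Azure AD saw the device as hybrid joined at sign-in time.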

References

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/technical-reference

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/best-practices

https://www.netiq.com/communities/cool-solutions/automatic-hybrid-azure-ad-join-windows-10-devices/



Version history: revision 3 of 3, last updated 2019-07-02.