Conditional Access policies ensure your devices are compliant before accessing your cloud services.  There is a checkbox feature to grant access only for compliant devices. This way you can create a Conditional Access policy to protect your services and allow access only to devices marked as compliant.  Not familiar with Intune management console?  Check out our Intune guide.

Conditional Access is an Azure Active Directory feature.  Conditional Access is included with an Azure Active Directory Premium license. Intune optimizes security by adding mobile device compliance and mobile app management to the solution.  You will need Business Premium, E3 or E5 licensing for Intune.  The final option is to peace-meal each feature you need.  This may include Azure Active Directory P2, Intune, and whatever else.

Setup Intune Conditional Access Policies

Microsoft 356 Intune’s – conditional access lets you set security policies that are initiated automatically when conditions are met.  The IT Administration can block access if the data suggests the user has been compromised or if its highly unlikely that the user would sign in under those conditions.  You can enforce additional authentication requirements when the system detects a medium risk based on the sign-in conditions (see “Sign-in risk” below).

We recommend that you apply polices that are appropriate for your organization for the following conditions:

  • Location: You can adjust Intune to be cognoscente of the location you have tapped into wirelessly… The individual working for your business may access WiFi from a location where they typically do not conduct business from.  You can white list locations that are safe and secured while unsecured networks or untrustworthy IPs are simply blacklisted. MFA can be enabled when user are off the corporate network.
    • work vs home
      • When at work your admin will have no prompts for MFA but at home you will prompted to authenticated many times unless on a VPN all in the name of security.  Same with the coffee shop, etc.
  • Users and user groups:  IT Administrators should define which users or user groups can access which applications or resources, paying careful attention to sources of highly sensitive information such as human resources or financial data to reduce the risk that sensitive data is leaked.
  • Sign-in risk: Intune is able to understand every sign-in and give it a risk score of low, medium, or high depending on how likely it is that someone other than the legitimate owner of the account is attempting to sign in.  Anyone with a medium risk should be challenged with Multi-Factor Authentication (MFA) at sign-in. If the sign-in is a high risk, access should be blocked. This condition requires Azure AD Identity Protection, which you can read about in Step 3. Protect your identities.
  • Device platform: For this condition, define a policy for each device platform that either blocks access, requires compliance with Microsoft Intune policies, or requires the device be domain joined.
    • It is ideal to setup conditional access with per device setup for company owned devices.  Otherwise, lock down specific “cloud apps” for personally owned devices.
  • Device state: Use this condition to define policies for un-managed devices.
  • Client apps: Users can access many cloud apps using different app types such as web-based apps, mobile apps, or desktop apps. You can apply security policies if an access attempt is performed using a client app type that causes known issues, or you can require that only managed devices access certain app types.
  • Cloud apps: This condition specifies unique policies for sensitive apps. For example, you can require that HR apps like Workday are blocked if Azure AD detects a risky sign-in or if a user tries to access it with an un-managed device.

Additional Resources:

 

Common Ways to use Conditional Access

Compliance settings are mostly used in combination with conditional access to check a device for certain settings and then set a compliant flag or not.  It can also be used just for reporting if certain settings are set like BitLocker. For more of a visual break down of device polices, please review the following post before proceeding any further.  It’s a lot to absorb the first go around.

For a real world example, you need not to look any further than today’s stereotypical workplace.   Users can work from anywhere and from any device.  Regardless of whether working from home, on the road, and or using any device; user’s demand the same seamless access from anywhere.  Hackers will unfortunately exploit this type of ease of use.  It is important to protect you identity but that’s just the beginning.  Your security policies need to be flexible and responsive to conditions.

 

Conditional Access Example

Look at conditional access once all policies are reviewed.  We can access our conditional access polices from the main devices screen.

 

 

 

 

 

 

Below is the conditional access policy page.   First, you can see a list of any created polices.  We are going to click on new policy to make a new conditional access policy.

 

 

 

 

Here is our page for conditional access.  The option I want to show you for Intune is under the grant section.

 

 

 

 

 

 

 

 

 

 

Conditional Access policies ensure your devices are compliant Summary