Last week Microsoft announced the public preview of Azure AD Conditional Access to protect Azure AD SaaS applications with device-based policy rules. Conditional Access (CA) has been available for quite a while to those using Microsoft Intune, but it was scoped to Microsoft cloud services such as Dynamics CRM Online, Exchange Online, Exchange on-premises, SharePoint Online and Skype for Business Online.
With the introduction of CA for Azure AD SaaS applications, Microsoft takes a great step forward in raising the security bar in a mobile-first, cloud-first world: it secures your SaaS applications and controls how they are accessed.
In this blog I will not elaborate on the detailed operation of CA, but will show you how easy it is to configure and apply Azure AD Conditional Access to an on-premises web application that we have published through the Azure AD Application Proxy.
Azure AD as the control plane
For those who are already familiar with CA: it is usually enabled and configured in Microsoft Intune. In this context, however, CA is configured in Azure AD on a per-application basis, with the exception of compliance policies. Compliance policies still need to be configured in Microsoft Intune; they hold your (custom) definition of what a compliant device is. In this example I am configuring CA for an on-premises hosted web application, Microsoft Advanced Threat Analytics.
In order to enable Azure AD Conditional Access you must meet the following requirements:
- Azure AD Premium, Enterprise Mobility + Security (EMS) or Enterprise Cloud Suite (ECS) licenses;
- Microsoft Intune licenses (for compliance detection)*
*Note! It’s my personal interpretation that you’ll require an Intune license for the compliance part. Validation by Microsoft is pending. Let’s hope I’m wrong here.
Step 1: Enable Conditional Access for Azure SaaS application
- Open the classic Azure Management portal, select your Azure AD tenant.
- In your Azure AD tenant browse to the Applications node and select the application for which you want to enable conditional access.
- Select Configure and browse to the device-based access rules section.
Conditional Access can be applied to all users (cloud, synced or federated accounts) or limited (scoped) to a subset of users in your organization. With device rules you define the level of security: whether a managed device, a compliant device or both is required to grant access. You can require all device types to be compliant and block access from devices that are not, or require a compliant device only for selected device types. Device types that are not selected are exempt from this policy.
Note! For browser and native applications, the policy is enforced on access to applications by:
- Browsers (e.g. Edge in Windows 10, Safari in iOS, etc.)
- Applications using the Active Directory Authentication Library (ADAL) in any platform or the Web Account Manager (WAM) API in Windows 10
- Select On to enable conditional access.
- Select All Users (or select groups to limit the scope).
- In our scenario the device must be managed and compliant, therefore we select Marked as compliant.
- At the bottom select Save to preserve the changed settings. Conditional Access for your application is now enabled.
Step 2: Validate end-user behavior
Now that we have enabled CA for our demo application Inovativ Advanced Threat Analytics, let’s find out what the end-user behavior is.
- The starting point is an unmanaged device, from which we open the Azure AD Access Panel (myapps.microsoft.com).
- Next we select the published application Inovativ Advanced Threat Analytics in order to open it in our browser. In this example we used a published application, but this could be any of the 2600+ SaaS applications available in the Azure AD Marketplace.
When the application is selected, conditional access kicks in and detects that the device from which the application is accessed is not managed by our IT organization. In order to get access to the application you have the option to enroll your device, which can be done from the same dialog.
Once we have enrolled our device, which is now managed by our IT organization, we open the web application once again. Unfortunately we still don’t have access. This is because of the device rule we defined previously for our application (Marked as compliant). The prompt indicates the device is managed now, but an access rule is set which requires the device to be compliant as well.
In this case the reason for not being compliant is that we didn’t configure a passcode. This is just one example of a compliance rule; there are many more criteria that can be defined before a device is considered compliant. These are defined by configuring one or more compliance rules in Microsoft Intune.
Once we set a passcode on our device, we trigger a policy refresh evaluation to speed up the process of being reported as compliant.
The third attempt at accessing the application will show us the money! Because we are compliant now, we can access our on-premises web application, this time from a managed and compliant device.
By integrating Conditional Access with Azure AD SaaS applications, Microsoft takes the next step in securing your business apps and data, with extensive integration across its cloud services. Combined with Azure AD Join (single sign-on) and Azure Multi-Factor Authentication, Microsoft once again raises the security bar to unprecedented heights for publishing and accessing your business applications in a secure and controlled manner.
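To make the rule semantics from Step 1 and the three attempts above concrete, here is an added model of the device-based access decision (my own illustration, not Microsoft code or any real Azure AD API): a policy scoped to users and device types, a managed-or-compliant requirement, and the outcome for each attempt. Group names and device types are constructed sample values.

```python
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional


class Requirement(Enum):
    MANAGED = "managed"        # device must be enrolled (managed)
    COMPLIANT = "compliant"    # device must be managed AND marked as compliant


@dataclass(frozen=True)
class DevicePolicy:
    enabled: bool
    requirement: Requirement
    scoped_groups: FrozenSet[str] = frozenset()           # empty -> All Users
    enforced_device_types: Optional[FrozenSet[str]] = None  # None -> all device types


@dataclass(frozen=True)
class AccessRequest:
    user_groups: FrozenSet[str]
    device_type: str
    managed: bool
    compliant: bool


def evaluate(policy: DevicePolicy, req: AccessRequest) -> str:
    """Return 'allow', 'enroll_required' or 'compliance_required'."""
    if not policy.enabled:
        return "allow"
    # Scoped policy: users outside the selected groups are not affected.
    if policy.scoped_groups and not (policy.scoped_groups & req.user_groups):
        return "allow"
    # Device types that were not selected are exempt from the rule.
    if policy.enforced_device_types is not None and req.device_type not in policy.enforced_device_types:
        return "allow"
    if not req.managed:
        return "enroll_required"          # the "enroll your device" dialog
    if policy.requirement is Requirement.COMPLIANT and not req.compliant:
        return "compliance_required"      # managed, but blocked until compliant
    return "allow"


def walkthrough() -> list:
    """The three attempts from Step 2 against a 'Marked as compliant' policy for All Users."""
    policy = DevicePolicy(enabled=True, requirement=Requirement.COMPLIANT)
    attempts = [
        AccessRequest(frozenset({"Sales"}), "iOS", managed=False, compliant=False),  # unmanaged
        AccessRequest(frozenset({"Sales"}), "iOS", managed=True, compliant=False),   # enrolled, no passcode
        AccessRequest(frozenset({"Sales"}), "iOS", managed=True, compliant=True),    # passcode set, compliant
    ]
    return [evaluate(policy, a) for a in attempts]
```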