Today I’m excited to announce an update to the Conditional Access preview. You’ll recall from my post last month that Conditional Access is a powerful policy-based evaluation engine that lets you create access rules for any Azure AD connected application. More sensitive apps can be assigned stricter policies, such as requiring Multi-Factor Authentication (MFA) from a registered device, while less sensitive apps can have more open policies.
In this update we take another step toward delivering that vision by adding support for on-premises apps that use our Azure AD Application Proxy and for third party or line of business apps developed specifically for Azure AD.
On-premises apps are now supported: Conditional Access can be applied to apps published through the Azure AD Application Proxy. This gives admins a central point of management for setting Conditional Access rules for apps hosted on-premises and in the cloud. Rules can be set to require users accessing an on-premises application to perform MFA based on their group membership and location. Supported on-premises apps include SharePoint, Outlook Web Access and IIS-based apps.
With this update, we’ve made it dead simple to enforce and manage MFA for legacy on-prem applications. With the flip of a switch, you can enforce MFA on an application without needing to make any changes to the application itself.
These same rules can also be applied to LOB applications that your organization has developed and registered with Azure AD, as well as multi-tenanted apps developed by other organizations. Conditional Access enforcement is independent of the SSO protocol an app chooses to use. All AAD protocols are supported, including OpenID Connect, OAuth 2.0, SAML and WS-Federation.
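To make the rule semantics above concrete, here is an added, self-contained model (not Azure AD code and not its API) of per-app access rules that apply to all users or to selected groups and either require MFA always, require it only when the user is off the trusted corporate network, or block off-network access. The trusted network range and the rule mode names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
# Constructed, simplified model of the per-app access rules described above
# (illustrative only; not Azure AD's real policy engine or its API).

@dataclass
class AccessRule:
    app: str               # application the rule is attached to
    mode: str              # "mfa_always", "mfa_off_network" or "block_off_network"
    groups: list[str] = field(default_factory=list)         # empty = all users
    except_groups: list[str] = field(default_factory=list)  # exempted groups

@dataclass
class SignIn:
    user: str
    groups: list[str]
    app: str
    source_ip: str
    mfa_done: bool = False  # True once the user has completed MFA this sign-in

# Constructed "at work" range; the real list is whatever the admin configures.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

def on_trusted_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)

def rule_applies(rule: AccessRule, signin: SignIn) -> bool:
    if rule.app != signin.app:
        return False
    if any(g in rule.except_groups for g in signin.groups):
        return False
    return not rule.groups or any(g in rule.groups for g in signin.groups)

def evaluate(rules: list[AccessRule], signin: SignIn) -> str:
    """Return 'allow', 'require_mfa' or 'block'. Runs after the app's SSO protocol
    (SAML, OIDC, WS-Fed) has authenticated the user, so it is protocol-independent."""
    decision = "allow"
    for rule in rules:
        if not rule_applies(rule, signin):
            continue
        off_network = not on_trusted_network(signin.source_ip)
        if rule.mode == "block_off_network" and off_network:
            return "block"  # a block rule overrides any MFA requirement
        if rule.mode == "mfa_always" or (rule.mode == "mfa_off_network" and off_network):
            decision = "require_mfa"
    if decision == "require_mfa" and signin.mfa_done:
        return "allow"  # MFA requirement already satisfied
    return decision
```

Because the evaluation keys off the app, the user's groups and the source network rather than the protocol message, the same rule set covers an App Proxy-published SharePoint, a SAML LOB app and an OAuth 2.0 multi-tenant app alike.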
As you would expect, the experience for applying policy is the same for all of the supported apps.
In the Azure management portal, go to the app you want to manage and set its access rules on the Configure tab.
For more information on setting access rules please see the documentation here.
Conditional Access is an Azure AD Premium feature. If you don’t have an Azure AD Premium subscription you can get a trial here.
Continue to look for more updates, as we will be building support for additional app types and providing support for more Conditional Access rules.
As always we look forward to and welcome your feedback.
Alex Simons (Twitter: @Alex_A_Simons)
Director of Program Management
Microsoft Identity and Security Services Division