Great news today! The Azure AD Conditional Access per-app MFA and Network Location policies are GA! We have seen incredible demand for these capabilities from customers, so I’m completely stoked that they are ready for broad production use!
Of note, quite a few of the customers we’ve been working directly with in public preview are already using these policies in their production environments and getting a ton of value from them. The Conditional Access policy engine is built to allow admins to maintain control in a cloud-first, mobile-first world. Conditional Access policy evaluation can be based on device health, MFA, location and detected risk. You can learn more about Conditional Access here.
Today’s announcement moves the features currently in the Conditional Access public preview to GA, enabling the following policies to be set per-application:
- Always require MFA
- Require MFA when not at work
- Block access when not at work.
The admin experience for configuring conditional access policies for an application is super simple. With only a few clicks you can configure your policy and select which users you want it to apply to:
Once a policy is configured, it will be automatically applied when a user attempts to sign into an application. For example, let’s say an admin has configured a conditional access policy requiring MFA for Exchange Online. When the user goes to the Office 365 portal, they will be seamlessly signed in:
But when they click on the “Mail” tile to access their email, the user will be challenged to complete an MFA challenge:
The MFA and Network Location policies are applied across all devices. For example, admins can create a Conditional Access policy for SharePoint that requires users to be on their corporate network to access the service. If a user tries to access SharePoint from their iPhone while off the corporate network, their authorization fails and they get blocked like this:
And best of all, conditional access works for browser apps, rich client apps, phone apps and even on-premises apps being accessed using our Azure AD Application Proxy!
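To make the three policy types above concrete, here is an added simulation of per-app policy evaluation (example code, not Microsoft’s engine or any Azure AD API). It models “at work” as the client IP falling inside a set of corporate egress CIDRs, assigns a hypothetical policy and user-group scope to a few apps, and walks through the two scenarios described above: the Office 365 portal sign-in that has no policy, the Exchange Online mail tile that demands MFA, and SharePoint blocked from off the corporate network. The CIDR ranges, group names and the Yammer assignment are all constructed assumptions.

```python
"""
Toy model of Azure AD Conditional Access per-app policy evaluation.
Constructed example: the CIDRs, app-to-policy assignments and group
names below are assumptions, not Microsoft's configuration or API.
"""
import ipaddress
from enum import Enum


class Policy(Enum):
    """The three per-app policies announced as GA."""
    ALWAYS_REQUIRE_MFA = "always_require_mfa"
    REQUIRE_MFA_OFF_NETWORK = "require_mfa_when_not_at_work"
    BLOCK_OFF_NETWORK = "block_when_not_at_work"


# Hypothetical corporate "named location": the public egress ranges that
# count as "at work". Real tenants would list their own proxy/NAT ranges.
CORP_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Hypothetical per-app assignments: which policy applies and to which
# user groups. Apps absent from this table have no policy at all.
APP_POLICIES = {
    "Exchange Online": {"policy": Policy.ALWAYS_REQUIRE_MFA, "groups": {"all-users"}},
    "SharePoint Online": {"policy": Policy.BLOCK_OFF_NETWORK, "groups": {"finance"}},
    "Yammer": {"policy": Policy.REQUIRE_MFA_OFF_NETWORK, "groups": {"all-users"}},
}


def at_work(client_ip):
    """True when the client IP lies inside one of the corporate ranges."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in CORP_NETWORKS)


def evaluate(app, user_groups, client_ip, mfa_completed):
    """Return 'allow', 'require_mfa' or 'block' for one sign-in attempt.

    mfa_completed is True when the user has already satisfied an MFA
    challenge in this session (e.g. after completing the prompt).
    """
    assignment = APP_POLICIES.get(app)
    # No policy on this app, or the user is not in any targeted group.
    if assignment is None or not (assignment["groups"] & set(user_groups)):
        return "allow"

    policy = assignment["policy"]
    inside = at_work(client_ip)

    if policy is Policy.BLOCK_OFF_NETWORK:
        return "allow" if inside else "block"

    needs_mfa = policy is Policy.ALWAYS_REQUIRE_MFA or (
        policy is Policy.REQUIRE_MFA_OFF_NETWORK and not inside
    )
    if needs_mfa and not mfa_completed:
        return "require_mfa"
    return "allow"


if __name__ == "__main__":
    # Walk through the scenarios described in the post.
    print("portal, no policy:", evaluate("Office 365 portal", ["all-users"], "203.0.113.10", False))
    print("mail tile, on corp net, no MFA yet:", evaluate("Exchange Online", ["all-users"], "203.0.113.10", False))
    print("mail tile, after MFA:", evaluate("Exchange Online", ["all-users"], "203.0.113.10", True))
    print("SharePoint from phone off-network:", evaluate("SharePoint Online", ["finance"], "192.0.2.44", False))
    print("SharePoint on corp net:", evaluate("SharePoint Online", ["finance"], "198.51.100.7", False))
```

The “portal signs in seamlessly, mail tile prompts” behaviour falls out of scoping the policy to the app rather than to the whole session, and the SharePoint case shows why the block policy ignores MFA state entirely: a user off the corporate network is denied even if they have already completed MFA.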
Teams across Microsoft have worked together to enable these policies across all the apps and services listed here. Most notably, per-app access can be set on the following services:
- Microsoft Office 365 Exchange Online
- Microsoft Office 365 SharePoint Online
- Dynamics CRM
- Microsoft Office 365 Yammer
- All of the 2,600+ SaaS applications from the Azure AD application gallery
- On-premises apps registered with Azure AD Application Proxy
- LOB apps registered with Azure AD.
Many customers are already using MFA and location rules
Over the last few months, we’ve been working closely with our early adopter customers and Microsoft’s own IT department to help them deploy Conditional Access in production. We’ve received a ton of positive feedback from them on how the extra security provided by these policies gave them the confidence to accelerate their adoption of cloud services:
Conditional access gave us the ability to deliver a positive user experience while providing a secure solution tightly integrated with our existing Microsoft platform: Office 365, Azure Application Proxy, and Azure AD SaaS applications.
Using Azure AD conditional access policy for OneDrive, SharePoint and Exchange Online, we were able to adopt Office 365 while protecting critical company data, choosing which groups of users would have access to which applications and from which locations.
Conditional access gave Microsoft IT the granularity we needed to tightly control our rollout of MFA for email. Being able to tightly coordinate the technical deployment with our internal communication/education program was key to delivering a great user experience and more security.
We love to see the value this is bringing to organizations, and are excited to make it available to all our customers!
Conditional Access is an Azure AD Premium feature, requiring per-user licenses for users accessing apps that have a policy applied. To help discover which users are accessing apps that have a policy, we’ve added an unlicensed user report that you can learn about here. The report will let you see any unlicensed usage, telling you the username and applications being accessed, to help you assign and make the best use of your licenses.
Try it out
If you haven’t already tried the Conditional Access preview, now is the time to dive in and learn more about this important capability. It really is the secret ingredient in Azure AD, and you’ll see us make some huge additions to this area in the next 120 days!
To get you started ASAP we’ve prepared a set of guides for you here. And it really is easy: if you already have Azure AD Premium, you can have your first set of policies ready to pilot within 5-10 minutes of reading this article!
Looking forward to any feedback or suggestions you have!
Alex Simons (Twitter: @Alex_A_Simons)
Director of Program Management
Microsoft Identity Division