Enterprise Mobility + Security


Hopefully, you saw at Ignite the awesome new set of capabilities that are coming with Azure Information Protection. Following up on the announcement that we would have a public preview of Conditional Access for AIP, we wanted to provide some more information about how this works and how you can quickly get started today!

The preview of Conditional Access for Azure Information Protection (AIP) enables admins to configure Conditional Access policies that help secure access to sensitive information. The conditions are evaluated by Azure Active Directory when a user signs in to open protected content, so the same policy engine you already use for other cloud apps now covers AIP-protected documents as well.

How will this work?

Below is a list of some common scenarios that light up when Conditional Access policies are enabled for AIP-protected content:

  1. Require multi-factor authentication: enforce an MFA challenge before AIP-protected documents can be opened. This helps protect against stolen and phished credentials, because a password alone is no longer enough to read the content.
  2. Device compliance / domain joined: allow access only if the user's device is domain joined and/or compliant with company MDM/MAM policy (device compliance policies are configured in Intune).
  3. Risky sign-in: block access to sensitive content when Azure AD Identity Protection rates the sign-in risk as High, Medium or Low (i.e. there is some likelihood that the sign-in attempt was not performed by the legitimate owner of the user account).
  4. Trusted network: block access when the user is not at work. In other words, require that sensitive content be accessed only from a network you trust.

Admins can now configure conditions and controls in the Microsoft Azure portal. Let’s walk through an example for each of these to help you plan your own policies.

Figure 1: AIP now supports Conditional Access in the Azure portal

Example 1: Require MFA to access AIP protected content

Let’s say your tenant admin has configured a Conditional Access policy that requires multi-factor authentication from all users when they access AIP-protected documents on the Windows platform, as shown below.

Figure 2: MFA control enforced here

Figure 3: Conditions can be platform specific

In this scenario, end users will receive an MFA challenge after entering their username and password when opening an AIP-protected document in Word on a Windows 10 PC.

Note: MFA is enforced at the authentication (sign-in) level, not per application. This means users will not be prompted for MFA again when opening protected content in other Office applications such as Excel or PowerPoint on the same machine, given that they have already completed MFA in Word. Likewise, if a user completed MFA as part of their Windows login (for example during first-time MFA setup or first-time login to the PC), they will not be re-prompted inside the applications. The practical consequence is that the MFA requirement bounds the authentication session, so if you need a fresh challenge on every open you will not get it from this control.

Figure 4: MFA prompt inside Office applications

Figure 5: MFA prompt inside the AIP iOS app

Example 2: Require a compliant device to access AIP protected content from mobile devices

Now imagine your tenant admin has configured a Conditional Access policy such that some users (e.g. contractors in your company) must use a compliant device when accessing AIP-protected documents on mobile platforms.

Figure 6: ‘Require compliant device’ control applied

The admin also needs to configure a device compliance policy in the Intune blade, as shown below. In this example scenario, the admin has configured system security settings such as ‘Require a password’ and ‘Minimum password length’. Without a compliance policy assigned to the device, Intune cannot report the device as compliant, and the Conditional Access control will fail closed and deny access.

For details on device compliance policies and how to create them, check out the detailed blog post from the Intune team.

Figure 7: Device compliance policies created for different platforms in Intune blade

Once the device compliance policy is deployed, each device is checked for compliance as part of the AIP app’s sign-in flow when opening protected files.

Figure 8: Error dialog in the AIP Windows app when the device is not compliant

Note: Users will be prompted to install application(s) such as the Intune Company Portal so that device compliance can be verified. Read this documentation for more information.

Example 3: Block access to AIP protected content if the user is not on a trusted network

As shown below, as an admin you can configure a policy such that users are blocked from accessing AIP-protected content from a network location you don’t trust.

Figure 9: Trusted network policy enabled

The location is identified by the public IP address from which the client connects to Azure Active Directory. Keep in mind that this is the address Azure AD sees: a client behind a corporate VPN or proxy is evaluated using that VPN or proxy’s egress address, not the device’s own. This condition requires you to be familiar with named locations and MFA trusted IPs, since those are where you define which addresses count as trusted.

Example 4: Block access to sensitive content when user has risky sign-in

As shown below, an admin can configure a Conditional Access policy such that users with a ‘High’ sign-in risk are blocked from accessing AIP-protected content.

Figure 10 Sign-in risk level as condition in a conditional access policy

Azure Active Directory Identity Protection is what detects these risk events in your organization and assigns the sign-in risk level that the policy condition evaluates.
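To make the four examples concrete, here is a small Python model of how Azure AD combines them. This is an added illustration, not Microsoft’s code or the real policy engine: it captures the two rules the examples depend on (a policy applies only when all of its conditions match the sign-in, and when several policies apply every required control must be satisfied, with a block always winning) and goes slightly beyond the post by evaluating all four policies against the same sign-in. The field names, the policy schema and the IP ranges are assumptions made for the example; the sign-ins at the bottom are constructed test data.

```python
"""Toy evaluator for the four Conditional Access scenarios described above.

Added example, not Microsoft code. It models two rules of Azure AD Conditional
Access that the examples rely on: a policy applies only when ALL of its
conditions match the sign-in, and when several policies apply every required
control must be satisfied, with a block always winning. Field names, the
policy shape and the IP ranges below are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple
import ipaddress

# Constructed stand-in for the portal's named locations / MFA trusted IPs.
# These are RFC 5737 documentation ranges, not real corporate addresses.
TRUSTED_RANGES = [ipaddress.ip_network(r) for r in ("203.0.113.0/24", "198.51.100.0/25")]


@dataclass
class SignIn:
    """What Azure AD knows about one authentication attempt (assumed fields)."""
    user: str
    groups: Set[str]              # e.g. {"contractors"}
    platform: str                 # "windows", "ios", "android", ...
    client_ip: str                # public IP address seen by Azure AD
    risk: str = "none"            # sign-in risk level from Identity Protection
    mfa_done: bool = False        # MFA already satisfied in this auth session
    device_compliant: bool = False
    domain_joined: bool = False


@dataclass
class Policy:
    """Conditions (None = not restricted) and controls of one CA policy."""
    name: str
    users: Optional[Set[str]] = None        # group names; None = all users
    platforms: Optional[Set[str]] = None    # None = any platform
    risk_levels: Optional[Set[str]] = None  # None = any risk level
    untrusted_only: bool = False            # applies only outside TRUSTED_RANGES
    require: Set[str] = field(default_factory=set)  # "mfa", "compliant", "domain_joined"
    block: bool = False


def on_trusted_network(ip: str) -> bool:
    """True if the client's IP falls inside a trusted range (IPv6 never matches an IPv4 range)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_RANGES)


def applies(policy: Policy, s: SignIn) -> bool:
    """Every configured condition must match, otherwise the policy is ignored."""
    if policy.users is not None and not (policy.users & s.groups):
        return False
    if policy.platforms is not None and s.platform not in policy.platforms:
        return False
    if policy.risk_levels is not None and s.risk not in policy.risk_levels:
        return False
    if policy.untrusted_only and on_trusted_network(s.client_ip):
        return False
    return True


def evaluate(policies: List[Policy], s: SignIn) -> Tuple[str, object]:
    """Return ("block", policy name) or ("allow", controls still outstanding)."""
    outstanding: Set[str] = set()
    for p in policies:
        if not applies(p, s):
            continue
        if p.block:                 # a block beats any grant control
            return ("block", p.name)
        outstanding |= p.require    # controls from all applying policies are ANDed
    # Controls already satisfied by the session are not prompted for again;
    # this is why MFA completed in Word is not repeated in Excel.
    if s.mfa_done:
        outstanding.discard("mfa")
    if s.device_compliant:
        outstanding.discard("compliant")
    if s.domain_joined:
        outstanding.discard("domain_joined")
    return ("allow", sorted(outstanding))


# The four policies from the post, expressed in the toy schema above.
POLICIES = [
    Policy("Example 1: MFA on Windows", platforms={"windows"}, require={"mfa"}),
    Policy("Example 2: compliant device for contractors on mobile",
           users={"contractors"}, platforms={"ios", "android"}, require={"compliant"}),
    Policy("Example 3: block when off the trusted network", untrusted_only=True, block=True),
    Policy("Example 4: block high-risk sign-ins", risk_levels={"high"}, block=True),
]

if __name__ == "__main__":
    office_ip, cafe_ip = "203.0.113.10", "192.0.2.77"   # constructed addresses
    for s in (
        SignIn("alice", {"staff"}, "windows", office_ip),                 # MFA required
        SignIn("alice", {"staff"}, "windows", office_ip, mfa_done=True),  # nothing outstanding
        SignIn("bob", {"contractors"}, "ios", office_ip),                 # compliant device required
        SignIn("alice", {"staff"}, "windows", cafe_ip, mfa_done=True),    # blocked: off network
        SignIn("alice", {"staff"}, "windows", office_ip, risk="high"),    # blocked: risky sign-in
    ):
        print(s.user, s.platform, s.client_ip, s.risk, "->", evaluate(POLICIES, s))
```

Two things the run makes visible that the portal screenshots do not: a sign-in from outside the trusted ranges is blocked even when MFA has already been satisfied, because the block control is evaluated before any grant control is considered, and the risk policy only fires for the level(s) you selected, so a ‘Medium’ risk sign-in still gets through the Example 4 policy as written. The real Azure AD engine has more conditions (client apps, device state, session controls) than this model, but the composition rules are the same.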

A couple of final things

Conditional Access policies are also enforced when you collaborate securely across organizations with Azure AD B2B collaboration. Because MFA policies are enforced by the resource organization (the tenant that hosts the protected content), you can require multi-factor authentication from B2B guest users too, regardless of what their home tenant enforces.

And yes, if you have an on-premises MFA setup, you can use that. Please find details here.

We’re really excited about the wide range of scenarios that this lights up and hope you find it useful. For any updates and additional information, see our FAQ for conditional access. As always, we’re looking forward to your feedback.

Prerequisites:

Azure Active Directory Conditional Access is a feature of Azure Active Directory Premium. Each user who accesses an application that has Conditional Access policies applied must have an Azure Active Directory Premium license. Device compliance (Example 2) additionally requires Intune, and the sign-in risk condition (Example 4) depends on Azure AD Identity Protection.

Get started NOW!

It really is very easy to get started. We have a lot of information available to help you, from great documentation to engaging with us via Yammer and e-mail. What are you waiting for? Get to it!