Watch a Salesforce demo that shows conditional access with Multi-Factor Authentication.
- [Instructor] Now that we've set up basic single sign-on to Salesforce, I want to introduce another really powerful feature of Azure Active Directory called conditional access. What conditional access lets you do is create policies that define, for a given application or set of applications, not only who can access those applications, but when they can access them, where they can access them from, and what they need to do in order to gain access. So to give you an example, we might say that for a specific application you can only access that application when you're on the corporate network, but for other applications we'll let you access the application as long as you do two-factor authentication, or maybe we'll say you have a choice of either doing two-factor authentication or connecting to the application from a device that's managed by the company.
All these types of conditions, we can put these together with conditional access policies. So what we'll do here, we'll create a new conditional access policy that requires users to complete multi-factor authentication any time they want to access salesforce.com. To do that, we'll browse through the Salesforce application by going to Enterprise applications, clicking All applications, and then selecting Salesforce. Finally, we'll click Conditional access, and we'll go ahead and create a new policy by clicking New policy.
We'll give this a name. We're going to make this specific to the Salesforce application, so I'm going to call this the SalesForce Policy. The first thing we need to do is say what users and groups will this policy apply to. We'll keep this simple. Let's say it applies to all users accessing the application. Notice that you can both include and exclude, so you could say all users except specific people. Cloud apps, what applications does this apply to? Since we created this under Salesforce, it's pre-selected that for us, but notice we could have a policy that applies to every cloud app or all cloud apps but certain ones.
And finally, Conditions are when this policy applies. There are a bunch of different choices here. Sign-in risk is something with Azure AD Identity Protection that lets us say whether we should only apply this policy based on how risky the sign-in is. Is it a low-, medium-, or high-risk sign-in? Device platforms: this could only apply to people connecting from Windows devices or iOS devices, for example. Locations: these are network locations like subnets and IP addresses where the user's connecting from, or you could even say this only applies if users are coming from certain countries.
And finally, client applications. These are things like, are they coming from a browser, or are they coming from a legacy client like an Exchange ActiveSync client? In our case, we're going to apply this to everything, so we're not going to choose any of these. Instead, with the access controls, we're going to say that multi-factor authentication is required, and notice there are a number of different choices here. Requiring the device to be marked as compliant means that Intune comes into the picture here, something we're going to talk about later in the course. Requiring a domain-joined machine means the machine is joined to both Active Directory and Azure Active Directory.
And you can also do this requiring either all the controls above, so we could say require multi-factor and a compliant device, or any of the above. We'll just go with multi-factor. And then finally, we're going to turn the policy on. Once this is in place, I'm going to switch to my end user screen again, and we're going to try accessing Salesforce again, and we should see that we'll be prompted to do two-factor authentication. So now that I've switched to being an end user again, I'm signed into the access panel, and I have the Salesforce tile. And I'm going to go ahead and click on that like I normally would, but we're going to see what happens now that we've added the conditional access policy.
It's going to take me to Salesforce, where I'm going to say I'm going to log in with Azure AD. And because this is the first time as an end user that I'm accessing something that requires multi-factor authentication, Azure AD is actually going to prompt me to do that. So I'm going to go ahead and walk through that process. I can choose to authenticate either with my phone via text message or voice call, via voice call to my office phone, or with the Microsoft Authenticator mobile app. I'll go ahead and do that and register my cellphone number here.
And Azure AD is going to send me a text message, which I'll go ahead and enter just to validate that that really is my phone number. Then I'll click Done, and I'm signed in to Salesforce. The next time I sign in, I'll show you what would happen again. It's just going to prompt me to enter a code that's going to be texted to me. So I'll sign back in. I'll go ahead and pick Salesforce, select Azure AD to sign in.
Now this time it's automatically going to go ahead and text me a verification code. I'll go ahead and put that code in and click Sign in, and now I've done two-factor authentication. So this is what conditional access can do. We've only scratched the surface, but we've said any time someone wants to access this application, require them to do two-factor authentication. Of course, we could take that to the next level and say only require them to do two-factor authentication when they're outside the corporate network, where they're not coming from a known device, for example. But you get an idea of how much you can do with this to further secure your applications and data.
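The portal walkthrough above can be reproduced as code, which is how a practitioner would version and review the policy. The following is an added example written for this page, not code from the course; it builds the same "require MFA for Salesforce" policy with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, that the Salesforce enterprise application carries the display name 'Salesforce', that the caller holds the Conditional Access Administrator role, and it uses a hypothetical break-glass account (breakglass@contoso.onmicrosoft.com) that you would replace with your own.

```powershell
# Added example (not from the course): create the "SalesForce Policy" conditional
# access policy from the demo with the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph module installed; Salesforce enterprise app named
# 'Salesforce'; caller is a Conditional Access Administrator; the break-glass UPN
# below is hypothetical and must be replaced.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All','Application.Read.All','User.Read.All'

# Resolve the enterprise application. Conditional access targets the app's
# application (client) ID, not the service principal's object ID.
$sp = Get-MgServicePrincipal -Filter "displayName eq 'Salesforce'"
if (-not $sp) { throw "Salesforce enterprise application not found in this tenant" }

# Hypothetical emergency-access account excluded from the policy so that a broken
# MFA method (lost phone, SMS outage) cannot lock every administrator out.
$breakGlass = Get-MgUser -Filter "userPrincipalName eq 'breakglass@contoso.onmicrosoft.com'"
if (-not $breakGlass) { throw "Break-glass account not found; create one before enforcing MFA" }

$policy = @{
    displayName = 'SalesForce Policy'
    # Report-only first: sign-in logs show who WOULD have been challenged without
    # blocking anyone. Switch to 'enabled' once the results look right.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlass.Id)
        }
        applications   = @{ includeApplications = @($sp.AppId) }
        # No client-app filter: browsers, modern-auth clients and legacy clients alike.
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'      # 'AND' would demand every listed control
        builtInControls = @('mfa')  # add 'compliantDevice' to also accept Intune-compliant devices
    }
}

# The "next level" mentioned at the end of the demo: require MFA only when the
# user is outside the corporate network. Uncomment to exempt named locations
# that are marked as trusted in Azure AD.
# $policy.conditions.locations = @{
#     includeLocations = @('All')
#     excludeLocations = @('AllTrusted')
# }

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Two points the portal demo does not show: the policy is created in report-only mode so its effect can be reviewed in the sign-in logs before anyone is challenged, and an emergency-access account is excluded, which matters because an "all users, MFA required" policy with no exclusion will lock out the very administrators who need to fix a misconfiguration.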