In this video, Sharon demonstrates how to revoke user access to SaaS applications in Azure Active Directory and control access using conditional access policies.
- [Instructor] As IT admins, we are responsible for keeping the company's data safe, and to do so for our applications that are in Azure Active Directory, we can set up conditional access rules. I've already logged into Azure. I'm in the Azure Active Directory blade. I'm going to scroll down just a little bit, and click on Conditional access. Here, we can enforce access requirements based on a specific condition. To get started, click on Add. Provide a name for your policy.
We'll call it Device Policy. Next, who are we going to assign this policy to? We can assign it to nobody, all users, or select users and groups. If you're just testing your policies, you may want to start off with select users and groups, and have a test group or test users for this. I'm going to go ahead and keep it to None right now. I want to build out the rest of the policy. I also have the option to exclude specific users and groups. Next, which of the cloud apps do you want this policy to apply to? You can take all of the cloud apps, or you can go ahead and select some.
If you're going to select only specific apps, you'll have to come in and then select those apps that you want to apply the policy to. I'm going to go ahead and select Box. Click Select, and then Done. Next, the conditions. First we have our Sign-in risk. Within Azure, sign-ins are assigned risk levels. You can select the risk level that you're willing to allow to access this particular app.
Again, you have the option to turn this on or off. I'm going to leave this one off. Next are device platforms. Do we want to configure this? Yes. Maybe I only want Windows devices being able to access this application. I'm going to go ahead and click Done. Next is our location. Do we want to include all locations? Or maybe we only want to allow from trusted IPs. I'm going to click No in this, and then finally the type of client apps that this policy will apply to.
Does this apply to the browser? To the mobile apps and desktop clients? You'll notice here Exchange ActiveSync is not available to me, because I don't have an Office 365 account attached to this subscription. I'm going to leave that, and click Select. So our conditions are that it must be a Windows device, and it will also apply to any browsers or web apps and desktop clients. I'm going to go ahead and click Done. Next we can enforce some additional controls.
We can require multi-factor authentication, we can require a compliant device. Yes, I'd like to make sure that the device is compliant. We could require that device to be domain joined if we wish. Then we go ahead and click Select, and then we'd go ahead and enable this policy, and then Create, but again keeping in mind that I actually haven't assigned this to any users or groups. As always, I would highly recommend you set up a test base for this. You do not want to frustrate your users if they're trying to access something and they can't.
And there's our policy. Finally, what if a user leaves? Well, we want to make sure they can't access those applications anymore. We'll click on Users and groups. Click on All users. I'm going to go ahead and pick on Sherlock again. So I have the option, if Sherlock leaves, I can go ahead and delete his account, and therefore he will not have access. Or, maybe I just don't need him having access anymore to our cloud-based applications. In that case, I can click on Profile, and then Block sign in.
Now he is unable to actually sign in. I click Save, and Sherlock Holmes is now blocked. That's all there is to it. You can control access to your apps using conditional access, and you can individually block your users by blocking their sign-in.
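The policy built in the portal above, and the block-sign-in step at the end, can also be expressed as Microsoft Graph request bodies, which is how you would script or review them. The following is an added example, not code from the video or from Microsoft: it writes the "Device Policy" walk-through in the shape the Graph `identity/conditionalAccess/policies` endpoint accepts, scopes it to a pilot group, and runs a small local evaluator to show which sign-ins the policy would touch. The application and group ids, the sample sign-in, and the evaluator itself are constructed for illustration; the evaluator approximates how conditions are ANDed and is not Azure AD's engine.

```python
"""Azure AD conditional access as Graph payloads plus a local scope/grant check.
Added example: ids and the sample sign-in are constructed placeholders."""
import copy
import json

# Placeholders (constructed): real ids come from your own tenant.
BOX_APP_ID = "00000000-0000-0000-0000-0000000000b0"      # the Box enterprise app
PILOT_GROUP_ID = "00000000-0000-0000-0000-0000000000c0"  # a small test group

# The "Device Policy" from the walk-through, shaped for
# POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
DEVICE_POLICY = {
    "displayName": "Device Policy",
    # Report-only: sign-ins are evaluated and logged, but nothing is enforced yet.
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "signInRiskLevels": [],                                   # sign-in risk left off
        "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
        "applications": {"includeApplications": [BOX_APP_ID]},
        "users": {"includeUsers": ["None"], "excludeUsers": []},  # nobody assigned, as in the video
        "platforms": {"includePlatforms": ["windows"], "excludePlatforms": []},
    },
    "grantControls": {"operator": "AND", "builtInControls": ["compliantDevice"]},
}

# A constructed sign-in: a pilot-group user reaching Box from a Windows browser.
SAMPLE_SIGNIN = {
    "user_id": "sherlock", "groups": [PILOT_GROUP_ID], "app_id": BOX_APP_ID,
    "platform": "windows", "client_app": "browser", "trusted_ip": False,
    "risk": "none", "account_enabled": True,
}


def assign_to_pilot_group(policy, group_id):
    """Copy of the policy scoped to a test group and switched from report-only to enforcing."""
    p = copy.deepcopy(policy)
    p["conditions"]["users"] = {"includeUsers": [], "includeGroups": [group_id], "excludeUsers": []}
    p["state"] = "enabled"
    return p


def in_scope(policy, signin):
    """True only when every configured condition matches; conditions are ANDed."""
    c = policy["conditions"]
    u = c["users"]
    if signin["user_id"] in u.get("excludeUsers", []):
        return False
    user_hit = (
        "All" in u.get("includeUsers", [])                        # "None" never matches anyone
        or signin["user_id"] in u.get("includeUsers", [])
        or bool(set(u.get("includeGroups", [])) & set(signin["groups"]))
    )
    apps = c["applications"]["includeApplications"]
    app_hit = "All" in apps or signin["app_id"] in apps
    plats = c.get("platforms", {}).get("includePlatforms", ["all"])
    plat_hit = "all" in plats or signin["platform"] in plats
    locs = c.get("locations", {}).get("includeLocations", ["All"])  # unconfigured = all locations
    loc_hit = "All" in locs or ("AllTrusted" in locs and signin["trusted_ip"])
    cats = c["clientAppTypes"]
    cat_hit = "all" in cats or signin["client_app"] in cats
    risks = c["signInRiskLevels"]
    risk_hit = not risks or signin["risk"] in risks
    return user_hit and app_hit and plat_hit and loc_hit and cat_hit and risk_hit


def evaluate(policy, signin):
    """Verdict this one policy gives the sign-in."""
    if not signin["account_enabled"]:
        return "blocked: sign-in disabled"            # a blocked account never reaches policy
    if policy["state"] == "disabled" or not in_scope(policy, signin):
        return "not in scope"
    g = policy["grantControls"]
    verdict = "block" if "block" in g["builtInControls"] else \
        "require " + f" {g['operator']} ".join(g["builtInControls"])
    if policy["state"] == "enabledForReportingButNotEnforced":
        return "report-only: " + verdict
    return verdict


def block_sign_in_requests(user_id):
    """Graph calls for a leaver: disable the account (the portal's 'Block sign in'),
    then revoke refresh tokens so sessions already issued cannot be renewed."""
    return [
        ("PATCH", f"/v1.0/users/{user_id}", {"accountEnabled": False}),
        ("POST", f"/v1.0/users/{user_id}/revokeSignInSessions", None),
    ]


if __name__ == "__main__":
    print(json.dumps(DEVICE_POLICY, indent=2))
    enforced = assign_to_pilot_group(DEVICE_POLICY, PILOT_GROUP_ID)
    print(evaluate(DEVICE_POLICY, SAMPLE_SIGNIN))                       # not in scope
    print(evaluate(enforced, SAMPLE_SIGNIN))                            # require compliantDevice
    print(evaluate(enforced, {**SAMPLE_SIGNIN, "platform": "macOS"}))   # not in scope
    print(block_sign_in_requests("sherlock"))
```

Two points the walk-through makes are visible in the output: with users left at None the policy never applies, no matter how the other conditions are set, and once scoped to a pilot group only the matching platform and client-app combinations are asked for a compliant device. Blocking sign-in disables the account before any policy runs; the extra `revokeSignInSessions` call is worth pairing with it, because tokens a leaver already holds are otherwise still valid until they expire.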