In this video, Pete Zerger demonstrates device-based access requirements in Azure Active Directory conditional access policies to control access to apps based on device type and state. Learn how to restrict access to cloud apps hosting sensitive data from
- [Narrator] Let's take a look at device-based access requirements in the conditional access feature in Azure Active Directory. With conditional access we have some device-based controls that allow us to control access based on the type and state of the device, the first of which is the platform. I'm logged into the Azure portal, I've selected my default directory, and I'm going to scroll down to the conditional access area. I'll take you step-by-step through configuring the conditional access policy with device-based access controls. We're going to look at a pre-configured policy, because these do take a few minutes sometimes to take effect.
In this case I'd like to restrict access to Exchange Online to allow users on domain-joined devices only to access their mail via a browser. So I'll start by looking at my user assignments. In this case I'm applying the policy to all users; I can certainly take that down to specific users or a group of users, including a dynamic group. For the app, I've selected Office 365 Exchange Online; certainly we can select all cloud apps and configure conditional access policies that are global in nature.
In the Conditions area, I've selected one condition, and that's my device platform, which will be a Windows machine. And in my Access controls, I'm going to grant access, but I'm going to require the devices to be domain-joined, as you see here, and I'll require multi-factor authentication just as a best practice. And you'll notice that I'm granting access, not denying. So now when I attempt to access Office 365 and Exchange Online when I'm on a managed system that's domain-joined, I should be allowed access, and when I attempt to access the same app from an unfamiliar computer not joined to my domain, I should be denied.
So I'm logged in as Don Funk here from Kinetico, our standard user, and I'll click on his Exchange Online app. We'll see Don's going to be prompted for multi-factor auth; he's chosen to be called on his mobile phone, so he'll receive a phone call, listen to the message, and hit the pound key. This should take Don into his mailbox, and here we are. At that point we have access to email as expected.
So let's jump out to another machine. This is not domain-joined, not familiar at all to the Kinetico IT department. Don is again logged in here with his Kinetico account, and I'll attempt to access Exchange Online. He's going to get that same MFA prompt, another phone call from the service; he can opt to, as you see there, defer that second prompt for up to 14 days, because I've configured that in our MFA policy.
You'll see in this case, because Don has logged in from an unfamiliar device, he receives a message from Conditional Access that we require domain-joined devices, and access from personal devices is not allowed. So as you can see, device compliance and conditional access policies enable us to optimize security in anywhere-productivity scenarios.
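The policy shown in the video (all users, Office 365 Exchange Online, Windows platform condition, grant requiring a domain-joined device AND multi-factor authentication) can be written down in the shape of the Microsoft Graph conditionalAccessPolicy resource and walked through against the two sign-ins Pete demonstrates. The following is an added example, not code from the video and not Microsoft's evaluation engine: a small Python model that applies the policy's assignments, conditions and grant controls to a few constructed sign-in attempts. The application id is a placeholder, and the "Don on a Mac" case goes beyond the video to show the effect of the Windows-only platform condition.

```python
"""Toy model of conditional access policy evaluation (added illustration).

Field names follow the Microsoft Graph conditionalAccessPolicy resource
(conditions.users / applications / platforms, grantControls.builtInControls),
but the evaluation logic below is a simplified stand-in, not Azure AD's.
"""
from dataclasses import dataclass

# Placeholder: substitute the real Office 365 Exchange Online application id.
EXCHANGE_APP_ID = "<exchange-online-app-id>"

# The policy as configured in the video, in Graph-style shape.
POLICY = {
    "displayName": "Exchange Online: domain-joined Windows + MFA",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": [EXCHANGE_APP_ID]},
        "platforms": {"includePlatforms": ["windows"]},
    },
    "grantControls": {
        "operator": "AND",  # both controls must be satisfied
        "builtInControls": ["domainJoinedDevice", "mfa"],
    },
}


@dataclass
class SignIn:
    """A constructed sign-in attempt (what the policy sees about the session)."""
    user: str
    app_id: str
    platform: str        # e.g. "windows", "macOS", "iOS"
    domain_joined: bool  # device is joined to the organization's domain
    mfa_satisfied: bool  # user completed the MFA prompt


def policy_applies(policy: dict, s: SignIn) -> bool:
    """True when the sign-in matches every assignment/condition of the policy."""
    c = policy["conditions"]
    users = c["users"]["includeUsers"]
    if "All" not in users and s.user not in users:
        return False
    apps = c["applications"]["includeApplications"]
    if "All" not in apps and s.app_id not in apps:
        return False
    plats = [p.lower() for p in c["platforms"]["includePlatforms"]]
    if "all" not in plats and s.platform.lower() not in plats:
        return False
    return True


def evaluate(policy: dict, s: SignIn):
    """Return (decision, unmet_controls).

    decision is "grant", "block", or "not-in-scope". The last means the
    policy's conditions did not match, so it imposed no requirement at all;
    this is how a Windows-only platform condition leaves other platforms
    untouched unless another policy covers them.
    """
    if policy["state"] != "enabled" or not policy_applies(policy, s):
        return "not-in-scope", []
    gc = policy["grantControls"]
    controls = gc["builtInControls"]
    if "block" in controls:
        return "block", ["block"]
    satisfied = {
        "mfa": s.mfa_satisfied,
        "domainJoinedDevice": s.domain_joined,
    }
    unmet = [ctl for ctl in controls if not satisfied.get(ctl, False)]
    if gc["operator"] == "AND":
        ok = not unmet
    else:  # "OR": any one satisfied control is enough
        ok = len(unmet) < len(controls)
    return ("grant" if ok else "block"), unmet


if __name__ == "__main__":
    # Constructed sign-ins mirroring the video, plus one extra platform case.
    cases = {
        "Don, domain-joined Windows PC, MFA done":
            SignIn("don.funk", EXCHANGE_APP_ID, "windows", True, True),
        "Don, unfamiliar Windows laptop, MFA done":
            SignIn("don.funk", EXCHANGE_APP_ID, "windows", False, True),
        "Don, personal Mac, no MFA":
            SignIn("don.funk", EXCHANGE_APP_ID, "macOS", False, False),
    }
    for label, signin in cases.items():
        print(f"{label}: {evaluate(POLICY, signin)}")
```

The second case reproduces the "domain-joined devices required" message from the video: MFA alone is not enough because the operator is AND. The third case is the caveat worth checking in any real tenant: with the platform condition set to Windows only, a macOS sign-in is simply out of scope and gets no device requirement from this policy, so an organization that means "domain-joined devices only" needs either no platform condition or a companion policy for the other platforms.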
In this course—the first in the series—Microsoft MVP Pete Zerger takes you through the basics of setting up endpoint protection. He begins by explaining how to set up Azure Active Directory Premium. Next, he goes into enabling multi-factor authentication, followed by setting conditions for secure access. To wrap up, Pete covers managing mobile devices with Intune, and publishing applications with Azure AD App Proxy.
- Setting up Azure Active Directory for an organization
- Enabling user-level and application-level multi-factor authentication
- Setting conditions for secure access
- Planning a mobile device management (MDM) strategy
- How Intune (standalone) MDM works
- How Intune mobile application management works
- Publishing applications with Azure AD App Proxy
- Assigning users and groups