During this lesson, learn how to configure conditional access policies using the Azure portal. The instructor explores the various configuration options.
- [Instructor] Conditional access allows us, the IT admin, the ability to control who and what has access to our networks, while allowing the user to access the corporate resources from where, when, and on whatever device they have. And it works by using two simple statements. The first statement is the condition statement, which is when this happens. And the second statement is the control statement, then do this. And we only have two options, block or grant.
Let's see this in action in Azure. We're gonna go ahead and create a new conditional access policy, and we'll do this through Azure Active Directory. You'll need to scroll down to security, and then conditional access. You'll notice that I already have two policies. Let's go ahead and create a new one. For this policy, we're gonna call it MFA for SharePoint Online. And that's because I'm going to configure multi-factor authentication for our users accessing SharePoint Online.
The first thing we need to do is assign this policy to users and groups. You can select none, all users, or select users and groups, which is what I'm going to choose, and then I'm gonna select a specific group. I'm gonna pick on the HR group. Next we need to select the cloud apps that this is going to apply to. And you can say all the cloud apps, or select apps.
Now, pay attention to all cloud apps. There's a warning here that you could lock yourself out, so just be aware of that. I'm gonna select apps, and then I'm gonna look for SharePoint Online. And you'll notice that there are several apps here that I can choose from. And now we can determine the conditions, and we have four options here starting off with the device platform. This policy can apply to specific devices, or to all platforms.
For our demonstration I'm gonna have it apply to Windows Phone devices only. Next we can choose locations, and we can select from any location, all trusted locations, or selected locations. I'm gonna show you selected locations. Let's say that this policy will be applied to anyone who's coming in from, let's say, Canada. And you'll note here, the exclude option, and that might be a little bit more important when you're choosing location.
Next, we can configure the client apps that this policy will apply to. We're gonna turn this on for browser, mobile apps and desktop clients. And finally, we have device state. And we'd use this to configure, no matter what the device state is, whether it's compliant or non-compliant. I'm going to leave this one as no, and close that. Go ahead and click done. Now that we have all of the conditions set up, we focus in on access controls, and this is the block or grant access.
If the device and user meet the condition that we've set in this assignment, then we can either block access completely to SharePoint, or we can grant access, and for our example, we're gonna require multi-factor authentication. We can also require that the device be marked as compliant, require Hybrid Azure Active Directory joined devices only, or require approved client apps only. In addition, we can require that all the selected controls be used, or just one.
You can go ahead and click select. And finally, we have session, and session controls enable limited experiences within the cloud app. I'm not gonna select anything from here. At this point you would go ahead and enable that policy, and then create. Now when we have a user who logs in from a Windows device from Canada, trying to access SharePoint Online, they will need to provide multi-factor authentication. For the exam I would highly recommend that you review conditional access in a little bit more detail and become familiar with all the components of conditional access policies.
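The same policy the lesson builds in the portal, written out as a Microsoft Graph conditionalAccessPolicy body, with a pre-flight check for the "you could lock yourself out" warning the portal shows on all cloud apps. This is an added example, not the lesson's own material; the group and named-location ids are constructed placeholders, and the SharePoint Online application id is assumed to be the well-known Office 365 SharePoint Online value, which you should verify in your tenant.

```python
"""Conditional access as 'when this happens' (conditions) -> 'then do this' (grantControls)."""
import json

# Constructed placeholder ids; replace with values from your own tenant.
HR_GROUP_ID = "00000000-0000-0000-0000-0000000000aa"
CANADA_NAMED_LOCATION_ID = "00000000-0000-0000-0000-0000000000bb"
# Assumed well-known app id for Office 365 SharePoint Online; verify under Enterprise applications.
SHAREPOINT_ONLINE_APP_ID = "00000003-0000-0ff1-ce00-000000000000"


def build_policy() -> dict:
    """The lesson's 'MFA for SharePoint Online' policy: HR group, Windows Phone, Canada, browser + rich clients."""
    return {
        "displayName": "MFA for SharePoint Online",
        "state": "enabled",
        "conditions": {
            "users": {"includeGroups": [HR_GROUP_ID], "excludeUsers": []},
            "applications": {"includeApplications": [SHAREPOINT_ONLINE_APP_ID]},
            "platforms": {"includePlatforms": ["windowsPhone"]},
            "locations": {"includeLocations": [CANADA_NAMED_LOCATION_ID]},
            "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
        },
        # operator "OR" = just one of the selected controls; "AND" = all selected controls
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def lockout_risks(policy: dict) -> list:
    """Flag the combinations that the portal warns about: broad scope plus a block, or no excluded admin."""
    cond = policy["conditions"]
    all_users = "All" in cond["users"].get("includeUsers", [])
    all_apps = "All" in cond["applications"].get("includeApplications", [])
    controls = (policy.get("grantControls") or {}).get("builtInControls", [])
    risks = []
    if all_users and all_apps and "block" in controls:
        risks.append("blocks all users from all cloud apps: admins are locked out too")
    if all_users and not cond["users"].get("excludeUsers"):
        risks.append("applies to all users with no excluded break-glass account")
    return risks


if __name__ == "__main__":
    policy = build_policy()
    print(json.dumps(policy, indent=2))
    print("lockout risks:", lockout_risks(policy) or "none")
```

Review the risks list before switching `state` from a report-only value to `enabled`, since a blocking policy scoped to all users and all apps takes effect for the admin creating it as well.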