Conditional access is getting better and better and better
Yeah, I know, I’ve been using similar blog post titles recently. And yes, it might sound cheesy. However, looking specifically at conditional access, it’s easy to say that the current evolution, in the Azure portal, is better than it is in the Azure classic portal, which is better than it is in the Intune Silverlight portal. Based on that, maybe “The evolution of conditional access” would have been a nice title also. In this post I will go through a little bit of history of conditional access, followed by going through the enhanced capabilities of conditional access in the Azure portal.

Little bit of history
Let’s start by looking at a little bit of history of conditional access. No, I won’t put all the evolutions on a timeline, but I will try to show the biggest changes. Conditional access started as a feature in the Intune Silverlight portal only. At that time it was limited to a few Office 365 services. Later on conditional access also became part of the Azure classic portal and the functionalities got expanded to include other cloud apps and published apps. Very recently conditional access also became part of the Azure portal (still in preview) and the functionalities got expanded to include multiple policies and many, many configuration options. Now let’s go through these evolutions in a bit more detail.
Intune Silverlight portal

The Intune Silverlight portal is the portal where it all started for the conditional access functionalities. In the Intune Silverlight portal it’s possible to enable and configure conditional access for the following Microsoft cloud services:
- Exchange Online;
- Exchange On-premises;
- Exchange Online Dedicated (new and legacy);
- SharePoint Online;
- Skype for Business Online;
- Dynamics CRM Online.
Within the conditional access policies it’s possible to configure the following conditions:
- Platforms (all or specific);
- Browser (all or supported only);
- Groups (targeted and/or exempted).
Azure classic portal

The Azure classic portal is the portal that started with providing more capabilities by making conditional access configurations available as part of Azure AD. In the Azure classic portal it’s possible to configure conditional access for the following additional apps (in addition to the Intune Silverlight portal):
- Software as a service (SaaS) apps connected to Azure AD;
- On-premises apps published via the Azure AD Application Proxy.
Within the conditional access policies it’s possible to configure the following additional conditions (in addition to the Intune Silverlight portal):
- Multi-factor authentication (always, when not at work, block when not at work).
Azure portal

The Azure portal is still in preview for the Azure AD functionalities. However, the Azure portal is where conditional access becomes a grown-up functionality. The Azure portal also supports all the mentioned apps from the Azure classic portal and the Intune Silverlight portal. On top of that, it enables the ability to create one policy for all apps, or a policy per app, or even multiple policies per app.
Within the conditional access policies it’s also possible to configure all the mentioned conditions from the Azure classic portal and the Intune Silverlight portal. On top of that, it enables the ability to make every available combination of the available conditions.
Note: The Azure portal even includes the capability to configure conditional access for managed apps. This is part of the Intune mobile app management configuration.
Note: At this moment all three locations are still available for configuring conditional access. When a conditional access policy is configured at multiple locations, the end-user only gets access when all requirements are met.

Conditional access in the Azure portal
This section is about a preview of the Azure AD management experience in the Azure portal.
Now let’s have a look at the new conditional access experience in the Azure portal and why these changes are really interesting. Let’s do this by going through the different controls and condition statements that are available in the Azure portal.

Policies
The first thing that’s important to know, is that there is no limit anymore in creating conditional access policies for specific apps. The configuration in the Azure portal enables the administrator to create multiple conditional access policies. Not just one per cloud app, but it can even be multiple policies per cloud app. Before every sign-in, Azure AD evaluates all applicable policies and ensures that all requirements are met before granting access to the end-user. Now let’s have a look at adding a policy in more detail.
Policy

When adding a new conditional access policy there are the following 4 sections that can be configured:
- Name: Every conditional access policy requires a name. That name will be used to identify the policy;
- Assignments: With assignments the administrator defines the criteria that need to be met, for the controls to be applied, in the form of a condition statement;
- Controls: With controls the administrator can either block access or allow access. And by allowing access the administrator can also add additional requirements;
- Enable policy: Every conditional access policy will only be applied when it’s enabled.
The next thing is to have a look at the different assignments that can be part of the condition statement. The assignments can be configured for User and groups, Cloud apps and additional Conditions. When there are multiple assignments configured in the conditional access policy, all assignments are logically ANDed. If there are multiple assignments configured, all assignments must be satisfied.

User and groups

In the User and groups assignment, the administrator can configure to whom the conditional access policy must be applied. This can be done by including all users, or by selecting specific users and/or groups. When specific users must be excluded, that can be configured by adding those users in the exclude section of this assignment.
Cloud apps

In the Cloud apps assignment, the administrator can configure to what the conditional access policy must be applied. This can be done by including all cloud apps, or by selecting specific cloud apps. When specific apps must be excluded, that can be configured by adding those apps in the exclude section of this assignment.
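To make the evaluation rules described above concrete (all applicable policies must be satisfied before access is granted, assignments inside one policy are ANDed, exclusions win over inclusions in the User and groups and Cloud apps sections, and a disabled policy never applies), here is a small Python model of that logic. It is an added example, not code from the original post and not Microsoft's implementation; the policy names, users, groups, apps and platform values are constructed for illustration, and the "block", "grant" and "require MFA" controls are simplified to the three outcomes a sign-in can get.

```python
"""Toy model of Azure AD conditional access policy evaluation.

Added example, not code from the original post or from Microsoft. It models the
semantics the post describes: multiple policies, all applicable policies must be
satisfied before access is granted, assignments inside a policy are ANDed, and
include/exclude sections on the "User and groups" and "Cloud apps" assignments.
All policy and sign-in data below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ALL = "All"  # sentinel for the portal's "All users" / "All cloud apps" option


@dataclass(frozen=True)
class SignIn:
    user: str
    groups: FrozenSet[str]
    app: str
    platform: str
    mfa_satisfied: bool  # whether the user already completed MFA in this sign-in


@dataclass(frozen=True)
class Assignment:
    """Include/exclude pair, as in the User and groups and Cloud apps sections."""
    include: FrozenSet[str]
    exclude: FrozenSet[str] = frozenset()

    def matches(self, identities: FrozenSet[str]) -> bool:
        # Exclusions win over inclusions; ALL in include matches everything else.
        if identities & self.exclude:
            return False
        return ALL in self.include or bool(identities & self.include)


@dataclass(frozen=True)
class Policy:
    name: str
    users: Assignment
    apps: Assignment
    platforms: Optional[FrozenSet[str]]  # None models the "all platforms" condition
    control: str                         # "block" or "grant"
    require_mfa: bool = False            # extra requirement when control == "grant"
    enabled: bool = True

    def applies(self, s: SignIn) -> bool:
        """All assignments are logically ANDed: every one must be satisfied."""
        if not self.enabled:
            return False
        return (self.users.matches(frozenset({s.user}) | s.groups)
                and self.apps.matches(frozenset({s.app}))
                and (self.platforms is None or s.platform in self.platforms))


def evaluate(policies: List[Policy], s: SignIn) -> Tuple[str, List[str]]:
    """Return (decision, names of the policies that applied to this sign-in).

    decision is "blocked", "mfa_required" or "granted". Every applicable policy
    has to be satisfied, so a single block policy wins, and MFA is required as
    soon as any applicable grant policy demands it.
    """
    applicable = [p for p in policies if p.applies(s)]
    names = [p.name for p in applicable]
    if any(p.control == "block" for p in applicable):
        return "blocked", names
    if any(p.require_mfa for p in applicable) and not s.mfa_satisfied:
        return "mfa_required", names
    return "granted", names


# Constructed sample policies; names and values are invented for this example.
POLICIES = [
    Policy(name="Require MFA for Exchange Online",
           users=Assignment(include=frozenset({ALL}), exclude=frozenset({"breakglass"})),
           apps=Assignment(include=frozenset({"Exchange Online"})),
           platforms=None, control="grant", require_mfa=True),
    Policy(name="Block Contractors on Android for SharePoint Online",
           users=Assignment(include=frozenset({"Contractors"})),
           apps=Assignment(include=frozenset({"SharePoint Online"})),
           platforms=frozenset({"Android"}), control="block"),
    Policy(name="Disabled policy that would block everything",
           users=Assignment(include=frozenset({ALL})),
           apps=Assignment(include=frozenset({ALL})),
           platforms=None, control="block", enabled=False),
]


def decide(user, groups, app, platform, mfa_satisfied=False) -> str:
    """Convenience wrapper returning only the decision for the sample policies."""
    signin = SignIn(user, frozenset(groups), app, platform, mfa_satisfied)
    return evaluate(POLICIES, signin)[0]


if __name__ == "__main__":
    print(decide("alice", {"Staff"}, "Exchange Online", "iOS"))                  # mfa_required
    print(decide("alice", {"Staff"}, "Exchange Online", "iOS", True))            # granted
    print(decide("breakglass", set(), "Exchange Online", "Windows"))             # granted (excluded)
    print(decide("bob", {"Contractors"}, "SharePoint Online", "Android", True))  # blocked
    print(decide("bob", {"Contractors"}, "SharePoint Online", "Windows"))        # granted
```

The useful property to notice is the last two calls: the block policy for Contractors carries a platform condition, so the same user reaching the same app from Windows is not covered by it at all, and no other policy names SharePoint Online, so the sign-in is granted without MFA. That is exactly the kind of gap that multiple narrowly scoped policies per app can leave open, and it is why every assignment in a policy should be read as an AND.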