Microsoft Previews Azure Active Directory Conditional Access for Exchange and SharePoint Online
Microsoft today announced Azure Active Directory Conditional Access support for Exchange Online and SharePoint Online services, which is now at the preview stage.
Microsoft's "conditional access" term refers to the ability to set up multifactor authentication security challenges for users of applications under certain conditions. Under this scheme, users must provide secondary authentication to gain access, typically by entering a PIN or by responding to a text message or an automatically generated phone call.
It might be thought that the Azure Active Directory service already had the ability to set conditional access policies for Exchange Online and SharePoint Online users. After all, last year Microsoft announced that Azure Active Directory had conditional access support for its on-premises SharePoint Server product, as well as for Outlook on the Web applications and IIS-based applications.
However, conditional access support using Azure Active Directory seems to be a somewhat evolving capability. Only applications that support so-called "modern authentication" can take advantage of this conditional access protection.
In Microsoft's lingo, "modern authentication" means that an application or service can use the Active Directory Authentication Library (ADAL) to handle user sign-ins. This capability, too, has been an evolving one, but Microsoft claimed it rolled out its modern authentication capability from preview to "general availability" back in May.
Exchange and SharePoint have been laggards in terms of modern authentication support because they are based on "older protocols," according to this Microsoft Azure "Conditional access support for applications" document. Now, though, it's possible to test conditional access with the Exchange Online and SharePoint Online services.
IT pros can specify three rules for access: multifactor authentication can always be required, it can be required only when the user isn't at work, or access can be blocked when the user isn't at work. Those three rule-setting capabilities are already available for "Azure App Proxy, apps from the application gallery, Azure Remote App, Yammer and Dynamics CRM," according to Alex Simons, director of program management at the Microsoft Identity Division, in Microsoft's announcement.
Conditional access support also is available for "pre-integrated federated SaaS applications" associated with an Azure Active Directory tenant, something that might be done for line-of-business types of applications. However, this capability is described as just being at the preview stage in this "Getting started with conditional access to Azure AD" Microsoft Azure document.
Requirements and Recommendations
Use of the conditional access capability comes with some requirements. Microsoft typically lists Azure Active Directory Premium licensing as a prerequisite. If conditional access is used with Exchange Online and SharePoint Online, then an Office 365 subscription is needed, too.
It would seem that having conditional access in place might be enough assurance for organizations concerned with access breaches. Microsoft's announcement suggested, though, that organizations also will need its Azure Active Directory Identity Protection service.
"We recommend enabling these policies alongside risk based Conditional Access policy available with Azure AD Identity Protection," Simons added. "The risk based policies give an advanced baseline of coverage, challenging users for MFA or blocking access as risk is detected. Then apply a per-application policy, like always requiring MFA, for services with additional security or compliance requirements."
The Azure Active Directory Identity Protection service, though, is still fairly new. Microsoft released a preview of it in March. It uses machine learning to detect breaches by checking for six kinds of identity compromise risks. It uses a scoring system to evaluate the risks and then sends alerts to IT pros about the potential problems.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.