News

Microsoft Previews Conditional Access Policies for Office 365 Apps

• By Kurt Mackie
• 02/04/2020

Microsoft on Tuesday announced a preview of Azure Active Directory conditional access policies for Office 365 applications.

Conditional access policies can be used to check if certain conditions are in place before granting end users access to applications, which is known as "early-bound policy enforcement." There's also a "late-bound policy enforcement" approach where one application makes a request of another, Microsoft's "Service Dependencies" document explained.

Supported Apps and Licensing
The conditional access policies work across all Azure AD-connected applications, as well as Office 365 applications such as Exchange Online, Microsoft Teams and SharePoint Online. Microsoft lists its supported applications in this "Reference" document, but more apps could be supported. For instance, Microsoft's announcement stated that "you can also enforce policy to apps that aren't available in the Conditional Access app list, like the Office.com portal."

Organizations can use a "baseline policy" (available with all Azure AD editions) or a standard policy, which permits customizations. "Standard policies require an Azure AD Premium P1 license," Microsoft explained in its "How To" document.

The use of conditional access policies results in various actions, such as blocking access or requiring multifactor authentication (a secondary means of proving identity beyond a password). The policies might require that devices be managed by an organization or that they use approved client applications. The policies also can block legacy authentication methods or respond to other sign-in risks.

What can be done with the Azure AD conditional access policies will depend on the licensing that's in place, as noted by the "How To" document:

If additional features are required, you might also need to get related licenses. For example, while Conditional Access is Azure AD Premium P1 feature, identity protection requires an Azure AD Premium P2 license.

Testing
Organizations can test the Azure AD conditional access service by setting policies for test users using the Azure Portal. Microsoft also has a "What If" tool within the Azure Portal that simulates a user sign-in to test the effects after conditional access policies have been set, but it just works with one user. It'll detect if so-called "classic policies" (old ones) are being used.

In addition, there's a new "report only" conditional access policy state "that allows administrators to evaluate the impact of Conditional Access policies before enabling them in their environment," according to this document. Policies don't get enforced when the report-only state is enabled. Users of Azure Monitor have access to a Conditional Access Insights Workbook to view the policy effects when the report-only state is turned on.

Improved My Apps Portal
In other Azure AD news, Microsoft announced this week that its improved My Apps portal for end users has reached "general availability" commercial-release status. IT pros can create a collection of applications (SaaS, custom or on-premises apps) for end users within the My Apps portal. The ability to do that requires having "an Azure AD Premium P1 or P2 license," though.

The improved My Apps portal permits the filtering of apps based on employee roles or functions in an organization. It also serves a single destination for registering, managing devices or changing passwords.