Thursday 27 April 2017

Comparing Azure Conditional Access and Azure Conditional Access Preview

Azure Conditional Access is a policy and access enforcement solution for both Azure and Office 365 services. Conditional Access  requires Azure AD Premium P1 or above before it's available to be configured on your tenant.


Microsoft are currently moving conditional access to the new Azure portal experience https://portal.azure.com where it is in Preview. So I thought I would compare the old and new experience and post it here.


On top of this location and experience change they have also enabled far more granular policy controls for granting access to services as well as expanding support for Office 365 workloads. Which is great news to hear. We can now specify conditional access for Skype for Business online.


First off though, let's look at  the legacy portal experience at https://manage.windowsazure.com

Once logged in select your directory




From here we browse to 'Applications'




Select your workload, in this example I have selected 'Exchange Online'




We then have the option of enabling access rules for 'multi-factor authentication and location based policy control, and device based policies.




Once enabled we can specify rules that effect all users - or concentrate them on a specific group - and include exclusions if necessary.




In this example I am specifying a policy based on specific groups




And blocking access when a user is not at work (or allowed network).




To define your network locations, select 'define/edit your network location' and enter your public IP subnets that should be trusted.






Once back at the rule, ensure you save your selection








Should I wish to enable device access, I simply enable this also




Specify whether I want all devices in scope or specific ones




if I am being specific then selecting which OS/device this is




And then deciding if this is for the browser and native applications or native applications only




And the result of this rule? Being denied access to Exchange Online as I do not meet the conditional access criteria






So how does Azure Conditional Access Preview compare?


For users not used to the new Azure Portal you may at first need time to work out how the interface works.




Once logged in, select Azure Active Directory on the left pane




Once within Azure Active Directory, select Conditional Access




At this moment in time, if you have policies already configured in the legacy portal you cannot see them here. I am sure once out of Preview Microsoft will be looking to migrate your existing policies. For greenfield select 'New Policy'




Select a name for your policy. We then work our way through the assignment section, this specifies Users and Groups, Cloud Apps and Conditions




Specify if the policy is for all uses or groups, exclusions are still possible on the seperate tab




We can now multi select our cloud apps and create policies for multiple workloads








Now we have specified our users or groups, and cloud apps, we move on to the conditions for access




Device based access, multi factor enforcement and location based access are all rolled into one. The Preview still honours your Trusted IPs - and infact you must still configure them in the same place as previously shown.




You will find the Preview has far more granular control for fine tuning your conditional access requirements




We then enable the policy, the policy goes through validation checks and then is immediately enforced




We receive the same conditional access user experience












Keeping in mind the new experience is still in Preview - and you won't want to necessarily move over just yet - I would recommend looking at the new portal experience and start to plan how you will possibly add additional benefits to your conditional access policies that you may not have had the granular ability to do so before - or indeed the support for a particular service.

It will also provide you with the familiarity of the new portal experience.

Enjoy,


Oliver Moazzezi – Office Servers and Services MVP
Twitter: @Olivermoazzezi

 



























No comments: