Thursday 27 April 2017

Comparing Azure Conditional Access and Azure Conditional Access Preview

Azure Conditional Access is a policy and access enforcement solution for both Azure and Office 365 services. Conditional Access requires an Azure AD Premium P1 licence (or above) before it can be configured on your tenant.

Microsoft are currently moving conditional access to the new Azure portal experience, where it is in Preview. So I thought I would compare the old and new experiences and post the result here.

On top of this change of location and experience, they have also enabled far more granular policy controls for granting access to services, as well as expanding support for Office 365 workloads, which is great news. We can now specify conditional access for Skype for Business Online.

First off though, let's look at the legacy portal experience at

Once logged in, select your directory.

From here we browse to 'Applications'.

Select your workload; in this example I have selected 'Exchange Online'.

We then have the option of enabling access rules for multi-factor authentication and location-based policy control, and for device-based policies.

Once enabled, we can specify rules that affect all users, or concentrate them on a specific group, and include exclusions if necessary.

In this example I am specifying a policy based on specific groups,

and blocking access when a user is not at work (or on an allowed network).

To define your network locations, select 'define/edit your network location' and enter the public IP subnets that should be trusted.

Once back at the rule, ensure you save your selection.

Should I wish to enable device access, I simply enable this also,

specify whether I want all devices in scope or specific ones,

if I am being specific, select which OS/device this is,

and then decide whether this is for the browser and native applications, or native applications only.

And the result of this rule? Being denied access to Exchange Online, as I do not meet the conditional access criteria.

So how does Azure Conditional Access Preview compare?

For users not used to the new Azure portal, you may at first need some time to work out how the interface works.

Once logged in, select Azure Active Directory in the left pane.

Once within Azure Active Directory, select Conditional Access.

At this moment in time, if you have policies already configured in the legacy portal you cannot see them here. I am sure that once out of Preview Microsoft will be looking to migrate your existing policies. For greenfield, select 'New Policy'.

Select a name for your policy. We then work our way through the Assignments section, which specifies Users and Groups, Cloud Apps and Conditions.

Specify whether the policy is for all users or for specific groups; exclusions are still possible on the separate tab.

We can now multi-select our cloud apps and create policies for multiple workloads.

Now that we have specified our users or groups and our cloud apps, we move on to the conditions for access.

Device-based access, multi-factor enforcement and location-based access are all rolled into one. The Preview still honours your Trusted IPs, and in fact you must still configure them in the same place as previously shown.

You will find the Preview has far more granular control for fine-tuning your conditional access requirements.

We then enable the policy; it goes through validation checks and is then immediately enforced.

We receive the same conditional access user experience.
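To make the assignments, conditions and access-control flow concrete, here is an added example (not code from this post or from Microsoft) that models the policy built above: a group-scoped block on Exchange Online from outside the Trusted IPs, limited to iOS/Android browser and native clients. The dictionary follows the shape Microsoft Graph later adopted for conditionalAccessPolicy objects, which is an assumption since the 2017 Preview exposed no such API; the group id, user names, app id and IP ranges are constructed placeholders.

```python
# Simplified model of how the policy built above is evaluated. Added example,
# not code from the original post. POLICY follows the shape Microsoft Graph
# later used for conditionalAccessPolicy objects (assumption: the 2017 Preview
# exposed no such API); ids, user names and IP ranges are constructed placeholders.
import ipaddress

TRUSTED_IPS = [ipaddress.ip_network("203.0.113.0/24")]   # constructed Trusted IPs
GROUP_MEMBERS = {"finance-group-id": {"alice", "bob"}}  # constructed directory data

POLICY = {
    "displayName": "Block Exchange Online from outside the trusted network",
    "state": "enabled",
    "conditions": {
        "users": {"includeGroups": ["finance-group-id"], "excludeUsers": ["bob"]},
        "applications": {"includeApplications": ["<exchange-online-app-id>"]},
        "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
        "platforms": {"includePlatforms": ["iOS", "android"]},
        "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],  # not EAS
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_IPS)

def policy_applies(policy: dict, signin: dict) -> bool:
    """True when every assignment and condition matches the sign-in."""
    c = policy["conditions"]
    users = c["users"]
    in_group = any(signin["user"] in GROUP_MEMBERS.get(g, set())
                   for g in users.get("includeGroups", []))
    if not in_group or signin["user"] in users.get("excludeUsers", []):
        return False  # not assigned, or explicitly excluded
    if signin["app"] not in c["applications"]["includeApplications"]:
        return False
    excluded = c.get("locations", {}).get("excludeLocations", [])
    if "AllTrusted" in excluded and is_trusted(signin["ip"]):
        return False  # "All" minus "AllTrusted": trusted IPs fall out of scope
    plats = c.get("platforms", {}).get("includePlatforms", ["all"])
    if "all" not in plats and signin["platform"] not in plats:
        return False
    apps = c.get("clientAppTypes", ["all"])
    return "all" in apps or signin["client_app"] in apps

def decide(policy: dict, signin: dict) -> str:
    if policy["state"] != "enabled" or not policy_applies(policy, signin):
        return "allow"
    controls = policy["grantControls"]["builtInControls"]
    return "block" if "block" in controls else "require:" + "+".join(controls)
```

Swapping the grant control for `["mfa"]` turns the same assignments into an MFA requirement rather than a block, which is the other case the post walks through.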

Keeping in mind that the new experience is still in Preview, and that you won't necessarily want to move over just yet, I would recommend looking at the new portal experience and starting to plan how you might add benefits to your conditional access policies that you did not previously have the granular ability to configure, or indeed support for a particular service.

It will also give you familiarity with the new portal experience.


Oliver Moazzezi – Office Servers and Services MVP
Twitter: @Olivermoazzezi


Tuesday 4 April 2017

What happens to my data when an Office 365 subscription ends and expedited deprovisioning

Office 365 will delete your subscription data after 90 days and no later than 180 days after cancellation. However, what happens if you have a requirement to delete that data sooner?

Microsoft offer something called 'expedited deprovisioning'; you can read about it and the normal cancellation and deletion processes here. Expedited deprovisioning should probably be exposed more in the article, but at least the article now includes information on the matter.

So if you have a requirement for a more definitive data deletion process, contact Microsoft and ask for expedited deprovisioning. They will delete your data within 3 days this way.

However, make sure you have backed up the data you need or migrated it elsewhere, as this is a permanent process and you won't be able to get the data back afterwards!


Monday 3 April 2017

Utilizing Sway instead of Office for document creation and sharing

I had an interesting conversation with a customer last week. They were interested in making use of the benefits of Sway, but wanted to understand how they could protect content when using this service. Sway doesn't support Rights Management integration, so if you're looking at protecting documents and want to control who has access to them, provide instant revocation, or indeed see where your documents are being opened and by whom (including who has tried to access them), then Sway isn't for you.

You can only password-protect your content. You can limit the share function to users within your organisation or open it to everyone; see the Share functionality below:

If you don't want to provide external sharing, then as a Global Admin you can disable this function in the Office 365 Admin Center, including limiting where content is ingested from.

Interestingly, Sway doesn't currently support encryption at rest, unlike the traditional core workloads of Exchange, SharePoint, OneDrive for Business and Skype for Business Online, which provide BitLocker or file-level encryption at rest. It's only available from North American datacenters too, so be aware of where your data is being held.

If you need to utilise Rights Management or Information Protection capabilities, then I would suggest at this time continuing to use the Office suite with Azure RMS/AIP, especially if you need to share with external third parties. By all means give your employees access to Sway, but you may want to ensure external sharing is disabled for now.
