Conditional Access to Exchange Online and Office 365
Traditionally, restricting where and from which device users could access their Mailbox in Office...
Azure Active Directory Conditional Access has been around since 2016. Conditional Access governs access to cloud resources by evaluating the conditions associated with the sign-in of a user or application accessing a resource. Conditional Access policies allow an admin to stipulate under what conditions certain actions are enabled. I like to think of them as If-then statements.
For example: If: “Sign in comes from an untrusted network, accessing any cloud app”, then: “Require another form of authentication (MFA) before granting access to the cloud app.”
A resource can be one of many SaaS applications integrated with Azure Active Directory (AAD) for instance 3rd Party applications such as Salesforce or Microsoft’s Exchange Online.
Up until recently, conditional access policies have had the granularity of allowing the administrator to create policies targeted for specific SaaS applications, such as Exchange Online or Microsoft Teams for example. Because of the deep integration and dependencies on other Office 365 services, restricting access to one application such as Teams for example will have inconsistent collaborative experiences. Some organizations prefer to have the same conditional access policy apply to many applications.
The restriction up until now has been it’s either ALL cloud apps you include in your policy, with the option to add exceptions, or individual cloud applications, and not a group of applications.
This allows for some room for error on the part of the administrator, in either configuring a policy incorrectly for one application and or not catering for an application completely. There are approximately 32 Microsoft cloud applications and hundreds of Azure AD registered gallery applications.
Conditional Access for Office 365 (preview) was introduced on February 4th, 2020 and is already being rolled out to tenants. When I first heard about Conditional Access for Office 365 suite, my first thought was that it was a type of implementation of a conditional access administration experience in the Microsoft 365 admin center. Before you go looking on https://admin.microsoft.com for a “Conditional Access” workspace, I’ll save you the trouble, it’s not. If you have experience creating conditional access policies in the Azure Active Directory portal (https://portal.azure.com), the admin experience is the same.
Conditional Access for Office 365 suite requires AAD Premium P1 or AAD Premium P2 and is not available to AAD Free or AAD Office 365 apps. This can be misleading as some people may have been led to believe that the new Conditional Access for Office 365 (preview) feature would be available to non-premium versions of Azure Active Directory.To expand a little on the licensing requirements for Conditional Access for Office 365 suite, I will attempt to explain the flavors of Azure Active Directory (AAD). There are four flavors of AAD, namely:
Microsoft 365 Business includes a subset of AAD Premium P1 which does include Conditional Access.
Conditional Access for Office 365 suite is merely an enhancement to the configuration options available in Conditional Access, so license requirements will be that of Conditional Access.
Conditional Access for the Office 365 suite gives admins the ability to assign a single conditional access policy across the Office 365 suite of services and apps with one click, or one umbrella app as I like to call it.
Office 365 (Preview) is a group of applications related to one another and part of the Office 365 suite of applications. Office 365 (preview) is listed as one single app in the conditional access “cloud apps or applications” selection blade in the assignments section of a Conditional Access policy. The “single” app allows administrators of conditional access policies to target the following services all at once:This provides a consistent coverage by setting a single policy across Office 365 apps.
So now, instead of targeting individual cloud apps and potentially facing issues related to inconsistent policies and dependencies, Microsoft recommends targeting this group of applications in one policy. Administrators can of course choose to exclude specific apps from the policy if they wish by including “Office 365 (preview)” (under the “Include” tab of cloud apps and actions blade) and then excluding the specific apps of their choice (under the “exclude” tab of the cloud apps and actions blade).
In the screenshot above, Cloud apps selection blade in Conditional Access policy, one can see the new “Office 365 (preview)” app is listed first, this is intentional, so that it is easy for admins to find.
As previously mentioned, admins who might be creating Conditional Access policies with the same controls and actions for each of the individual Office 365 suite applications, can now consolidate these policies into one without inconsistencies and better integration experiences for their end users. This minimizes the amount of Conditional Access policies admins need to create and maintain going forward.
I recently presented a session at Microsoft Ignite:The Tour where I spoke about Conditional Access in the real world. I provided some examples of how granular one can get with Conditional Access policies and not just block access. When multiple Conditional Access policies apply to a user access a cloud app, all of the policies must grant access before the user can access the cloud app or resource. This doesn’t mean that users are blocked by default as some admins think is the case. If one policy blocks access, a block action trumps all other configurations and the user will be blocked and not required to satisfy any other controls.
In conclusion, if you have been applying conditional access policies to individual Office 365 apps, try out the new Office 365 suite (preview) app and create a policy in “Report-only” mode to evaluate the impact of the new configuration without impacting your users.
ENow’s Office 365 Monitoring solution is like your own personal outage detector that pertains solely to you environment. ENow’s solution monitors all crucial components including your hybrid servers, the network, and Office 365 from a single pane of glass. Knowing immediately when a problem happens, where the fault lies, and why the issue has occurred, ensures that any outages are detected and solved as quickly as possible.
I am an IT pro with years of experience in the financial services industry. Currently, I work as a Solutions Architect for NBConsult. I have experience predominantly with Microsoft enterprise technologies, but like any sysadmin, I have a good understanding of multiple vendors and OEM technologies, not to mention cloud-based SAAS and particularly IT Admin services. Started my IT career in 1999, preparing thousands of IBM OS/2 machines for “Y2K” or the “Millennium Bug” by replacing them with Microsoft Window NT 4 Workstation. Today, I do Active Directory architectures, Exchange upgrades, migrations and hybrids, Intune device management and application management, PowerShell automation, SharePoint site administration, Microsoft Flows and PowerApps, even Azure DevOps and VS Code integration.