Microsoft Azure – Conditional Access policy

Posted: June 6, 2020 in Azure

A Conditional Access policy grants or blocks access to company resources based on conditions (if-then-else if-else-except).

In this example the Conditional Access policy checks the following:

  • If the user accesses from the company network (in the office), the policy is not applied and the user has unrestricted access
  • If the user accesses from outside the company network, the device is compliant (enrolled in Intune) and the user is using a managed browser (or Edge on Windows 10) or an Office 365 application, access to company resources is allowed
  • If the user accesses from outside the company network and the device is NOT compliant (not enrolled in Intune), access is blocked

Enabling modern authentication

Enable Office 365 modern authentication to solve the issue where the desktop Outlook app keeps prompting for a password: legacy (basic) authentication does not go through the Conditional Access flow, so the client never receives a token and asks for credentials again.

# Connect to Exchange Online (remote PowerShell over the standard basic-auth endpoint used at the time of writing)
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking

# Check whether modern authentication (OAuth2) is enabled
Get-OrganizationConfig | Format-Table Name,OAuth* -Auto

# If OAuth2ClientProfileEnabled is False, modern authentication is not enabled

# Enable modern authentication
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

# Verify the change and close the session
Get-OrganizationConfig | Format-Table Name,OAuth* -Auto
Remove-PSSession $Session

Creating named location(s)

Define trusted locations as IP ranges. If the user's IP address falls within these ranges, the policy won't be applied. Tick "Mark as trusted location" for the office ranges so they are also treated as trusted in sign-in risk evaluation.

In the Azure portal click Azure Active Directory - Security - Conditional Access - Named locations - New location

Creating Conditional access policy

Azure Active Directory - Security - Conditional Access - New policy

In Users and groups, specify the user group to which this policy will apply. Exclude at least one emergency-access (break-glass) account so a misconfigured policy cannot lock every administrator out.

Under Cloud apps, select the application(s) for which you need to control access

For Locations, include Any location

In Exclude, select the named location created earlier

Select the client app types this policy will apply to

Device state: Configure Yes

In Exclude, select both options, so the policy won't apply if the device is hybrid Azure AD joined (joined to on-premises AD and Azure AD) or is enrolled in Intune and compliant with all compliance policies

Under Grant, choose Grant access and select the controls that must be satisfied for access to be allowed. Start the policy in Report-only mode and switch it to On once the What If tool and the sign-in logs confirm it behaves as intended.
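The same named location and policy as a script, added here as an example; it is not code from the original post. It uses the AzureAD PowerShell module cmdlets New-AzureADMSNamedLocationPolicy and New-AzureADMSConditionalAccessPolicy. The group name, office IP ranges, break-glass UPN and display names are assumptions; the application ID is the well-known one for Office 365 Exchange Online. The portal steps exclude compliant and hybrid-joined devices from the policy and then require an approved client app; the script expresses the same decision as grant controls (compliant device OR hybrid joined OR approved app), which makes the intent visible in one place.

```powershell
# Added example (not from the original post): named location + Conditional Access policy
# via the AzureAD module (Install-Module AzureAD). Group name, IP ranges, UPN and
# display names below are placeholders.
Connect-AzureAD | Out-Null

# 1. Trusted named location for the office (assumed IP ranges)
$officeRanges = @("203.0.113.0/24", "198.51.100.10/32") | ForEach-Object {
    $r = New-Object -TypeName Microsoft.Open.MSGraph.Model.IpRange
    $r.CidrAddress = $_
    $r
}
$office = New-AzureADMSNamedLocationPolicy -OdataType "#microsoft.graph.ipNamedLocation" `
    -DisplayName "Company office" -IsTrusted $true -IpRanges $officeRanges

# 2. Target group, with a break-glass account excluded so admins are never locked out
$group = Get-AzureADGroup -SearchString "CA-Pilot-Users" | Select-Object -First 1      # assumed group
$breakGlass = Get-AzureADUser -ObjectId "breakglass@contoso.onmicrosoft.com"           # assumed UPN

# 3. Conditions: the group, Exchange Online, any location except the office, browser and desktop clients
$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeGroups = $group.ObjectId
$conditions.Users.ExcludeUsers = $breakGlass.ObjectId
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = "00000002-0000-0ff1-ce00-000000000000"   # Office 365 Exchange Online
$conditions.Locations = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessLocationCondition
$conditions.Locations.IncludeLocations = "All"
$conditions.Locations.ExcludeLocations = $office.Id
$conditions.ClientAppTypes = @("browser", "mobileAppsAndDesktopClients")

# 4. Grant controls: compliant device OR hybrid Azure AD joined OR approved client app
$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls._Operator = "OR"
$controls.BuiltInControls = @("compliantDevice", "domainJoinedDevice", "approvedApplication")

# 5. Create in report-only mode; change -State to "enabled" after validating with What If and the sign-in logs
$policy = New-AzureADMSConditionalAccessPolicy -DisplayName "Outside office: managed device or approved app" `
    -State "enabledForReportingButNotEnforced" -Conditions $conditions -GrantControls $controls
$policy | Format-List DisplayName, Id, State
```

Report-only mode records in each sign-in what the policy would have done without enforcing it, so you can check the verdict against the expected behaviour for Edge on a compliant device versus an unmanaged browser before turning the policy on.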

Evaluating the Conditional Access policy

After the policy is created, click What If

Select the user, the application to which access is evaluated, the IP address (optional), the device platform, the client app from which the resource is accessed and the device state

After clicking What If you'll see whether the policy will be applied for the specific user. This is the best place to start troubleshooting if a policy behaves unexpectedly.

If you try to access from outside the company office with an "unmanaged" browser (Opera in my case), you'll get the message below

If you try to access from Edge, you should be able to sign in to Office 365. If the policy works in an unwanted way, check whether the device you're accessing from is compliant:

Microsoft Endpoint Manager Admin Center - Devices - All devices

Check the sign-in logs:

Azure Active Directory - Sign-ins

Select the user, click Conditional Access and then the "three dots" to see which policies were evaluated, their result and the grant controls that were enforced
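The same sign-in log check from PowerShell, added here as an example and not part of the original post. It uses Get-AzureADAuditSignInLogs from the AzureADPreview module; the user principal name is an assumption. Each sign-in is printed with its Conditional Access status, device compliance, browser and the per-policy verdict, and failures are summarised per policy, which is the information the portal shows behind the "three dots".

```powershell
# Added example (not from the original post): inspect a user's recent sign-ins and the
# Conditional Access verdict per policy. Requires AzureADPreview (Install-Module AzureADPreview).
Connect-AzureAD | Out-Null
$upn = "alice@contoso.onmicrosoft.com"   # assumed user

# Most recent 25 sign-ins for the user (filter is OData on the Graph signIns resource)
$signIns = Get-AzureADAuditSignInLogs -Filter "userPrincipalName eq '$upn'" -Top 25

foreach ($s in $signIns) {
    "{0} app={1} ip={2} browser={3} compliant={4} error={5} CA={6}" -f `
        $s.CreatedDateTime, $s.AppDisplayName, $s.IpAddress, $s.DeviceDetail.Browser,
        $s.DeviceDetail.IsCompliant, $s.Status.ErrorCode, $s.ConditionalAccessStatus
    foreach ($p in $s.AppliedConditionalAccessPolicies) {
        # Result is success / failure / notApplied / notEnabled / reportOnly* ; controls tell you why
        "    policy='{0}' result={1} enforced={2}" -f `
            $p.DisplayName, $p.Result, ($p.EnforcedGrantControls -join ",")
    }
}

# Which policies are blocking this user (enforced or report-only failures), counted per policy
$signIns |
    ForEach-Object { $_.AppliedConditionalAccessPolicies } |
    Where-Object { $_.Result -in @("failure", "reportOnlyFailure") } |
    Group-Object DisplayName |
    Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize
```

If a sign-in from Edge shows compliant=False, the device itself is the problem (check it in the Endpoint Manager admin center); if compliant=True and the policy still fails, the grant controls or client app type in the policy are what need attention.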
