Robert Woods
Steel Contributor
Jul 01, 2017

Conditional policies in Azure AD vs. Intune

We would like to implement conditional access policies for a group of our users through Azure AD. Are these policies different from the Conditional access policies available in Intune? Also, I was wondering if there were any pitfalls to enabling modern authentication for EXOL and Skype for business?

https://support.office.com/en-us/article/Enable-Exchange-Online-for-modern-authentication-58018196-f918-49cd-8238-56f57f38d662 

  • Joe Stocker
    Bronze Contributor

    I have not found any pitfalls to enabling modern authentication for EXO or Skype for business.

    In my experience, it may take a few days before the setting will take effect for the SFB whereas there doesn't seem to be much delay for it to begin working in EXO.

    One thing you may run into is that your Global Admins may struggle to get remote PowerShell to work after enabling MFA on their accounts. To solve this, download the latest PowerShell modules for SFB and Exchange.

    Skype PowerShell Module Download

    http://go.microsoft.com/fwlink/?LinkId=294688

    New Exchange PowerShell Module that supports MFA

    https://technet.microsoft.com/en-us/library/mt775114(v=exchg.160).aspx

    The conditional access for Intune is merging into the Azure AD Premium conditional access in the Azure portal (http://portal.azure.com).

    If you have a device enrolled in Intune, conditional access in Azure AD can leverage that to check compliance.

    https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azure-portal

      • Dean_Gross
        Silver Contributor
        In general, you are correct. The list of reasons for using ADFS is getting shorter and shorter. The need for ADFS is typically driven by other requirements.
  • Hi,

    Keep in mind that you control modern authentication with Conditional Access; legacy authentication like POP, IMAP, or EWS does not use modern authentication. So you might need to take care of these workloads, for example by turning them off in the services. In the past the recommendation was to use ADFS to block legacy auth:

    Block apps that do not use modern authentication (ADAL)

    https://docs.microsoft.com/en-us/intune/app-modern-authentication-block

    But there is an upcoming feature to allow blocking of legacy auth with Conditional Access. It is in private preview at the time of writing and will be in public preview soon. So keep an eye on Conditional Access announcements. If available you shouldn't need ADFS anymore (except if you have other special requirements for it).

    best,

    Oliver

    • Oliver Kieselbach
      MVP

      My tenants got updated today 👍 and support now Conditional Access for legacy auth:

      best,

      Oliver

      • Joonas Pakkanen
        Brass Contributor

        Hi!

        Did you get this work?

        Doesn't work for me.

        Regards, Joonas
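For the legacy-authentication block Oliver describes above, here is an added example (not posted by anyone in this thread) that creates such a Conditional Access policy in report-only mode with the Microsoft Graph PowerShell SDK and then lists recent sign-ins from legacy clients so you can see which workloads it would catch. The emergency-access account ID is a placeholder, and the installed module, scopes and sample size are assumptions.

```powershell
# Added example: report-only Conditional Access policy targeting legacy auth clients.
# Assumes the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Reports modules are
# installed and the signed-in admin can consent to the scopes below.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                        "AuditLog.Read.All", "Directory.Read.All"

# Placeholder (assumption): object ID of an emergency-access account that is
# excluded so a misconfigured policy cannot lock every admin out.
$breakGlassAccountId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "Block legacy authentication (report-only)"
    # Start in report-only mode; switch to "enabled" only after reviewing the logs.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        # "exchangeActiveSync" and "other" are the client app types that do not
        # use modern authentication (POP, IMAP, SMTP AUTH, EWS basic auth, ...).
        clientAppTypes = @("exchangeActiveSync", "other")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassAccountId)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Audit step: which recent sign-ins came from legacy clients? These are the
# mailboxes, scanners and scripts that would break once the policy is enforced.
# The clientAppUsed strings below are the values Azure AD writes to sign-in logs.
$legacyClients = @("Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP",
                   "Exchange Web Services", "Other clients")
Get-MgAuditLogSignIn -Top 500 |                       # sample size is an assumption
    Where-Object { $legacyClients -contains $_.ClientAppUsed } |
    Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, ClientAppUsed |
    Sort-Object CreatedDateTime -Descending |
    Format-Table -AutoSize
```

Review the report-only results in the sign-in logs for a couple of weeks, migrate or disable the legacy-protocol users that show up, then change `state` to `enabled`.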

  • Douglas Einck
    Copper Contributor

    Crafting CA rules for Intune, I'm noticing there are two app registrations related to Intune. Is the enrollment one literally just the initial call to register, and the other more long-term? Thanks

    1. Microsoft Intune
    2. Microsoft Intune Enrollment
