Forum Discussion
Conditional policies in Azure AD vs. Intune
We would like to implement conditional access policies for a group of our users through Azure AD. Are these policies different from the conditional access policies available in Intune? Also, I was wondering if there were any pitfalls to enabling modern authentication for EXOL and Skype for Business?
- Joe Stocker, Bronze Contributor
I have not found any pitfalls to enabling modern authentication for EXO or Skype for Business.
In my experience, it may take a few days before the setting will take effect for the SFB whereas there doesn't seem to be much delay for it to begin working in EXO.
One thing you may run into is your Global Admins may struggle to get remote PowerShell to work after enabling MFA on their accounts. To solve this, download the latest PowerShell modules for SFB and Exchange.
Skype PowerShell Module Download
http://go.microsoft.com/fwlink/?LinkId=294688
New Exchange PowerShell Module that supports MFA
https://technet.microsoft.com/en-us/library/mt775114(v=exchg.160).aspx
The conditional access for Intune is merging into the Azure AD Premium conditional access in the Azure portal (http://portal.azure.com).
If you have a device enrolled in Intune, conditional access in Azure AD can leverage that to check compliance.
- Robert Woods, Steel Contributor
Joe Stocker, and there is no ADFS requirement for any of this to work, correct?
- Dean_Gross, Silver Contributor
In general you are correct. The list of reasons for using ADFS is getting shorter and shorter. The need for ADFS is typically driven by other requirements.
Hi,
Keep in mind that you control modern authentication with Conditional Access; legacy authentication like POP, IMAP, or EWS is not using modern authentication. So you might need to take care of these workloads. For example, turn them off in the services... In the past the recommendation was to use ADFS to block legacy auth:
Block apps that do not use modern authentication (ADAL)
https://docs.microsoft.com/en-us/intune/app-modern-authentication-block
But there is an upcoming feature to allow blocking of legacy auth with Conditional Access. It is in private preview at the time of writing and will be in public preview soon. So keep an eye on Conditional Access announcements. If available you shouldn't need ADFS anymore (except if you have other special requirements for it).
best,
Oliver
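Before blocking legacy authentication as described in the post above, it helps to know which accounts still sign in over those protocols. The following is an added example, not code from the thread or from Microsoft: it tallies legacy-protocol sign-ins per user from an exported sign-in log. The field names (`userPrincipalName`, `clientAppUsed`, `status.errorCode`) are assumed to follow the Azure AD sign-in log export, and the sample records are constructed.

```python
import json
from collections import defaultdict

# POP, IMAP and EWS are the protocols named in the post; the last two entries
# are assumptions added for this example.
LEGACY_CLIENT_APPS = {"pop3", "imap4", "exchange web services",
                      "authenticated smtp", "other clients"}

# Constructed sample export; users, protocols and error codes are made up.
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "IMAP4",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "Alice@Contoso.example", "clientAppUsed": "IMAP4",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Browser",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example",
     "clientAppUsed": "Exchange Web Services", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "POP3",
     "status": {"errorCode": 50126}},
    {"userPrincipalName": "carol@contoso.example",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "status": {"errorCode": 0}},
])

def legacy_auth_inventory(raw_json):
    """Map user -> protocol -> {'ok': n, 'failed': m} for legacy-auth sign-ins."""
    inventory = defaultdict(lambda: defaultdict(lambda: {"ok": 0, "failed": 0}))
    for rec in json.loads(raw_json):
        app = (rec.get("clientAppUsed") or "").strip()
        if app.lower() not in LEGACY_CLIENT_APPS:
            continue  # modern-auth clients are already handled by Conditional Access
        # Normalise case so one account is not counted as two users.
        user = (rec.get("userPrincipalName") or "<unknown>").lower()
        # errorCode 0 is a successful sign-in: a real dependency on the protocol.
        # Failures only show attempts and do not prove the account needs it.
        ok = (rec.get("status") or {}).get("errorCode") == 0
        inventory[user][app]["ok" if ok else "failed"] += 1
    return {user: dict(apps) for user, apps in inventory.items()}

if __name__ == "__main__":
    for user, apps in sorted(legacy_auth_inventory(SAMPLE_SIGNINS).items()):
        for app, counts in sorted(apps.items()):
            print(f"{user:26} {app:24} ok={counts['ok']} failed={counts['failed']}")
```

Accounts with successful legacy sign-ins need a client change or an exception before the block is enforced; accounts with only failed attempts do not.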
My tenants got updated today 👍 and now support Conditional Access for legacy auth:
best,
Oliver
- Joonas Pakkanen, Brass Contributor
Hi!
Did you get this to work?
Doesn't work for me.
Regards, Joonas
- Douglas Einck, Copper Contributor
Crafting CA rules for Intune, noticing there are two app registrations related to Intune. Is the enrollment one literally just the initial call to register and the other more long-term or? Thanks
- Microsoft Intune
- Microsoft Intune Enrollment