SOLVED

We use ADFS for SSO, can we use Azure conditional access policies for apps other than Office365?

brentmattson
Occasional Contributor

We have apps like Salesforce, Concur etc. that we may like to put some conditional access policies around (force MFA, deny access based on location etc). We use on-prem ADFS 3.0 to authenticate with those apps as well as Office 365. Are we able to only use the custom rules inside of ADFS to grant/deny access, or could we somehow extend those apps to be able to use Azure conditional access like Office 365 is able to, even though we authenticate via ADFS?

3 Replies
Solution

@brentmattson Your non-O365 apps which utilize ADFS for authentication won't be able to use the Azure AD CA policies. You'll need to set up access control policies within ADFS for them since the auth requests for those apps don't touch Azure AD.
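To make the answer concrete, here is an added example (not from this thread or from Microsoft's docs) of the ADFS-side rules it refers to, on an AD FS 3.0 / Windows Server 2012 R2 farm: one rule that forces MFA for sign-ins arriving from outside the corporate network and one that denies off-network users who are not in an approved group. The relying party name "Salesforce", the group SID and a working MFA provider are assumptions.

```powershell
# Added example: enforce MFA and a location-based deny for a non-O365 relying party in ADFS.
# Assumptions: the relying party trust display name is "Salesforce" (hypothetical),
# an MFA provider is already registered in ADFS, and external traffic reaches ADFS
# through the Web Application Proxy, which is what makes the insidecorporatenetwork
# claim trustworthy (it is "false" only for requests relayed by the proxy).

$rpName = 'Salesforce'   # hypothetical relying party display name

# Additional authentication rule: when the request did not originate inside the
# corporate network, ADFS demands a second factor. Issuing the multipleauthn
# authentication-method claim is what triggers the MFA prompt.
$mfaRules = @'
@RuleName = "Require MFA from outside the corporate network"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

# Issuance authorization rules: evaluated after authentication succeeds. An issued
# deny claim always wins over a permit claim, so external users outside the approved
# group are refused even though the second rule permits everyone.
# The group SID below is a placeholder; replace it with the real group's SID.
$authzRules = @'
@RuleName = "Deny external users who are not in the remote-access group"
exists([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"])
 && NOT exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-PLACEHOLDER-GROUP-SID"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "DenyUsersWithClaim");

@RuleName = "Permit everyone else"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -AdditionalAuthenticationRules $mfaRules `
    -IssuanceAuthorizationRules $authzRules

# Read the rules back before testing a sign-in from an external client.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, AdditionalAuthenticationRules, IssuanceAuthorizationRules
```

Because the deny is keyed on the insidecorporatenetwork claim, verify in the ADFS security log (event 1200 / 1202 with the issued claims) that external requests really carry Value "false" before relying on it; if the proxy is bypassed, the claim is absent and the deny rule never fires.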

@Shawn Beckers Thanks. That's what I thought.

I thought the same thing until I stumbled on this article.  Is this a typo or is there a way to configure CA with ADFS?


https://docs.microsoft.com/en-us/azure/security/fundamentals/choose-ad-authn

Comparing methods

| Consideration | Password hash synchronization + Seamless SSO | Pass-through Authentication + Seamless SSO | Federation with AD FS |
| --- | --- | --- | --- |
| What are the Conditional Access options? | Azure AD Conditional Access, with Azure AD Premium | Azure AD Conditional Access, with Azure AD Premium | Azure AD Conditional Access, with Azure AD Premium; AD FS claim rules |