Figure 1: AIP now supports Conditional Access in Azure portal
Figure 2: MFA control enforced here
Figure 3: Conditions can be platform specific

In this scenario, end users receive an MFA challenge after entering their username and password when opening an AIP-protected document in Word on a Windows 10 PC. Note: the MFA requirement is satisfied at the authentication level (once per signed-in session), not per application. This means users are not prompted for MFA again when opening protected content in other Office applications such as Excel or PowerPoint on the same machine, provided they have already completed MFA in Word. Likewise, if a user had to complete MFA as part of their Windows login (for example, during first-time MFA setup or first-time login to the PC), they are not re-prompted inside the applications.

Figure 4: MFA prompt inside Office applications
Figure 5: MFA prompt inside the AIP iOS app
Figure 6: ‘Require compliant device’ control applied

The admin also needs to configure a device compliance policy in the Intune blade, as shown below. In this example scenario, the admin has configured system security settings such as ‘Require a password’ and ‘Min password length’. For details on device compliance policies and how to create them, check out the detailed blog post from the Intune team.

Figure 7: Device compliance policies created for different platforms in the Intune blade

Once the device compliance policy is deployed, each device is checked for compliance as part of the AIP app’s sign-in flow when opening protected files.

Figure 8: Error dialog in the AIP Windows app when the device is not compliant

Note: Users will be prompted to install application(s) such as the Intune Company Portal so that compliance can be verified. Read this documentation for more information.

Figure 9: Trusted network policy enabled

The location is identified by the IP address of the client used to connect to Azure Active Directory, i.e. the public egress address Azure AD sees after any NAT or proxy, so a named location must list those egress ranges rather than internal addresses. This condition requires you to be familiar with named locations and MFA trusted IPs.

Figure 10: Sign-in risk level as a condition in a conditional access policy

Azure Active Directory Identity Protection can help you detect risk events in your organization.

A couple of final things

Conditional Access policies can also be enforced when collaborating securely across organizations with Azure AD B2B collaboration, which lets organizations enforce multi-factor authentication (MFA) policies for B2B users, since MFA policies are enforced by the resource organization. And yes, if you have an on-premises MFA setup, you can use that. Please find details here.

We’re really excited about the wide range of scenarios that this lights up and hope you find it useful. For any updates and additional information, see our FAQ for conditional access. As always, we’re looking forward to your feedback.

Prerequisites: Azure Active Directory Conditional Access is a feature of Azure Active Directory Premium. Each user who accesses an application that has Conditional Access policies applied must have an Azure Active Directory Premium license.
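As an added example (not code from the original post and not Microsoft's evaluation engine), here is a small Python model of how the scenarios above combine at sign-in: the platform-specific MFA policy, the compliant-device control, the trusted-network exclusion and the sign-in-risk condition. The policy dictionaries only mimic the shape of a Conditional Access policy; the app identifier "aip", the user names, the 203.0.113.0/24 "corpnet" range and the sample sign-ins are all constructed. It shows why Excel is not re-prompted after Word (the MFA control is already satisfied in the session) and why a non-compliant device is blocked rather than challenged.

```python
"""Toy model of Conditional Access evaluation for AIP sign-ins (constructed example)."""
import ipaddress
from dataclasses import dataclass, field

# Constructed named location (RFC 5737 documentation range) standing in for
# the "MFA trusted IPs" / named-location configuration described in the post.
NAMED_LOCATIONS = {"corpnet": [ipaddress.ip_network("203.0.113.0/24")]}

# Policies in a Graph-like shape. "aip" is a placeholder application identifier.
POLICIES = [
    {
        "displayName": "AIP: MFA on Windows outside corpnet",
        "conditions": {
            "applications": {"includeApplications": ["aip"]},
            "platforms": {"includePlatforms": ["windows"]},
            "locations": {"includeLocations": ["All"], "excludeLocations": ["corpnet"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "AIP: compliant device on iOS",
        "conditions": {
            "applications": {"includeApplications": ["aip"]},
            "platforms": {"includePlatforms": ["iOS"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    },
    {
        "displayName": "AIP: MFA at medium or high sign-in risk",
        "conditions": {
            "applications": {"includeApplications": ["aip"]},
            "signInRiskLevels": ["medium", "high"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]


@dataclass
class SignIn:
    user: str
    app: str
    platform: str
    client_ip: str
    device_compliant: bool = False
    sign_in_risk: str = "none"
    # Claims already in the session token, e.g. {"mfa"} after an earlier MFA
    # challenge on the same PC. MFA is satisfied at authentication level, so a
    # second app (Excel after Word) sees the claim and is not re-prompted.
    session_claims: set = field(default_factory=set)


def in_location(ip: str, name: str) -> bool:
    """True if the client IP is inside the named location ("All" matches any IP)."""
    if name == "All":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NAMED_LOCATIONS.get(name, []))


def policy_applies(policy: dict, s: SignIn) -> bool:
    """All configured conditions must match; an absent condition matches everything."""
    c = policy["conditions"]
    if s.app not in c["applications"]["includeApplications"]:
        return False
    if "platforms" in c and s.platform not in c["platforms"]["includePlatforms"]:
        return False
    if "locations" in c:
        loc = c["locations"]
        included = any(in_location(s.client_ip, n) for n in loc.get("includeLocations", []))
        excluded = any(in_location(s.client_ip, n) for n in loc.get("excludeLocations", []))
        if not included or excluded:
            return False
    if "signInRiskLevels" in c and s.sign_in_risk not in c["signInRiskLevels"]:
        return False
    return True


def control_satisfied(control: str, s: SignIn) -> bool:
    if control == "mfa":
        return "mfa" in s.session_claims
    if control == "compliantDevice":
        return s.device_compliant
    raise ValueError(f"unknown control {control}")


def evaluate(policies: list, s: SignIn) -> tuple:
    """Return (outcome, controls); outcome is "allow", "challenge" or "block".

    Every applicable policy must be satisfied. An unmet MFA control can be met
    interactively, so it becomes a challenge; an unmet compliant-device control
    cannot, so the sign-in is blocked (the error dialog in Figure 8).
    """
    outcome, pending = "allow", set()
    for p in policies:
        if not policy_applies(p, s):
            continue
        gc = p["grantControls"]
        met = [c for c in gc["builtInControls"] if control_satisfied(c, s)]
        if gc["operator"] == "OR" and met:
            continue
        if gc["operator"] == "AND" and len(met) == len(gc["builtInControls"]):
            continue
        unmet = [c for c in gc["builtInControls"] if c not in met]
        if gc["operator"] == "OR" and "mfa" in unmet:
            unmet = ["mfa"]  # completing MFA alone satisfies an OR policy
        if unmet != ["mfa"]:
            outcome = "block"
        elif outcome != "block":
            outcome = "challenge"
        pending.update(unmet)
    return outcome, sorted(pending)


if __name__ == "__main__":
    word = SignIn("alice@contoso.example", "aip", "windows", "198.51.100.7")
    print(evaluate(POLICIES, word))   # ('challenge', ['mfa'])
    excel = SignIn("alice@contoso.example", "aip", "windows", "198.51.100.7",
                   session_claims={"mfa"})
    print(evaluate(POLICIES, excel))  # ('allow', [])
```

The same model shows the trusted-network exclusion (a Windows sign-in from 203.0.113.5 falls outside the first policy and is allowed without MFA) and the risk condition (the same corpnet sign-in at high risk is still challenged by the third policy). Real Conditional Access evaluates policies the same way in principle, every applicable policy must be satisfied, but the exact control semantics, session lifetimes and the Graph resource schema should be taken from the product documentation rather than from this sketch.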