Set Up Conditional Access with Microsoft Search in Bing
Published Aug 13 2019 07:08 AM 34.4K Views
Microsoft

Introduction

Have you ever needed a way to allow some users to access Microsoft Search in Bing, while excluding others? Perhaps you want to exclude users who haven’t yet taken an orientation session, or perhaps you want to roll out this feature in stages. Well, you’re in luck! In this article, you’ll learn how to do exactly that, using a feature known as Conditional Access.  With it, you can easily deploy Microsoft Search in Bing to any set of users you choose.

Assuming that you have administrative permissions and a licensing option that enables Conditional Access to Microsoft Search, here’s how to use it to limit access to Microsoft Search in Bing to a specific subset of users. If you haven’t done this before, now is a good time to review best practices for conditional access to ensure that you don’t accidentally lock yourself out.

 

Verify Access

You should start by assigning a test user. Once you have a test account prepared, the first step is to verify that the test account can access Microsoft Search in Bing.

Open your browser and sign in with your test account to bing.com using the “Work or school account” option.

 

Figure 1 – Sign in with the “Work or school account” option

 

Type “my files” into the Bing search box to verify that Microsoft Search in Bing is working. You should see a result that looks something like this:

 

Figure 2 – Verify that Microsoft Search in Bing is working

 

Success! You now know your test account can access Microsoft Search in Bing. Now, let’s exclude this account via Conditional Access.

 

Enable Conditional Access

Start by signing in to the AAD admin center as a global admin, via the Microsoft Search in Bing - Getting Started. From the Security menu, choose Conditional Access.

Figure 3 – Use the guidance in the Get started section to create your first policy.

 

Tip: You can place Conditional Access (or any other frequently used resource) in the “Favorites” area of the left column by selecting “All services”, searching for the word “conditional”, and then clicking the star next to the search result.

 

Figure 4 – To add Conditional Access to Favorites, select All Services (1), search for Conditional (2), and click the star (3).

 

Click New policy and give it a name.

  1. Let’s include our test user.
  2. Click Assignments > Users and groups
  3. Then, on the Include tab, Select Users and groups
  4. Select ‘test user’
  5. Then, switch to the Exclude tab and select your admin account
  6. Click Done when both selections have been made

Figure 5 – On the Include tab, add Test user. On the Exclude tab, add your admin user account. (This would be a critical step if you applied Conditional Access to “All users.”) Then name your new policy.

 

In the screenshot on the right of Figure 5, we’ve chosen to exclude the administrative account from this test policy—you don’t want to lock yourself out if you apply a policy like this to all users! Remember, a policy designed to block access won’t affect anyone who is excluded from the policy.

  1. The next step is to include the app or service we want our conditional access policy to apply to. In this case, it’s Microsoft Search in Bing. Verify that it is included under “Cloud apps or actions.”

 

Figure 6 – The system will warn you if you try to exclude administrative roles—but be careful!

 

You’re almost there! Now that you’ve selected the users who will and won’t be affected, and the app this policy applies to, you just have to tell the policy what to do when it’s in effect. In this case, you want it to “Block.” So, select Block from Access controls > Grant, then click Select.

 

Figure 7 – Set the Grant value to “Block access” for the user(s) you want to block.

 

  1. When all of these steps are completed, set Enable policy to ‘On’ and then click Create to create the new policy.
  2. After a brief validation step, you should see a “Validation Successful” message and the new policy appears under Policies. It’s time to test your new policy!
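The policy built in the steps above can also be written down as data and checked for lockout risk before it is enabled. The following is an added example, not part of the original article: it uses the field names of the Microsoft Graph conditionalAccessPolicy resource, all IDs are constructed placeholders, and `would_block` and `lockout_findings` are hypothetical helpers that only model direct user assignments (no groups or roles).

```python
# Added example: a block policy in the shape of Microsoft Graph's
# conditionalAccessPolicy resource. Every ID below is a constructed placeholder.
TEST_USER = "11111111-1111-1111-1111-111111111111"   # placeholder object ID
ADMIN_USER = "22222222-2222-2222-2222-222222222222"  # placeholder object ID
SEARCH_APP = "00000000-0000-0000-0000-00000000aaaa"  # placeholder app ID

policy = {
    "displayName": "Block Microsoft Search in Bing - test user",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": [TEST_USER], "excludeUsers": [ADMIN_USER]},
        "applications": {"includeApplications": [SEARCH_APP]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

def in_scope(included, value):
    """True when a value is listed explicitly or covered by the 'All' keyword."""
    return "All" in included or value in included

def would_block(policy, user_id, app_id):
    """Simplified What If for direct user assignments: exclusions beat inclusions."""
    users = policy["conditions"]["users"]
    apps = policy["conditions"]["applications"]
    if policy["state"] != "enabled" or user_id in users.get("excludeUsers", []):
        return False
    return ("block" in policy["grantControls"]["builtInControls"]
            and in_scope(users.get("includeUsers", []), user_id)
            and in_scope(apps.get("includeApplications", []), app_id))

def lockout_findings(policy, admin_ids):
    """List the admin accounts that an enabled block policy would lock out."""
    apps = policy["conditions"]["applications"].get("includeApplications", [])
    findings = []
    for admin in admin_ids:
        hit = [a for a in apps if would_block(policy, admin, a)]
        if hit:
            findings.append(f"{admin} is blocked from {', '.join(hit)}")
    return findings

if __name__ == "__main__":
    print(would_block(policy, TEST_USER, SEARCH_APP))   # test user is blocked
    print(lockout_findings(policy, [ADMIN_USER]))       # admin is excluded
```

Running the same check against a variant that targets “All” users with an empty Exclude list reports the admin account as locked out, which is the situation the Exclude tab step is there to prevent.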

 

Test with the “What If” tool

The “What If” tool tests the impact of conditional access on a user when signing in under certain conditions. As the policy you created is designed to block access for “test user”, you start by selecting that user. Then, click “What If” to see what policies, if any, will affect this user.

 


 

If you’ve done everything right, you should see something like this:

 

Figure 8 – The ‘What If’ tool

 

Congratulations! You have successfully enabled conditional access. You can verify this by attempting to access Microsoft Search in Bing with the test user account. You will find that it is indeed blocked from signing in at the Bing sign-in screen. (Regular web searches with Bing still work, however.)

 

Figure 9 – It works!

 

After any sign-in attempt has been made, the event is captured in the Sign-in events log. As an admin, you can access a complete list of sign-in events by clicking on the graph on the main Overview screen.

 

Figure 10 – Click the graph on the Overview screen to see this list of sign-in events.

 

Figure 11 – The list of sign-in events can be filtered by user. Here, we see the results of searching for “test”

 

Let’s take a closer look at that ‘Failure’ event:

 

Figure 12 – The Failure event details screen includes error codes, failure reasons, and other details.
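The same sign-in events can be reviewed in bulk to confirm that a block policy is only hitting the users it was meant for. The following is an added example, not part of the original article: the events are constructed, the field names follow the Microsoft Graph signIn resource, the users and policy name are made up, and `blocked_by` and `unexpected_blocks` are hypothetical helpers.

```python
# Added example: constructed sign-in events using field names from the
# Microsoft Graph signIn resource. Users and policy name are made up.
POLICY = "Block Microsoft Search in Bing - test user"
CA_BLOCKED = 53003  # Azure AD error code: blocked by Conditional Access

def event(upn, app, ca_status, code, results):
    """Build one constructed event; results maps policy name -> result."""
    return {
        "userPrincipalName": upn,
        "appDisplayName": app,
        "conditionalAccessStatus": ca_status,
        "status": {"errorCode": code},
        "appliedConditionalAccessPolicies": [
            {"displayName": name, "result": res} for name, res in results.items()
        ],
    }

SAMPLE_EVENTS = [
    event("testuser@contoso.example", "Microsoft Search in Bing",
          "failure", CA_BLOCKED, {POLICY: "failure"}),
    event("admin@contoso.example", "Microsoft Search in Bing",
          "success", 0, {POLICY: "notApplied"}),
    event("alice@contoso.example", "Microsoft Search in Bing",
          "failure", CA_BLOCKED, {POLICY: "failure"}),
    event("testuser@contoso.example", "Azure Portal", "notApplied", 0, {}),
]

def blocked_by(events, policy_name):
    """Return (user, app) pairs for sign-ins that the named policy blocked."""
    hits = []
    for e in events:
        if (e["conditionalAccessStatus"] != "failure"
                or e["status"]["errorCode"] != CA_BLOCKED):
            continue
        for p in e["appliedConditionalAccessPolicies"]:
            if p["displayName"] == policy_name and p["result"] == "failure":
                hits.append((e["userPrincipalName"], e["appDisplayName"]))
    return hits

def unexpected_blocks(events, policy_name, intended_users):
    """Blocked users who were not meant to be in the policy's scope."""
    blocked = {user for user, _ in blocked_by(events, policy_name)}
    return sorted(blocked - set(intended_users))
```

With only the test user intended to be in scope, `unexpected_blocks` flags the constructed `alice@contoso.example` entry, the kind of result worth checking before widening the policy to more users.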

 

Deploy the Policy

Now you are ready to set up Conditional Access for actual users in your organization by applying this policy to their accounts.

 

If you run into trouble, try typing a query such as “how to configure conditional access” into the “Virtual assistant” found in the Azure Active Directory admin center under Troubleshooting + Support.

 

Figure 13 – The Virtual Assistant can provide guidance on many different topics. Try it if you get stuck.

For more information

See https://docs.microsoft.com/azure/active-directory/conditional-access/ for additional details.

3 Comments
Steel Contributor

Another great example of conditional access. Great job, much appreciated!

Would you only use this to block selected users or could you include options such as MFA or trusted devices are allowed to use Search and other devices cannot (so the sort of opposite of what you described here) and if so does this mean you get an MFA prompt if you visit bing.com?

Microsoft

Brian: I will test this ASAP, but I expect that it will work as you've described when you attempt to sign in. MFA is definitely supported in Conditional Access scenarios.

Version history
Last update: Aug 13 2019 07:07 AM