
Conditional policies in Azure AD vs. Intune


We are planning to deploy ODB for about 10000 users.

The main issue right now is controlling the access and dealing with compliance.

There are a few things that I need some clarification on;

The end goal here is to have MFA prompts for internal/external users who try to access SPO/ODB from outside of trusted networks, regardless of the devices being managed/unmanaged.

First;

We already have MFA set up over here with DUO Mobile Security; can the same MFA be used for O365 when users access resources outside of the trusted network?

Secondly;

For device management (MDM) there is Airwatch in place already that has all the managed devices registered.

We are intending to use Azure Conditional Access control for this scenario, but the documentation says that the MDM used for this is Intune. My question is: can the current MDM, Airwatch, be used to feed information to Azure AD policies about a device being compliant or not?

This is what we intend to apply to control access from unmanaged devices that are not on the network.

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-technica...

3 Replies

If you want to use a custom MFA provider, you have to federate with your on-premises AD or use 3rd party federation. Azure AD Conditional Access only supports Azure MFA as a second factor.

Hi Vasil,

Thank you for the quick response.

Would the following hold true? If yes, then maybe a custom MFA provider could be used with AAD Conditional Access.

Source: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azuread-...

Configure federation services to provide multi-factor authentication

For federated tenants, MFA may be performed by Azure Active Directory or by the on-premises AD FS server.

By default, MFA will occur at a page hosted by Azure Active Directory. To configure MFA on-premises, the -SupportsMFA property must be set to true in Azure Active Directory, by using the Azure AD module for Windows PowerShell.

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azuread-...
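The quoted documentation describes setting the -SupportsMFA federation property so that a Conditional Access MFA requirement is satisfied by the on-premises AD FS server rather than the Azure MFA page. The script below is an added example, not code from the thread or from Microsoft's documentation; it assumes the MSOnline (Azure AD v1) PowerShell module mentioned above, an account allowed to change domain federation settings, and a placeholder domain name that must be replaced.

```powershell
# Added example: check and enable on-premises MFA for a federated domain.
# Assumes the MSOnline module (Azure AD module for Windows PowerShell) is installed.
# 'contoso.example' is a placeholder; replace it with the federated domain.
$domain = 'contoso.example'

Connect-MsolService

# Only federated domains carry federation settings; a managed (cloud-only)
# domain returns nothing here, and -SupportsMFA does not apply to it.
$settings = Get-MsolDomainFederationSettings -DomainName $domain -ErrorAction SilentlyContinue
if (-not $settings) {
    throw "$domain is not a federated domain; -SupportsMFA only applies to federated domains."
}

Write-Output "Current SupportsMFA value for ${domain}: $($settings.SupportsMFA)"

# With SupportsMFA set, Azure AD redirects MFA to the federation server instead
# of prompting on its own page, so the AD FS MFA policy (e.g. a third-party
# adapter such as the Duo one discussed above) is what actually enforces it.
if (-not $settings.SupportsMFA) {
    Set-MsolDomainFederationSettings -DomainName $domain -SupportsMFA $true
    Write-Output "SupportsMFA enabled for $domain."
}

# Re-read the settings to confirm the change took effect.
$confirmed = (Get-MsolDomainFederationSettings -DomainName $domain).SupportsMFA
Write-Output "Confirmed SupportsMFA value for ${domain}: $confirmed"
```

Once SupportsMFA is true, Azure AD trusts the federation server's claim that MFA was performed, so the AD FS side must genuinely require the second factor for the external-access scenario described in the thread; otherwise the Conditional Access policy is satisfied without any MFA prompt. Check the AD FS additional-authentication rules alongside the Azure AD setting rather than relying on either alone.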

Yes, with AD FS (or third party federation solution) you can use custom providers, but it requires you to have the domain federated. And if you are federated, you can implement the conditional policies on the AD FS server, no need to pay the Azure AD Premium license for AAD Conditional access.
