Conditional Access is now part of Microsoft 365 Business!
Published Jun 12 2019 10:26 AM by Ashanka Iddya (Microsoft)

Over the past several months you’ve told us that adding Conditional Access to Microsoft 365 Business would help it secure SMB customers more comprehensively. Today, we are excited to announce the availability of Conditional Access for Microsoft 365 Business subscribers, enabling small and medium-sized businesses to enforce granular control on how company resources are accessed. Conditional Access policies and configurations available to Microsoft 365 Business subscribers are the same as those available to Azure Active Directory Premium P1 subscribers.


Why is Conditional Access important?
Are you concerned that employees at your company can access sensitive business data from mobile phones and personal or home devices that have no oversight?


Are you concerned that employees are downloading company data to personal apps and storage locations that cannot be wiped when they leave?


Do you want to ensure that employees can only access company resources from certain locations and block access from everywhere else?

Conditional Access helps you do exactly that! Conditional Access evaluates every sign-in to Azure AD against the policies you configure, so you keep control over how and where your company data is accessed. You define exact criteria for who can gain access, and a sign-in that doesn't meet them is either blocked or asked to satisfy an additional control such as MFA. The criteria can be based on factors like the type of device, app and location.


Benefits of Conditional Access
There was a time when keeping business data behind the firewall of your office network and limiting access from the outside world seemed like enough to protect your business. Today, company information lives in the cloud and employees need to reach it from a variety of locations and devices. Conditional Access is a building block of a Zero Trust approach: it lets you provide that access while maintaining control over where, when and who is connecting to your Office 365 environment, so you can protect company assets while keeping employees productive from anywhere.

For example, you can define a Conditional Access policy that evaluates sign-ins from mobile devices to Exchange Online and requires an approved client app, so employees must use Outlook for iOS and Android to reach their work email and calendar; native mail clients and third-party apps that cannot satisfy the control are refused. This gives your organization the security and productivity advantages of an email and calendar app built specifically for the Office 365 cloud.


Fig 1. App-based conditional access policy for access to Exchange Online.

Conditional Access and Azure Multi-Factor Authentication
Microsoft 365 Business includes Azure Multi-Factor Authentication (MFA) capabilities that you can combine with Conditional Access policies to gain additional assurance that a sign-in is being made by the account's legitimate owner. For example, you could create a single policy that requires MFA when someone signs in from a location that is not trusted (for example, a country in which you don't do business). Trusted locations are defined as named locations (IP ranges or countries) in Conditional Access and are matched on the source IP address of the sign-in, so keep trusted ranges limited to addresses you actually control. This way, a user signing in from a known location can still gain access to company resources, while a user signing in from an untrusted location will be required to verify their identity through MFA before getting access.
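The two policies described above (the approved-app requirement for Exchange Online from Fig. 1, and MFA outside trusted named locations), written as the Microsoft Graph conditionalAccessPolicy request bodies the portal creates for you, and then evaluated offline against a few constructed sign-ins. This is an added example, not code from the post or from Microsoft: the named-location GUID, the IP ranges, the user and the sign-ins are all constructed, and the evaluator is a simplified model of how the service combines policies (it ignores groups, roles, device state, sign-in risk and session controls). It goes one step beyond the post by adding a third policy that blocks legacy authentication, because legacy clients can never satisfy an MFA or approved-app control and are the usual way such policies get bypassed.

```python
"""Added example (not Microsoft's code): the post's Conditional Access policies as
Microsoft Graph conditionalAccessPolicy bodies, plus a simplified offline evaluator.
A policy applies when every condition it configures matches the sign-in; then the
grant controls of all applying policies are enforced, and a 'block' in any one wins."""
import ipaddress

EXCHANGE_ONLINE = "00000002-0000-0ff1-ce00-000000000000"  # well-known Exchange Online app ID

# Assumed tenant data: one trusted named location (Conditional Access > Named locations).
# The GUID and the IP ranges are constructed for this example.
NAMED_LOCATIONS = {
    "4b5d1c2e-0000-4000-8000-000000000001": {
        "displayName": "HQ office", "isTrusted": True,
        "ipRanges": ["203.0.113.0/24", "198.51.100.10/32"],
    },
}

def _policy(name, controls, **conditions):
    """Graph request body for one policy; users and applications default to All."""
    conditions.setdefault("users", {"includeUsers": ["All"]})
    conditions.setdefault("applications", {"includeApplications": ["All"]})
    return {"displayName": name, "state": "enabled", "conditions": conditions,
            "grantControls": {"operator": "OR", "builtInControls": controls}}

POLICIES = [
    # Policy 1 (Fig. 1): Exchange Online from iOS/Android only through an approved client app.
    _policy("Exchange Online: require approved app on iOS/Android", ["approvedApplication"],
            applications={"includeApplications": [EXCHANGE_ONLINE]},
            platforms={"includePlatforms": ["iOS", "android"]},
            clientAppTypes=["mobileAppsAndDesktopClients"]),
    # Policy 2: MFA for any sign-in that does not come from a trusted named location.
    _policy("Require MFA outside trusted locations", ["mfa"],
            locations={"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}),
    # Policy 3 (beyond the post): block legacy authentication, which can never satisfy MFA.
    _policy("Block legacy authentication", ["block"],
            clientAppTypes=["exchangeActiveSync", "other"]),
]

def location_ids_for(ip):
    """Named-location IDs whose ranges contain ip, plus 'AllTrusted' if any of them is trusted."""
    addr = ipaddress.ip_address(ip)
    hits = set()
    for loc_id, loc in NAMED_LOCATIONS.items():
        if any(addr in ipaddress.ip_network(r) for r in loc["ipRanges"]):
            hits.add(loc_id)
            if loc["isTrusted"]:
                hits.add("AllTrusted")
    return hits

def _in_scope(include, exclude, values):
    """Included by 'All'/'all' or a direct match, unless any exclude entry matches."""
    included = bool({"All", "all"} & set(include)) or bool(set(include) & values)
    return included and not (set(exclude) & values)

def policy_applies(policy, signin):
    """True when the policy is enabled and every condition it configures matches."""
    if policy["state"] != "enabled":
        return False
    c = policy["conditions"]
    facts = {  # condition -> (include key, exclude key, values taken from the sign-in)
        "users": ("includeUsers", "excludeUsers", {signin["user"]}),
        "applications": ("includeApplications", "excludeApplications", {signin["app"]}),
        "platforms": ("includePlatforms", "excludePlatforms", {signin["platform"]}),
        "locations": ("includeLocations", "excludeLocations", location_ids_for(signin["ip"])),
    }
    for key, (inc, exc, values) in facts.items():
        if key in c and not _in_scope(c[key].get(inc, []), c[key].get(exc, []), values):
            return False
    types = c.get("clientAppTypes", ["all"])
    return "all" in types or signin["clientAppType"] in types

def evaluate(signin, policies=POLICIES):
    """'block', 'grant', or 'needs_control' with the controls each applying policy still lacks.
    Operator OR: any one listed control satisfies the policy; AND: all of them are needed."""
    applied = [p for p in policies if policy_applies(p, signin)]
    names = [p["displayName"] for p in applied]
    if any("block" in p["grantControls"]["builtInControls"] for p in applied):
        return {"decision": "block", "applied": names, "missing": []}
    presented = set(signin.get("presentedControls", ()))
    missing = []
    for p in applied:
        g = p["grantControls"]
        need = set(g["builtInControls"])
        ok = bool(need & presented) if g["operator"] == "OR" else need <= presented
        if not ok:
            missing.append((p["displayName"], sorted(need - presented)))
    return {"decision": "grant" if not missing else "needs_control", "applied": names, "missing": missing}

def _signin(platform, client_type, ip, *controls):
    return dict(user="alice", app=EXCHANGE_ONLINE, platform=platform,
                clientAppType=client_type, ip=ip, presentedControls=list(controls))

SIGNINS = {  # constructed sample sign-ins, not real telemetry
    "outlook_ios_from_hq": _signin("iOS", "mobileAppsAndDesktopClients", "203.0.113.10", "approvedApplication"),
    "native_mail_ios_from_cafe": _signin("iOS", "mobileAppsAndDesktopClients", "192.0.2.5"),
    "imap_from_hq": _signin("windows", "other", "203.0.113.10", "mfa"),
    "browser_from_home_with_mfa": _signin("windows", "browser", "192.0.2.77", "mfa"),
}
```

Running `evaluate` over the four sample sign-ins shows the interplay the post describes: Outlook for iOS from the trusted office range is granted outright (policy 1 is satisfied, policy 2 is excluded by the trusted location); the native iOS mail app from a cafe is held until it presents both an approved app and MFA; an IMAP client is blocked even from the office, because the legacy-auth policy has no location exclusion; and a browser sign-in from home with MFA is granted. To create the same policies in a tenant, POST each body in `POLICIES` to `https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies` with the `Policy.ReadWrite.ConditionalAccess` permission, but set `state` to `enabledForReportingButNotEnforced` first and read the report-only results in the sign-in logs before enforcing, and exclude at least one emergency-access account from the MFA and block policies so a misconfiguration cannot lock every administrator out.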


Enabling Conditional Access
Microsoft 365 Business customers can enable Conditional Access from the Azure Active Directory settings in the Azure portal (Azure Active Directory > Security > Conditional Access). For more information on how to configure Conditional Access policies, please see the article What is Conditional Access.


Microsoft 365 Business: A comprehensive security solution for SMBs
With Microsoft 365 Business, you have access to a comprehensive security solution specifically designed and priced for organizations with up to 300 users. Ever since the launch of Microsoft 365 Business in October 2017, we've been incorporating customer and partner feedback and evolving Microsoft 365 Business to meet the needs of a changing security landscape. For more information on the features available in Microsoft 365 Business, please refer to the Microsoft 365 Business Service Description.


Frequently Asked Questions:

1.  What features are included under Conditional Access in Microsoft 365 Business?

Conditional Access policies and configurations available to Microsoft 365 Business subscribers are the same as those available to Azure Active Directory Premium P1 subscribers.

This includes:

  • User targeting based on username, group and role
  • Per-app targeting
  • By location – only allow access from trusted IP ranges (named locations) or specific countries
  • By client app type – browser, mobile and desktop apps using modern authentication, and legacy authentication clients
  • Require MFA
  • Require a compliant or hybrid Azure AD joined device
  • Require approved client apps (apps that use Intune app protection)
  • Custom authentication factors (custom controls) – MFA with third-party MFA providers (e.g. Duo or RSA)

2.  Does this mean that Azure Active Directory Premium P1 is now included in Microsoft 365 Business?

No, Azure AD Premium P1 (AADP P1) is not included in Microsoft 365 Business. Microsoft 365 Business subscribers are entitled to the AADP P1 features most relevant to small and medium-sized businesses:

  • Self-service password reset for hybrid Azure AD accounts
  • Azure Multi-Factor Authentication
  • Conditional Access

3.  Is Conditional Access available to Office 365 Business Premium subscribers?

No, Conditional Access is not available to Office 365 Business Premium subscribers; it is a Microsoft 365 Business entitlement.


4.  When will Conditional Access be available to Microsoft 365 Business Subscribers?

Conditional Access is already available for all Microsoft 365 Business subscribers. Customers can configure granular Conditional Access policies via the Azure Active Directory settings in the Azure portal.


54 Comments

I just have to say, this is some of the best news for Microsoft 365 Business ever. Finally this SKU is something we can truly sell with confidence to anyone within the space below 300 seats. Thank you.

This is a really huge improvement! I have a lot of customers whom this announcement will make happy. Thanks. :thumbs_up:

Copper Contributor

This quite literally made my day. Thank you again Ashanka, your dedication to this product and going to bat for the SMB is very much appreciated. I am going to throw a party, I think...

Brass Contributor

Outstanding news! 

Brass Contributor

This is very good news! This "package" will be a hit this year among the solutions for the SMB market.

Great News!!! 

A game changer in security for Small and Medium Business space. 

Copper Contributor

Now please add GPO capability to the Office that comes with M365B, that would be smashing.

Copper Contributor

@WelshWizard, what features from GPO are you wanting? Anything in particular that you can't achieve with Intune? Note that GPOs apply specifically to ProPlus, but Intune can be used to deploy and manipulate several settings in Office, including Business edition.

Copper Contributor

Fantastic news and really makes this SKU an easy choice for most SMBs. Thanks!

Copper Contributor

Does that include the GCC license platforms?

Copper Contributor

Very helpful

THANKS to Microsoft 


@Ashanka Iddya wrote: (quotes the full announcement above)

Copper Contributor
Does this mean Microsoft 365 now includes the "MDM auto-enrollment, Self-Service BitLocker recovery, Additional local administrators to Windows 10 devices via Azure AD Join, Enterprise State Roaming" and "Advanced group features?"
Brass Contributor

Awesome news! This will really help our small businesses better meet compliance and security requirements.

All of the details are here :

 

https://docs.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-business-service-descri...

 

BitLocker and auto-enrollment have been there for a long time.

 

Copper Contributor

This is a massive addition. Great news. I think the last piece of the puzzle for me would be Dynamic Groups. Makes Intune auto-enrolment, policies etc. fully automated as the device automatically goes into the relevant groups as soon as it is synced to AAD.

Copper Contributor

Great news - any chance of making the Microsoft 365 Business licence available for IUR?

 

 

Copper Contributor

Great news :)

Iron Contributor

Is there any document that highlights what parts of AADP1 are *not* included in M365B? Conditional Access is awesome but wondering if trusted IPs are also included? A table comparing what's in/out would be awesome. Thank you!

Named Locations (aka IP ranges) are a part of the Conditional Access feature. You shouldn't define locations or IP addresses anywhere else anyway @David Wanderer

Iron Contributor

@Jan Ketil Skanke, I usually define IPs in MFA/service settings so users on site (in most situations) won't get prompted for MFA. Is there another way I should be doing this?

@David Wanderer yes there is. I recommend you use Named Locations under Conditional Access.

 

 

Copper Contributor

I cannot get Azure MFA NPS Extension to work with a tenant only having Microsoft 365 Business licenses assigned.

The PowerShell script throws the error "New-MsolServicePrincipalCredential : Service principal was not found.", which is normally because the tenant has no Azure AD Premium licenses assigned.

So don't "Microsoft 365 Business" licences include support for the Azure MFA NPS Extension?

Copper Contributor

the link to the Business Service Descriptions doesn't work.

 

Copper Contributor

Hi @markahodges , I see you had expressed some confusion as to what the differences are between Office 365 Business Premium and Microsoft 365 Business (latter being more inclusive/more products and functionality). I have a free licensing guide available that is probably simpler than anything published by Microsoft. But the official "service description" for Microsoft 365 Business, which includes a comparison of features to Office 365 Business Premium is also available from Microsoft.

Copper Contributor

After I posted it I realized I was confusing the 2 options, but I still need to read your guide.

 

Thanks for the info.

Copper Contributor

After reading this I sold my customer MS 365 Business just to realize that it is not true!

It does not give access to Cond. Access

https://docs.microsoft.com/en-us/microsoft-365/business/support/microsoft-365-business-faqs

 

Hi @LilleLars, look at the updated https://docs.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/mi.... Conditional Access is here. I have just signed in to M365 Business and see this in the console.

 

But be careful, not all rules in CA policies are included in Business, like sign-in risk levels and so on.

 

In any case, you can leverage the baseline CA policies, which are definitely available.

Microsoft

Hi @LilleLars  

 

Conditional Access is definitely available to Microsoft 365 Business customers. This is a case of the FAQ document not being updated. Thanks for the flag! We'll get it updated shortly. Apologies for the confusion! 

Copper Contributor

Okay, I will try again.

Will my AD version change to P1 or...?

Thank you

 

Copper Contributor

Ah, I see AD Plan 1 but limited...

Really confusing...

Limited to: self-service password reset for hybrid Azure, Azure MFA and CA.

Brass Contributor

Just need to be able to add "Phone System" on now and we will almost have the definitive product!

 

Copper Contributor

Can anyone advise if the MFA would extend to an on-premises RDS platform or is it purely for the Office 365 tenancy? With Azure AD P1 MFA you can extend this to either an on-premises or Azure-based RDS / Citrix platform so they will get prompted when working remotely from the office, but one of my engineers is getting errors when trying to do this with the M365 Business licence.

 

Has anyone tried securing an on-premises platform with MFA from M365B?

 

Thanks

Copper Contributor

@DannyH365 if you mean using Azure MFA for NPS extension, yes I have tried and it failed - did not work. The NPS extension seems to require a real AAD Prem P1 license.

Copper Contributor

@Ulrik Andreassen do you know of any way, using the M365B licence, we can secure an on-premises RDS server with the MFA provided without going to AADP1?

Copper Contributor

@DannyH365 , @Ulrik Andreassen ...interesting to hear this did not work for you. I usually have at least one (or more) admin accounts (that don't need productivity software) with EM+S licenses, so I haven't run into this limitation (because my tenant has AAD P1 or even P2).  But, according to the Microsoft 365 Business service description, Azure MFA should be included. And with the hybrid support that was announced earlier this year, I would think, should include the ability to secure your on-premises RDS instance using the NPS extension. @Ashanka Iddya, is it mistake on the service description (to include Azure MFA) or is there something amiss on the technical side?

Copper Contributor

Hi @Ashanka Iddya 

 

Does the Conditional Access in M365 Business include the ability to restrict downloads from both SharePoint and Exchange Online (use app enforced restrictions)? It would certainly be easier to restrict downloading of files than to set up WIP for unmanaged device access for both Exchange and SharePoint.

 

--Tracy

Copper Contributor

Can anyone confirm if M365 includes license to provide the ability to use  Azure MFA for NPS extension?

 

According to this doc below, "Microsoft 365 Business" should have the required license.

https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-licensing

 

Copper Contributor

@jtchi - I have a ticket open with Microsoft about this as there are a few documents that would indicate that M365 Biz should allow Azure MFA, but I know that this does not work with the NPS extension or Application Proxy.

 

I will update once I hear anything more from MS, but this ticket has been open now for over 3 months.

Microsoft

Hi @DannyH365 and @jtchi 

 

I work on the engineering roadmap for M365B and I can confirm that the NPS extension is not supported in M365B. We are however working with the Azure AD team to investigate this issue and recommend a fix. I don't have anything that I can share yet externally but wanted to assure you that we are working on addressing this issue. We will send an update as soon as we can announce something.

Copper Contributor

Hi @Ashanka Iddya and @DannyH365 

 

Thanks for the confirmation and hope that we will get this issue resolved soon.

 

 

Copper Contributor

For conditional access, do we need a separate licence for each individual user? Or can we purchase the licence for a small group and have them use the conditional access features? 

Copper Contributor

You get conditional access with M365 Business but only for the Office365 Stack this cannot be rolled out to 3rd party applications or platforms.

 

Hi @DannyH365 I do not believe that is correct. The article clearly states that it is the same Conditional Access that is included with Azure AD Premium P1, which means it has the same capabilities, even though we don't have the full version of AAD P1 (yet).  The only limitation that I am aware of is that you cannot add "non-gallery" apps in Azure AD, but any app that is available in the gallery would be possible to add to your list of enterprise apps, and therefore it would be available to protect with CA policies.  There is one other limitation with regard to CA that I believe is just an error on Microsoft's part that needs to be ironed out, where you can't access the Conditional Access options in SharePoint admin center (Access controls for unmanaged devices).

Copper Contributor

@Ashanka Iddya- Just wondering if there was an update on using the NPS extension with M365 Business?

Copper Contributor

@ZenChrisE I did have an update from MS on this to say that the fix is being implemented and that this feature will be added to M365B very shortly, but @Ashanka Iddya may know more on the timeline for this.

Copper Contributor

@DannyH365 I think I love you. Can I have your babies. xxxx :hearteyes: :hearteyes: :flushed: :stareyes: :lol: :happyface: :xd:

Copper Contributor

If I add Azure Active Directory Premium P1 to a Microsoft Office 365 Business Essentials or Business Premium license, then will I have conditional access and also Azure AD P1's flexibility in supporting phone calls and SMS for Azure MFA verification?

Copper Contributor

We had the same problem, M365B with the NPS extension didn't work..

This website did the trick: http://azuredummies.com/2019/06/28/azure-mfa-nps-extension-service-principal-name-spn-how-to-deal-wi...

You need to activate an app within Azure AD.

 

Copper Contributor

I just saw this link via twitter msft.it/6011T5ck3 that says that Azure AD Premium P1 has now been added to Microsoft 365 Business (Premium).

Copper Contributor

Ashanka:

 

The third point in your introduction says: 

Is Conditional Access available to Office 365 Business Premium subscribers?

No, Conditional Access is not available to Office 365 Business Premium subscribers; it is a Microsoft 365 Business entitlement.

 

I have been told that it is possible to combine an Office 365 Business Essentials (soon to be Microsoft 365 Business Basic) license with an Azure AD Premium P1 license for the underlying user-id to enable conditional access for the user-id.  Do you agree?  This is a scenario that I began three years ago in my solo entrepreneur business where I have one computer but three roles that began  as separate user-ids/emails, which were originally one O 365 Business premium license (more recently upgraded to M 365 Business) and two O 365 Business Essentials licenses.  Particularly with the advent of MFA, combined with Zero Trust Network Architecture, this is an almost intuitively obvious outcome.  Or is it?

Version history: last updated Oct 07 2019 11:12 AM