Azure Conditional Access – next step
A year ago, I wrote a post about Azure AD conditional access, with the change to the new portal a lot has changed. This post will show what is changed since then and what is coming.
The biggest change in conditional access is that last year you had to configure this per application in the old portal, there was no reference in the new portal (current one) back then. Now you can create policies that apply to one or multiple applications or even tenant wide. There is now 1 logical location where you can manage these settings. This location is in the Azure Active Directory Blade under security.
Basics
There have been some large changes and as mentioned you are able to control a lot more, on Ignite they showed this slide which gives a great overview of the options you have
Policies
The biggest change is that you now have policies that you can configure. These policies have several options where before you could only turn on MFA, now you can block access if the user is not on a managed device and then prompt for MFA. It is more granular to configure, the downside of this is that it might get more complex to maintain.
Besides the MFA IP location as trusted that can be set, you are now able to create named locations op IP base that can be used in your policy. The named location can also be a country, but that is in preview now. The other great new option is that you can enable MFA for external users, the downside is that the user must sign up for MFA in your tenant so they might get MFA from their own company and yours.
The full documentation can be found here: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azure-portal
Preview
There are more things to come as you can see in the screenshots in this post
- Custom controls These controls are for third party multi-factor authentication like RSA, DUO, and Trusona
- Terms of use This can be used to let users get consent with the terms of use for using Azure AD as the authentication tool, you can track who accepted it
- VPN Connectivity I did not find how to configure this one, the documentation is here https://docs.microsoft.com/en-us/windows/access-protection/vpn/vpn-conditional-access
- Named location country A list of countries that can be configured as a named location