Merge pull request MicrosoftDocs#1936 from Microsoft/FromPrivateRepo
From private repo
v-alje authored Jun 2, 2017
2 parents 52e69a2 + a94eca3 commit e1c3539
Showing 222 changed files with 2,799 additions and 1,223 deletions.
@@ -1,6 +1,6 @@
---
title: Conditional access device policies for Office 365 services | Microsoft Docs
description: Details on how device-based conditions control access to Office 365 services. While Information Workers (IWs) want to access Office 365 services like Exchange and SharePoint Online at work or school from their personal devices, their IT admin wants the access to be secure.IT admins can provision conditional access device policies to secure corporate resources, while at the same time allowing IWs on compliant devices to access the services.
title: Azure Active Directory conditional access device policies for Office 365 services | Microsoft Docs
description: Learn about how to provision conditional access device policies to help make corporate resources more secure, while maintaining user compliance and access to services.
services: active-directory
documentationcenter: ''
author: MarkusVi
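Review bot: The rewritten front-matter description (`description: Learn about how to provision conditional access device policies to help make corporate resources more secure, while maintaining user compliance and access to services.`) attaches compliance to the user, but the policies described in the body of this article evaluate device compliance (a user on a noncompliant device is blocked). Suggest "...while allowing users on compliant devices to access services" so the summary matches the mechanism the article describes.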
Expand All @@ -17,25 +17,28 @@ ms.date: 05/18/2017
ms.author: markvi

---
# Conditional access device policies for Office 365 services
# Active Directory conditional access device policies for Office 365 services

The term, “conditional access” has many conditions associated with it such as multi-factor authenticated user, authenticated device, compliant device etc. This topic primarily focusses on device-based conditions to control access to Office 365 services. While Information Workers (IWs) want to access Office 365 services like Exchange and SharePoint Online at work or school from their personal devices, their IT admin wants the access to be secure. IT admins can provision conditional access device policies to secure corporate resources, while at the same time allowing IWs on compliant devices to access the services. Conditional access policies to Office 365 may be configured from Microsoft Intune conditional access portal.
Conditional access requires multiple pieces to work. It involves a multi-factor authenticated user, an authenticated device, and a compliant device, among other factors. In this article, we primarily focus on device-based conditions that your organization can use to help you control access to Office 365 services.

Azure Active Directory enforces conditional access policies to secure access to Office 365 services. An administrator can create a conditional access policy that blocks a user on a non-compliant device from accessing an O365 service. The user must conform to company’s device policies before access can be granted to the service. Alternately, the admin can also create a policy that requires users to just enroll their devices to gain access to an O365 service. Policies may be applied to all users of an organization, or limited to a few target groups and enhanced over time to include additional target groups.
Corporate users want to access Office 365 services like Exchange and SharePoint Online at work or school from their personal devices. You want the access to be secure. You can provision conditional access device policies to help make corporate resources more secure, while granting access to services for users who are using compliant devices. You can set conditional access policies to Office 365 in the Microsoft Intune conditional access portal.

A prerequisite for enforcing device policies is for users to register their devices with Azure Active Directory Device Registration service. You can opt to enable Multi-factor authentication (MFA) for registering devices with Azure Active Directory Device Registration service. MFA is recommended for Azure Active Directory Device Registration service. When MFA is enabled, users registering their devices with Azure Active Directory Device Registration service are challenged for second factor authentication.
Azure Active Directory (Azure AD) enforces conditional access policies to help secure access to Office 365 services. You can create a conditional access policy that blocks a user who is using a noncompliant device from accessing an Office 365 service. The user must conform to the company’s device policies before access to the service is granted. Alternately, you can create a policy that requires users to enroll their devices to gain access to an Office 365 service. Policies can be applied to all users in an organization, or limited to a few target groups. You can add more target groups to a policy over time.

## How does conditional access policy work?
When a user requests access to O365 service from a supported device platform, Azure Active Directory authenticates the user and device from which the user launches the request; and grants access to the service only when the user conforms to the policy set for the service. Users that do not have their device enrolled are given remedial instructions on how to enroll and become compliant to access corporate O365 services. Users on iOS and Android devices will be required to enroll their devices using Company Portal application. When a user enrolls his/her device, the device is registered with Azure Active Directory, and enrolled for device management and compliance. Customers must use the Azure Active Directory Device Registration service in conjunction with Microsoft Intune to enable mobile device management for Office 365 service. Device enrollment is a pre-requisite for users to access Office 365 services when device policies are enforced.
A prerequisite for enforcing device policies is that users must register their devices with the Azure AD device registration service. You can opt to turn on multi-factor authentication for devices that register with the Azure AD device registration service. Multi-factor authentication is recommended for the Azure Active Directory device registration service. When multi-factor authentication is turned on, users who register their devices with the Azure AD device registration service are challenged for second-factor authentication.

When a user enrolls his/her device successfully, the device becomes trusted. Azure Active Directory provides Single-Sign-On to access company applications and enforces conditional access policy to grant access to a service not only the first time the user requests access, but every time the user requests to renew access. The user will be denied access to services when sign-in credentials are changed, device is lost/stolen, or the policy is not met at the time of request for renewal.
## How does a conditional access policy work?

## Deployment considerations:
When a user requests access to an Office 365 service from a supported device platform, Azure AD authenticates the user and the device. Azure AD grants access to the service only if the user conforms to the policy set for the service. Users on devices that are not enrolled are given instructions on how to enroll and become compliant to access corporate Office 365 services. Users on iOS and Android devices are required to enroll their devices by using the Intune Company Portal application. When a user enrolls a device, the device is registered with Azure AD and it's enrolled for device management and compliance. You must use the Azure AD device registration service with Microsoft Intune for mobile device management for Office 365 services. Device enrollment is required for users to access Office 365 services when device policies are enforced.

You must use Azure Active Directory device registration service to register devices.
When a user successfully enrolls a device, the device becomes trusted. Azure AD gives the authenticated user single sign-on access to company applications. Azure AD enforces a conditional access policy to grant access to a service not only the first time the user requests access, but every time the user renews a request for access. The user is denied access to services when sign-in credentials are changed, the device is lost or stolen, or the conditions of the policy are not met at the time of request for renewal.

When users are about to be authenticated on premises, Active Directory Federation Services (AD FS) (1.0 and above) is required. Multi-factor authentication (MFA) for Workplace Join fails when the identity provider is not capable of MFA. For example, AD FS 2.0 is not MFA capable. Your administrator must ensure that the on-premises AD FS is MFA capable and a valid MFA method is enabled, before enabling MFA on the Azure Active Directory device registration service. For example, AD FS on Windows Server 2012 R2 has MFA capabilities. You must also enable an additional valid authentication (MFA) method on the AD FS server before enabling MFA on the Azure Active Directory device registration service. For more information on supported MFA methods in AD FS, see Configure Additional Authentication Methods for AD FS.
## Deployment considerations

You must use the Azure AD device registration service to register devices.

When on-premises users are about to be authenticated, Active Directory Federation Services (AD FS) (version 1.0 and later versions) is required. Multi-factor authentication for Workplace Join fails when the identity provider is not capable of multi-factor authentication. For example, you can't use multi-factor authentication with AD FS 2.0. Ensure that the on-premises AD FS works with multi-factor authentication, and that a valid multi-factor authentication method is in place before you turn on multi-factor authentication for the Azure AD device registration service. For example, AD FS on Windows Server 2012 R2 has multi-factor authentication capabilities. You also must set an additional valid authentication (multi-factor authentication) method on the AD FS server before you turn on multi-factor authentication for the Azure AD device registration service. For more information about supported multi-factor authentication methods in AD FS, see [Configure additional authentication methods for AD FS](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs).

## Next steps

See the [Azure Active Directory Conditional Access FAQ](active-directory-conditional-faqs.md) for more answers to common questions.
* For answers to common questions, see [Azure Active Directory conditional access FAQs](active-directory-conditional-faqs.md).
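Review bot: The new H1 `# Active Directory conditional access device policies for Office 365 services` drops "Azure" and no longer matches the new front-matter title `title: Azure Active Directory conditional access device policies for Office 365 services | Microsoft Docs`. "Active Directory" on its own reads as the on-premises directory, which this same article distinguishes from Azure AD in the AD FS paragraph, so the heading should read "Azure Active Directory conditional access device policies for Office 365 services". Minor: in the deployment considerations paragraph, "(version 1.0 and later versions)" repeats "version"; "(version 1.0 and later)" is enough.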
44 changes: 18 additions & 26 deletions articles/active-directory/active-directory-conditional-faqs.md
@@ -1,6 +1,6 @@
---
title: Azure Active Directory Conditional Access FAQ | Microsoft Docs
description: 'Frequently asked questions about conditional access '
title: Azure Active Directory conditional access FAQs | Microsoft Docs
description: Get answers to frequently asked questions about conditional access in Azure Active Directory.
services: active-directory
documentationcenter: ''
author: MarkusVi
Expand All @@ -16,51 +16,43 @@ ms.date: 05/25/2017
ms.author: markvi

---
# Azure Active Directory Conditional Access FAQ
# Azure Active Directory conditional access FAQs

## Which applications work with conditional access policies?

**A:** Please see [Applications and browsers that use conditional access rules in Azure Active Directory](active-directory-conditional-access-supported-apps.md).

---
For information about applications that work with conditional access policies, see [Applications and browsers that use conditional access rules in Azure Active Directory](active-directory-conditional-access-supported-apps.md).

## Are conditional access policies enforced for B2B collaboration and guest users?
**A:** Policies are enforced for B2B collaboration users. However, in some cases, a user might not be able to satisfy the policy requirement if, for example, an organization does not support multi-factor authentication.
The policy is currently not enforced for SharePoint guest users. The guest relationship is maintained within SharePoint. Guest users accounts are not subject to access polices at the authentication server. Guest access can be managed at SharePoint.

---
Policies are enforced for business-to-business (B2B) collaboration users. However, in some cases, a user might not be able to satisfy the policy requirements. For example, a guest user's organization might not support multi-factor authentication.

Currently, conditional access policies are not enforced for SharePoint guest users. The guest relationship is maintained in SharePoint. Guest user accounts in SharePoint are not subject to access polices at the authentication server. You can manage guest access in SharePoint.

## Does a SharePoint Online policy also apply to OneDrive for Business?
**A:** Yes.

---
Yes. A SharePoint Online policy also applies to OneDrive for Business.

## Why can’t I set a policy on client apps, like Word or Outlook?
**A:** A conditional access policy sets requirements for accessing a service and is enforced when authentication happens to that service. The policy is not set directly on a client application; instead, it is applied when it calls into a service. For example, a policy set on SharePoint applies to clients calling SharePoint and a policy set on Exchange applies to Outlook.

---
A conditional access policy sets requirements for accessing a service. It's enforced when authentication to that service occurs. The policy is not set directly on a client application. Instead, it is applied when a client calls a service. For example, a policy set on SharePoint applies to clients calling SharePoint. A policy set on Exchange applies to Outlook.

## Does a conditional access policy apply to service accounts?
**A:** Conditional access policies apply to all user accounts. This includes user accounts used as service accounts. In many cases, a service account that runs unattended is not able to satisfy a policy. This is, for example the case, when MFA is required. In these cases, services accounts can be excluded from a policy, using conditional access policy management settings. Learn more about applying a policy to users here.

---
Conditional access policies apply to all user accounts. This includes user accounts that are used as service accounts. Often, a service account that runs unattended can't satisfy the requirements of a conditional access policy. For example, multi-factor authentication might be required. Service accounts can be excluded from a policy by using conditional access policy management settings.

## Are Graph APIs available to configure configure conditional access policies?
**A:** not yet.
## Are Graph APIs available for configuring conditional access policies?

---
Currently, no.

## Q: What is the default exclusion policy for unsupported device platforms?
## What is the default exclusion policy for unsupported device platforms?

**A:** At the present time, conditional access policies are selectively enforced on users on iOS and Android devices. Applications on other device platforms are, by default, unaffected by the conditional access policy for iOS and Android devices. Tenant admin may, however, choose to override the global policy to disallow access to users on unsupported platforms.
Currently, conditional access policies are selectively enforced on users of iOS and Android devices. Applications on other device platforms are, by default, not affected by the conditional access policy for iOS and Android devices. A tenant admin can choose to override the global policy to disallow access to users on platforms that are not supported.

---

## Q: How do conditional access policies work for Microsoft Teams?
## How do conditional access policies work for Microsoft Teams?

**A:** Microsoft Teams relies heavily on Exchange Online and SharePoint Online for core productivity scenarios such as meetings, calendars, and files. Conditional access policies set up for these cloud apps apply to Teams during the sign-in experience.
Microsoft Teams relies heavily on Exchange Online and SharePoint Online for core productivity scenarios, like meetings, calendars, and file sharing. Conditional access policies that are set for these cloud apps apply to Microsoft Teams when a user signs in.

Microsoft Teams is also supported separately as a Cloud App in Azure AD Conditional Access policies and CA policy set up for this cloud app will apply to Teams during the sign-in experience.
Microsoft Teams desktop clients for Windows and Mac support modern authentication, which brings sign-on based on the Azure Active Directory Authentication Library (ADAL) to Microsoft Office client applications across platforms.
Microsoft Teams also is supported separately as a cloud app in Azure Active Directory conditional access policies. Certificate authority policies that are set for a cloud app apply to Microsoft Teams when a user signs in.

---
Microsoft Teams desktop clients for Windows and Mac support modern authentication. Modern authentication brings sign-in based on the Azure Active Directory Authentication Library (ADAL) to Microsoft Office client applications across platforms.
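Review bot: In the Microsoft Teams answer, the rewrite expands "CA policy" into `Certificate authority policies that are set for a cloud app apply to Microsoft Teams when a user signs in.` The removed line `Microsoft Teams is also supported separately as a Cloud App in Azure AD Conditional Access policies and CA policy set up for this cloud app will apply to Teams during the sign-in experience.` uses "CA" as an abbreviation for conditional access, not certificate authority, so the expansion changes the meaning of the answer. Suggest "Conditional access policies that are set for this cloud app apply to Microsoft Teams when a user signs in." Also, the B2B guest answer carries the old typo forward: `Guest user accounts in SharePoint are not subject to access polices at the authentication server.` should read "access policies".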