Microsoft is rolling out a change, originally scheduled for August 9th 2017 and since moved to August 24th (see the update below), for Azure Active Directory conditional access policies. Before this change rolls out, user logins to the Office 365 portal are not subject to conditional access requirements (e.g. enforcing multi-factor authentication or other conditions). It is only after the user clicks on a tile to access an application such as Outlook on the web, OneDrive, or Planner that they are prompted to meet the requirements of your conditional access policies.
From August 9th this behavior will change, and conditional access policies that you apply to Exchange Online and SharePoint Online will also apply to the Office 365 portal. This is a positive change in that it levels the field for securing access to online portals; however, it does introduce one potential issue. If a user wants to install the Office 365 ProPlus applications on a computer, they would normally log in to the portal to download the installer. If your conditional access policies require domain-joined or Intune-compliant devices, the user may not be able to log in at all (e.g. from an unmanaged home PC).
To get around this, Microsoft advises that the user can still download the Office 365 ProPlus installer from this URL.
Update: Message Center now has this change occurring on the 24th of August in the tenants where I have been notified so far.
Paul, I found this blog post while looking for info on access and refresh tokens in 365 since I’m about to start 365 MFA rollouts w/ Outlook clients using Modern Authentication. According to this post @ Microsoft Docs:
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-configurable-token-lifetimes
the Refresh and Access Token settings (for controlling 365 session lifetimes) will be deprecated and replaced with Conditional Access rules in the future.
However, Conditional Access is a feature of Azure AD Premium, so unless I’m missing something it sounds like eventually we won’t be able to control session lifetimes (e.g. to force re-auth with MFA after a set period of time) without paying for Azure AD Premium. Do you have an insider’s opinion or, better yet, insider’s knowledge on this?
Hi Paul!
Is it possible to create a conditional access policy that applies only to OneDrive for Business? I mean, in the cloud applications list I have the option of SharePoint Online and not OneDrive for Business.
What are you trying to achieve?
All users in my company are based in New York, but I had colleagues test the CA policies when they were abroad in the countries mentioned above.
Is there some way in which CA policies can be enhanced to detect spoofed IP addresses from VPN service providers? If not, then CA policies are only good for deterring the casual and/or unsophisticated hacker. Secureworks/Cloud App Security have detected attempted breaches coming from 19 countries, so any suggestions you may have would be much appreciated.
Sounds like you’re interested in the features of Azure Identity Protection. It can treat VPN/proxy IPs as “risky” or “suspicious”, and your Azure Identity Protection policies, or alternatively your conditional access policies, can use that risk level as a condition for allowing/blocking access, or requiring additional authentication. If you combine that with CA policy options like requiring managed/trusted devices, you can treat a legit user who happens to be travelling differently than an attacker trying to get around your rules by using a VPN. It’s fairly intelligent and flexible, and worth a look.
Thanks Paul I will take a look.
Conditional Access Policies can be bypassed via VPNs. My company configured a Conditional Access Policy to enable access to our Office 365/Azure services from the United States only. We verified that the policy was working by having colleagues in the UK, France and Portugal connect with valid credentials and MFA verification codes, only to receive a notification that access from their particular location was prohibited. So far so good.
My colleague in Portugal was able to bypass the Conditional Access Policy by (1) using IP Vanish and selecting a New York based VPN server and (2) using Surfeasy and selecting a VPN server in Los Angeles. So, despite being physically located in Portugal, by selecting a US based VPN server he was able to bypass the Conditional Access Policy.
He hasn’t bypassed conditional access. If the CA rules are assigned to him, then they are assessed and he is found to be connecting from a US network location, so he is allowed access. What you’re describing is what I would expect to happen.
If you want only US people to be able to connect from the US, then assign it to a group that includes US users, and create another rule to block everyone else.
I have created a conditional access policy in the Azure AD blade for Exchange Online and enabled MFA and require approved clients, but I can still access emails using the native client on iOS and Android. Is there a way to stop this without using Intune?
What does “require approved clients” mean? I can’t see your policies so you need to be super clear what you’ve configured and who you’ve assigned it to, how you’re testing the changes (including how long you’ve waited before testing again), etc etc.
Can you explain “Pay what you use” in Conditional Access policy? So I could grant all of our users AD Premium P2 or P1, and create a Conditional Access policy to block EXTERNAL networks from using Outlook 2016 for Mac, except our internal network, IPs and ranges.
We have only roughly 957 Outlook 2016 for Mac clients with unknown location, maybe half (450) from external.
Thus, does it mean those external Outlook 2016 for MAC will hit the conditional access so we only pay 450 conditional access license use?
Besides, it’s not always 450 hitting the conditional access 24/7, so will Microsoft do a True-Up every 3 months to get the right number?
What if you have different settings between your Conditional Access policies for Exchange Online and SharePoint Online? What if one doesn’t require the endpoint to be domain-joined or Intune-enrolled? I assume the strongest CA policy will take precedence?
e.g. We want to use app-enforced restrictions for SharePoint Online that allow limited access to SPO files (browser-only, with download/print/sync switched off). The endpoint does not need to be domain-joined or Intune-enrolled. However, our EXO CA policy does require either domain-joined or Intune-enrolled.
The EXO policy will apply when accessing EXO services, and the SPO policy will apply when accessing SPO services. For apps that use both EXO and SPO, access will only be granted when the user or device satisfies the conditions of *all* policies that have been targeted at that user.
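As an added illustration (not part of the original post, the comments, or Microsoft's documentation), here is a constructed, simplified Python model of the two points made in the replies above: a location rule assigned to a US-staff group plus a catch-all block for everyone else, and the rule that access is granted only when the grant controls of all applicable policies are met. The group names, app names, field names and the portal-touches-EXO-and-SPO assumption are mine; a VPN exit in the US is seen as a US location, as the thread observes.

```python
# Constructed, simplified model of how Azure AD Conditional Access combines policies
# (not Microsoft's engine): any applicable block policy wins; otherwise the grant
# controls of *all* applicable policies must be satisfied before access is granted.
from dataclasses import dataclass, field

@dataclass
class SignIn:
    groups: set              # Azure AD groups the user belongs to
    resources: set           # cloud apps touched; the Office 365 portal touches EXO and SPO
    country: str             # country of the egress IP as Azure AD sees it (a VPN exit counts)
    mfa_done: bool = False
    managed_device: bool = False   # domain-joined or Intune-compliant

@dataclass
class Policy:
    name: str
    include_groups: set                            # {"All"} targets every user
    exclude_groups: set = field(default_factory=set)
    apps: set = field(default_factory=lambda: {"All"})
    countries: set = field(default_factory=set)    # empty = any location
    outside_countries: bool = False                # applies everywhere EXCEPT `countries`
    block: bool = False
    require_mfa: bool = False
    require_managed_device: bool = False

    def applies(self, s: SignIn) -> bool:
        targeted = "All" in self.include_groups or bool(self.include_groups & s.groups)
        if not targeted or self.exclude_groups & s.groups:
            return False
        if "All" not in self.apps and not (self.apps & s.resources):
            return False
        # No location condition, or the sign-in country is on the right side of it.
        return not self.countries or (s.country in self.countries) != self.outside_countries

def evaluate(s: SignIn, policies: list) -> str:
    hits = [p for p in policies if p.applies(s)]
    if any(p.block for p in hits):
        return "blocked"
    if any(p.require_mfa for p in hits) and not s.mfa_done:
        return "denied: MFA required"
    if any(p.require_managed_device for p in hits) and not s.managed_device:
        return "denied: managed device required"
    return "granted"

# Hypothetical policy set modelled on the thread (group and app names are assumptions).
POLICIES = [
    Policy("US staff: block outside US", {"US-Users"}, countries={"US"}, outside_countries=True, block=True),
    Policy("Block everyone not in US-Users", {"All"}, exclude_groups={"US-Users"}, block=True),
    Policy("EXO: managed device", {"All"}, apps={"Exchange Online"}, require_managed_device=True),
    Policy("SPO: MFA only", {"All"}, apps={"SharePoint Online"}, require_mfa=True),
]
```

Feeding the Portugal sign-in through with `country="PT"` returns "blocked", while the same user via a US VPN exit with `country="US"` is evaluated as a US sign-in and then only has to meet the per-app controls.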
Paul, when I go to the ‘Conditional Access’ page on the Azure AD blade for my tenant, it prompts me to start a trial of AD Premium (don’t have) so this change seems to be specific to tenants where AD Premium is active. However, in all the tech info I could find on this, there is no explicit mention of how the change impacts those without AD Premium. Can you offer any clarification on this?
Conditional access is a feature of Azure AD Premium. If you don’t have Azure AD Premium, then you aren’t using CA rules and therefore aren’t impacted by this change.