In this blog post, I will show you how to enable Conditional Access in Azure Active Directory and block access to an Office 365 application based on a condition.
Conditional Access
Azure Active Directory Conditional Access is a key security and identity access tool that allows or blocks access to applications based on conditions such as location, device platform, user group membership and many more.
Conditional Access can also require MFA when certain conditions are met, which covers a wide range of scenarios.
Cost
Azure AD Conditional Access comes at a cost: it is not free and is not part of the basic Azure AD license.
To use it you need at least an Azure AD Premium P1 license. In my case, I have Enterprise Mobility + Security E3, which bundles it in.
Get Started
In the example below, I will create a Conditional Access policy that:
- Applies to a user called Tim Hyper
- Blocks access to the Microsoft Planner app from any Windows device
- Allows access to Planner from all other devices
Create Policy
To create a Conditional Access policy, I will click on the Azure Active Directory icon in the Azure portal.
From Azure AD I will click on Conditional Access.
I will name my policy Planner.
You will also notice that the policy has two parts:
- Assignments – the conditions (users, cloud apps, device platform, location, etc.) that determine when the policy applies
- Access Controls – whether to block access or grant it, optionally requiring controls such as MFA
In the Users section, I will select my user Tim.
In the Cloud apps section, I will select the Microsoft Planner app.
In the Device platforms section, I will select Windows as the targeted platform.
In the Access controls section, I will select Block access to block access to Microsoft Planner from any Windows device.
In the last section, I will set Enable policy to On.
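The same policy can be expressed as the Microsoft Graph conditionalAccessPolicy resource that the portal creates behind the scenes. The example below is added to this post and is not the author's code: it builds the policy body for the steps above, can POST it to Graph, and includes a small local evaluator that models how the assignments gate the block control (all configured conditions must match) so you can reason about which sign-ins are affected. The two GUIDs are placeholders you must replace with Tim's user object id and the Planner app id from your tenant, and the evaluator is a simplified model, not Azure AD's policy engine.

```python
"""Build, optionally publish, and locally sanity-check the 'Planner' Conditional
Access policy: block one user's access to Microsoft Planner from Windows, allow
every other platform. Added example; placeholder ids are assumptions."""
import json
import urllib.request

GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Placeholder object ids (assumed, not from the post): look them up in your tenant.
TIM_USER_ID = "00000000-0000-0000-0000-00000000aaaa"    # Tim Hyper's user object id
PLANNER_APP_ID = "00000000-0000-0000-0000-00000000bbbb"  # Microsoft Planner application id


def build_planner_block_policy(user_id=TIM_USER_ID, app_id=PLANNER_APP_ID,
                               state="enabledForReportingButNotEnforced"):
    """Return the JSON body for the Graph conditionalAccessPolicy resource.
    The default state is report-only, so the policy shows up in sign-in logs
    without enforcing; pass state="enabled" to match the post's 'On' setting."""
    return {
        "displayName": "Planner",
        "state": state,
        "conditions": {
            "users": {"includeUsers": [user_id]},                # Assignments > Users
            "applications": {"includeApplications": [app_id]},  # Cloud apps
            "platforms": {"includePlatforms": ["windows"]},     # Device platforms
        },
        # Access controls: Block access
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def post_policy(policy, access_token):
    """POST the policy to Graph; the token needs Policy.ReadWrite.ConditionalAccess.
    Not invoked below, shown so the body above can be used as-is."""
    req = urllib.request.Request(
        GRAPH_CA_POLICIES,
        data=json.dumps(policy).encode(),
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def evaluate(policy, user_id, app_id, platform):
    """Simplified local model (assumption, not Azure AD's engine): every
    configured assignment must match for the control to apply. Returns
    "block" or "grant" when the policy applies, otherwise "not-applicable",
    which for a block policy means the sign-in is allowed through."""
    if policy["state"] != "enabled":
        return "not-applicable"  # report-only and disabled never enforce
    c = policy["conditions"]
    users = c["users"]["includeUsers"]
    apps = c["applications"]["includeApplications"]
    plats = [p.lower() for p in c.get("platforms", {}).get("includePlatforms", ["all"])]
    in_scope = (("All" in users or user_id in users)
                and ("All" in apps or app_id in apps)
                and ("all" in plats or platform.lower() in plats))
    if not in_scope:
        return "not-applicable"
    return "block" if "block" in policy["grantControls"]["builtInControls"] else "grant"


if __name__ == "__main__":
    policy = build_planner_block_policy(state="enabled")
    print(json.dumps(policy, indent=2))
    for plat in ("windows", "iOS", "macOS"):
        print(plat, "->", evaluate(policy, TIM_USER_ID, PLANNER_APP_ID, plat))
```

Running it prints the policy body and shows that only the Windows sign-in for Tim to Planner evaluates to "block"; iOS and macOS fall outside the assignments and are allowed through, which is exactly the behaviour the post expects. Creating the policy in report-only state first and checking the sign-in logs before switching it to enabled is a cheap way to confirm you have not locked out more than intended.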
Policy in action
To test the policy, I will try to access Microsoft Planner from the Office 365 portal.
Below you can see how Azure AD blocks access to Microsoft Planner only, while the other apps remain available.
Conclusion
In a world where cloud applications are everything and access is available from anywhere and on any device, Conditional Access is the only tool that can provide proper identity control.