Conditional Access for Office 365 Apps
In this post, I will go over the steps to create a Conditional Access policy for Office 365 apps using Azure AD.
What is Conditional Access? Conditional Access allows the administrator to fine-tune how users can access cloud resources. These policies let you restrict access so that certain users can only reach certain applications, restrict them to a certain device, or even restrict users to accessing an application only if their device is joined to the domain.
To get started, you need to log in to your Azure AD portal, which can be accessed using: http://portal.office.com/
From the Azure Active Directory admin center, you can select Azure Active Directory and then click on Conditional access.
From the Conditional access menu, you can select +New policy on the right-hand side to start creating the new policy.
For the purpose of this post, I will create a Conditional Access policy that restricts access to SharePoint Online for one specific user. This means the user will not be able to access SharePoint through a web browser or a mobile device.
To get started, let’s give the policy a name and click on Users and groups.
Next, select which cloud app the restriction should apply to.
Now let’s create the conditions for this policy by clicking on the Conditions section and specifying the conditions for Device platforms, Locations and Client apps.
Under Device platforms, I will select all platforms and click on Done.
Under the Locations condition, I will again select all locations and click on Done.
For Client apps, I will select all client apps so that the new policy applies to every client, then click on Done.
Now that we have specified the conditions and the user assignment, let’s go ahead and set the access controls for this policy.
From the same menu, select Grant to specify whether access to the app should be blocked or allowed, or whether the app requires two-factor authentication. For this post, I will select Block access.
Last but not least, I will enable the newly created policy before clicking on Create.
How do we know whether the policy we created is working? To test the new policy, I will attempt to log in to SharePoint Online with the user account specified in the policy.
When the user Yun-Sun tries to access SharePoint Online, he will receive the following message.
Now we can confirm that the policy is working and the user can only access the applications he is allowed to access.
However, the policy only restricts access to SharePoint; the user can still access his or her Office 365 portal, as seen below.
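The portal steps above (user assignment, one cloud app, all platforms, all locations, all client apps, grant control set to Block, policy enabled) correspond to a single Conditional Access policy object, and the test at the end (SharePoint blocked, the Office 365 portal still reachable) is a question of which sign-ins fall inside that policy's scope. The following is an added example, not code from the original post: it builds the Microsoft Graph JSON representation of this policy and evaluates a few sample sign-ins against it offline. Assumptions not stated on the page: the Graph v1.0 endpoint `/identity/conditionalAccessPolicies` and its schema (`includeUsers`, `includeApplications`, `includePlatforms`, `includeLocations`, `clientAppTypes`, `builtInControls`); the user object id and the Office portal application id are placeholders to replace with values from your own tenant; the SharePoint Online application id is the commonly documented first-party value and should be confirmed against your tenant's service principals before use. The `evaluate_sign_in` function is a deliberately simplified model of the evaluation (include-lists and the Block control only, no exclusions, trusted-location or session-control handling).

```python
"""Added example: Graph representation of the "block one user from
SharePoint Online" Conditional Access policy plus an offline scope check."""
import json
import urllib.request

# Assumption: Graph v1.0 collection for Conditional Access policies.
GRAPH_CA_ENDPOINT = "https://graph.microsoft.com/v1.0/identity/conditionalAccessPolicies"

# Placeholders: replace with ids from your tenant (e.g. Get-MgUser / Get-MgServicePrincipal).
USER_OBJECT_ID = "<user-object-id-placeholder>"
OFFICE_PORTAL_APP_ID = "<office-portal-app-id-placeholder>"
# Commonly documented first-party app id for SharePoint Online; verify in your tenant.
SHAREPOINT_APP_ID = "00000003-0000-0ff1-ce00-000000000000"


def build_block_policy(display_name, user_ids, app_ids, enabled=True):
    """Mirror the portal steps: chosen users, chosen cloud apps, all device
    platforms, all locations, all client apps, grant control = Block."""
    return {
        "displayName": display_name,
        "state": "enabled" if enabled else "disabled",
        "conditions": {
            "users": {"includeUsers": list(user_ids)},
            "applications": {"includeApplications": list(app_ids)},
            "platforms": {"includePlatforms": ["all"]},
            "locations": {"includeLocations": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def _matches(selector, value):
    # Graph encodes "every platform / location / client app" as "all" or "All".
    return any(s.lower() == "all" or s == value for s in selector)


def evaluate_sign_in(policy, user_id, app_id, platform, location, client_app):
    """Simplified offline model (assumption): a sign-in is blocked only when
    it matches every include-list of an enabled policy whose grant control
    is Block. Exclusions and session controls are not modelled."""
    if policy["state"] != "enabled":
        return "allow"
    c = policy["conditions"]
    in_scope = (
        _matches(c["users"]["includeUsers"], user_id)
        and _matches(c["applications"]["includeApplications"], app_id)
        and _matches(c["platforms"]["includePlatforms"], platform)
        and _matches(c["locations"]["includeLocations"], location)
        and _matches(c["clientAppTypes"], client_app)
    )
    if in_scope and "block" in policy["grantControls"]["builtInControls"]:
        return "block"
    return "allow"


def create_policy(policy, access_token):
    """POST the policy to Graph. Needs a token carrying
    Policy.ReadWrite.ConditionalAccess and network access, so it is only
    shown here, not exercised."""
    req = urllib.request.Request(
        GRAPH_CA_ENDPOINT,
        data=json.dumps(policy).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    policy = build_block_policy("Block Yun-Sun from SharePoint Online",
                                [USER_OBJECT_ID], [SHAREPOINT_APP_ID])
    print(json.dumps(policy, indent=2))
    # Same outcome the post observes: SharePoint is blocked from a browser,
    # the Office 365 portal (a different app) is still allowed.
    print(evaluate_sign_in(policy, USER_OBJECT_ID, SHAREPOINT_APP_ID,
                           "windows", "loc-1", "browser"))
    print(evaluate_sign_in(policy, USER_OBJECT_ID, OFFICE_PORTAL_APP_ID,
                           "windows", "loc-1", "browser"))
```

The scope check is a handy way to reason about a policy before enabling it: if the portal app is not in `includeApplications`, no combination of platform, location or client app will bring it inside the policy, which is exactly why the user in the post still lands on the Office 365 portal.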
To summarize: with Azure AD, we can use Conditional Access policies to restrict which Office 365 apps a user can access, as well as specify the conditions under which the user can access an application, for example that the device must be domain-joined or that the user has to be in a certain location or region.