Microsoft Announces Improvements to Azure AD Conditional Access

On April 5th, Microsoft announced that two new Azure Active Directory (AD) Conditional Access features have reached general availability: report-only mode, and the insights and reporting workbook. General availability means that these features are now ready to be used in production environments. A new policy details blade for troubleshooting is also now in preview.

Azure AD report-only mode

The addition of report-only mode for Azure AD Conditional Access policies allows administrators to see how enforcing policies will affect users. Once the impact has been assessed, policies can either be modified as required or enabled. During sign-in, Conditional Access policies in report-only mode are evaluated but not enforced. The results are logged in the Conditional Access and Report-only tabs of Sign-ins, which you can find under Monitoring in the Azure management portal.

Microsoft says that report-only mode has seen strong adoption. While the feature was in preview, more than 26 million users were in scope of a report-only policy. Starting April 5th, all new Conditional Access policies are created in report-only mode by default. Microsoft also added the ability to programmatically manage report-only policies using the Microsoft Graph APIs.

Before enabling Conditional Access policies in report-only mode, you might want to exclude Mac, iOS, and Android devices. Users of these platforms may be prompted to select a device certificate during policy evaluation, even though compliance isn’t being enforced.

Azure AD Conditional Access insights and reporting workbook

The new Conditional Access insights and reporting workbook lets administrators visualize Conditional Access queries and see the impact of a policy by time, set of applications, and users. The workbook streams data from Azure Monitor, so Azure Monitor needs to be set up first. The workbook’s dashboard is in the Insights and reporting tab in the Azure AD Conditional Access menu.

[Image: Microsoft Announces Improvements to Azure AD Conditional Access (Image Credit: Microsoft)]

After selecting a time range in the dashboard, you can see the impact of Conditional Access policies over the selected period. The dashboard lets admins drill down to get more detailed information by:

  • Device platform
  • Device state
  • Location
  • Client app
  • Sign-in risk
  • Application

Azure AD Conditional Access policy details blade

Currently in preview, the new policy details blade gives admins an easy way to find out why a policy resulted in success, failure, or why it wasn’t applied. The blade shows the conditions and access controls that were met during sign-in. For example, on the Sign-ins page, you can select a sign-in and then a policy to see whether it was applied.

In the screenshot below, Lisa Smith’s sign-in had the report-only policy “Block access outside trusted locations” applied because the account met the user, application, and location conditions. If the policy had been enabled, Lisa would have been blocked from accessing the MyApps portal, because the policy is configured to deny access.

[Image: Microsoft Announces Improvements to Azure AD Conditional Access (Image Credit: Microsoft)]
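As an added example (not Microsoft's code and not from the article), the block below shows the Microsoft Graph request body for a report-only policy matching the one described above, with the macOS/iOS/Android exclusion mentioned earlier, plus a small offline evaluator that mimics the result the Sign-ins blade records for a report-only policy. The Graph URL, the `enabledForReportingButNotEnforced` state and the `AllTrusted` location id are real API values; `evaluate_report_only` and the sign-in dicts are simplified, constructed stand-ins, not Azure AD's own evaluation logic.

```python
import json
import urllib.request

# Graph v1.0 endpoint for Conditional Access policies
GRAPH_POLICIES_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

def build_report_only_policy(name="Block access outside trusted locations"):
    """Policy body in the shape the Graph API accepts.
    state=enabledForReportingButNotEnforced is report-only mode; macOS, iOS and
    Android are excluded, as the article advises, to avoid certificate prompts."""
    return {
        "displayName": name,
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
            "platforms": {"includePlatforms": ["all"], "excludePlatforms": ["macOS", "iOS", "android"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

def create_policy(access_token, policy):
    """POST the policy to Graph (token needs Policy.ReadWrite.ConditionalAccess); not called offline."""
    req = urllib.request.Request(
        GRAPH_POLICIES_URL, data=json.dumps(policy).encode("utf-8"), method="POST",
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def evaluate_report_only(policy, signin):
    """Return the result string the Sign-ins blade logs for a report-only policy.
    signin is a constructed dict {"platform": str, "trusted_location": bool};
    users and applications are 'All' here, so platform and location decide."""
    conds = policy["conditions"]
    if signin["platform"] in conds["platforms"]["excludePlatforms"]:
        return "reportOnlyNotApplied"
    if signin["trusted_location"] and "AllTrusted" in conds["locations"]["excludeLocations"]:
        return "reportOnlyNotApplied"
    # All conditions met: a 'block' control is logged as a failure but not enforced
    if "block" in policy["grantControls"]["builtInControls"]:
        return "reportOnlyFailure"
    return "reportOnlySuccess"

if __name__ == "__main__":
    policy = build_report_only_policy()
    lisa = {"platform": "windows", "trusted_location": False}  # constructed sign-in
    print(evaluate_report_only(policy, lisa))  # reportOnlyFailure: would be blocked if enabled
```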

Welcome improvements to Azure AD

At a time when more of us are working from home, better ways to manage controls for remote access to corporate applications and systems are welcome. Azure AD Conditional Access policies are an important part of enabling zero-trust networks, which are more secure than the virtual private network (VPN) solutions that many organizations still deploy.

For organizations that have yet to look at zero-trust networks, Azure AD Conditional Access policies can also be used with Windows Server’s Routing and Remote Access Service (RRAS), which acts as a VPN server, if the right infrastructure is in place.

For more information on zero-trust networks for remote access, see Choosing between Virtual Private Network and Zero Trust Remote Access Solutions on Petri.
