Microsoft announced April 5th two new Azure Active Directory (AD) Conditional Access features reaching general availability: report-only mode, and the insights and reporting workbook. General availability means that these features are now ready to be used in production environments. A new policy details blade for troubleshooting is also now in preview.
The addition of report-only mode for Azure AD Conditional Access policies allows administrators to see how enforcing policies will affect users. Once the impact has been assessed, policies can either be modified as required or enabled. During sign-in, Conditional Access policies in report-only mode are evaluated but not enforced. The results are logged in the Conditional Access and Report-only tabs of Sign-ins, which you can find under Monitoring in the Azure management portal.
Microsoft says that report-only mode has seen strong adoption. While the feature was in preview, more than 26 million users were in scope of a report-only policy. Starting April 5th, all new Conditional Access policies are created in report-only mode by default. Microsoft also added the ability to programmatically manage report-only policies using the Microsoft Graph APIs.
Before enabling Conditional Access policies in report-only mode, you might want to exclude Mac, iOS, and Android devices. Users of these platforms may be prompted to select a device certificate during policy evaluation, even though compliance isn’t being enforced.
The new Conditional Access insights and reporting workbook lets administrators visualize Conditional Access queries and see the impact of a policy by time, set of applications, and users. The workbook streams data from Azure Monitor, so that needs to be set up first. The workbook’s dashboard is in the Insights and reporting tab in the Azure AD Conditional Access menu.
After selecting a time range in the dashboard, you can see the impact of Conditional Access policies over the selected period. The dashboard lets admins drill down to get more detailed information by:
Currently in preview, the new policy details blade gives admins an easy way to find out why a policy resulted in success, failure, or why it wasn’t applied. The blade shows the conditions and access controls that were met during sign-in. For example, on the Sign-ins page, you can select a sign-in and then a policy to see whether it was applied.
In the screenshot below, Lisa Smith’s sign-in had the report-only policy “Block access outside trusted locations” applied because the account met the user, application, and location conditions. If the policy had been enabled, Lisa would have been blocked access to the MyApps portal because the policy is configured to deny access.
At a time when more of us are working from home, better ways to manage controls for remote access to corporate applications and systems are welcome. Azure AD Conditional Access policies are an important part of enabling zero-trust networks, which are more secure than the virtual private network (VPN) solutions that many organizations still deploy.
For organizations that have yet to look at zero-trust networks, Azure AD Conditional Access policies can also be used with Windows Server’s Routing and Remote Access Service (RRAS), which acts as a VPN server, if the right infrastructure is in place.
For more information on zero-trust networks for remote access, see Choosing between Virtual Private Network and Zero Trust Remote Access Solutions on Petri.