Another piece in the puzzle. That’s what struck me when I first saw AzureIP being protected by conditional access policies at Ignite last September. And this piece allows you to manage how your users can access AzureIP labelled and protected content.

Start from the top

Let’s say I try to open a document from an unmanaged device, and that document is labelled and protected by Azure Information Protection. Normally this is not a problem: the document opens, AzureIP checks my credentials and my permissions on the document, enforces those permissions, and the document is presented to me.

But let’s assume we want to add some more protective measures. For instance, we do not want AzureIP-protected content to be opened from an unsafe location or an unmanaged device. Or, more basic, we want to verify the identities of our users with multi-factor authentication. That’s where conditional access steps in.

Conditional access

Azure AD conditional access allows you to set conditions for users trying to connect to specific cloud apps. Having to approve a prompt in an authenticator app on your mobile device when accessing your e-mail (multi-factor authentication) is one example of this.

Conditional access has two main components: the condition and the control. The condition is based on who the user is and on the sign-in risk, device platform, location or even the client app used to sign in.

[Image: CA_AIP_5.png]

When the condition matches, you can enforce your controls: block the sign-in, or grant it only if a requirement such as multi-factor authentication, a compliant device or a domain-joined device is met.

[Image: CA_AIP_6]

And AzureIP is now one of the cloud apps you can target with a conditional access policy. Set up correctly, you can for example block the use of AzureIP when the device is not domain joined. Keep in mind that the policy is evaluated when the AzureIP client authenticates to the service and obtains a token, not every time a document is opened; content for which the client already holds a cached token or use license stays accessible until that expires.
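As an added example (not code from the original post), the two policies discussed above, require MFA and require a compliant or domain-joined device, created with the Microsoft Graph PowerShell SDK. Assumptions: the Microsoft.Graph module is installed, the signed-in admin has the Policy.ReadWrite.ConditionalAccess and Application.Read.All permissions, the AzureIP cloud app is the first-party service principal whose display name is 'Microsoft Azure Information Protection' (list your tenant's service principals to confirm the name), and $BreakGlassUpn is a hypothetical emergency-access account. The policies are created in report-only state so you can check the sign-in logs before enforcing them.

```powershell
# Added example, not part of the original post. Creates two conditional access
# policies targeting the Azure Information Protection cloud app.
# Assumptions: Microsoft.Graph module; Policy.ReadWrite.ConditionalAccess and
# Application.Read.All permissions; AIP service principal display name as below;
# $BreakGlassUpn is a hypothetical account name, replace it with your own.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

$BreakGlassUpn = 'breakglass@contoso.onmicrosoft.com'   # hypothetical emergency-access account

# Resolve the AIP cloud app instead of hard-coding an application ID. The display
# name is an assumption; check with Get-MgServicePrincipal if nothing is returned.
$aipSp = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Azure Information Protection'"
if (-not $aipSp) { throw 'AIP service principal not found; list service principals and adjust the filter.' }

# Resolve the excluded account. Excluding at least one account keeps the admin
# portals reachable if the policy misfires, because the same policies apply there.
$breakGlass = Get-MgUser -UserId $BreakGlassUpn

function New-AipCaPolicyBody {
    # Builds the Graph request body for one policy. All users are in scope except the
    # excluded account; the grant controls are combined with OR (any one of them satisfies).
    param(
        [Parameter(Mandatory)] [string]   $DisplayName,
        [Parameter(Mandatory)] [string[]] $BuiltInControls,
        [Parameter(Mandatory)] [string]   $AppId,
        [Parameter(Mandatory)] [string]   $ExcludedUserId,
        # Report-only first; switch to 'enabled' once the sign-in logs look right.
        [string] $State = 'enabledForReportingButNotEnforced'
    )
    return @{
        displayName = $DisplayName
        state       = $State
        conditions  = @{
            users          = @{ includeUsers = @('All'); excludeUsers = @($ExcludedUserId) }
            applications   = @{ includeApplications = @($AppId) }
            clientAppTypes = @('all')
        }
        grantControls = @{
            operator        = 'OR'
            builtInControls = $BuiltInControls
        }
    }
}

# Policy 1 (figure 1 in the post): require multi-factor authentication for AIP.
$mfaBody = New-AipCaPolicyBody -DisplayName 'AIP - require MFA' `
    -BuiltInControls @('mfa') -AppId $aipSp.AppId -ExcludedUserId $breakGlass.Id
New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaBody | Out-Null

# Policy 2 (figure 2 in the post): require a compliant or hybrid Azure AD joined device.
$deviceBody = New-AipCaPolicyBody -DisplayName 'AIP - require trusted device' `
    -BuiltInControls @('compliantDevice', 'domainJoinedDevice') -AppId $aipSp.AppId -ExcludedUserId $breakGlass.Id
New-MgIdentityConditionalAccessPolicy -BodyParameter $deviceBody | Out-Null

# Verify what was created and in which state.
Get-MgIdentityConditionalAccessPolicy -Filter "startswith(displayName,'AIP - ')" |
    Select-Object DisplayName, State
```

Run it as an administrator who is not covered by the policy, review the sign-in logs under report-only for a few days, then change the state to 'enabled'. Keep the excluded account as a true break-glass account with its credentials stored offline; without an exclusion, a misconfigured device policy locks the admins out of the portals as well.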

In action

Once configured, it takes a couple of minutes before the AzureIP client starts to honour the conditional access policies. In the examples below I tried to sign in to AzureIP when (figure 1) multi-factor authentication was required and (figure 2) my device was not trusted.

[Image: challenge]

Figure 1 – MFA when using AzureIP

[Image: CA_AIP_4]

Figure 2 – My device is not trusted, so I cannot access AzureIP

Do be careful! These conditional access policies also apply when you access the admin portal, which makes sense: the portal authenticates against the same cloud app. So if you encounter these kinds of errors:

[Image: AIP Admin portal]

Error in the AzureIP admin portal after enabling conditional access

Then you know where to look…

Nice stuff!

Much more information than in this blog 🙂 can be found here: https://cloudblogs.microsoft.com/enterprisemobility/2017/10/17/conditional-access-policies-for-azure-information-protection/

Posted by Albert Hoitingh

I'm an Office 365 business consultant/architect. My focus is on Office 365, information management, security and governance. I'm honored to be a Microsoft MVP. I like to present and share information, most recently @ SharePoint Saturday London, Cambridge and Lisbon.
