Conditional access for Azure Information Protection

Another piece in the puzzle. That’s what struck me when I first saw AzureIP being protected by conditional access policies at Ignite last September. And this piece allows you to manage how your users can access AzureIP labelled and protected content.

Start from the top

Let’s say I would try to open a document from an unmanaged device. And this document is labelled and protected by Azure Information Protection. Normally, this will not be a problem. The document is opened and AzureIP will check your credentials and permissions on the document. It will enforce these permissions and the document is presented to me.

But let’s assume that we want to add some more protective measures. For instance, we do not want AzureIP protected content to be opened from an unsafe location or an unmanaged device. Or, more basic, we want to verify the identities of our users by using multi-factor authentication. That’s where conditional access steps in.

Conditional access

Azure AD conditional access allows you to set conditions for users trying to connect to specific platforms. Using an authenticator app on your mobile device when accessing your e-mail (multi-factor authentication) is one example of this.

Conditional access has two main components: the condition and the action. The condition is based on either the sign-in risk, device/platform, location or even the client app of your users.

[Image: CA_AIP_5.png – the conditions of a conditional access policy]

Based on this condition, you can enforce your controls.

[Image: CA_AIP_6 – the access controls of a conditional access policy]

And AzureIP is now part of the cloud apps you can configure for conditional access. When set up correctly, you can disallow the use of AzureIP if the device is not domain-joined (for example).

[Image: CA_Policy_AIP]
Azure AD portal – CA blade
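The same policy built in the portal above, as an added example that is not part of the original post: it is created with the Microsoft Graph PowerShell SDK instead of the CA blade. It assumes the Microsoft.Graph module is installed, that you can consent to the Policy.ReadWrite.ConditionalAccess permission, and that you replace the two placeholder GUIDs (the AzureIP app id shown in the Cloud apps picker of the CA blade, and the object id of your break-glass admin group) with values from your own tenant.

```powershell
# Added example, not code from the original post.
# Creates a conditional access policy targeting the AzureIP cloud app:
# outside trusted locations the user must pass MFA OR use a domain-joined device.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholders: copy both ids from your own tenant.
$aipAppId          = "<APP-ID-OF-MICROSOFT-AZURE-INFORMATION-PROTECTION>"
$breakGlassGroupId = "<OBJECT-ID-OF-BREAK-GLASS-ADMIN-GROUP>"

$policy = @{
    displayName = "AIP - require MFA or domain-joined device outside trusted locations"
    # Report-only first: sign-ins are evaluated and written to the sign-in logs,
    # but nothing is blocked yet. Switch to "enabled" once the logs show no
    # unexpected lock-outs (the AzureIP admin portal is hit by the same policy).
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)   # emergency accounts stay out of every CA policy
        }
        applications = @{
            includeApplications = @($aipAppId)     # the AzureIP cloud app
        }
        clientAppTypes = @("all")
        locations = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")      # named locations you marked as trusted
        }
    }
    grantControls = @{
        operator        = "OR"                     # either control satisfies the policy
        builtInControls = @("mfa", "domainJoinedDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Change `operator` to `"AND"` if you want both MFA and a domain-joined device, or swap the controls for `@("block")` to get the behaviour from figure 2 below for every device. Keep the policy in report-only mode for a few days and review the sign-in logs before enabling it, so you see the admin-portal effect described further down before it locks you out.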

In action

When configured and after a couple of minutes, the AzureIP client will start to notice the conditional access policies. In the examples below I tried to log in to AzureIP when (figure 1) multi-factor authentication was required and (figure 2) my device was not trusted.

[Image: challenge]
Figure 1 – MFA when using AzureIP
[Image: CA_AIP_4]
Figure 2 – My device is not trusted, so I cannot access AzureIP

Do be careful! These conditional access policies also work when accessing the admin portal. Which makes sense. But if you encounter these kinds of errors:

[Image: AIP Admin portal]
Error with the AzureIP admin portal after enabling CA

Then you know where to look…

Nice stuff!

Much more information than in this blog 🙂 can be found here: https://cloudblogs.microsoft.com/enterprisemobility/2017/10/17/conditional-access-policies-for-azure-information-protection/
