Office 365 Conditional Access

• Overview
• Prerequisites
• Configuring Conditional Access Policy
• Creating the policy on the Azure Portal
• Applying the policy on MDM
• Removing Conditional Access Policy
• Stopping the policy on MDM
• Disabling the policy on the Azure portal

Overview

Office 365 Conditional Access Policy lets you ensure only Windows 10 devices enrolled with MDM can access Office 365 (and/or other apps that require Microsoft Azure sign in), while restricting access to unenrolled devices. You can do this by creating a device-based Conditional Access policy on the Azure portal.

Granting access is restricted to Windows 10 devices, whereas all other device types can be blocked if required.

Prerequisites

• Azure Active Directory must be integrated with MDM.

Configure Conditional Access Policy

Configuring the Conditional Access policy consists of two steps:

• Creating the policy on the Azure Portal
• Applying the policy on MDM

Creating the Conditional Access policy on the Azure Portal

• Login to Azure Portal with your account credentials and navigate to Azure Active Directory -> Security -> Conditional Access.
• Click on +New Policy to create the Conditional Access policy.
• Having provided a policy name, select Users and Groups present under Assignments.
• Here, identify and choose the users and/or groups that this Conditional Access policy applies to.
• Click on Done.

Test the policy against a smaller group of users to make sure it works as expected.

• Under Assignments, select Cloud apps or actions.
• Here, select Office 365 (includes these apps), and/or identify other apps or services you want to protect using this Conditional Access policy.
• Click on Done.
• Under Assignments, select Conditions.
• Click on Device Platforms and identify the platforms you want this Conditional Access policy to apply to.
• Click on Done.
  NOTE: Microsoft Azure permits third-party MDM solutions to grant access only to enrolled Windows 10 devices, while blocking all other device platforms.
• Under Access controls, select Grant.
• Configure the action to be taken based on the conditions you have set. Select Grant access and ensure Require device to be marked as compliant is checked.
• Under Enable policy, select On and click on Create.

Right after enabling the Conditional Access policy on Azure, the selected users and groups cannot access Office 365 and other app(s) selected in the policy.

Applying the policy on MDM

• On the MDM console, navigate to Device Mgmt -> Office 365 (under Conditional Access).
• If you haven't already integrated your Azure Active Directory, click on Integrate.
• Now, click on Apply Policy option present in the Access Policy view. 

In the Device Details view, all enrolled Windows 10 devices will be marked compliant and users can login to their Azure accounts and access Office 365 (and/or other apps included while creating the policy), using these devices.

Unenrolled devices will be marked Non-compliant and users cannot log in to Azure using such devices.

NOTE: For the Office 365 Conditional Access Policy to function in a streamlined and efficient manner, it is recommended to enroll Windows 10 devices using Windows Azure Autopilot enrollment.

Removing Conditional Access Policy

Removing the Conditional Access policy consists of two steps:

• Stopping the policy on MDM
• Disabling the policy on the Azure portal

Stopping the policy on MDM

• On the MDM console, navigate to Device Mgmt -> Office 365 (under Conditional Access).
• In the Access Policy view of the Office 365 Conditional Access policy, click on Stop Policy.

After stopping the policy, MDM will not grant access to devices enrolled henceforth.  The devices to which you have already applied the policy will continue accessing Office 365 (and/or other apps included while creating the policy), if they are enrolled with MDM. Essentially, stopping the policy does not have an effect on devices to which you have already applied the Conditional Access policy.

In order to completely remove the policy, follow the steps mentioned in the next section.

Disabling the policy on the Azure portal

To entirely remove the policy, even from all the devices to which the policy has already been applied, you must disable the Conditional Access policy on the Azure portal. Follow these steps.

• Login to Azure Portal with your account credentials and navigate to Azure Active Directory -> Security -> Conditional Access.
• Now, find and select the policy that you want to remove from Azure.
• Under Enable policy, select Off and click on Save.

This will ensure the policy gets completely removed and all the previously selected users and groups will be able to access Office 365, and other apps included while creating the Conditional Access policy.