Companies are rapidly adopting cloud services and mobile workspaces, changing the way employees interact with company apps and data from both company-owned and personal devices. Whether in a large business or an SMB, users in every organization are becoming more productive than ever before thanks to cloud technologies. However, this results in more complex requirements: IT teams need more sophisticated policies to protect organizational data while providing flexibility, mobility and productivity across the workforce, regardless of whether a user is on a BYO or corporate-owned device, or is running an internal app or a third-party SaaS application. Conditional Access provides a set of access policies and configurations that regulate how users and devices access the organization's services and data sources.
Previously, Conditional Access was only available through Azure Active Directory Premium and Enterprise Mobility + Security, which are part of the Microsoft 365 Enterprise E3 and E5 licenses. When Microsoft 365 Business was launched, it was meant to provide the productivity and security features of Microsoft 365 Enterprise at a price affordable to SMBs. However, Conditional Access had been missing from Microsoft 365 Business.
Responding to feedback from both partners and end customers that Conditional Access would help them secure SMB customers more comprehensively, Microsoft announced on 12 June 2019 the availability of Conditional Access in M365 Business. Conditional Access enables Zero Trust security, helping organizations grant access while maintaining control over where, when and who is connecting to their Office 365 environment; this protects company assets while also enabling employees to be productive from anywhere without compromising security practices.
How does Conditional Access work with Azure Multi-Factor Authentication?
Microsoft 365 Business includes advanced Azure MFA capabilities that organizations can configure together with Conditional Access policies to gain additional assurance that sign-ins are being performed by the account's owner. Policies you might consider to strengthen your organization's posture against malicious activity include the following:
- Users should only be on a trusted network and location.
- Registering security information should only be allowed for users with a low sign-in risk (using sign-in risk as a Conditional Access condition requires Azure AD Identity Protection, an Azure AD Premium P2 feature).
- Users can only manage their registrations through a managed corporate device.
To help your customers enable Conditional Access together with MFA in their M365 Business subscriptions, see the QuickStart guide listed under Resources below.
What features are included under Conditional Access in Microsoft 365 Business?
The set of policies and configurations available to M365 Business subscribers is the same as that available with Azure Active Directory Premium P1 licenses. The highlights of the configurable Conditional Access policies for M365 Business subscribers are:
- By location – only allow access from trusted network IP ranges, or specify which countries can have access
- By app type – browser, desktop/mobile apps using modern authentication, and legacy authentication clients (which cannot satisfy an MFA prompt and are therefore usually blocked outright)
- Require MFA
- Require a compliant or domain-joined device
- Require apps that use Intune app protection policies
How do you enable Conditional Access for your organization?
The IT team of every organization can improve the experience of its workforce without compromising security practices by enabling Conditional Access policies and configurations. Partners can advise their M365 Business customers to enable Conditional Access under the Azure Active Directory settings in the Azure portal. As a first step, advise your customers to deploy Conditional Access in phases:
- Apply each policy first to a single test user, or at most a small pilot group, and verify that it behaves as expected before widening its scope.
- Apply a policy to "All users" only when necessary, and only after it has been validated on the pilot group.
- Create a dedicated emergency-access (break-glass) account for policy administration and exclude it from every policy you plan to deploy. This ensures you still have access and can update a policy if a change is required, for example when a misconfigured policy locks other administrators out.
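The following script is an added example, not code from this post or from Microsoft, and it uses the Microsoft Graph REST representation of a policy rather than the Azure portal UI described above. It builds two of the policy types listed earlier (require MFA outside trusted locations; block legacy-authentication clients) and runs a preflight check that enforces the phased rollout just described: a pilot group as the target, report-only state until validated, and the break-glass account excluded. The group and user object IDs are constructed placeholders; `submit()` needs a bearer token carrying the `Policy.ReadWrite.ConditionalAccess` permission and is not called during the offline run.

```python
"""Build and preflight Azure AD Conditional Access policies for Microsoft Graph
(POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies).

Added example, not code from the rhipe post or from Microsoft. Object IDs are
constructed placeholders; replace them with IDs from your own tenant.
"""
import json
import urllib.request

GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Constructed placeholder object IDs (assumed, not real tenant values).
PILOT_GROUP_ID = "11111111-1111-1111-1111-111111111111"
BREAK_GLASS_USER_ID = "ffffffff-ffff-ffff-ffff-ffffffffffff"

# Graph policy states: "enabled", "disabled", "enabledForReportingButNotEnforced".
REPORT_ONLY = "enabledForReportingButNotEnforced"


def _users(include_groups, exclude_users, include_all=False):
    """Assignment block: pilot groups in, break-glass accounts always out."""
    users = {"includeGroups": list(include_groups), "excludeUsers": list(exclude_users)}
    if include_all:
        users["includeUsers"] = ["All"]
    return users


def mfa_outside_trusted_locations(include_groups, exclude_users, state=REPORT_ONLY, include_all=False):
    """'By location' + 'Require MFA': modern-auth sign-ins to every cloud app must
    pass MFA unless they come from a trusted named location."""
    return {
        "displayName": "CA01 - Require MFA outside trusted locations",
        "state": state,
        "conditions": {
            "users": _users(include_groups, exclude_users, include_all),
            "applications": {"includeApplications": ["All"]},
            # Modern-auth clients only; legacy protocols cannot complete an MFA prompt.
            "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
            "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def block_legacy_auth(include_groups, exclude_users, state=REPORT_ONLY, include_all=False):
    """'By app type': block legacy-authentication clients, which bypass MFA entirely."""
    return {
        "displayName": "CA02 - Block legacy authentication",
        "state": state,
        "conditions": {
            "users": _users(include_groups, exclude_users, include_all),
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def preflight(policy, break_glass_ids):
    """Return a list of rollout problems; an empty list means the policy is safe to submit."""
    problems = []
    users = policy["conditions"]["users"]
    excluded = set(users.get("excludeUsers", []))
    for account in break_glass_ids:
        if account not in excluded:
            problems.append(f"break-glass account {account} is not excluded")
    targets_all = "All" in users.get("includeUsers", [])
    if targets_all and policy["state"] == "enabled":
        problems.append("targets All users while enforced; validate in report-only mode first")
    if not targets_all and not users.get("includeGroups") and not users.get("includeUsers"):
        problems.append("policy has no target users or groups")
    return problems


def submit(policy, access_token):
    """POST the policy to Graph using a token with Policy.ReadWrite.ConditionalAccess."""
    req = urllib.request.Request(
        GRAPH_CA_POLICIES,
        data=json.dumps(policy).encode("utf-8"),
        method="POST",
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for policy in (mfa_outside_trusted_locations([PILOT_GROUP_ID], [BREAK_GLASS_USER_ID]),
                   block_legacy_auth([PILOT_GROUP_ID], [BREAK_GLASS_USER_ID])):
        print(policy["displayName"], "->", preflight(policy, [BREAK_GLASS_USER_ID]) or "ok")
        print(json.dumps(policy, indent=2))
```

Run the preflight against every policy before changing its state from report-only to enabled; the check that the break-glass account is excluded is the one that keeps an admin from being locked out by their own policy.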
For more guidance on planning the deployment of your Conditional Access settings across the organization, see the Conditional Access documentation listed under Resources below.
Does that mean I get the same benefits as AAD P1 users?
Although Conditional Access is now accessible to M365 Business customers, that does not mean AAD P1 is included in the M365 Business subscription; only the AAD P1 features most relevant to SMBs are included, such as:
- Self-service password reset for hybrid Azure AD accounts
- Azure Multi-factor Authentication
- Conditional Access
To find out more about the features available in AAD Premium P1, see Microsoft's Azure AD Premium P1 documentation.
What products give you Conditional Access?
Conditional Access is included with the following Microsoft products available through the CSP program:
- Microsoft 365 Business
- Microsoft 365 Enterprise E3
- Microsoft 365 Enterprise E5
- Azure AD Premium P1
- Azure AD Premium P2
- Enterprise Mobility + Security E3
- Enterprise Mobility + Security E5
In today's mobile-first world, where the threat landscape is increasingly complex and sophisticated, it is important for you as a Partner to help your customers build protection at the front door. Grow your business and become your customers' trusted advisor by helping them adopt security best practices through your advisory, deployment and managed services today.
Keep organization’s data secured while staying productive!
Resources Available for Conditional Access:
- Conditional Access Documentation: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/index
- QuickStart Guide: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/app-based-mfa
- Conditional access is now part of Microsoft 365 Business announcement: https://techcommunity.microsoft.com/t5/Microsoft-365-Business-Blog/Conditional-Access-is-now-part-of-Microsoft-365-Business/ba-p/684063
This blog is brought to you by rhipe's Partner Enablement Specialist Paul Dilag.