Modern mobile reality

Now more than ever, people are connected. With smartphones, tablets, laptops, and PCs, people have an increasing number of options for getting and staying connected at any time. Users expect the freedom to access their corporate email and documents from anywhere on any device—and they expect the experience to be seamless and modern. IT, on the other hand, needs to make sure that corporate data is secure while enabling users to stay productive in today’s mobile-first world, where the threat landscape is increasingly complex and sophisticated.

Why conditional access from Microsoft Enterprise Mobility + Security?

Conditional access provides the control and protection you need to keep your corporate data secure, while giving your people an experience that allows them to do their best work from any device. With Enterprise Mobility + Security, you can define policies that provide contextual controls at the user, location, device, and app levels. You can allow or block access or challenge users with Multi-Factor Authentication, device enrollment, or password change. Plus, our machine learning-based identity protection, which leverages billions of signals daily, can detect suspicious behavior and apply risk-based conditional access that protects your applications and critical company data in real time.

With conditional access by Enterprise Mobility + Security, you get the control you need to ensure your corporate data is secure, while your people roam freely between apps and devices, accessing your data in the cloud and on‑premises.

The evolution of access control blog post

Path to modernizing Windows management

Scenarios

Test drive conditional access through the scenarios below

Application

User/Location

Device

Risk

Giovanni is traveling for business and needs access to corporate apps and data in order to keep his projects on track while he’s away from the office. Luckily he is able to log on and easily get single sign-on (SSO) access to various corporate cloud and on‑premises apps right on his phone.

Today he needs to complete a task in the Salesforce app. Because of the sensitive data in this app, IT has set a policy that requires all users to confirm their identity with Microsoft Azure Multi-Factor Authentication (MFA) before opening it.

When accessing the app, Giovanni is quickly guided through the simple MFA process. Upon completion, the app opens—and he can go about business as usual.

Giovanni is traveling for business and needs access to corporate apps and data in order to keep his projects on track while he’s away from the office. Luckily he is able to log on and easily get single sign-on (SSO) access to various corporate cloud and on‑premises apps right on his phone.

Today he needs to complete a task in the Salesforce app. Because of the sensitive data in this app, IT has set a policy that requires all users to confirm their identity with Microsoft Azure Multi-Factor Authentication (MFA) before opening it.

When accessing the app, Giovanni is quickly guided through the simple MFA process. Upon completion, the app opens—and he can go about business as usual.

Applied Control

Enforce MFA

IT has set a policy that enforces MFA anytime this app is accessed. Once a user successfully completes the MFA process, he or she will be granted access to the app.

Administrators can choose which policies to apply to which apps, based on the sensitivity of the data accessed. Policies can apply to any cloud (software-as-a-service model) or on‑premises apps that are protected by Azure Active Directory.

Learn more:

Azure Active Directory Conditional Access

Getting started with conditional access to Azure AD

Protect Windows devices with multi-factor authentication

Restrict Access to SharePoint Online with Microsoft Intune

Julia needs to include sales projections in her presentation, so she opens a custom on‑premises application to pull them. Because of the sensitivity of the data within this app, IT has set a policy that blocks access from untrusted locations for most groups, including marketing.

Julia on the marketing team is working from a coffee shop today, outside of the corporate network. She’s trying to finalize a presentation and needs to access corporate data in order to do so.

Julia will need to wait until she is on the corporate network to access this information.

Julia needs to include sales projections in her presentation, so she opens a custom on‑premises application to pull them. Because of the sensitivity of the data within this app, IT has set a policy that blocks access from untrusted locations for most groups, including marketing.

Julia on the marketing team is working from a coffee shop today, outside of the corporate network. She’s trying to finalize a presentation and needs to access corporate data in order to do so.

Julia will need to wait until she is on the corporate network to access this information.

Applied Control

Block

Since this app provides access to highly sensitive data, IT has applied a location-based conditional access policy that blocks users who are working from an untrusted location. Marketing is one of several security groups to which this policy applies.

Administrators can set policies that apply to all users or multiple security groups, as well as exclude groups from policies.

Learn more:

Technical reference: conditional access to Azure AD apps

Getting started with conditional access to Azure AD

Vlad is running late and needs to prepare for an important meeting during his commute to the office. Thankfully, his colleague emailed him the pre-read materials as an attachment that he can access from his phone.

Upon clicking the attachment, he realizes that it is located on Microsoft OneDrive for Business. However, IT has set a policy that blocks unmanaged devices from accessing files there.

Vlad is quickly guided through the device enrollment process. Upon completion, he is able to open the attachment and prepare for his meeting.

Vlad is running late and needs to prepare for an important meeting during his commute to the office. Thankfully, his colleague emailed him the pre-read materials as an attachment that he can access from his phone.

Upon clicking the attachment, he realizes that it is located on Microsoft OneDrive for Business. However, IT has set a policy that blocks unmanaged devices from accessing files there.

Vlad is quickly guided through the device enrollment process. Upon completion, he is able to open the attachment and prepare for his meeting.

Applied Control

Enroll

IT has applied a policy that blocks unmanaged devices from accessing and opening files stored on OneDrive for Business. Devices need to be enrolled first, before the location can be accessed.

Administrators can set policies that enforce device compliance requirements prior to accessing company resources. These can include settings for device enrollment, domain join, and passwords and encryption, as well as a number of device health factors.

Learn more:

Securing access to Office 365 and other apps connected to Azure Active Directory

Protect Windows devices with multi-factor authentication

Getting started with Azure Multi-Factor Authentication in the cloud

Restrict access to SharePoint Online with Microsoft Intune

An unidentified hacker has phished an employee’s username and password. He intends to use them to gain access to corporate data, hiding his location by signing in through the Tor Browser.

The hacker’s malicious sign-in attempt triggers a risk-based conditional access policy, which has been applied to all apps in the organization.

When the unusual activity is detected, the sign-in risk score is rated as high for this event, and the activity is blocked.

An unidentified hacker has phished an employee’s username and password. He intends to use them to gain access to corporate data, hiding his location by signing in through the Tor Browser.

The hacker’s malicious sign-in attempt triggers a risk-based conditional access policy, which has been applied to all apps in the organization.

When the unusual activity is detected, the sign-in risk score is rated as high for this event, and the activity is blocked.

Applied Control

Block

With Azure Active Directory Identity Protection enabled, the risk level is calculated for every user and every sign-in attempt.

Risk-based conditional access policies can be applied to all apps protected by Azure Active Directory. Administrators can set policies that trigger specific controls based on various levels of risk. Actions can include block, enforce MFA, or password reset for the user.

Learn more:

Azure Active Directory Identity Protection

Types of Risk Events Detected by Azure Active Directory Identity Protection

Protected applications

Enterprise Mobility + Security conditional access protects all the applications you need in any cloud or on‑premises environment. The advanced access rules can benefit thousands of pre-integrated or user-added SaaS applications hosted in any cloud, along with custom apps that you build. Enterprise Mobility + Security can also protect mobile and web apps hosted on‑premises, eliminating the need to use VPN or other legacy web access management solutions. Beyond conditional access, Enterprise Mobility + Security can detect shadow IT and protect apps and data after user logon, based on behavioral analysis and suspicious patterns detection. All these applications are connected with Azure Active Directory in various ways.

Learn more:

Enlightened Section Clouds Enlightened Section Image

Protected applications

Enterprise Mobility + Security conditional access protects all the applications you need in any cloud or on‑premises environment. The advanced access rules can benefit thousands of pre-integrated or user-added SaaS applications hosted in any cloud, along with custom apps that you build. Enterprise Mobility + Security can also protect mobile and web apps hosted on‑premises, eliminating the need to use VPN or other legacy web access management solutions. Beyond conditional access, Enterprise Mobility + Security can detect shadow IT and protect apps and data after user logon, based on behavioral analysis and suspicious patterns detection. All these applications are connected with Azure Active Directory in various ways.

Enlightened Section Clouds Enlightened Section Image

Learn more: