Microsoft Enables Device-Based Azure AD Conditional Access
In addition to requiring multifactor authentication or that a user log in from a corporate network, now administrators can restrict access to apps based on the devices used by employees.

Microsoft has added a new capability to the Conditional Access feature in Azure Active Directory (AD) Premium, the policy engine that allows administrators to deny their users access to business applications and other resources unless they meet certain requirements. Last month, the company rolled out two new policies, per-app multifactor authentication (MFA) and network location. If switched on, the former requires that users employ multifactor authentication to log into their apps, while the new network location policy can be used to block access to sensitive business applications if users stray from their corporate networks. This week, Microsoft added new device-based rules, announced Alex Simons, Microsoft Identity Division's director of program management. "These policies help you stay in control of your organization's data by restricting access to enterprise managed devices," stated Simons in an Aug. 10 announcement. "Policies can be applied on a per-application basis to require that devices be managed by your company and be correctly configured. The new capability supports iOS, Android, Windows 10 Anniversary Update, Windows 7 and Windows 8.1."
The new device-based rules apply to all browser and mobile applications that integrate with Azure AD, noted Simons. Naturally, that means Microsoft's own cloud software ecosystem, including Office 365, but also several third-party apps like Salesforce and on-premises applications that are linked via Azure AD Application Proxy, he added.