Microsoft Enables Device-Based Azure AD Conditional Access

In addition to requiring multifactor authentication or that a user log in from a corporate network, now administrators can restrict access to apps based on the devices used by employees.


Microsoft has added a new capability to the Conditional Access feature in Azure Active Directory (AD) Premium, the policy engine that allows administrators to deny their users access to business applications and other resources unless they meet certain requirements.

Last month, the company rolled out two new policies, per-app multifactor authentication (MFA) and network location. If switched on, the former requires that users employ multifactor authentication to log into their apps while the new network location policy can be used to block access to sensitive business applications if users stray from their corporate networks.

This week, Microsoft added new device-based rules, announced Alex Simons, Microsoft Identity Division's director of program management.

"These policies help you stay in control of your organization's data by restricting access to enterprise managed devices," stated Simons in an Aug. 10 announcement. "Policies can be applied on a per-application basis to require that devices be managed by your company and be correctly configured. The new capability supports iOS, Android, Windows 10 Anniversary Update, Windows 7 and Windows 8.1."

The new device-based rules apply to all browser and mobile applications that integrate with Azure AD, noted Simons. Naturally, that means Microsoft's own cloud software ecosystem, including Office 365, but also several third-party apps like Salesforce and on-premises applications that are linked via Azure AD Application Proxy, he added.
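To make the decision logic concrete, the following is an added example (not Microsoft's code and not a description of the Azure AD internals) that models the three per-app policy types the article names, MFA, network location and managed device, as a small deny-by-default evaluator. The policy and sign-in records, the corporate address ranges and the rule that a device on an unsupported platform cannot satisfy a managed-device requirement are all assumptions made for this illustration.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed corporate address ranges (assumption for this example; RFC 5737
# documentation space is used so nothing here points at a real network).
CORP_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("203.0.113.0/24")]

# Platforms the article lists for the device-based rules.
SUPPORTED_PLATFORMS = {"ios", "android", "windows10", "windows7", "windows8.1"}


@dataclass(frozen=True)
class Device:
    platform: str     # e.g. "ios", "android", "windows10"
    managed: bool     # enrolled with the company's device management
    compliant: bool   # meets the configured baseline (PIN, encryption, ...)


@dataclass(frozen=True)
class SignIn:
    user: str
    app: str
    client_ip: str
    mfa_completed: bool
    device: Device


@dataclass(frozen=True)
class Policy:
    """One per-app rule; a given app may carry several of these."""
    app: str
    require_mfa: bool = False
    require_corp_network: bool = False
    require_managed_device: bool = False


def on_corp_network(ip: str) -> bool:
    """True when the client address falls inside a configured corporate range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_NETWORKS)


def evaluate(sign_in: SignIn, policies: List[Policy]) -> Tuple[str, List[str]]:
    """Return ("grant", []) or ("deny", [unmet requirements]).

    Every policy bound to the requested app must be satisfied; one unmet
    requirement is enough to deny. Apps with no policy are granted, which
    mirrors a policy engine that only restricts what an admin has scoped.
    """
    unmet: List[str] = []
    for p in policies:
        if p.app != sign_in.app:
            continue
        if p.require_mfa and not sign_in.mfa_completed:
            unmet.append("mfa")
        if p.require_corp_network and not on_corp_network(sign_in.client_ip):
            unmet.append("corp_network")
        if p.require_managed_device:
            d = sign_in.device
            if d.platform not in SUPPORTED_PLATFORMS:
                # Assumption: a platform the feature cannot assess never
                # proves management, so the requirement stays unmet.
                unmet.append("unsupported_platform")
            elif not (d.managed and d.compliant):
                unmet.append("managed_compliant_device")
    return ("deny" if unmet else "grant", sorted(set(unmet)))


# Constructed sample policies: a SaaS app needs MFA plus a managed, compliant
# device; an internal portal needs MFA and a corporate network address.
POLICIES = [
    Policy("salesforce", require_mfa=True, require_managed_device=True),
    Policy("hr-portal", require_corp_network=True),
    Policy("hr-portal", require_mfa=True),
]

# Constructed sample sign-ins covering the main outcomes.
SAMPLES = {
    "alice_sf_ok": SignIn("alice", "salesforce", "198.51.100.7", True,
                          Device("ios", True, True)),
    "bob_sf_byod": SignIn("bob", "salesforce", "198.51.100.8", True,
                          Device("android", False, False)),
    "carol_hr_remote": SignIn("carol", "hr-portal", "198.51.100.9", False,
                              Device("windows10", True, True)),
    "dave_hr_office": SignIn("dave", "hr-portal", "10.1.2.3", True,
                             Device("windows7", True, True)),
    "erin_wiki": SignIn("erin", "wiki", "198.51.100.10", False,
                        Device("macos", False, False)),
}


def run_samples() -> Dict[str, Tuple[str, List[str]]]:
    """Evaluate each sample sign-in against the policy set."""
    return {name: evaluate(s, POLICIES) for name, s in SAMPLES.items()}


if __name__ == "__main__":
    for name, (decision, reasons) in run_samples().items():
        print(f"{name:16s} {decision:5s} {','.join(reasons)}")
```

The `unmet` list is what a defender would want surfaced in sign-in logs: a denial that names the missing control (for instance `managed_compliant_device` for an unenrolled phone) tells the help desk what to fix and lets a SOC spot repeated attempts from devices that never meet the baseline.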

Although Azure AD is commonly used to provide identity and authentication services to enterprises and their users, the technology has also been spreading into the consumer cloud application realm.

Microsoft is enlisting the technology to help cloud app developers quickly deploy, manage and secure their own consumer-facing login systems, allowing them to concentrate their efforts on growing and improving their apps. In July, the company announced the general availability of Azure Active Directory B2C. The business-to-consumer (B2C) service allows users to log in with their existing social profiles. Developers can also require users to create accounts specific to their apps.

"It is completely customizable, integrating invisibly and seamlessly into your apps. If you have multiple apps, you can enable single sign-on for them all," said Swaroop Krishnamurthy, a Microsoft Azure Active Directory senior program manager, in a July 27 announcement. "In addition, Azure AD B2C makes it simple for consumers to manage their own accounts with self-service journeys such as sign-up, profile management and password reset."

In terms of scale, Azure Active Directory B2C cloud tenants can handle hundreds of millions of user profiles, claims Microsoft. It offers support for both the OpenID Connect and OAuth 2.0 authentication protocols.

Azure AD B2C is currently available in North America, free of charge. In early 2017, Microsoft plans to start charging for the service at a rate of $0.0011 per user and $0.0028 per authentication to start (the first 50,000 stored users and authentications per month will remain free). Multifactor authentication is priced at 3 cents per authentication.

Pedro Hernandez

Pedro Hernandez is a contributor to eWEEK and the IT Business Edge Network, the network for technology professionals. Previously, he served as a managing editor for the network of...