One of the benefits of being on Microsoft’s Azure Active Directory (AAD) platform is the ability to take advantage of advanced configuration options for ensuring that accounts stay secure. One of the key ways to do this in AAD is to enable conditional access so that there are additional requirements and restrictions based on where the user is logging in from. In this walkthrough, I’ll show you how to configure AAD so users who are in the office can login with just username and password but are required to use multi-factor authentication (MFA) when they’re not in the office.
Getting Conditional Access
The first step is enabling conditional access in your tenant.
1. Go to the AAD admin portal (aad.portal.azure.com). The Azure Active Directory admin center dashboard will appear.
2. On the left side of the page under Favorites, click Azure Active Directory. The Azure Active Directory overview page will appear.
3. On the left side of the page under Overview and Quick Start is a list of groups, such as Manage, Security, and Activity. Scroll down to the Security group, then click Conditional access. The Conditional access page will open. If you don’t have an active subscription with access to this advanced feature, you’ll see a screen that looks something like figure 1.
Figure 1: The Conditional Access Page
4. Click Get a free Premium trial to use this feature. You’ll be presented with a choice between an Enterprise Mobility and Security license (E5) and an Azure AD Premium 2 (P2) license trial. Click Free trial to select the license that best matches your needs. After you’ve asked for a free trial, it may be some time before your trial is activated and you are able to get into conditional access. Unfortunately, you’ll have to be patient.
Figure 2: The Free Trial Options
Setting Up Locations
The next step is to establish a trusted location. Once Azure Active Directory Premium is enabled, the Conditional access page will become the Conditional access – Policies page.
1. On the Conditional access – Policies page, on the left side of the screen under Manage, click Named locations. The Named locations pane will appear.
Figure 3: The Policies Pane
2. At the top of the Named locations pane, click + New Location. On the left side of the page, the New pane will appear.
3. In the Name field, type a name that corresponds to the office location you’re creating. In this example, we’ll use the name Office.
4. Under Define the location using, click the Mark as trusted location checkbox.
5. Under IP ranges, enter the IP address ranges of the IP addresses indicating that the user is in the office. Type /# to indicate the subnet mask. /32 indicates a single IP address.
Figure 4: The Configured New Location
6. When you’re done, click the Create button to create the location. The new location will be listed in the Named locations pane.
Creating the Conditional Access Policy
With the location created, you can make a policy that excludes trusted locations and requires multifactor authentication.
1. On the left side of the page, click Polices. You’ll be returned to the Conditional access – policies page.
2. At the top of the Policies pane, click + New Policy. On the left side of the page, the New pane will appear.
Figure 5: The New Pane for Policies
3. Under Name, type a name for the policy. In this example, we’ll use the name MFA External.
4. If you want to limit the policy to only apply to a set of users or groups, in the Assignments section, click Users and groups. The Users and groups pane will appear.
5. Under Include, click the Select users and groups option.
6. Under Select users and groups, click Select. The Select Users and groups pane will appear.
7. Select the groups to apply the policy to. It’s recommended that you limit your policy to groups to ensure that you don’t accidentally lock yourself out.
8. When you’re done, at the bottom of the Select Users and groups pane, click Select. The selected users and groups will appear in the Users and Groups pane.
Figure 6: The Configured Users and Groups Pane
9. At the bottom of the Users and groups pane, click Done.
10. In the New pane, under Assignments, click Cloud apps. The Cloud apps pane will appear.
11. In the Include tab, select All cloud apps.
Figure 7: The Configured Cloud Apps Pane
12. At the bottom of the Cloud apps pane, click Done.
13. In the New pane, under Assignments, click Conditions. The Conditions pane will appear.
14. Under Info, click Locations. The Locations pane will appear.
15. Under Configure, click Yes. You can now make changes to the Locations pane.
16. Click the Exclude tab. This will allow you to exclude certain locations from the policy.
17. Under Select the locations to exempt from the policy, click the All trusted locations option.
Figure 8: The Configured Locations
18. At the bottom of the Locations pane, click Done.
19. At the bottom of the Conditions pane, click Done.
20. Finally, we need to require MFA for these users. In the New pane in the Access controls section, click Grant. The Grant pane will appear.
21. Under the Grant access option, click the Require multi-factor authentication checkbox.
22. At the bottom of the Grant pane, click Select.
23. To enable the policy, at the bottom of the New pane under Enable policy, click On.
24. At the bottom of the New pane, click the Create button. The policy will be created and you’ll be returned to the Conditional access – Policies page. The new policy will be visible in the policy listing.
Testing the Policy
With the policy in place, you can test it by logging out and logging back into your cloud apps – and the connected client applications. If you have Office 365 client applications or Office 2016 client applications, they’ll transparently support the modern authentication required for MFA to work. Older clients will require registry changes.
Additionally, your tenant may require that a setting is changed for Skype for Business to work correctly. This, in turn, requires that you have the Skype for Business Online PowerShell module, which is available at http://go.microsoft.com/fwlink/?LinkId=294688.
The command to be run is Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed – this will enable modern authentication for Skype for Business. It may take 15 minutes for that change to take effect.