Increase productivity and protection by connecting devices to AAD and configuring Device-based Conditional Access Policy

The number of users working from home (WFH) has increased in response to the COVID-19 (coronavirus) outbreak, and we need to make sure that identities and the information they can reach remain protected by connecting devices to Azure AD and configuring a device-based Conditional Access policy.

Previously I shared an article answering the question Do I really need to connect my device to Azure AD?! In this article we will discuss how to configure device-based Conditional Access policies.

When configuring a device-based Conditional Access policy, a customer falls into one of the following scenarios:

Scenario #1: Cloud customers with no Azure AD Premium license or Intune license.

To configure device-based Conditional Access, cloud customers need both an Azure AD Premium license and an Intune license. Cloud customers who do not have both licenses can enable Azure Active Directory Premium free for one month and sign up for a Microsoft Intune free trial for 30 days.

After enabling the tenant for both Azure AD Premium and Microsoft Intune, cloud customers have both licenses and can continue with scenario #3 in this article.

Scenario #2: Cloud customers with Azure AD Premium license but no Intune license.

Cloud customers who have an Azure AD Premium license can configure simple Conditional Access policies, but they cannot make use of a device-based Conditional Access policy: the Require compliant device control will always fail for their users, because compliance state is evaluated and reported by Intune, Microsoft's MDM solution, and none of their devices are managed by it.

Cloud customers who have an Azure AD Premium license but not an Intune license can sign up for a Microsoft Intune free trial for 30 days.

After enabling the tenant for Microsoft Intune, cloud customers have both Azure AD Premium and Intune licenses and can continue with scenario #3 in this article.

Scenario #3: Cloud customers with Azure AD Premium and Intune licenses

Cloud users who have an Intune license can connect their devices to Azure AD as Azure AD joined for corporate devices (CYOD) or as Azure AD registered for personal devices (BYOD). They can also have their devices enrolled in Intune automatically once the devices are connected to Azure AD.

In this scenario, IT professionals can protect identities and their information by allowing access to Office 365 services and applications from compliant devices only. A device is never marked compliant until it meets the device compliance policies assigned to it, so an unmanaged device, or a managed device that has drifted out of compliance, is denied access rather than allowed through. More information about device compliance policies can be found in the article Set rules on devices to allow access to resources in your organization using Intune.

To configure a Conditional Access policy that requires compliant devices, see the article Conditional Access: Require compliant devices.
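As an added example that is not part of the original article, the following Microsoft Graph PowerShell script carries scenario #3 through end to end: it creates a Windows 10 compliance policy in Intune, then a Conditional Access policy that allows Office 365 only from devices Intune has marked compliant. The policy is created in report-only mode with an emergency-access account excluded, which is the check a practitioner wants before enforcing a control that can lock everyone out. The group and user IDs are placeholders, the OS build number is an arbitrary choice, and the exact body shape of the compliance policy (in particular the scheduledActionsForRule block) is an assumption to confirm against the Graph API reference before running in a production tenant.

```powershell
# Added example (not from the original article): build the scenario #3 controls
# with the Microsoft Graph PowerShell SDK.
# Assumptions: the Microsoft.Graph module is installed, the signed-in admin can
# consent to the scopes below, and the IDs marked as placeholders are replaced.

Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.DeviceManagement

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess',
                        'Policy.Read.All',
                        'DeviceManagementConfiguration.ReadWrite.All'

# Placeholder object IDs (assumed; replace with your tenant's values).
$pilotGroupId     = '00000000-0000-0000-0000-000000000001'  # users in scope of the pilot
$breakGlassUserId = '00000000-0000-0000-0000-000000000002'  # emergency-access account

# 1. Intune compliance policy: the minimum a Windows 10 device must meet before
#    Intune reports it as compliant. A device failing any rule is marked
#    non-compliant with no grace period (gracePeriodHours = 0). The rule/action
#    block shape is assumed from common Graph usage; verify it for your tenant.
$compliance = @{
    '@odata.type'         = '#microsoft.graph.windows10CompliancePolicy'
    displayName           = 'Windows 10 baseline compliance'
    description           = 'Password, BitLocker, Secure Boot and a minimum OS build'
    passwordRequired      = $true
    passwordMinimumLength = 8
    bitLockerEnabled      = $true
    secureBootEnabled     = $true
    osMinimumVersion      = '10.0.18363'     # arbitrary example build
    scheduledActionsForRule = @(
        @{
            ruleName = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{
                    actionType                = 'block'
                    gracePeriodHours          = 0
                    notificationTemplateId    = ''
                    notificationMessageCCList = @()
                }
            )
        }
    )
}
$compliancePolicy = New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $compliance

# 2. Conditional Access policy: Office 365 is reachable only from devices Intune
#    has marked compliant. It starts in report-only mode so the sign-in logs show
#    who WOULD be blocked before anyone actually is, and the break-glass account
#    is excluded so a compliance-service outage cannot lock the admins out.
$caPolicy = @{
    displayName = 'Require compliant device for Office 365 (pilot)'
    state       = 'enabledForReportingButNotEnforced'   # change to 'enabled' after review
    conditions  = @{
        users = @{
            includeGroups = @($pilotGroupId)
            excludeUsers  = @($breakGlassUserId)
        }
        applications   = @{ includeApplications = @('Office365') }  # the Office 365 suite
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('compliantDevice')
    }
}
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $caPolicy

# 3. Read both objects back and confirm the CA policy is not yet enforced.
Get-MgDeviceManagementDeviceCompliancePolicy -DeviceCompliancePolicyId $compliancePolicy.Id |
    Select-Object DisplayName, LastModifiedDateTime
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id |
    Select-Object DisplayName, State
```

Two things the script deliberately leaves to a later step: the compliance policy still has to be assigned to the pilot group before devices are evaluated against it, and the Conditional Access policy should only be switched from report-only to enabled after the report-only results in the sign-in logs have been reviewed for the pilot users.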

Continue reading more scenarios on my blog: https://azureera.com/configuring-device-based-conditional-access-policy/


Gavin A.

IAM Strategy Owner @ Maersk

4 years

Yes! The alternative that is just to say "well anything that connects from our internal IP ranges is safe" is making some pretty gigantic assumptions to put it mildly and also doesn't help when your trusted devices are outside those subnets, as they very likely will be to some extent (especially now).


More articles by Mohammad Zmaili
