Conditional Access Azure AD Microsoft

Microsoft’s Conditional Access for Azure AD first surfaced in July. Since then, a preview has come to iOS, Android, and Windows, and it’s now generally available on those devices.

Azure AD Conditional Access essentially gives admins a lot more control. They can deny user logins based on MFA, device health, location, and detected risk. This makes it easier to keep corporate and user data safe.

Conditional Access Features and Applications

According to Alex Simmons, Director of Program Management at Microsoft, CA covers every application that authenticates with Azure AD.

You can expect it to work with the following applications:

  • Azure and Microsoft CRM
  • Office 365
  • Every app in the gallery, including: ServiceNow,, Concur
  • On premises apps published via the Azure AD Application proxy
  • LOB apps registered with Azure AD

Enrolling devices in the policies varies depending on the OS. Windows domain joined devices register automatically. However, iOS and Android devices register when enrolled into Microsoft Intune.

According to a previous blog post by Simmons, policies make use of the following requirements:

Domain joined devices: You can set a policy to restrict access to devices that are joined to an on-premises Active Directory domain and are also registered with Azure AD. This policy applies to Windows desktops, laptops or enterprise tablets that belong to an on-premises Active Directory domain which have registered with Azure AD.

Compliant devices: You can set a policy to restrict access to devices that are marked compliant in the directory by the management system. This policy ensures that only devices that meet security policies such as enforcing file encryption on a device are allowed access.”

Microsoft is currently working on adding the Azure management portal and Office 365 portal to the service. The work is ongoing and “shouldn’t take too long to complete.”

Users can start with CA today by going to the configure tab in the Azure Management Portal. There you’ll see a “device based access rules” toggle.

You can read more about the capabilities here.