Conditional Access in #AzureAD in the new Azure portal

December 16, 2016 Chris Spanougakis 1 comment

We all want to keep our employees happy while enabling them to be productive. As we know, productivity and security are two different topics and they rarely go together. If you have started using Azure AD, you should know that it is now possible to create policies and rules so that you can protect your company’s valuable information while in the cloud.

So let’s see how it works.

You have to log in to the new Azure portal, navigate to Azure Active Directory and click on the Conditional Access tab:


Then, you have to click on the “Add” button to create a new policy:


A Conditional Access policy is simply a statement about When the policy should apply (called Conditions), and What the action or requirement should be (called Controls).

Conditions (When the policy should apply)

Conditions are the things about a login that don’t change during the login, and are used to decide which policies should apply. Azure AD supports the following Conditions:

  1. Users/Groups are the users/groups in the directory that the policy applies to.
  2. Cloud apps are the services the user accesses that you want to secure.
  3. Client app is the software the user is employing to access the cloud app.
  4. Device platform is the platform the user is signing in from.
  5. Location is the IP-address based location the user is signing in from.
  6. Sign-in risk is the likelihood that the sign-in is coming from someone other than the user.

For example, you could create a condition related to the device that the user will use to log on:


Take a look at the documentation here to find out more about conditions:

Controls (What the action or requirement should be)

Controls are the additional enforcements put in place by the policy (such as a “do a multi-factor authentication” challenge) that will be inserted into the login flow. Azure AD supports the following controls:

  1. Block access
  2. Multi-factor authentication
  3. Compliant device
  4. Domain Join

You can select individual controls or all of them. More details about the controls can be found here:
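To make the Conditions/Controls split concrete, here is a simplified model of how the conditions pick the policies that apply to a sign-in and how the controls of those policies are then enforced. This is an added example, not code from the original post and not Azure AD's own evaluation engine. The class, field and policy names are hypothetical, and it assumes every control selected in a matching policy is required and that a block control overrides the others.

```python
from dataclasses import dataclass

ANY = None  # an unconfigured condition matches every sign-in

@dataclass
class SignIn:                      # attributes fixed for the whole login
    user: str
    groups: set
    cloud_app: str
    client_app: str
    platform: str
    location: str                  # named location derived from the source IP
    risk: str                      # "low", "medium" or "high"

@dataclass
class Policy:
    name: str
    controls: set                  # block, mfa, compliant_device, domain_join
    users_groups: set = ANY
    cloud_apps: set = ANY
    client_apps: set = ANY
    platforms: set = ANY
    locations: set = ANY
    risk_levels: set = ANY

    def applies_to(self, s):
        # Conditions: every configured condition must match the sign-in.
        checks = [(self.users_groups, {s.user} | s.groups),
                  (self.cloud_apps, {s.cloud_app}),
                  (self.client_apps, {s.client_app}),
                  (self.platforms, {s.platform}),
                  (self.locations, {s.location}),
                  (self.risk_levels, {s.risk})]
        return all(cond is ANY or bool(cond & seen) for cond, seen in checks)

def evaluate(sign_in, policies):
    """Return (decision, matched policy names, controls to enforce)."""
    matched = [p for p in policies if p.applies_to(sign_in)]
    names = [p.name for p in matched]
    required = set().union(*(p.controls for p in matched))
    if "block" in required:        # assumption: block overrides other controls
        return "block", names, set()
    return ("challenge" if required else "allow"), names, required

# Constructed sample policies (hypothetical names and values).
POLICIES = [
    Policy("mfa-finance-offsite", {"mfa"}, cloud_apps={"finance-app"},
           locations={"untrusted"}),
    Policy("compliant-mobile", {"compliant_device"}, platforms={"ios", "android"}),
    Policy("block-high-risk", {"block"}, users_groups={"all-staff"},
           risk_levels={"high"}),
]
```

Running `evaluate` against a few constructed sign-ins before enabling a real policy is a quick way to spot overlaps, such as a broad block policy that would also catch administrators.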

If you’re familiar with Intune, you can clearly see that this new admin experience unifies conditional access workloads across Intune and Azure AD.

If you are an Intune customer using the existing browser-based console or the Configuration Manager console, or an Azure AD customer using the classic Azure portal, you can now preview the new Conditional Access policy interface in the Azure portal.


Thanks for your time!
