Device-based policies for Azure AD Conditional Access available in preview

Kit McDonald

A preview of device-based policies for Azure AD Conditional Access was announced today on the Enterprise Mobility and Security Blog. Device-based policies make it possible to restrict access to enterprise-managed devices and to tailor the requirements to your organization's needs. This is particularly useful for keeping out unknown devices and devices that do not meet your security policies, since a valid username and password alone is no longer enough to reach the application.

As detailed in the Azure Active Directory conditional access documentation, you select the criteria a device must meet before it is granted access to the application.

Policies can be set based on the following requirements:

  • Domain joined devices – You can set a policy to restrict access to devices that are joined to an on-premises Active Directory domain and are also registered with Azure AD. This policy applies to Windows desktops, laptops or enterprise tablets that belong to an on-premises Active Directory domain and have registered with Azure AD. Note that domain join alone is not enough: a device that is domain joined but not registered with Azure AD does not satisfy the policy. For more information on how to set up automatic registration of domain joined devices with Azure AD, see How to set up automatic registration of Windows domain joined devices with Azure Active Directory.
  • Compliant devices – You can set a policy to restrict access to devices that are marked compliant in the directory by the management system. This policy ensures that only devices that meet security policies such as enforcing file encryption on a device are allowed access.

To test out these new policies, go to the Azure Management Portal and select the application you want to protect. Configuring the app is as simple as switching the Enable Access Rules button on. More importantly, it works with every application that authenticates with Azure AD, such as Office 365, Azure, Microsoft CRM and the other apps available in the directory.

Of course, for the devices to participate they need to be registered with Azure AD in one of the following ways:

  1. Windows domain joined devices (in on-premises Active Directory) can be easily registered with Azure AD in an automatic manner. This includes both Windows 10 and down-level Windows devices.
  2. iOS and Android devices are registered with Azure AD when they get enrolled into Microsoft Intune, our MDM service.
  3. Windows 10 Azure AD joined devices are registered upon join to Azure AD.
  4. Windows 10 personal devices (BYOD) are registered when the work account is added to Windows.
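Before enabling a device-based policy it is worth confirming which of the registration paths above a given Windows 10 machine has actually completed, because a domain-joined device that never registered with Azure AD will be blocked. The following PowerShell script is an added example, not code from the original post or from Microsoft: it runs the built-in `dsregcmd /status` tool, parses its `Name : Value` lines, and maps the `AzureAdJoined`, `DomainJoined` and `WorkplaceJoined` flags to the registration paths listed above. It assumes `dsregcmd.exe` is present (Windows 10 Anniversary Update or later; it does not exist on Windows 7 or 8.1) and that the tool reports those three field names; the mapping from flag combinations to registration paths is this example's own reading of the output, not something the post states.

```powershell
# Added example (not from the original post): classify how this Windows 10
# device is registered with Azure AD by parsing the output of dsregcmd /status.
# Assumptions: dsregcmd.exe exists (Windows 10 Anniversary Update or later; it
# is not available on Windows 7/8.1), and its output contains the fields
# AzureAdJoined, DomainJoined and WorkplaceJoined as "Name : YES|NO" lines.

function Get-DsregStatus {
    # Parse every "   Name : Value" line into a hashtable; banner lines and
    # blank lines do not match the pattern and are ignored.
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*(\w+)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Get-AzureAdRegistrationState {
    param([hashtable]$Status = (Get-DsregStatus))

    $azureAdJoined   = $Status['AzureAdJoined']   -eq 'YES'
    $domainJoined    = $Status['DomainJoined']    -eq 'YES'
    $workplaceJoined = $Status['WorkplaceJoined'] -eq 'YES'

    # Mapping of flag combinations to the registration paths in the post.
    # This mapping is an assumption of the example, not taken from the post.
    if ($azureAdJoined -and $domainJoined) {
        return 'Domain joined and registered with Azure AD (automatic registration)'
    }
    if ($azureAdJoined) {
        return 'Azure AD joined'
    }
    if ($workplaceJoined) {
        return 'Registered through a work account (BYOD / Workplace Join)'
    }
    if ($domainJoined) {
        # Domain join without Azure AD registration: a "domain joined devices"
        # access rule will deny this device.
        return 'Domain joined only, NOT registered with Azure AD (device-based policy will block it)'
    }
    return 'Not registered with Azure AD'
}

# Run it and show the raw flags next to the derived state.
$state = Get-DsregStatus
[pscustomobject]@{
    DeviceId          = $state['DeviceId']
    AzureAdJoined     = $state['AzureAdJoined']
    DomainJoined      = $state['DomainJoined']
    WorkplaceJoined   = $state['WorkplaceJoined']
    RegistrationState = Get-AzureAdRegistrationState -Status $state
} | Format-List
```

Run it in a normal (non-elevated) PowerShell session on the device being checked; `WorkplaceJoined` is reported for the logged-on user, so run it as the user whose work account was added. The script only covers the Windows paths; compliance of iOS and Android devices enrolled in Intune is recorded by the management system in the directory and is not visible from the device this way.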

The policies support iOS, Android, Windows 10 Anniversary Update, Windows 7, and Windows 8.1 devices. Learn more about conditional access for Azure AD on its documentation page.