The control capabilities in Azure AD conditional access offer simple ways to help secure resources in the cloud and on premises. Conditional access policies can help protect against the risk of stolen and phished credentials. In addition to requiring credentials, you might have a policy that only devices that are enrolled in a mobile device management system like Microsoft Intune can access your organization’s services.

Azure AD conditional access is a feature of Azure Active Directory Premium. Each user who accesses an application that has conditional access policies applied must have an Azure AD Premium license.

With conditional access control in place, Azure AD checks for the specific conditions you set for a user to access an application. After access requirements are met, the user is authenticated and can access the application.

Conditions

• Group membership: Control a user’s access based on group membership.
• Location: Use the location of the user to trigger multi-factor authentication, and use block controls when a user is not on a trusted network.
• Device platform: Use the device platform (iOS, Android, Windows versions) as a condition for applying policy.
• Device-enabled: Device state (enabled or disabled) is validated during device policy evaluation. If you disable a lost or stolen device in the directory, it can no longer satisfy policy requirements.
• Sign-in and user risk: Use Azure AD Identity Protection for conditional access risk policies. Conditional access risk policies give advance protection based on risk events and unusual sign-in activities.

Controls

• Multi-factor authentication: You can require strong authentication through multi-factor authentication. You can use multi-factor authentication with Azure Multi-Factor Authentication or by using an on-premises multi-factor authentication provider, combined with ADFS. Using multi-factor authentication helps protect resources from being accessed by an unauthorized user who might have gained access to the credentials of a valid user.
• Block: You can apply conditions like user location to block user access. For example, you can block access when a user is not on a trusted network.
• Compliant devices: You can set conditional access policies at the device level. You might set up a policy so that only computers that are domain-joined or mobile devices that are enrolled in a mobile device management application, can access your organization’s resources.

Applications

You can enforce a conditional access policy at the application level. Set access levels for applications and services in the cloud or on-premises. The policy is applied directly to the website or service.

Device-based conditional access

You can restrict access to applications from devices that are registered with Azure AD. Device-based conditional access protects an organization’s resources from users who attempt to access the resources from:

• Unknown or unmanaged devices.
• Devices that don’t meet the security policies your organization set up.

You can set policies based on the following requirements:

• Domain-joined devices: Set a policy to restrict access to devices that are joined to an on-premises AD domain and that also are registered with Azure AD.
• Compliant devices: Set a policy to restrict access to devices that are marked compliant in the management system directory. This policy ensures that only devices that meet security policies such as enforcing file encryption on a device are allowed access. You can use this policy to restrict access from the following devices:

Windows domain joined devices. Managed by System Center Configuration Manager deployed in a hybrid mode.

Windows 10 Mobile work or personal devices. Managed by Intune or by a supported third party mobile device management system.

iOS and Android devices. Managed by Intune.

Users who access applications that are protected by a device based, certification authority policy must access the application from a device that meets this policy’s requirements.