Working at risual, we do a lot of work in Azure, and one of the things we deal with is Conditional Access (CA). A business can use Conditional Access to determine whether a user or device is permitted to access their tenant. Azure is continuously evolving, and Microsoft will regularly make changes to make things easier to find.
Just recently, I’ve been working on Conditional Access for a client, and several controls have either been deprecated, taken out of preview, or changed their names or functions. The following three changes that all administrators should be aware of, as it has occasionally caught me flatfooted.
Device State: Deprecation
When we set up a CA policy, we can set up a condition that the device must be compliant or that they have been hybrid Azure AD joined. There used to be two checkboxes in the “Device State” condition, but this feature has been deprecated.
We now have a condition called “Filter for Devices” to provide the same functionality. The filter also has a greater granularity, which gives us more control of the devices, much the same way as the filter for Dynamic Rules Group.
For example, the following filter will control access to the Microsoft Azure Management blade from any unmanaged or non-compliant devices, based on the Access Control.
device.trustType -eq “ServerAD” -or device.isCompliant -eq True
Continuous Access Elevation (CAE): Out of Preview
When clients access their tenant through Exchange or SharePoint, they are issued an OAuth2 access token. Said token is valid for an hour, after which the client is redirected to refresh the token.
Microsoft has implemented CAE for tokens to provide a near-instant change of certain policies and apps following critical events.
In using the Sesson control, we now can disable the CAE for either all users or specific groups.
Resilience Defaults: Out of Preview
It doesn’t happen often, but authentication can have outages. The Azure Active Directory (Azure AD) Backup Authentication Service which will refresh all access tokens for all existing sessions. It will not permit authentication for new sessions or for guest accounts.
As part of the Sesson control in the policies, we can now disable the Resilience Default. This prevents that policy being evaluated thus denying access during the outage.
In summary, the deprecation of one control and the other two out of preview; that means that our conditional policies can be more granular and therefore more effective.
