Conditional Access Insights and Reporting

Conditional Access Schematic

One of the most desirable Conditional Access policy controls is to grant access to cloud applications only if the Windows 10 device is Hybrid Azure AD joined.

Ensuring that all Windows 10 devices are Hybrid Azure AD joined can be quite tricky. It is not as simple as enabling Hybrid Azure AD join in the Azure AD Connect wizard and synchronising an organisational unit that contains all of the Windows 10 machines.

The Windows 10 devices must also be able to communicate with the Microsoft Office 365 and Intune endpoints.

Report-only mode for Azure AD Conditional Access policies has been available for some time. However, demonstrating and analysing the impact of enabling a new policy was quite difficult when the only sources were the activity for that policy in the Azure AD sign-in logs or a CSV export of the policy activity.

Microsoft has released Conditional Access Insights and Reporting; the overview and setup guide is available HERE. Power BI can also connect to the Log Analytics workspace to create custom dashboards if required.

The following is what reviewing a conditional access policy in report-only mode now looks like. In this example the report-only policy would block devices from signing in unless they are Hybrid Azure AD joined.

The impact summary is simple to read and break down.

The next page summarises user sign-in details and which users would be impacted most by enabling the policy, allowing IT administrators to take action and get those users and devices compliant before the policy is enforced.
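As an added example (it is not part of the original post), the same impact breakdown can be queried directly from the Log Analytics workspace that Conditional Access Insights and Power BI read; the policy display name is an assumption and must be replaced with your own.

```kql
// Added example, not from the original post: summarise what a report-only
// "require Hybrid Azure AD joined device" policy would have done, straight
// from the SigninLogs table that the Insights workbook reads.
// Assumption: the policy is named as below; change it to match your tenant.
let policyName = "Require Hybrid Azure AD Join - report only";
SigninLogs
| where TimeGenerated > ago(14d)
// one row per (sign-in, policy) so the policy array can be filtered
| mv-expand Policy = ConditionalAccessPolicies
| where tostring(Policy.displayName) == policyName
| extend Result = tostring(Policy.result)
// report-only outcomes: reportOnlySuccess, reportOnlyFailure,
// reportOnlyNotApplied, reportOnlyInterrupted
| where Result startswith "reportOnly"
| extend TrustType = tostring(DeviceDetail.trustType),
         OS        = tostring(DeviceDetail.operatingSystem),
         Device    = tostring(DeviceDetail.displayName)
// unregistered devices carry no trust type; label them so they stand out,
// as these are the sign-ins that would be blocked once the policy is enforced
| extend TrustType = iff(isempty(TrustType), "not registered", TrustType)
| summarize SignIns     = count(),
            Users       = dcount(UserPrincipalName),
            Devices     = dcount(Device),
            SampleUsers = make_set(UserPrincipalName, 5)
    by Result, TrustType, OS, AppDisplayName
| order by Result asc, SignIns desc
```

Rows with Result == "reportOnlyFailure" and TrustType other than "Hybrid Azure AD joined" are the users and devices to remediate before switching the policy from report-only to on.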

Block sending of messages based on real-time content inspection in SaaS with Cloud App Security

This post demonstrates how to integrate Facebook Workplace with Azure AD, enable single sign-on, and apply CASB protection to keywords that users post in a Facebook Workplace site.

The process is the same for any SaaS application, and this post demonstrates the power of CASB integration with SaaS applications. For example, when CASB protects SaaS applications such as Gmail, Salesforce and ServiceNow, it can block keywords in real time, inspect files for the sensitive information types defined by an organisation, and integrate with Azure Information Protection.

There is a Microsoft tutorial on how to integrate Azure AD with Facebook Workplace, but I found the guide difficult to follow.

So I will try to structure this post around blocking a keyword from being posted to Facebook Workplace.

  1. Sign up for a Facebook Workplace account and sign in. Then click on the admin panel, then Security and Authentication settings.
  2. Click on Add new SSO Provider.
  3. After you click on the link displayed above, scroll down and copy the Audience URL, which is the unique identifier.
  4. Next, open a new tab in the browser, go to Azure Active Directory, Enterprise Applications, and add Facebook Workplace from the gallery.
  5. Add the users or security group that will have access to this published application within Azure AD.
  6. Create a conditional access policy and do the following:
    Select Facebook Workplace as the app.
    Select the users in scope for testing.
    Select session control and select the settings displayed in the image below.
    There is obviously a lot more protection that can be applied with this conditional access policy, such as location conditions, Hybrid Azure AD joined machines, etc. For the purpose of this blog we are simply demonstrating the interaction between CASB and conditional access session policies.
  7. As I always use Chrome until Edge Chromium is GA, the next step is to open a new tab, install the My Apps Secure Sign-in Extension for Chrome and sign in with the credentials you are signed into the Azure Portal with.
  8. Within Azure AD, select Facebook Workplace, select Single sign-on and select SAML.
  9. Edit the basic SAML configuration and paste in the following URLs:
    A: Identifier (Entity ID): the Audience URL captured in step 3
    B: Reply URL (Assertion Consumer Service URL):
    C: Sign-on URL:
  10. Exit the SAML basic configuration, move to step 5 in the SAML configuration and click on ‘Setup WorkPlace by Facebook’.
  11. When we click on ‘Setup WorkPlace by Facebook’, the browser redirects the session to the Facebook Workplace authentication settings; click on the ‘Single Sign On (SSO)’ button.
  12. Wait a few seconds and the Chrome extension from step 7 will display the following screen, which automatically populates the Azure SAML configuration into Facebook Workplace.
  13. The next pop-up asks the admin to test SSO and then save the changes.
  14. The next window redirects the Facebook Workplace login URL through CASB.
  15. Click Close on the next page.
  16. Next, a really important step: go back to the Facebook Workplace tab and select Save changes.
  17. The next step is to create the Cloud App Security policy to block a keyword using this template: Block sending of messages based on real-time content inspection.
  18. The activities in the policy are displayed below.
  19. The content inspection configuration of the policy uses contoso as the keyword.
  20. The action is to block and notify the user with the organisation’s terms and conditions for usage of cloud apps, or a custom response.
  21. Finally, Facebook Workplace will be available in the portal for the users in scope.

Final note: SaaS applications that support SCIM are much easier to on-board into Azure Active Directory and CASB. I hope this blog post shows how easy it is to on-board SaaS apps into Azure AD and CASB.


Hybrid Azure AD Joined Devices

Anyone familiar with conditional access will have noticed this access control in Conditional Access policies. So what does it mean, how can I enable it, and is it a good feature?

This is not merely a good feature, it is an excellent feature. The best way to describe this control requirement is as follows: DO NOT GRANT access unless the machine is DOMAIN JOINED. Many enterprise companies have corporate Wi-Fi rolled out and only permit access to it via credentials and a machine certificate issued by the local certificate authority.

Azure AD Connect keeps getting better and better, and Microsoft has made it very easy to enable this feature. The following screenshots will demonstrate how easy it is.

Modify the configuration of Azure AD Connect and select ‘Configure Device Options’.

Enter Azure AD credentials.

Note: only select the second option, ‘Supported Windows downlevel domain-joined devices’, if you are using Azure AD Seamless Single Sign-On, which provides the functionality to support Windows 7 and above.

Then enter on-premises enterprise admin credentials as per the image below.

Download and run the PowerShell script that Azure AD Connect has prepared (shown in the image above), using on-premises enterprise admin credentials.

The next step is to follow this Microsoft article to enable auto-enrollment of Windows devices.

Now that we have enabled device auto-enrollment into Intune, what are the benefits?

  • Intune device management: Intune can manage 5 devices per user licence
  • Conditional Access policy control: Hybrid Azure AD joined objects
  • Intune BitLocker management
  • Azure AD dynamic device groups, a useful method for managing global or large enterprise organisations
  • Windows 10 security baselines
  • Intune integration with Windows Defender ATP

These are just a small number of the benefits; I am open to comments on more.

Update: 24.05.2019

Follow THIS Microsoft guide to block downloading from SharePoint Online on non-domain-joined devices.