Create app-based Conditional Access policies and how they work

I've written about app protection policies and how to create one for iOS/iPadOS. In this blog, I'll explain how we can add Conditional Access so that organization data can only be reached from apps covered by an App Protection policy, and users are blocked from accessing it through apps that aren't.


Conditional Access is an Azure AD capability that can be combined with many other features; in our case we combine it with app protection policies, though there are many other use cases. Let's see how it works for ours. Adding Conditional Access on top of the App Protection policy helps the organization secure the organizational data that lives on employees' devices. The best part is that it works for both managed and unmanaged devices: managed devices are enrolled in Intune, while unmanaged devices are not enrolled in Intune but still access organization data through the listed applications.

As a prerequisite, we need either EMS (Enterprise Mobility and Security) or an Azure AD Premium subscription.
The apps that support app-based Conditional Access are listed in this Link; line-of-business applications that use Microsoft modern authentication are also supported.

How to create an app-based Conditional Access policy

Before you create an app-based Conditional Access policy, make sure you have an Intune App Protection policy applied to the apps. How to create one is covered in Create and assign an App protection Policy for iOS/iPadOS (Intune).

Step 1: Sign in to Microsoft Endpoint Manager and navigate to Endpoint security on the left side of the admin center. This opens the Endpoint security overview; tap Conditional access to select it.

This takes you to the Conditional Access page. Tap New Policy to create a new one.

You can also reach Conditional Access from Azure AD: sign in to Azure AD, navigate to Security, which takes you to the next page, and then tap Conditional Access.

Step 2: On this page, provide a name for the Conditional Access policy, then tap Assignments to select the users or groups to which the policy should be assigned. By default this is None; you can assign the policy to all users or to selected users and groups. In this example I will assign the policy to a set of users.

I named the policy App-based CA and, under Assignments, selected the group to which I need to assign the policy. As mentioned, you can assign the policy to everyone by selecting All users. Once a group is chosen from the Select users and groups option, it appears under Select.

You can exclude users who should not be covered by the policy. As a practice, it is recommended to exclude one break-glass account with Global Administrator access from the policy to reduce the risk of locking yourself out.

Note: If a user is both a member of a selected group and on the exclude list, the policy will not apply to that user.

You can use What If to test the impact of Conditional Access on a user signing in under particular conditions.

Step 3: Select Cloud apps or actions to choose the apps the policy applies to. To cover every cloud app, select All cloud apps; otherwise tap Select apps and pick the applications the policy should apply to. In my case I selected the Teams application. Multiple apps can be selected, and you can exclude apps from the policy using the Exclude option.

Step 4: Tap Conditions, select Device platforms, and toggle Configure to Yes. This lets you pick the device platforms the policy is deployed to: tap Select device platforms, tick Android and iOS, and tap Done to add the condition.

Note: MAM policies can only be applied to Android and iOS client platforms. If you select any other platform, you will see a notification about it when you finish creating the Conditional Access policy.

Step 5: Here we grant access to the application according to the selected access controls. Under Access controls select Grant, then select Grant access, since we want to allow users to access organization data through apps covered by the App Protection policy. Tick Require approved client app and Require app protection policy, and under For multiple controls choose Require all the selected controls, then tap Select.

Once this is completed the policy is ready. By default, the Enable policy option is set to Report-only.

Toggle the option to On to enable the policy and tap Create.
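As an added example (not part of the original post), here is the same App-based CA policy from Steps 2 to 5 built with the Microsoft Graph PowerShell SDK instead of the portal. The group and break-glass object IDs are placeholders, and the policy is created in Report-only first so its effect can be reviewed before switching it to On.

```powershell
# Added example: create the "App-based CA" policy (Steps 2-5) via Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph modules are installed; $GroupId and $BreakGlassUserId are
# placeholders to replace with your own object IDs.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

$GroupId          = "<object-id-of-pilot-group>"         # placeholder: the group chosen in Step 2
$BreakGlassUserId = "<object-id-of-break-glass-account>" # placeholder: excluded so admins are not locked out

# Resolve the Teams app ID from the tenant's service principal rather than hard-coding it (Step 3).
$teams = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Teams'" -Top 1
if (-not $teams) { throw "Microsoft Teams service principal not found in this tenant." }

$policy = @{
    displayName = "App-based CA"
    # Report-only first (the default described in Step 5); set to "enabled" once sign-in logs look right.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @($GroupId)
            excludeUsers  = @($BreakGlassUserId)   # an excluded user is never in scope, even if in the group
        }
        applications = @{ includeApplications = @($teams.AppId) }
        platforms    = @{ includePlatforms = @("android", "iOS") }   # Step 4: MAM covers Android and iOS only
    }
    grantControls = @{                                               # Step 5
        operator        = "AND"                                      # "Require all the selected controls"
        builtInControls = @(
            "approvedApplication",   # Require approved client app
            "compliantApplication"   # Require app protection policy
        )
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```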

How app-based Conditional Access works

Now let's see how app-based Conditional Access works. In this example we applied an App Protection policy to the Microsoft Teams application and added a Conditional Access rule that puts the Teams app on the approved list of apps allowed to access organization data.

This diagram represents how the request flows when a user signs in to an application that is protected by a Conditional Access policy.

The workflow is explained using the Teams application, with each step numbered.

Step 1: The user signs in to the Teams application, which initiates an authentication to Azure AD from the Teams app.

Step 2: During this initial authentication to the Teams app, the user is redirected to the App Store or Play Store, depending on the OS, to install a broker app (if the broker app is already on the device, the process detects that). The broker app is needed to register the device in Azure AD so it can fetch the policies and perform the other functions of MAM policies. The broker app is Microsoft Authenticator on iOS and Company Portal on Android.

Step 3: The broker app is installed from the App Store on iOS and from the Play Store on Android devices.

Step 4: The broker app registers the device with Azure AD and creates a device record there. This is necessary so that Conditional Access policies can be enforced on the device.

Step 5: The broker app confirms the Azure AD device ID, the user, and the application. This information is passed to the Azure AD sign-in servers to validate access to the requested service.

Step 6: During user authentication, the broker app sends the app's client ID to Azure AD, which checks whether it is on the list of approved apps.

Step 7: If the app is on the policy's approved list, Azure AD allows the user to authenticate and use the app. If the app does not appear on the list, Azure AD denies access.

Step 8: The Teams app contacts the Teams cloud service to begin communicating with it.

Step 9: The Teams cloud service communicates with Azure AD to retrieve the user's service access token.

Step 10: The Teams app communicates with Teams Online to retrieve chat information.

Step 11: Teams chat messages are received in the Teams app on the user's device.
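As an added example that is not from the original post, this Microsoft Graph PowerShell check reads the Azure AD sign-in logs to confirm what the workflow above produced for the App-based CA policy: whether the device was registered by the broker (Step 4) and whether Azure AD allowed or denied the app (Step 7). It assumes the policy name from Step 2 and that the caller holds the AuditLog.Read.All permission.

```powershell
# Added example: verify the outcome of the app-based CA workflow from the sign-in logs.
# Assumes Microsoft.Graph.Reports is installed; the policy name matches the one created in Step 2.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$PolicyName = "App-based CA"
$Since      = (Get-Date).AddDays(-1).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# Recent Teams sign-ins; every evaluated CA policy is reported in AppliedConditionalAccessPolicies.
$signIns = Get-MgAuditLogSignIn -All `
    -Filter "createdDateTime ge $Since and appDisplayName eq 'Microsoft Teams'"

$rows = foreach ($s in $signIns) {
    $applied = $s.AppliedConditionalAccessPolicies | Where-Object DisplayName -eq $PolicyName
    if (-not $applied) { continue }   # policy not evaluated for this sign-in (e.g. excluded user)
    [pscustomobject]@{
        When         = $s.CreatedDateTime
        User         = $s.UserPrincipalName
        Platform     = $s.DeviceDetail.OperatingSystem
        Registered   = -not [string]::IsNullOrEmpty($s.DeviceDetail.DeviceId)   # Step 4 created a device record
        CaStatus     = $s.ConditionalAccessStatus        # success / failure / notApplied
        PolicyResult = $applied.Result                   # reportOnlyFailure = would have been denied (Step 7)
        Enforced     = ($applied.EnforcedGrantControls -join ",")   # expect approvedApplication,compliantApplication
        ErrorCode    = $s.Status.ErrorCode               # 53003 = blocked by Conditional Access
    }
}

$rows | Sort-Object When -Descending | Format-Table -AutoSize

# Users the policy denied (or would deny while in Report-only): review these before turning the policy On.
$rows | Where-Object { $_.PolicyResult -in 'failure', 'reportOnlyFailure' } |
    Group-Object User | Select-Object Name, Count
```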


In this article, you learned how to use a Conditional Access policy to protect applications managed by a MAM / App Protection policy on devices that are not managed by Intune or any other MDM, and how the sign-in workflow behaves.
