Conditional Access Policies in Intune

**DISCLOSURE: While I am contracted to Microsoft Corporation, I am not an employee. The articles that I write are not meant to represent the company, nor are they meant to represent me as an employee or spokesman for the company. As has always been the case, all articles on this website represent me and nobody else.

IntuneFirst and foremost, I am sorry for the confusion, but I assure you that it is not of my own making. What was once Windows Intune and then became Microsoft Intune is now Microsoft Endpoint Manager. If it confuses you, let’s make it easy… whatever the proper name for it may be, everyone will know what you are talking about if you call it Intune. Oddly enough, a year into the new name, most people will not know what you are talking about if you call it Microsoft Endpoint Manager; fewer will know what you mean if you call it MEM.

Do you remember the good old days when information workers worked in an office on a computer that weighed enough to anchor a small ship? Those days are gone. Even before the Coronapocalypse, people were taking their laptops home, to clients, on airplanes, to coffee shops and working from wherever they wanted to. If you are an information worker, you probably read the first sentence of this paragraph thinking that I was being facetious, calling that the good old days. If you are an IT Professional tasked with maintaining the security for your organization’s network and information, then you know I was serious.

Of course, there are plenty of common sense steps that every remote worker can take to maintain security and data integrity. I have never been afraid that anyone was going to hijack my data (or my WiFi signal) when working at Starbucks… or on an airplane, or even at a sidewalk café in Havana. The problem is that common sense is not very common anymore, and despite all of the warnings that people like you and me have been giving for the past decade, too many people are unwilling to follow the basic steps required to stay safe when they are out and about. We still have to protect them though. You would not look at a child running into traffic and say ‘It’s not my problem if he or she did not listen when they were told not to run into traffic. Likewise, we as IT Professionals still have to protect our end users, even when they refuse to use common sense.

Intune has a functionality called Conditional Access Policies that allow you to control behaviour when outside of a trusted environment. Let’s create a simple CAP to require Multi-Factor Authentication (MFA) when working from outside North America. For the sake of this article, we will include Canada, the United States, and Mexico.

Creating the Named Location

You cannot create a location policy before defining the named location, so we have to do that first.

1) Log in to the Intune portal (https://endpoint.microsoft.com).
2) In the navigation pane, click on Devices. In the Devices | Overview navigation pane, under Policy, click Conditional Access

3) In the Conditional Access | Policies page, click Named locations in the navigation bar.
4) In the Conditional Access | Named locations screen, click +Countries location in the menu along the top.
5) In the New location (Countries) sidebar, enter the name North America in the Name dialog box. We will leave the determination by IP address, although the functionality to determine by GPS is in preview.
6) From the listed countries, select Canada, United States, and Mexico. Click Create.

Your new policy may take a minute or two to appear, but it is done.

Now let’s create the actual policy based on this location.

1) Log in to the Intune portal (https://endpoint.microsoft.com).
2) In the navigation pane, click on Devices. In the Devices | Overview navigation pane, under Policy, click Conditional Access.
3) In the Conditional Access | Policies page, click +New Policy in the menu bar.
4) In the New screen, enter the name ‘External MFA Required’ in the Name dialog box.
5) Under Assignments click 0 users and groups selected. In the sidebar that appears, select the radio button Select users and groups; then click Users and groups below. Click 0 users and groups selected.
6) In the sidebar, select the users or groups you want to apply this CAP to. Once done, click Select.

image

7) Back in the New screen, under Conditions, click 0 conditions selected. In the sidebar that appears, click ‘Not configured for each, and configure them as follows, clicking Done for each one:

User risk: YES (High, Medium)
Sign-in risk: YES (High, Medium)
Device platforms: YES (Android, iOS, Windows, macOS)
Locations: YES (Include Any location, Exclude North America)
Client apps: YES (leave all options checked)
Device state: YES (All device state)

8) On the New screen, click No cloud apps or actions selected. In the sidebar that appears, select the radio button next to All cloud apps.
9) Still on the New screen, under Access controls / Grant click 0 controls selected. Select Grant access, then select the check box Require multi-factor authentication. Under For multiple controls leave the default selected. Click Select.
10) At the bottom of the New screen, switch the option for Enable policy to On.
11) Click Create.

You will now be returned to the Conditional Access | Policies page, where after a few seconds the policy will appear.

At this point, you now have a Conditional Access Policy that will require anyone using their device outside of Canada, the US, and Mexico to use multi-factor authentication to connect to their data. Of course, you can do much more with CAPs, but this is a simple one that should be a good way to get you started.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s