Secure Office 365 Access from Unmanaged devices with Multi-Factor Authentication
Today we live in a gray area: the unregulated and unknown, such as files on cloud storage services and advanced threats targeting users’ email. Data is stored everywhere: on-premises, on PCs, on phones, and in the cloud. In an on-premises environment you have firewalls, gateways and proxies that can perform content inspection. Securing Office 365 access from unmanaged devices with multi-factor authentication is a step forward in ensuring the security of your data stored in Office 365. Microsoft has invested in helping organizations secure data access across a range of devices.
Microsoft provides multiple options to secure Office 365 and Azure application access with multi-factor authentication (MFA). Which MFA option is available for Office 365 and Azure depends on the licenses your organization has:
- MFA for Office 365 provides basic MFA functionality for Office 365 applications only and is managed through the Office 365 admin portal.
- Azure MFA, also referred to as the full version of MFA, provides more advanced functionality and reporting capabilities, including the option to configure trusted IP ranges. Azure MFA can be used to protect both on-premises and cloud applications.
The trusted IP feature of Azure MFA is attractive because it lets you define the corporate IP space from which logins are “trusted”: end users are not prompted for MFA when the authentication request comes from one of those trusted IPs.
Configuring trusted IPs improves the end-user experience, since users inside the trusted IP range are rarely prompted for additional authentication.
Trusted IPs help when the authentication request comes from a corporate office location, but they are of little use to organizations with a remote workforce, such as a sales team that travels to different customer locations. It is also becoming more common for a company to have no corporate network at all.
To secure Office 365 access while keeping the end-user experience pleasant, we can instead use device and user health as the signal: for example, let Azure AD domain-joined devices bypass MFA and enforce MFA only when the authentication request comes from an unmanaged device.
Managed vs. Unmanaged Devices
The devices users connect from are either managed or unmanaged. A managed device is secured by being domain joined or by being enrolled in an MDM solution such as Intune, which gives the organization visibility into what is running on the machine and whether it complies with security and compliance policies. With enrolled managed devices you can apply restrictions to block rooted devices and ensure that Windows machines connecting to your Office 365 services have appropriate security controls in place. Unmanaged devices are usually the users’ personal devices, such as a tablet, home PC, web browser or mobile device, from which they access corporate services and data.
Secure Office 365 Access from Unmanaged devices with MFA
For this blog post we are going to configure a conditional access policy that enforces MFA for unmanaged devices using Azure MFA. The policy requires users on unmanaged devices to be prompted for MFA when they log in to an Office 365 workload. Users on managed/enrolled devices will not be prompted for multi-factor authentication when accessing Office 365 workloads, regardless of their location.
Configuring Azure Conditional Access
To secure Office 365 access from unmanaged devices with MFA, you need to configure a conditional access policy, which requires Azure AD Premium. Follow the steps below to configure the policy.
- Go to the Azure portal and navigate to Azure Active Directory, then choose Conditional Access.
- Click “New Policy” and give it a name, then configure the policy’s assignments. For the pilot, it is recommended to apply the policy to a subset of users unless you are ready to deploy it to everyone in the organization.
- Select the cloud applications the policy will apply to. Microsoft recommends avoiding policies that apply to all users and all apps and then require specific conditions, since such a policy can completely lock you out of Office 365 and Azure.
- For the conditions, I’ve chosen all platforms, all locations and all client apps.
- Once the conditions are set up, the last step is to define the access controls for those conditions. I have set up the policy to grant access if any of the following conditions is met:
  - The user successfully completes the MFA process.
  - The user is logging in from a device marked as compliant, meaning the device is enrolled in Intune and meets the compliance policy set up in Intune.
  - The user is logging in from a domain-joined device.
  - The user is accessing the service from an approved client app. Approved client apps include Intune Managed Browser, Microsoft Power BI, Microsoft Invoicing, Microsoft Launcher, Microsoft AIP, Excel, OneDrive, OneNote, Planner, PowerPoint, SharePoint, StaffHub, Teams, Visio, Skype for Business, Microsoft Kaizala and Outlook.
- Once done, enable the policy and save it. It can take up to 1 hour for the conditional access policy to take effect.
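As an added example (not the post's own code), here is the policy from the steps above expressed in the shape of the Microsoft Graph conditionalAccessPolicy resource, with a simplified local model of how the OR grant controls decide a sign-in and a check for the all-users-plus-all-apps scoping the post warns against. The pilot group id is a placeholder, and evaluate() approximates rather than reproduces Azure AD's evaluation engine.

```python
# Added example, not the post's code: the policy in Microsoft Graph conditionalAccessPolicy shape.
# Sign-in signal satisfying each non-interactive grant control (simplified local model).
_SATISFIED_BY = {
    "compliantDevice": "device_compliant",         # Intune enrolled and compliant
    "domainJoinedDevice": "device_domain_joined",  # Azure AD domain joined
    "approvedApplication": "approved_client_app",  # e.g. Outlook, Teams, OneDrive
}

def build_policy(pilot_group_id, state="enabled"):
    """Post's policy: all platforms/locations/client apps, pilot group, grant if ANY control is met."""
    return {
        "displayName": "Require MFA from unmanaged devices",
        "state": state,
        "conditions": {
            "users": {"includeGroups": [pilot_group_id]},       # placeholder group id
            "applications": {"includeApplications": ["Office365"]},
            "platforms": {"includePlatforms": ["all"]},
            "locations": {"includeLocations": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": ["mfa", "compliantDevice", "domainJoinedDevice", "approvedApplication"],
        },
    }

def evaluate(policy, signin):
    """Outcome for one sign-in dict: 'out_of_scope', 'granted', 'mfa_prompt' or 'blocked'."""
    include = set(policy["conditions"]["users"].get("includeGroups", []))
    if not include & set(signin.get("groups", [])):
        return "out_of_scope"
    controls = policy["grantControls"]["builtInControls"]
    # A satisfied device or app control meets the OR silently, so no prompt is shown (any location).
    if any(signin.get(_SATISFIED_BY[c]) for c in controls if c in _SATISFIED_BY):
        return "granted"
    if "mfa" in controls:
        return "granted" if signin.get("mfa_completed") else "mfa_prompt"
    return "blocked"

def lockout_risks(policy):
    """Flag scoping the post warns against: all users with all apps, or enforcing tenant-wide without a pilot."""
    users, apps = policy["conditions"]["users"], policy["conditions"]["applications"]
    all_users = users.get("includeUsers") == ["All"]
    risks = []
    if all_users and apps["includeApplications"] == ["All"]:
        risks.append("applies to all users and all apps")
    if all_users and policy["state"] == "enabled":
        risks.append("enforced tenant-wide without a pilot group")
    return risks
```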
Test Conditional Access Policy
A simple way to test the conditional access policy is to log in to the Office 365 portal. If you try to log in from an unmanaged device you will be prompted for multi-factor authentication, as shown below.
Also published on Medium.