ENow Exchange & Office 365 Solutions Engine Blog (ESE)

Explaining Conditional Access and Azure Pass-Through Authentication

Posted by Jeff Guillet MVP, MCSM on Jan 3, 2017 3:51:33 PM

Find me on:

I recently wrote an article about the new Azure AD pass-through authentication feature introduced in the latest version of Azure Active Directory Connect (build 1.1.371.0).

There have been some questions on the Office 365 and Microsoft Azure LinkedIn forum regarding conditional access and pass-through authentication. Will it work? What are the requirements? Some confusion comes from this article, that implies pass-through authentication by itself allows for conditional access. Conditional access will work with pass-through authentication if your client applications support modern authentication and you have Azure AD Premium. Let’s break it down further.

Background on Conditional Access

Conditional access controls how and when clients can access Office 365 resources, including email or SharePoint Online. Allowing employees to access their email only within the corporate network is one example of conditional access.

There are two types of conditional access. The first (and older) way is to use claims rules — it requires a claims-based authentication solution, such as AD FS on-premises, Azure AD Premium or a third-party claims-based solution like Okta or Ping Identity. For example, using AD FS, the administrator can create a claims rule generating a valid SAML token only when the client is accessing the resource from the internal corporate network. The type of client application, such as Outlook, OWA or ActiveSync device, can be specified in the rule. Claims rules are used to develop complex requirements for access control. See an AD FS Claims Rules Adventure on the Ask Directory Services Team blog for real-world examples.

The second option is to use Azure AD Conditional Access. Conditional access policies for Exchange Online and SharePoint Online allow you to easily configure things like multi-factor authentication (MFA) or allowing access based on network location. These policies are much easier to configure than claims rules since you can use a simple GUI in the Azure management portal that doesn’t require scripting. Microsoft will be making the most investments in conditional access, but you should know the requirements, prerequisites and capabilities.

Prerequisites for Conditional Access and PTA

Azure AD Conditional Access requires that organizations have an Azure AD Premium license for each user who has a conditional access policy applied to them. As of November 2016, there are two types of Azure AD Premium licenses – P1 and P2. Both work for conditional access. If your users are licensed for Enterprise Mobility + Security (EM+S) E3 or E5, they already have licenses for Azure AD Premium.

With Office 365, conditional access only works for clients that support modern authentication (ADAL). This includes Office 2016 (Outlook, Word, Excel, PowerPoint and OneNote), Office 2013 (with modern authentication enabled), the OneDrive sync client (with modern authentication) and most modern mobile apps such as Outlook, Word, Excel, PowerPoint and Skype for Business for iOS and Android.

There are no plans for Office 2010, Office 2007 or other legacy applications to support modern authentication. ActiveSync also does not support modern authentication. These limitations mean that unless you block these applications, or configure your tenant to only use modern authentication, legacy applications will be able to connect and bypass conditional access rules. If you block legacy applications, ActiveSync devices will no longer connect and your users will need to use Outlook Mobile (iOS or Android) instead.

You should also understand that conditional access only works when accessing Office 365 resources. For hybrid customers, conditional access rules will not apply to on-premises users accessing on-premises applications like Exchange or SharePoint.

Configuring Conditional Access and Modern Authentication

You configure modern authentication and conditional access in your tenant using a combination of the Azure management portal and PowerShell.

  1. Start by signing into the Azure management portal (http://portal.azure.com)
  2. Under the Azure Active Directory section, select Conditional Access
  3. Click the +Add button to add a new conditional access policy

Explaining Conditional Access and Azure Pass-Through Authentication 1.png

4. Configure your new conditional access policy:
  1. Give the policy a meaningful name
  2. Configure who the new policy applies to (all users, select users and groups and exceptions)
  3. Configure the apps the policy applies to (all cloud apps, select apps and exclusions)
  4. Configure conditions, such as device platforms, locations and client apps (for example, browsers or mobile apps and desktop clients)
  5. Configure the controls to be enforced, such as block access or allow access and require MFA, require a compliant device and/or require a domain-joined device
Explaining Conditional Access and Azure Pass-Through Authentication2.png


Additional resources:

Next, you need to enable modern authentication in your Office 365 tenant because it's required for conditional access. Modern authentication is enabled by default on Office 2016 clients and is currently rolling out for Exchange Online and SharePoint Online. To enable modern authentication for Office 2013, install the March 2015 Office Update Release.

Additional resources:

To enable modern authentication for Exchange Online in your tenant:

  1. Connect to Exchange Online using remote PowerShell
  2. Run the following command:

               Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

      3. Verify that the change was successful by running the following:

               Get-OrganizationConfig | ft name, OAuth*

To enable modern authentication for Skype for Business Online in your tenant:

  1. Connect to Skype for Business Online using remote PowerShell
  2. Run the following command:

               Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed

      3. Verify that the change was successful by running the following:

               Get-CsOAuthConfiguration

Use the following cmdlet in Office 365 to prevent Office clients that use nonmodern authentication protocols from accessing SharePoint Online resources:

               Set-SPOTenant -LegacyAuthProtocolsEnabled $false

Now that you’ve configured your tenant, users with client apps that support modern authentication have conditional access policies applied to them. Remember that currently, legacy applications and clients like ActiveSync will not be affected by conditional access policies.

You can block ActiveSync access to Exchange Online by configuring Mobile Device Access in the Exchange Admin Center. From the Mobile section, select Mobile Device Access and edit Exchange ActiveSync Access Settings. Set the Connection Settings to Block access and save.

Explaining Conditional Access and Azure Pass-Through Authentication3.png

Preventing other legacy clients like Outlook 2010 or IMAP clients from accessing Exchange Online resources is more difficult. You either need to use a claims rule using a claims-based authentication solution like AD FS, or use Intune, which has its own set of requirements.

Additional Resources:

Summary

Here are a few takeaway points to summarize the hefty topic we covered above.

  • If you use conditional access with pass-through authentication, clients with modern authentication will have those policies applied while legacy apps bypass conditional access policies.
  • To block legacy clients, use Intune or AD FS.
  • If you want to block access to Exchange Online from legacy applications, you will need to do that using claims-based rules in your claims-based authentication solution (AD FS, the Azure Web Portal, Okta, etc.).

The following table shows the requirements, pros and cons for conditional access and claims-based rules.

Explaining Conditional Access and Azure Pass-Through Authentication 4.png 

The cloud is always changing. Developments are constantly being made to improve and overcome previous obstacles, but there are only so many things that can be done for legacy applications.

My bet is that Microsoft will continue to reduce the number of "supported" clients until only the latest and greatest clients and applications are supported — ones easily updated with fixes and new features that provide the best experience with Office 365.

Topics: Azure active directory, azure ad, azure active directory premium, Azure pass-through authentication

Gain visibility into your Office 365 Deployment

See why monitoring makes sense in a cloudy world.