Azure AD Premium Conditional Access and Session Controls

Whether your end users are on Windows, MacOS, Chromebook, iOS or Android, Azure Active Directory Premium conditional access with session controls can limit what a signed-in user is allowed to do with SharePoint Online data in the browser.

What are Session controls?

“Session controls enable limiting experience within a cloud app. The session controls are enforced by cloud apps and rely on additional information provided by Azure AD to the app about the session.”

Source: /en-us/azure/active-directory/active-directory-conditional-access-azure-portal#session-controls

Requirements:

  • Azure Active Directory Premium (P1 is enough for conditional access and session controls; the sign-in risk condition needs P2)
  • O365 – SharePoint Online

Getting started

  1. Navigate to portal.azure.com and sign in with the admin account associated with your O365 tenant (Global Administrator, or at least Conditional Access Administrator).
  2. Find and select Azure Active Directory
  3. Select Conditional Access
  4. Select “New policy” to create a new conditional access policy with session controls

Proceed through each item/option in the policy:

User and groups

For my purposes I applied this policy to all users; in production it’s advisable to start with a pilot group and scale from there, and to exclude at least one emergency access (break-glass) account so a misconfigured policy can’t lock administrators out.

Cloud apps

Search for and select “SharePoint Online”

Conditions for the policy

Sign-in risk (if available with your current licensing)

This evaluates the risk level Azure AD Identity Protection assigned to the sign-in itself (for example a sign-in from an anonymous IP address or an unfamiliar location), as opposed to user risk, which is about the account being compromised.

Device platforms

I’ve selected all device platforms; however, you can be selective and apply the policy to individual platforms, including MacOS.

Locations

Locations are IP-based (named locations defined by IP ranges). For the purposes of this post I have all locations selected; in production you’ll want to exclude trusted locations such as the corporate network, so users on those networks keep full access and can download content.

Client Apps

Select the type of apps the policy will affect. For session control to do anything, Browser must at least be selected, since the app-enforced restrictions apply to browser sessions.

Access Controls

For access controls there are a few options, including require multi-factor auth (MFA), require a compliant device, require a domain-joined device, or require an approved client app. Some environments may only want to allow access from domain-joined devices. For the session control policy I selected MFA.

Session

Under Session, select “Use app enforced restrictions”. This is where we turn on session control for SharePoint Online: Azure AD passes the device state of the session to SharePoint, and SharePoint applies the device access settings configured in its own admin center (next section).

[screenshot]

Once you’re comfortable with the settings, enable the policy and save it.

[screenshot]
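The portal steps above, expressed as one policy object. This is an added example, not code from the original post or from Microsoft: it builds the same policy (pilot group, SharePoint Online, browser sessions, all platforms, all locations except trusted ones, require MFA, app enforced restrictions) with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed and the signed-in account holds the Conditional Access Administrator or Global Administrator role; the pilot group and break-glass account IDs are placeholders.

```powershell
# Added example (not from the original post): the Conditional Access policy from the
# walkthrough, created with the Microsoft Graph PowerShell SDK instead of the portal.
# Assumptions: Microsoft.Graph module installed; account has the Conditional Access
# Administrator (or Global Administrator) role; the two object IDs below are placeholders.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$pilotGroupId    = "00000000-0000-0000-0000-000000000000"   # placeholder: pilot group object ID
$breakGlassId    = "11111111-1111-1111-1111-111111111111"   # placeholder: emergency access account object ID
$sharePointAppId = "00000003-0000-0ff1-ce00-000000000000"   # well-known app ID of Office 365 SharePoint Online

$policy = @{
    displayName = "SharePoint Online - MFA plus app enforced restrictions (pilot)"
    # Start in report-only mode: the policy is evaluated and logged but not enforced,
    # so the sign-in logs show who would have been affected before anyone is.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @($pilotGroupId)
            excludeUsers  = @($breakGlassId)     # never lock out the break-glass account
        }
        applications   = @{ includeApplications = @($sharePointAppId) }
        clientAppTypes = @("browser")            # session controls act on browser sessions
        platforms      = @{ includePlatforms = @("all") }
        locations      = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")   # named locations marked trusted keep full access
        }
    }
    grantControls   = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
    sessionControls = @{
        # Equivalent of the "Use app enforced restrictions" toggle on the Session blade.
        applicationEnforcedRestrictions = @{ isEnabled = $true }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# After reviewing report-only results in the sign-in logs, enforce the policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

The report-only state and the trusted-location exclusion are the two rollout safeguards worth keeping even when you later widen the user scope to All: the first shows the blast radius before enforcement, the second keeps on-premises users with full download access.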

Configuring SharePoint Online for session control

There’s one more step in SharePoint online that needs to be configured.

Navigate to the SharePoint admin center and select “device access” from the left-hand menu. The settings here decide what happens to sessions from devices that are not compliant or domain joined: allow full access, allow limited web-only access, or block access. Without the Azure AD policy above, SharePoint never receives the session information it needs to apply them.

For example, a conditional access policy may be configured to challenge users for MFA if they’re outside the defined location (i.e. IP range) and the device is not compliant or domain joined. In addition, when session control is enabled, anyone who signs into SharePoint Online and falls into those parameters gets limited, web-only access as configured in the settings below: they can read content in the browser but can’t download, print or sync it.
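The same device access setting applied from the SharePoint Online Management Shell, with a stricter per-site override and a read-back check. This is an added example, not part of the original post; it assumes the Microsoft.Online.SharePoint.PowerShell module is installed, the account is a SharePoint administrator, and “contoso” and the finance site URL are placeholders.

```powershell
# Added example (not from the original post): the "device access" settings from the
# SharePoint admin center, set from PowerShell. Assumptions: Microsoft.Online.SharePoint.PowerShell
# module installed; account is a SharePoint administrator; "contoso" is a placeholder tenant name.

Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Tenant-wide behaviour for sessions from devices that are not compliant or domain joined.
#   AllowFullAccess    : no restriction (the default)
#   AllowLimitedAccess : browser only, no download/print/sync (the "limited, web-only" option)
#   BlockAccess        : no access at all
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess

# A sensitive site collection can be stricter than the tenant default (never looser).
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/finance" -ConditionalAccessPolicy BlockAccess

# Read the effective settings back before testing from an unmanaged device.
Get-SPOTenant | Select-Object ConditionalAccessPolicy
Get-SPOSite -Identity "https://contoso.sharepoint.com/sites/finance" |
    Select-Object Url, ConditionalAccessPolicy
```

The SharePoint setting and the Azure AD policy are two halves of one control: the policy’s “Use app enforced restrictions” tells SharePoint which sessions are unmanaged, and this setting decides what those sessions may do. Changing either one only affects new sign-ins, so sign out and back in when testing.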

UPDATE October 2017

There’s an update to the UI in the SharePoint Admin Center for adjusting session controls.

Previous admin experience

[screenshot]

Current admin experience

[screenshot]

Testing the session control policy

The following images show session control for SharePoint Online in action across Windows, Mac, and Chromebook. To test, make sure the device falls into the parameters of the conditional access policy (for example, a non-domain-joined device on an untrusted network), then navigate to yourdomain.sharepoint.com and select a document library. The yellowish bar shown in the images below states what is allowed.

Windows

[screenshot]

MacOS

[screenshot]

Google Chromebook

[screenshot]

To conclude, Azure Active Directory Premium provides many options to secure and control access to corporate resources. Add Enterprise Mobility + Security and/or Microsoft 365 and we have a cohesive end-to-end solution to protect, monitor, and control access.