One of the scenario’s we can build with Conditional Access, is the scenario where we restrict access inside the web application itself. By doing so, you could for example limit the functionality of the web applications on non-managed devices, or when accessing the web application from a country where your company normally doesn’t operate. The web applications can be configured to behave differently if the user is applicable for a Conditional Access policy where App Enforced restrictions are configured.
Within the Office 365 suite of applications, the following web applications are supported for App Enforced Restrictions:
Outlook Web Access
SharePoint and OneDrive
In this post I will go into detail on how to setup these app enforced restriction and what the expected behavior will be from an end-user perspective.
In August last year, I published eight articles in a series on Conditional Access, and later when finished I decided to bundle those articles in a paper which I made available on the TechNet Gallery. In March this year, Microsoft decided to retire the TechNet Gallery, so I had to find another solution to host this paper and some of the additional workflows and spreadsheets I posted as well. For now I’ve decided to host these on GitHub since that is an easy accessible location as well.
The articles I wrote at that time, will remains as is, and I’ve decided to update the paper once in a while to reflect the current status of Conditional Access. Even though some of the information in the articles is outdated, I still think that they can be of value.
Below I’ve summarized the articles I published last year:
While disabling this option for the end-users is recommended by Microsoft, and having a workflow in place to review any requests and approve if found valid is a more secure solution it introduced an administrative burden since each request must be reviewed by one of the defined users in the list of users to review admin consent requests.
In order to address this, Microsoft made some changes to the way the Admin consent workflow is working which allows an Azure AD administrator more control over which requests must be approved and which are allowed automatically.
Note: This post reflects the status of Admin consent as of May 22, 2020. Functionality may change, even right after this post has been published.
I’m very proud to announce that I will be speaking at the Workplace Ninja Virtual Edition 2020 event. The Workplace Ninja Virtual Edition 2020 event will take place from Tuesday 25th till Thursday 27th of August 2020 and will contain 45 sessions, spread across 3 days. Each day will provide 3 tracks, with 5 timeslots. The event can be attended for free, the only thing you need to do is register via the website.
The goal of the Workplace Ninja Virtual Edition is to share knowledge and learn together. This covers topics around management of endpoints with SCCM and Intune, as well virtual desktop and the complete security stack of Microsoft. Since the event is virtual, we can’t see each other personally but we will provide a NinjaZone, where we can connect with each other.
Wednesday April 1st, I have the opportunity to present at the RDW Techday. RDW Techday is a community
event organized by the RDW, the goal is to stimulate knowledge sharing within
the company and between companies in the same region. I had the pleasure to
present at earlier events already and received some really positive feedback.
the Netherlands Vehicle Authority in the mobility chain. RDW has developed
extensive expertise through its years of experience in executing its statutory
and assigned tasks. Tasks in the area of the licensing of vehicles and vehicle
parts, supervision and enforcement, registration, information provision and
licensing is tough and vague but something we must deal with while implementing
our solutions. I’m also aware that some of the features I describe on my blog
are only available in the most expensive licensing options Microsoft provides,
making some of the features I describe not usable for some of my readers.
administer Microsoft 365 services like Azure Active Directory (AzureAD),
Exchange Online (EXO), SharePoint Online (SPO), Intune and many other products
the license requirements for your administrative accounts are extra vague. I’ve
Microsoft in December last year to clarify this, but until now no response
some fragmented information available in the Microsoft documentation, that in
combination with some other information to be found on the internet, like on
twitter concludes that the license requirements are indeed very vague and could
really use some official documentation from Microsoft to clear things up.
in known, is that when asked about licensing requirements for the online
services provided by Microsoft the statement returned is: “When the user benefits from
the service, a license is required”
see what I found available online and see if it makes sense in some way…
7, 2018 the Microsoft Exchange Team announced
that on October 13, 2020 it would stop the support for Basic Authentication
(also called Legacy authentication) for Exchange Web Services (EWS) in Exchange
Online (EXO), the version of Exchange offered as a service part of Office 365.
EWS is a web service which can be used by client applications to access the EXO
environment. The team also announced that EWS would not receive any feature
updates anymore, and suggests customers to transition towards using Microsoft
Graph to access EXO.
One and a
half year later, on November 20, 2019 the Exchange Team also announced
to stop supporting Basic Authentication for Exchange ActiveSync (EAS), Post
Office Protocol (POP), Internet Message Access Protocol (IMAP) and Remote
PowerShell on October 13 2020 as well. Authenticated Simple Mail Transfer
Protocol (SMTP) will stay supported when used with Basic Authentication.
of supporting Basic/Legacy authentication Microsoft will move towards only
supporting Modern Authentication for most of the methods used to connect to
At our last Windows
Management User Group Netherlands meeting, we had the honor to have Sami Laiho, one of the world’s leading
professionals in the Windows OS and Security flying over to the Netherlands and
present for our user group. In his presentation titled: “Securing Windows
in 2020 and forward”, Sami made us aware that by implementing some simple
Applocker policies on our Modern Workplace and by making sure that the user
working on the device has no
admin rights, we can seriously improve our security. In his presentation
Sami referred to a quote from Mikko Hyppönen (Chief Research Officer at
F-Secure): “Make your security better than your
blogpost I will share my experience with implementing Applocker policy within
my own tenant, and how I started to use these principles myself which
eventually led by removing my account from the local administrator group.
Disclaimer: This blogpost provides a very
simplistic way of enabling Applocker policies, in the real world there are some
caveats which must be addressed when implementing Applocker. I will
address those caveats later in this post
In Q1 2017 Microsoft
released the Pass Through Authentication (PTA) functionality as part of Azure
AD connect. With the release of Azure Active Directory (Azure AD) Pass-through
Authentication allowed for your users to sign in to both on-premises and cloud-based
applications using the same passwords without the need to implement a Active
Directory Federation Services (ADFS) environment.
With this options we
now have the following authentication options available when setting up a hyrid
Privacy & Cookies Policy
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.