There are a few new updates around Conditional access in Intune which I want to inform you about:
- Exclude devices based on the device state (in preview)
- Conditions based on the use of legacy authentication (in preview)
The first one is excluding devices based on the device state.
With this new feature we can exclude devices that are Hybrid Azure AD joined and/or compliant from a conditional access rule. This means we can create rules that apply to unmanaged devices only. You may have noticed this was already possible with other settings in the conditional access rule, for example by granting access only to compliant or hybrid joined devices. The result is almost the same, but this option makes some rules easier to manage.
How can we configure this?
- Let's start by opening the Azure Portal and the Intune conditional access page
- We are going to create a new policy and name it SharePoint restrictions
- Select the user group you want to add to this rule
- We are going to select the SharePoint Online cloud app
- In the conditions settings we are going to use Device State and set Configure to Yes
- Choose Exclude and select both options (Device Hybrid Azure AD joined and Device marked as compliant)
- We are going to block this access and leave all other options empty
- We leave the session controls empty
- Enable and save the policy
Short recap: we create a conditional access rule that restricts access to SharePoint from unmanaged devices.
The second thing I want to explain is conditional access based on the use of legacy authentication.
The newest Office 2016 applications use modern authentication, so they can use options like multi-factor authentication. There are still applications, such as POP/IMAP clients and Office 2010, that use legacy authentication. This can be a security risk, because these clients cannot benefit from those protections, so we want to avoid this kind of authentication.
Let’s configure it!
- We are going to open the Intune portal again and create a new conditional access rule
- Let's name it Block legacy auth
- Select the user group you want to add to this rule. I think you want to enable this for all users
- Because we want to avoid this authentication for all of our apps, we choose All cloud apps
- On the conditions page we want to set up the Client apps setting, so enable it
- Select Mobile apps and desktop clients
- Select only the Other clients option
- We want to block all access, so select Block access in the grant options
- Enable this policy and save it
Recap: with this rule we block access from all apps that use legacy authentication, for example Office 2010 or clients using protocols such as POP/IMAP.
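To show what the two portal configurations above (the SharePoint restrictions policy and the Block legacy auth policy) look like as Microsoft Graph conditionalAccessPolicy bodies, and how they decide on a sign-in, here is an added example that is not part of the original post. The group id, the Exchange app id and the sign-in records are constructed placeholders, the SharePoint app id is assumed, and the evaluator is a deliberate simplification of the real Conditional Access engine.

```python
# Added example (not from the original post): the two policies as Graph
# conditionalAccessPolicy bodies plus a simplified offline evaluator.
SHAREPOINT_APP_ID = "00000003-0000-0ff1-ce00-000000000000"  # assumed SharePoint Online app id
GROUP_ID = "<placeholder-group-object-id>"                  # constructed placeholder

SHAREPOINT_RESTRICTIONS = {
    "displayName": "SharePoint restrictions",
    "state": "enabled",
    "conditions": {
        "users": {"includeGroups": [GROUP_ID]},
        "applications": {"includeApplications": [SHAREPOINT_APP_ID]},
        # Exclude hybrid joined and compliant devices: rule hits unmanaged devices only
        "deviceStates": {"includeStates": ["All"], "excludeStates": ["Compliant", "DomainJoined"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

BLOCK_LEGACY_AUTH = {
    "displayName": "Block legacy auth",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["other"],  # "Other clients" = legacy authentication
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

# Constructed sign-ins: who, which app, which client type, device state.
SIGNINS = {
    "unmanaged_browser_sharepoint": {"groups": [GROUP_ID], "app": SHAREPOINT_APP_ID, "client_app": "browser", "compliant": False, "hybrid": False},
    "compliant_browser_sharepoint": {"groups": [GROUP_ID], "app": SHAREPOINT_APP_ID, "client_app": "browser", "compliant": True, "hybrid": False},
    "imap_exchange": {"groups": [], "app": "<placeholder-exchange-app-id>", "client_app": "other", "compliant": True, "hybrid": True},
}

def is_blocked(policy, signin):
    """True if the policy is in scope for the sign-in and its grant control is block (simplified)."""
    if policy["state"] != "enabled":
        return False
    c = policy["conditions"]
    users = c["users"]
    in_users = "All" in users.get("includeUsers", []) or bool(set(users.get("includeGroups", [])) & set(signin["groups"]))
    apps = c["applications"]["includeApplications"]
    in_apps = "All" in apps or signin["app"] in apps
    in_client = "clientAppTypes" not in c or signin["client_app"] in c["clientAppTypes"]
    excluded = c.get("deviceStates", {}).get("excludeStates", [])
    device_excluded = (signin["compliant"] and "Compliant" in excluded) or (signin["hybrid"] and "DomainJoined" in excluded)
    return in_users and in_apps and in_client and not device_excluded and "block" in policy["grantControls"]["builtInControls"]

def blocked_by(signin_name):
    """Names of the policies that block the given constructed sign-in."""
    return [p["displayName"] for p in (SHAREPOINT_RESTRICTIONS, BLOCK_LEGACY_AUTH) if is_blocked(p, SIGNINS[signin_name])]
```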