From private repo #1936

Merged
merged 228 commits into from
Jun 2, 2017
8c417ee
updates to access log
Apr 27, 2017
d939469
M4758: Possible typo mistake: "backing"
carolinacmoravia May 3, 2017
4c5fe40
M4794: Possible error in: 'change open a secure channel dialog'
carolinacmoravia May 10, 2017
eb452c6
M4807: Incomplete sentence: "Then users and/or groups are provisioned…
carolinacmoravia May 10, 2017
a5a7d39
resized pictures
May 24, 2017
cff6857
added other log properties
May 24, 2017
8e4b7fe
updating mysql draft in progress
rloutlaw May 24, 2017
b23d73f
edit pass: Two Active Directory articles
ktoliver May 25, 2017
eeec032
revision based on new samplecode
rloutlaw May 25, 2017
fd7c1be
working through feedback
rloutlaw May 25, 2017
46667cf
toc update
bwren May 30, 2017
ead72e5
First draft of new topic with new images.
douglaslMS May 30, 2017
582dc6b
Merge branch 'master' of https://github.com/Microsoft/azure-docs-pr
MandiOhlinger May 30, 2017
7f059b6
added in appservice settings configuration for the mysql db
rloutlaw May 31, 2017
f796998
Acrolinx improvements.
douglaslMS May 31, 2017
1253771
Fixed 1 more new Acrolinx issue.
douglaslMS May 31, 2017
afe55ea
Removed a working note.
douglaslMS May 31, 2017
ff7cd23
Fixed some typos and blurred some personal info in images.
douglaslMS May 31, 2017
5688261
updating ToC with pending Oracle Docs
RicksterCDN May 31, 2017
f390e81
updates to diagnostic article
May 31, 2017
87e1d0a
incorporating more of cephas' comments
rloutlaw May 31, 2017
3b3875e
Merge branch 'master' of https://github.com/Microsoft/azure-docs-pr
bwren May 31, 2017
8573d89
Merge branch 'master' of https://github.com/Microsoft/azure-docs-pr
bwren May 31, 2017
8f00c37
Merge branch 'master' of https://github.com/Microsoft/azure-docs-pr
bwren May 31, 2017
4314d45
Merge branch 'master' of https://github.com/Microsoft/azure-docs-pr
bwren May 31, 2017
80290f4
add sections missing from tutorial
rloutlaw Jun 1, 2017
3c1cd21
fix terrible formatting of azure mysql database steps
rloutlaw Jun 1, 2017
62cc4d0
updated screenshots to conform with PHP tutorial
rloutlaw Jun 1, 2017
4cccb40
add spring boot update steps
rloutlaw Jun 1, 2017
c4743bf
Update data-lake-analytics-get-started-portal.md
Jun 1, 2017
d7443e3
Update data-lake-analytics-get-started-powershell.md
Jun 1, 2017
da1e491
acrolinx fixes
rloutlaw Jun 1, 2017
76bba47
fixed copy illusion
rloutlaw Jun 1, 2017
c4582af
add governance folder.
Jun 1, 2017
05e80a5
Create governance-in-azure.md file.
Jun 1, 2017
14314a9
update clone to published sample
rloutlaw Jun 1, 2017
7e532b6
updated heading.
Jun 1, 2017
41320a4
retire experiment page
Jun 1, 2017
c1de4bc
Removing references to classic portal; updated screenshots for new po…
mikepope-ms Jun 1, 2017
52415d6
Removing references to classic portal; new screenshots
mikepope-ms Jun 1, 2017
dec4004
Removing reference to classic portal
mikepope-ms Jun 1, 2017
39a7107
Removing reference to classic portal
mikepope-ms Jun 1, 2017
db3f7e6
Removing references to classic portal; updated screenshots
mikepope-ms Jun 1, 2017
f121c4c
Removing references to classic portal
mikepope-ms Jun 1, 2017
5c65581
minor updates to two articles and TOC
MGoedtel Jun 1, 2017
237bdf8
USER STORY 1010958 SaaS App Tutorial: Jobbadmin
v-nagta Jun 1, 2017
1b105b8
added updated Update Module article
MGoedtel Jun 1, 2017
e5b4692
Final updates for June 1s announcement.
douglaslMS Jun 1, 2017
b781514
Fixed 3 Acrolinx issues.
douglaslMS Jun 1, 2017
87cf7aa
Freshness update
Jun 1, 2017
f5f561a
Merge branch 'master' of https://github.com/Microsoft/azure-docs-pr i…
Jun 1, 2017
0315bbb
update TOC and authentication articles
MGoedtel Jun 1, 2017
305c14a
Removing references to classic portal
mikepope-ms Jun 1, 2017
797f501
Freshness update
sethmanheim Jun 1, 2017
b37f170
Removed unannounced service, added supported service
cristy Jun 1, 2017
733e092
Merge branch 'master' of https://github.com/Microsoft/azure-docs-pr i…
Jun 1, 2017
5830917
corrected warnings
MGoedtel Jun 1, 2017
84247fd
Freshness update
Jun 1, 2017
f313518
Merge branch 'master' of https://github.com/Microsoft/azure-docs-pr
MandiOhlinger Jun 1, 2017
4a0ea45
corrected list formatting and image format
MGoedtel Jun 1, 2017
71f1070
Freshness update
Jun 1, 2017
05a4032
Merge branch 'master' of https://github.com/Microsoft/azure-docs-pr i…
Jun 1, 2017
855c8ce
Update data-lake-analytics-manage-use-powershell.md
Jun 1, 2017
62e0886
add retire note to hC; remove from toc
MandiOhlinger Jun 1, 2017
54b6675
update screenshots
cherylmc Jun 1, 2017
87093a1
Freshness update
Jun 1, 2017
2d296e2
Merge branch 'master' of https://github.com/Microsoft/azure-docs-pr i…
Jun 1, 2017
61baeb9
draft of draft acs
squillace May 31, 2017
6f61a9b
more work done with dns entries
squillace May 31, 2017
637f922
almost finished with the configuration
squillace May 31, 2017
68a2b8a
done for staging
squillace Jun 1, 2017
5f97f59
final version
squillace Jun 1, 2017
34a6b5f
formatting
squillace Jun 1, 2017
0d61034
more formatting
squillace Jun 1, 2017
638e9c8
formatting.
squillace Jun 1, 2017
15bf07d
formatting
squillace Jun 1, 2017
917140f
final?
squillace Jun 1, 2017
6552fed
adding toc
squillace Jun 1, 2017
e6c4577
typo
squillace Jun 1, 2017
297b5dd
sigh
squillace Jun 1, 2017
f639473
formatting staging
squillace Jun 1, 2017
c969d6d
acrolynx, command fixes
squillace Jun 1, 2017
6086840
more style fixes
squillace Jun 1, 2017
5ac9efe
final
squillace Jun 1, 2017
8634d7b
final again final
squillace Jun 1, 2017
8e3d55e
typo fix
squillace Jun 1, 2017
34b3a87
addressing concerns
squillace Jun 1, 2017
ec8b5c7
link typo
squillace Jun 1, 2017
4e5dcf7
update
cherylmc Jun 1, 2017
cc5894e
Final updates for this PR
Jun 1, 2017
9f3e299
fix formatting
cherylmc Jun 1, 2017
22d7f49
format
cherylmc Jun 1, 2017
6464251
Update toc.md
RicksterCDN Jun 1, 2017
96ffb03
Merge pull request #14449 from cristy/fixheaders
PRMerger-2 Jun 1, 2017
8e2b0f9
Merge pull request #14402 from mikepope-ms/Jun1-vm-guybo
PRMerger-2 Jun 1, 2017
b0fe1f8
Merge pull request #14400 from mikepope-ms/Jun1-vm-jroth
PRMerger-2 Jun 1, 2017
0bf64a7
bumped date after review
gatneil Jun 1, 2017
eaef7c6
Merge pull request #14397 from mikepope-ms/May31-vm-ningk
GitHubber17 Jun 1, 2017
4884ae6
Merge branch 'master' of https://github.com/Microsoft/azure-docs-pr
bwren Jun 1, 2017
56dd730
Log Analytics arm template fix
bwren Jun 1, 2017
af66361
change over update to ordered list
rloutlaw Jun 1, 2017
3c8df24
Merge pull request #14470 from gatneil/6-1-17-date-bump
PRMerger-2 Jun 1, 2017
3c18cc8
OMS TOC update
bwren Jun 1, 2017
2a0e0be
fix indentation
rloutlaw Jun 1, 2017
494a997
Adding PS quick start
SnehaGunda Jun 1, 2017
a3542a4
Update data-lake-analytics-get-started-portal.md
Jun 1, 2017
4bb6f34
Merge pull request #14399 from mikepope-ms/May31-vm-huvalo
GitHubber17 Jun 1, 2017
2fd31fd
Adding PS quick start
SnehaGunda Jun 1, 2017
1d606cd
updating TOC entry
SnehaGunda Jun 1, 2017
b61ad7c
Merge pull request #14401 from mikepope-ms/Jun1-vm-danlep
GitHubber17 Jun 1, 2017
ab319b4
Fixed numbered list issues identified by reviewer.
douglaslMS Jun 1, 2017
2b45bbd
small clean up before sign off
rloutlaw Jun 1, 2017
90ae1a4
Re-fixed my fixes for numbered lists.
douglaslMS Jun 2, 2017
6128149
Fixed one last image indented at the wrong level.
douglaslMS Jun 2, 2017
2307f34
Update concepts-limits.md
JasonWHowell Jun 2, 2017
e600a79
Corrected items per PR reviewer
MGoedtel Jun 2, 2017
1d7b22b
Added files back to TOC, in their own h2
MandiOhlinger Jun 2, 2017
81adcf6
Update quickstart-create-server-database-azure-cli.md
JasonWHowell Jun 2, 2017
d8f54da
Adding PS quick start
SnehaGunda Jun 2, 2017
7c436ec
Merge pull request #14475 from JasonWHowell/patch-2
PRMerger-2 Jun 2, 2017
072754c
Merge pull request #14272 from rloutlaw/spring-boot-tutorials
v-thepet Jun 2, 2017
2dd6feb
toc fix
bwren Jun 2, 2017
9e4e929
Merge pull request #14295 from douglaslMS/release-datasync-junepreview
v-thepet Jun 2, 2017
3686002
Merge pull request #14409 from MGoedtel/Updates612017
v-thepet Jun 2, 2017
4715625
Merge pull request #14459 from MandiOhlinger/hc0601
v-thepet Jun 2, 2017
efc1932
Merge pull request #14411 from v-nagta/jobbadmin
v-thepet Jun 2, 2017
47b759e
Merge pull request #14433 from Minewiskan/aas0601
v-thepet Jun 2, 2017
7b2cf10
toc fix
bwren Jun 2, 2017
e8d062a
Merge pull request #14458 from saveenr/patch-37
v-thepet Jun 2, 2017
b5f3f9d
Merge pull request #14460 from cherylmc/s2supdate
v-thepet Jun 2, 2017
cadd29e
Merge pull request #14474 from JasonWHowell/patch-1
v-thepet Jun 2, 2017
0c0dce6
Update the iot hub toc with better structure
Jun 2, 2017
2553896
commit
Jun 2, 2017
7e75b7f
Merge branch 'master' of https://github.com/shizn/azure-docs-pr
Jun 2, 2017
3c56d3e
redirection
Jun 2, 2017
2e96f23
update agent link and fix some parameters
kyliel Jun 2, 2017
38ffb88
Updated.
Jun 2, 2017
c4bedad
Update data-lake-analytics-get-started-portal.md
Jun 2, 2017
0b6cbb4
update the title and add ref for managed disk
kyliel Jun 2, 2017
ccb7c8f
Update data-lake-analytics-analyze-weblogs.md
Jun 2, 2017
8b51f97
Update data-lake-analytics-data-lake-tools-get-started.md
Jun 2, 2017
f13ca97
Update data-lake-analytics-monitor-and-troubleshoot-jobs-tutorial.md
Jun 2, 2017
16751ea
Minor edits after removing references to classic portal
mikepope-ms Jun 2, 2017
75c2e85
Merge pull request #14484 from saveenr/patch-40
PRMerger-2 Jun 2, 2017
76f9121
Merge pull request #14483 from saveenr/patch-39
PRMerger-2 Jun 2, 2017
02b1e4c
Merge pull request #14482 from saveenr/patch-38
PRMerger-2 Jun 2, 2017
831d1fe
Merge pull request #14480 from KylieLiang/master
PRMerger-2 Jun 2, 2017
34bceeb
Resolving merge conflicts
mikepope-ms Jun 2, 2017
c6f9769
Update TOC.md
Juliako Jun 2, 2017
661d713
Add endpoint protocol note
dominicbetts Jun 2, 2017
6849671
Fix links in Hosting Options Comparison
ssemyan May 30, 2017
feb83ea
Git commit link fixes and merge
ssemyan May 30, 2017
16e77a1
merge
bradygaster Jun 1, 2017
c2c6f11
Few updates
SnehaGunda Jun 2, 2017
e2dc4d9
Update azure-stack-powershell-configure-quickstart.md
SnehaGunda Jun 2, 2017
adbf9ab
Update azure-stack-powershell-configure-quickstart.md
SnehaGunda Jun 2, 2017
8da694c
Adding known issues"
SnehaGunda Jun 2, 2017
5d53765
Update azure-stack-connect-cli.md
SnehaGunda Jun 2, 2017
3102ef8
updating name
SnehaGunda Jun 2, 2017
cf93aff
Merge pull request #14491 from SnehaGunda/namingfixes
PRMerger-2 Jun 2, 2017
5e7502c
Merge pull request #14489 from SnehaGunda/quickstart
PRMerger-2 Jun 2, 2017
75a84ab
removing offending items
squillace Jun 2, 2017
a545696
final for now
squillace Jun 2, 2017
c5ae2a7
Update data-lake-analytics-overview.md
Jun 2, 2017
b220b76
Update data-lake-analytics-use-window-functions.md
Jun 2, 2017
1868916
Update data-lake-analytics-use-u-sql-catalog.md
Jun 2, 2017
32ef082
Update data-lake-analytics-analyze-weblogs.md
Jun 2, 2017
f358d09
Update data-lake-analytics-use-window-functions.md
Jun 2, 2017
ff5c20c
Merge pull request #14497 from saveenr/patch-45
PRMerger-2 Jun 2, 2017
df2956e
Merge pull request #14496 from saveenr/patch-44
PRMerger-2 Jun 2, 2017
3abc8c8
Merge pull request #14493 from saveenr/patch-41
PRMerger-2 Jun 2, 2017
05ea44e
Merge pull request #14495 from saveenr/patch-43
PRMerger-2 Jun 2, 2017
05d5926
replace runstep8.png with an updated version and updating freshness date
barclayn Jun 2, 2017
4e9c65c
Update vpn-gateway-gwsku-include.md
cherylmc Jun 2, 2017
fae0c10
Add curated get started lists
dominicbetts Jun 2, 2017
d80ee86
toc
CarlRabeler Jun 2, 2017
d420987
updates to docs
Jun 2, 2017
2ea4c79
Tidy up
dominicbetts Jun 2, 2017
d87112f
Fix links
dominicbetts Jun 2, 2017
b525826
toc2
CarlRabeler Jun 2, 2017
f7b6858
Update sql-database-security-tutorial.md
CarlRabeler Jun 2, 2017
275f82e
Cleanup Cognitive Bing APIs; added client-server change
Jun 2, 2017
762f9f4
Update sap-hana-backup-guide.md
carolinacmoravia Jun 2, 2017
f738bba
[stg] replace invalid sample access key with valid (but retired) key
mmacy Jun 2, 2017
2562ed0
Merge pull request #14499 from cherylmc/patch-2
PRMerger-2 Jun 2, 2017
8189748
adding some info about spark thrift server
Blackmist Jun 2, 2017
3b759f9
Specify original SKUs
cherylmc Jun 2, 2017
2a19e3c
formatting
CarlRabeler Jun 2, 2017
367aa02
Merge branch 'master' of https://github.com/Microsoft/azure-docs-pr i…
CarlRabeler Jun 2, 2017
d4b4778
Update vpn-gateway-table-gwtype-aggtput-include.md
cherylmc Jun 2, 2017
4edc067
one more
CarlRabeler Jun 2, 2017
c5e57ea
cli
CarlRabeler Jun 2, 2017
ec3e43e
consistency
CarlRabeler Jun 2, 2017
c4e24f0
acro
CarlRabeler Jun 2, 2017
c73dc94
Merge pull request #14504 from mmacy/stg-key-fix
PRMerger-2 Jun 2, 2017
60202bb
Merge pull request #14502 from CarlRabeler/patch-259
PRMerger-2 Jun 2, 2017
5324de5
Merge pull request #11964 from carolinacmoravia/patch-122
PRMerger-2 Jun 2, 2017
ff8f069
more
CarlRabeler Jun 2, 2017
560acd5
typo
CarlRabeler Jun 2, 2017
3b8b4a6
Merge pull request #14505 from swhite-msft/master
ktoliver Jun 2, 2017
e409341
Merge pull request #14501 from dominicbetts/getstarted
ktoliver Jun 2, 2017
4488926
Merge pull request #13865 from georgewallace/appgatewaydiag
MattGLaBelle Jun 2, 2017
85b72c2
Merge pull request #14507 from Blackmist/freshness
PRMerger-2 Jun 2, 2017
e43a2c5
Merge pull request #14506 from cherylmc/patch-3
PRMerger-2 Jun 2, 2017
6c462d4
Merge pull request #14440 from mikepope-ms/Jun1-vm-szark
PRMerger-2 Jun 2, 2017
b43af36
Merge pull request #12945 from carolinacmoravia/patch-144
PRMerger-2 Jun 2, 2017
ca9a89a
Merge pull request #14498 from barclayn/gsql-reference-bug
ktoliver Jun 2, 2017
9a7aec2
Update toc.yml
CarlRabeler Jun 2, 2017
ccbc54b
Merge pull request #14487 from ggailey777/ssemyan
ktoliver Jun 2, 2017
f49b02a
Merge pull request #14508 from CarlRabeler/20170602-cli
PRMerger-2 Jun 2, 2017
1396d44
Merge pull request #14500 from CarlRabeler/20170531-TOC
ktoliver Jun 2, 2017
cd55db4
Merge pull request #14486 from dominicbetts/portinfo
ktoliver Jun 2, 2017
a838ff6
Merge pull request #14485 from Juliako/patch-1
ktoliver Jun 2, 2017
df45ef3
Merge pull request #13962 from ktoliver/TFS-71654
ShawnJackson Jun 2, 2017
c177fb9
Merge pull request #14472 from bwren/arm
ktoliver Jun 2, 2017
862f9ee
Merge pull request #14395 from shizn/master
ktoliver Jun 2, 2017
5acaa73
Merge pull request #14375 from saveenr/patch-35
ktoliver Jun 2, 2017
d989cbf
Merge pull request #14448 from sethmanheim/work6-1
PRMerger-2 Jun 2, 2017
10cbd7f
Merge pull request #12951 from carolinacmoravia/patch-146
PRMerger-2 Jun 2, 2017
502baed
Update azure-stack-powershell-configure-quickstart.md
SnehaGunda Jun 2, 2017
7e033fc
removed gif
squillace Jun 2, 2017
9236398
Merge pull request #14378 from unifycloud/unifycloud-patch-5
ktoliver Jun 2, 2017
aad0d5b
Merge branch 'master' of https://github.com/Microsoft/azure-docs into…
v-alje Jun 2, 2017
1259b27
Merge pull request #14373 from saveenr/patch-34
ktoliver Jun 2, 2017
10bba2e
Merge pull request #14287 from squillace/draftup-acr
MattGLaBelle Jun 2, 2017
ff0dba8
Merge pull request #14473 from SnehaGunda/imagesynd
ktoliver Jun 2, 2017
f75dacb
Merge pull request #14516 from Microsoft/FromPublicRepo
v-alje Jun 2, 2017
a94eca3
Merge pull request #14314 from RicksterCDN/OracleToCUpdate
ktoliver Jun 2, 2017
@@ -1,6 +1,6 @@
---
title: Conditional access device policies for Office 365 services | Microsoft Docs
description: Details on how device-based conditions control access to Office 365 services. While Information Workers (IWs) want to access Office 365 services like Exchange and SharePoint Online at work or school from their personal devices, their IT admin wants the access to be secure.IT admins can provision conditional access device policies to secure corporate resources, while at the same time allowing IWs on compliant devices to access the services.
title: Azure Active Directory conditional access device policies for Office 365 services | Microsoft Docs
description: Learn about how to provision conditional access device policies to help make corporate resources more secure, while maintaining user compliance and access to services.
services: active-directory
documentationcenter: ''
author: MarkusVi
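Review bot: The new description's phrase "maintaining user compliance" attributes compliance to users, while the description it replaces ties access to "IWs on compliant devices", so compliance is a property of the device. Suggest wording such as "while maintaining access to services for users on compliant devices" so that the metadata states the same access condition the policy enforces.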
Expand All @@ -17,25 +17,28 @@ ms.date: 05/18/2017
ms.author: markvi

---
# Conditional access device policies for Office 365 services
# Active Directory conditional access device policies for Office 365 services

The term, “conditional access” has many conditions associated with it such as multi-factor authenticated user, authenticated device, compliant device etc. This topic primarily focusses on device-based conditions to control access to Office 365 services. While Information Workers (IWs) want to access Office 365 services like Exchange and SharePoint Online at work or school from their personal devices, their IT admin wants the access to be secure. IT admins can provision conditional access device policies to secure corporate resources, while at the same time allowing IWs on compliant devices to access the services. Conditional access policies to Office 365 may be configured from Microsoft Intune conditional access portal.
Conditional access requires multiple pieces to work. It involves a multi-factor authenticated user, an authenticated device, and a compliant device, among other factors. In this article, we primarily focus on device-based conditions that your organization can use to help you control access to Office 365 services.

Azure Active Directory enforces conditional access policies to secure access to Office 365 services. An administrator can create a conditional access policy that blocks a user on a non-compliant device from accessing an O365 service. The user must conform to company’s device policies before access can be granted to the service. Alternately, the admin can also create a policy that requires users to just enroll their devices to gain access to an O365 service. Policies may be applied to all users of an organization, or limited to a few target groups and enhanced over time to include additional target groups.
Corporate users want to access Office 365 services like Exchange and SharePoint Online at work or school from their personal devices. You want the access to be secure. You can provision conditional access device policies to help make corporate resources more secure, while granting access to services for users who are using compliant devices. You can set conditional access policies to Office 365 in the Microsoft Intune conditional access portal.

A prerequisite for enforcing device policies is for users to register their devices with Azure Active Directory Device Registration service. You can opt to enable Multi-factor authentication (MFA) for registering devices with Azure Active Directory Device Registration service. MFA is recommended for Azure Active Directory Device Registration service. When MFA is enabled, users registering their devices with Azure Active Directory Device Registration service are challenged for second factor authentication.
Azure Active Directory (Azure AD) enforces conditional access policies to help secure access to Office 365 services. You can create a conditional access policy that blocks a user who is using a noncompliant device from accessing an Office 365 service. The user must conform to the company’s device policies before access to the service is granted. Alternately, you can create a policy that requires users to enroll their devices to gain access to an Office 365 service. Policies can be applied to all users in an organization, or limited to a few target groups. You can add more target groups to a policy over time.

## How does conditional access policy work?
When a user requests access to O365 service from a supported device platform, Azure Active Directory authenticates the user and device from which the user launches the request; and grants access to the service only when the user conforms to the policy set for the service. Users that do not have their device enrolled are given remedial instructions on how to enroll and become compliant to access corporate O365 services. Users on iOS and Android devices will be required to enroll their devices using Company Portal application. When a user enrolls his/her device, the device is registered with Azure Active Directory, and enrolled for device management and compliance. Customers must use the Azure Active Directory Device Registration service in conjunction with Microsoft Intune to enable mobile device management for Office 365 service. Device enrollment is a pre-requisite for users to access Office 365 services when device policies are enforced.
A prerequisite for enforcing device policies is that users must register their devices with the Azure AD device registration service. You can opt to turn on multi-factor authentication for devices that register with the Azure AD device registration service. Multi-factor authentication is recommended for the Azure Active Directory device registration service. When multi-factor authentication is turned on, users who register their devices with the Azure AD device registration service are challenged for second-factor authentication.

When a user enrolls his/her device successfully, the device becomes trusted. Azure Active Directory provides Single-Sign-On to access company applications and enforces conditional access policy to grant access to a service not only the first time the user requests access, but every time the user requests to renew access. The user will be denied access to services when sign-in credentials are changed, device is lost/stolen, or the policy is not met at the time of request for renewal.
## How does a conditional access policy work?

## Deployment considerations:
When a user requests access to an Office 365 service from a supported device platform, Azure AD authenticates the user and the device. Azure AD grants access to the service only if the user conforms to the policy set for the service. Users on devices that are not enrolled are given instructions on how to enroll and become compliant to access corporate Office 365 services. Users on iOS and Android devices are required to enroll their devices by using the Intune Company Portal application. When a user enrolls a device, the device is registered with Azure AD and it's enrolled for device management and compliance. You must use the Azure AD device registration service with Microsoft Intune for mobile device management for Office 365 services. Device enrollment is required for users to access Office 365 services when device policies are enforced.

You must use Azure Active Directory device registration service to register devices.
When a user successfully enrolls a device, the device becomes trusted. Azure AD gives the authenticated user single sign-on access to company applications. Azure AD enforces a conditional access policy to grant access to a service not only the first time the user requests access, but every time the user renews a request for access. The user is denied access to services when sign-in credentials are changed, the device is lost or stolen, or the conditions of the policy are not met at the time of request for renewal.

When users are about to be authenticated on premises, Active Directory Federation Services (AD FS) (1.0 and above) is required. Multi-factor authentication (MFA) for Workplace Join fails when the identity provider is not capable of MFA. For example, AD FS 2.0 is not MFA capable. Your administrator must ensure that the on-premises AD FS is MFA capable and a valid MFA method is enabled, before enabling MFA on the Azure Active Directory device registration service. For example, AD FS on Windows Server 2012 R2 has MFA capabilities. You must also enable an additional valid authentication (MFA) method on the AD FS server before enabling MFA on the Azure Active Directory device registration service. For more information on supported MFA methods in AD FS, see Configure Additional Authentication Methods for AD FS.
## Deployment considerations

You must use the Azure AD device registration service to register devices.

When on-premises users are about to be authenticated, Active Directory Federation Services (AD FS) (version 1.0 and later versions) is required. Multi-factor authentication for Workplace Join fails when the identity provider is not capable of multi-factor authentication. For example, you can't use multi-factor authentication with AD FS 2.0. Ensure that the on-premises AD FS works with multi-factor authentication, and that a valid multi-factor authentication method is in place before you turn on multi-factor authentication for the Azure AD device registration service. For example, AD FS on Windows Server 2012 R2 has multi-factor authentication capabilities. You also must set an additional valid authentication (multi-factor authentication) method on the AD FS server before you turn on multi-factor authentication for the Azure AD device registration service. For more information about supported multi-factor authentication methods in AD FS, see [Configure additional authentication methods for AD FS](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs).

## Next steps

See the [Azure Active Directory Conditional Access FAQ](active-directory-conditional-faqs.md) for more answers to common questions.
* For answers to common questions, see [Azure Active Directory conditional access FAQs](active-directory-conditional-faqs.md).
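Review bot: The rewritten opening paragraph changes the meaning: "Conditional access requires multiple pieces to work. It involves a multi-factor authenticated user, an authenticated device, and a compliant device" reads as if all of these are needed together, whereas the text it replaces listed them as examples of conditions associated with conditional access. Suggest keeping them as conditions that a policy can require. The new H1 also reads "Active Directory conditional access device policies" while the new front-matter title and the body say Azure Active Directory; add "Azure" so the heading is not read as on-premises Active Directory. In the prerequisite paragraph, one sentence still spells out "Azure Active Directory device registration service" after the abbreviation "Azure AD" has been introduced.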
44 changes: 18 additions & 26 deletions articles/active-directory/active-directory-conditional-faqs.md
@@ -1,6 +1,6 @@
---
title: Azure Active Directory Conditional Access FAQ | Microsoft Docs
description: 'Frequently asked questions about conditional access '
title: Azure Active Directory conditional access FAQs | Microsoft Docs
description: Get answers to frequently asked questions about conditional access in Azure Active Directory.
services: active-directory
documentationcenter: ''
author: MarkusVi
Expand All @@ -16,51 +16,43 @@ ms.date: 05/25/2017
ms.author: markvi

---
# Azure Active Directory Conditional Access FAQ
# Azure Active Directory conditional access FAQs

## Which applications work with conditional access policies?

**A:** Please see [Applications and browsers that use conditional access rules in Azure Active Directory](active-directory-conditional-access-supported-apps.md).

---
For information about applications that work with conditional access policies, see [Applications and browsers that use conditional access rules in Azure Active Directory](active-directory-conditional-access-supported-apps.md).

## Are conditional access policies enforced for B2B collaboration and guest users?
**A:** Policies are enforced for B2B collaboration users. However, in some cases, a user might not be able to satisfy the policy requirement if, for example, an organization does not support multi-factor authentication.
The policy is currently not enforced for SharePoint guest users. The guest relationship is maintained within SharePoint. Guest users accounts are not subject to access polices at the authentication server. Guest access can be managed at SharePoint.

---
Policies are enforced for business-to-business (B2B) collaboration users. However, in some cases, a user might not be able to satisfy the policy requirements. For example, a guest user's organization might not support multi-factor authentication.

Currently, conditional access policies are not enforced for SharePoint guest users. The guest relationship is maintained in SharePoint. Guest user accounts in SharePoint are not subject to access polices at the authentication server. You can manage guest access in SharePoint.

## Does a SharePoint Online policy also apply to OneDrive for Business?
**A:** Yes.

---
Yes. A SharePoint Online policy also applies to OneDrive for Business.

## Why can’t I set a policy on client apps, like Word or Outlook?
**A:** A conditional access policy sets requirements for accessing a service and is enforced when authentication happens to that service. The policy is not set directly on a client application; instead, it is applied when it calls into a service. For example, a policy set on SharePoint applies to clients calling SharePoint and a policy set on Exchange applies to Outlook.

---
A conditional access policy sets requirements for accessing a service. It's enforced when authentication to that service occurs. The policy is not set directly on a client application. Instead, it is applied when a client calls a service. For example, a policy set on SharePoint applies to clients calling SharePoint. A policy set on Exchange applies to Outlook.

## Does a conditional access policy apply to service accounts?
**A:** Conditional access policies apply to all user accounts. This includes user accounts used as service accounts. In many cases, a service account that runs unattended is not able to satisfy a policy. This is, for example the case, when MFA is required. In these cases, services accounts can be excluded from a policy, using conditional access policy management settings. Learn more about applying a policy to users here.

---
Conditional access policies apply to all user accounts. This includes user accounts that are used as service accounts. Often, a service account that runs unattended can't satisfy the requirements of a conditional access policy. For example, multi-factor authentication might be required. Service accounts can be excluded from a policy by using conditional access policy management settings.

## Are Graph APIs available to configure configure conditional access policies?
**A:** not yet.
## Are Graph APIs available for configuring conditional access policies?

---
Currently, no.

## Q: What is the default exclusion policy for unsupported device platforms?
## What is the default exclusion policy for unsupported device platforms?

**A:** At the present time, conditional access policies are selectively enforced on users on iOS and Android devices. Applications on other device platforms are, by default, unaffected by the conditional access policy for iOS and Android devices. Tenant admin may, however, choose to override the global policy to disallow access to users on unsupported platforms.
Currently, conditional access policies are selectively enforced on users of iOS and Android devices. Applications on other device platforms are, by default, not affected by the conditional access policy for iOS and Android devices. A tenant admin can choose to override the global policy to disallow access to users on platforms that are not supported.

---

## Q: How do conditional access policies work for Microsoft Teams?
## How do conditional access policies work for Microsoft Teams?

**A:** Microsoft Teams relies heavily on Exchange Online and SharePoint Online for core productivity scenarios such as meetings, calendars, and files. Conditional access policies set up for these cloud apps apply to Teams during the sign-in experience.
Microsoft Teams relies heavily on Exchange Online and SharePoint Online for core productivity scenarios, like meetings, calendars, and file sharing. Conditional access policies that are set for these cloud apps apply to Microsoft Teams when a user signs in.

Microsoft Teams is also supported separately as a Cloud App in Azure AD Conditional Access policies and CA policy set up for this cloud app will apply to Teams during the sign-in experience.
Microsoft Teams desktop clients for Windows and Mac support modern authentication, which brings sign-on based on the Azure Active Directory Authentication Library (ADAL) to Microsoft Office client applications across platforms.
Microsoft Teams also is supported separately as a cloud app in Azure Active Directory conditional access policies. Certificate authority policies that are set for a cloud app apply to Microsoft Teams when a user signs in.

---
Microsoft Teams desktop clients for Windows and Mac support modern authentication. Modern authentication brings sign-in based on the Azure Active Directory Authentication Library (ADAL) to Microsoft Office client applications across platforms.
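Review bot: In the Microsoft Teams answer, "CA policy" from the replaced text has been expanded to "Certificate authority policies", but the replaced sentence uses CA for the conditional access policies it has just named; the line should read along the lines of "Conditional access policies that are set for this cloud app apply to Microsoft Teams when a user signs in." The same sentence changes "this cloud app" to "a cloud app", which loses the point that the policy meant is the one set on Microsoft Teams itself. In the guest-user answer, the typo "access polices" is carried over from the old text and should be "access policies".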