Tag Archives: conditional access

Conditional access – third party apps

This post will show how you can add a third party app to Azure AD that supports SAML, and then create a conditional access policy so that only compliant devices can access the third party cloud resource.

In my example I have signed up for a GoToMeeting trial. I will add the GoToMeeting app to Azure AD and configure the single sign-on options to use SAML, and then on the GoToMeeting side I will configure Azure AD to be the Identity Provider. Once this is set up, I will create a Conditional Access policy that requires devices to be compliant in order for them to access GoToMeeting. When logging in to GoToMeeting with a work account, GoToMeeting will redirect me to sign in through Azure AD, and the conditional access policy will then kick in.

Always test conditional access with test users, and plan thoroughly for any changes in a Production environment. The information below is for testing purposes.

Recommended reading:

Single Sign-On SAML protocol
https://docs.microsoft.com/en-us/azure/active-directory/develop/single-sign-on-saml-protocol

Single sign-on to applications in Azure Active Directory
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/what-is-single-sign-on

Tutorial: Azure Active Directory integration with GoToMeeting
https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/citrix-gotomeeting-tutorial

What is conditional access in Azure Active Directory?
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview

Tutorial: Configure GoToMeeting for automatic user provisioning
https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/citrixgotomeeting-provisioning-tutorial

In Azure Active Directory, go to Enterprise applications then click on New application.

Search for the application. Note that it says it supports SAML based sign-on for the Single Sign-On Mode. Click on Add.

Once the application has been added, I will give access to my test users by clicking on Users and groups, then Add user.

Now I will configure SAML as the single sign-on mode. Click on Single sign-on on the left hand side, then select SAML.

In Identifier (Entity ID) I have entered https://authentication.logmeininc.com/saml/sp, in Reply URL (Assertion Consumer Service URL) https://authentication.logmeininc.com/saml/acs, and in Relay State https://global.gotomeeting.com.

Now I am going to download the Federation Metadata XML and upload it to the GoToMeeting site.

Logged in with my admin account at https://organization.logmeininc.com/, in the Identity provider section I have selected Upload SAML metadata file. This file contains all the Azure AD information, and uploading it configures Azure AD as the identity provider.

Now, with a test user, I will log in to https://www.gotomeeting.com/meeting/sign-in and select My Company ID so that it redirects me to my identity provider (Azure AD).

As expected, it has redirected me to Azure AD. This confirms that the SAML single sign-on mode has been configured successfully.

Next I will add the conditional access policy.

Under Cloud apps, you can see that GoToMeeting now appears because we added it earlier. I will select it as the Cloud app.

I will configure it to apply to all device platforms.

I have configured it to apply to the Browser and Mobile apps client types, etc.

In this test example, I have configured the policy so that only Intune enrolled, compliant devices can access GoToMeeting.

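The same policy can be expressed as the body Microsoft Graph accepts for a conditional access policy, which is useful for reviewing or version-controlling what was clicked through in the portal. This is an added example (not code from the original post, from Microsoft or from GoToMeeting): it builds the policy described in the steps above and includes a simplified evaluator that models how the policy applies to a sign-in, so the blocked and allowed outcomes in the rest of this post can be reasoned about offline. The GoToMeeting appId and the test-user group id are placeholders.

```python
# Added example: the policy from this post as a Microsoft Graph conditionalAccess body,
# plus a simplified model of how Azure AD applies it to one sign-in.
GOTOMEETING_APP_ID = "11111111-1111-1111-1111-111111111111"  # placeholder, not the real appId
TEST_GROUP_ID = "22222222-2222-2222-2222-222222222222"       # placeholder test-user group


def build_policy(app_id, group_id, state="enabled"):
    """Body for POST /identity/conditionalAccess/policies (same fields the portal sets)."""
    return {
        "displayName": "Require compliant device for GoToMeeting",
        "state": state,  # "enabledForReportingButNotEnforced" = report-only mode
        "conditions": {
            "users": {"includeGroups": [group_id]},
            "applications": {"includeApplications": [app_id]},
            "platforms": {"includePlatforms": ["all"]},
            "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    }


def evaluate(policy, signin):
    """Simplified model of policy evaluation for one sign-in.

    signin keys: app_id, group_ids, client_app_type, device_compliant.
    Returns one of: not-applicable, report-only, granted, blocked.
    """
    cond = policy["conditions"]
    in_scope = (
        signin["app_id"] in cond["applications"]["includeApplications"]
        and any(g in cond["users"]["includeGroups"] for g in signin["group_ids"])
        and signin["client_app_type"] in cond["clientAppTypes"]
    )
    if not in_scope or policy["state"] == "disabled":
        return "not-applicable"
    if policy["state"] == "enabledForReportingButNotEnforced":
        return "report-only"  # outcome is logged, the sign-in is not blocked
    grant = policy["grantControls"]
    # Only the control this post uses is modelled; any other control counts as unsatisfied
    satisfied = [c == "compliantDevice" and bool(signin.get("device_compliant"))
                 for c in grant["builtInControls"]]
    ok = any(satisfied) if grant["operator"] == "OR" else all(satisfied)
    return "granted" if ok else "blocked"
```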
Now let's log in to https://www.gotomeeting.com/meeting/sign-in with My Company ID.

It redirects us to Azure AD, as we configured Azure AD as the identity provider earlier (and the domain used in my UPN was also added and confirmed in GoToMeeting).

Now, because my device is not enrolled in Intune, I am blocked from accessing the GoToMeeting cloud resource, as expected.

I have installed the GoToMeeting app on an Android phone, and the user experience is the same, as expected.

On an Intune enrolled, compliant device I can log in fine, as expected (or you can launch the app from myapps.microsoft.com).

Intune – Require users to use Outlook app on iOS and Android devices

This post will go into how you can use Intune preview in the Azure Portal to set a Conditional Access policy to require iOS and Android users to use the Outlook app, rather than the native iOS mail and Android mail applications. It will also show the user experience for a user using an iOS device and an Android device. To use the Outlook app once the policy has applied, the iOS device needs the Microsoft Authenticator app installed, and Android users need the Company Portal app installed.

In portal.azure.com click on More Services, then search for Intune and click on Intune App Protection (you can click the star to pin it to your list).

Intune App Protection

Now click on Exchange Online under Conditional Access.

Exchange Online – Conditional Access

Click on Allowed Apps. I have selected Allow apps that support Intune app policies.

Allowed apps – Conditional Access, Exchange Online

Restricted Groups is where you choose who to deploy the policy to. In Azure Active Directory, I have created a group called Intune which contains my users that have an Intune license assigned. It's a good idea to deploy this to some test users first, and not to a group containing all your users.

Restricted user groups – Conditional Access, Exchange Online

On an Android device, I have updated the Gmail application to support Office 365 and added my account. When I check the inbox I can see an email saying that the IT department requires me to use the Outlook app.

On an iOS device, the user experience is very similar. When using the iOS native mail application, as soon as you check the inbox you will see a very similar email stating again that you are required to use the Outlook app for Exchange Online.

As mentioned earlier in the post, for Android you need the Company Portal app, and for iOS you need the Microsoft Authenticator app to register the devices in Azure AD (not enroll, only register). On an Android device, if you do not have the Company Portal app, you will see the following screen.

Android – Company Portal app required

And this is the user experience for iOS without the Microsoft Authenticator app.

Once the apps are installed you can then log in to Exchange Online using the Outlook app.

Intune Conditional Access with Exchange Online for Windows PCs – User Experience

This post will show the end user experience when Conditional Access is configured to prevent non-domain joined Windows 7 and Windows 10 PCs from accessing Exchange Online, either from the Outlook client or from OWA web mail. If you would like more information on how to configure Conditional Access for different scenarios, see Use conditional access with Intune and Configuration Manager.

In a ConfigMgr Current Branch 1610 Intune Hybrid environment, I have configured Conditional Access in the ConfigMgr console, which then opens the Intune admin console.

I have enabled the conditional access policy.

Now, on a non-domain joined Windows 7 machine, when trying to access OWA the user is presented with the “You can’t get there from here” screen below.

And on the same Windows 7 machine, if a user tries to configure their Exchange Online account in the Outlook application, they get the same “You can’t get there from here” screen.

This looks the same on Windows 10.

The same screen appears when accessing OWA on a Windows 10 machine.

What happens if a machine had Outlook configured and working before the Conditional Access policies were put in place? In my testing, when opening the Outlook app, the same screen was displayed when it tried to connect to Exchange Online.