Azure AD conditional access and per app MFA is globally available starting today, as announced by Alex Simmons. This feature was in preview for some time, but now, that it is globally available, it can be used in production environments. Since this is a new feature, I played a little bit around with it and I would like to share some insights.
Azure AD per app MFA and conditional access allows administrators to set MFA requirements on applications that are registered in Azure AD. This enables interesting scenarios, like for example requiring MFA for Exchange Online, but not for SharePoint Online, if a request comes from outside the corporate network. In order for this to work, you would have to activate MFA first and define the IP ranges that define your corporate network in CIDR format. You should be able to do this by accessing following URL: https://account.activedirectory.windowsazure.com/usermanagement/mfasettings.aspx.
I have a basic lab in Azure (old version) so I provided the public IP address of the cloud service where most my machines reside:
Once this is set up, you can navigate to your Azure Active Directory. Available apps for the specific directory should be listed under “Applications”. In my case, I chose Exchange Online and under “Configure” I was able to define following settings:
This should require multi-factor authentication when requests for Exchange Online are coming from IPs that don’t fall into the defined range.
Logging in to portal.office.com will log you in normally. But when trying to access “Mail” I was prompted for MFA. So this was working as a charm. However, when I performed the same actions from my Windows 8.1 client hosted on Azure, I could access “Mail” without providing a second authentication factor.
I have tested this feature both with federated and managed accounts and in both cases, I had the same behavior.
Regarding ActiveSync devices and Outlook clients, they seem to work correctly, even if MFA is required when outside the corporate network. When trying to set up a nea ActiveSync profile on a Lumia 950, I was prompted also for the second authentication factor and everything worked fine. Trying to create a new Outlook profile on a workstation outside the corporate network was also a success, but in this case I was never prompted for the second authentication factor. So seems like MFA doesn’t apply in this case.
Another thing to notice is that if you have previously enabled per user MFA, this will overwrite the conditional access rules that you set up on application level. In this case you will be prompted for the second authentication factor already when you try to login to portal.office.com. However, if you then click on “Mail” you’re not prompted once again. So, if you want to use per app MFA and conditional access, then don’t enable per user MFA in Azure AD! I think this is very important.
I also tested Azure AD per app MFA and conditional access with other applications that are integrated with Azure AD, like Netflix and Yahoo Mail. In both cases, the behavior was consistent. Trying to login to myapps.microsoft.com went without MFA, but when accessing Netflix from outside, the second authentication factor came into play.
Overall, this is a great feature because it offers great flexibility to meet both security and end user requirements. Further, if you develop an application that interacts with Office 365 services as a user, you can now integrate this application with Azure AD let per app MFA disabled. To achieve this without Azure AD conditional access is very tricky. But now everything seems to be a lot easier.
If you’re trying to implement per app MFA and conditional access, let me know how it worked.