News

Azure AD Conditional Access Adds Features for Settings Management

• By Kurt Mackie
• 05/07/2020

Three new features for assessing policy settings on Azure AD Conditional Access, a Microsoft service that checks that certain policies on client devices have been set before granting network access, became generally available (GA) this week.

One of the features, report-only mode for Azure AD Conditional Access, was earlier announced with a bunch of other Azure AD features that also reached the GA stage. The report-only mode lets IT pros see the effects of Conditional Access policies before making them go live. Azure AD Conditional Access users will now get their policies "created in report-only mode by default," Microsoft indicated.

Microsoft's example on using the report-only mode is seeing the effects in advance when setting a block on the use of "legacy authentication" methods. It's a somewhat timely example, as Microsoft is planning to disable Basic Authentication when it gets used with the Exchange Online e-mail service. The end of Basic Authentication was originally scheduled for October, but Microsoft recently pushed that deadline out to the second half of 2021. That said, the ability to use so-called "modern authentication" instead (meaning the use of OAuth 2.0) with the IMAP and SMTP AUTH protocols in Exchange Online only just got rolled out last month.

Microsoft's announcement indicated that report-only mode has been a popular feature, with more than "26M users" over the "past few months."

Insights and Reporting Workbook
Another Azure AD Conditional Access feature reaching GA status is the Insights and Reporting Workbook, which is accessed via the Azure Monitor portal. It offers a time-scale view of how Conditional Access policies have worked across the organization, which can be set from four hours to 90 days in the past. It'll show details in a dashboard summary under the categories of "Success," "Failure," "User action required" and "Not applied." It shows details for all users, or it's possible to drill down into specific end user data.

The prerequisites to use the Insights and Reporting Workbook feature involve having the proper IT role and the proper licensing. The Log Analytics service is used to store the log data. IT pros have to stream the sign-in logs from Azure AD service to Azure Monitor to use the Insights and Reporting Workbook feature and get data in a dashboard. Organizations need to have a Log Analytics workspace set up, and they'll need "Azure AD Premium P1 or P2 licenses to use Conditional Access," Microsoft explained in a document on the topic.

Policy Details
Lastly, Microsoft announced the GA release of a new Policy Details "blade" in the Azure AD Admin Center portal for better troubleshooting of Conditional Access policies. Microsoft added this Policy Details view to the portal because "customers want to know exactly why a policy resulted in success, failure, or wasn't applied." It offers more "granular information," the announcement indicated.