The move to cloud services and an ever-increasing need for mobility are driving organizations to look for solutions that protect data while enhancing user productivity and device flexibility. Organizations require the ability to control user access to online services based on a variety of factors such as device compliance or network location, and to better protect content that is accessed from these devices.
This document describes the Conditional Access (CA) features in Microsoft Office 365 and Microsoft Enterprise Mobility + Security (EMS) (formerly, Microsoft Enterprise Mobility Suite), and how they are designed with built-in data security and protection to keep company data safe, while empowering users to be productive on the devices they love. It also provides guidance on how to address common concerns around data access and data protection using Office 365 features.
With Office 365 and EMS, customers can meet their user productivity and device flexibility requirements, while keeping their data secured. Access to company data stored in Office 365 can be restricted to corporate computers and mobile devices that meet configurable security standards. Even when accessed from personal mobile devices such as mobile phones and tablets, customer data remains protected.
The features and products referenced in this document are described below.
Active Directory Federation Services (AD FS): On-premises security token service (STS) that provides simplified, secure identity federation and Web single sign-on (SSO) capabilities for users who want to access applications within an AD FS-secured enterprise, in federation partner organizations, or in the cloud. Federated identities with Modern Authentication-enabled clients interoperate with EvoSTS, which is the Azure AD STS.
AD FS indirectly supports CA scenarios, as it offers a set of controls known as client access filtering that allow the creation of perimeter network-based policies for IP range filtering, accessed workload, or client type (browser vs. rich client).
Multi-Factor Authentication (MFA): Protects access to data and applications by requiring a second form of authentication. Strong authentication is available through a range of verification options.
Azure AD Premium: All CA scenarios that leverage Azure AD require Azure AD Premium. Azure AD Premium adds feature-rich enterprise-level identity management capabilities and enables hybrid users to seamlessly access on-premises and cloud capabilities. It includes everything information workers and identity administrators need in hybrid environments across application access, self-service identity and access management, and identity protection and security in the cloud.
Azure Rights Management (Azure RMS): Uses encryption, identity, and authorization policies to protect files and email. Information protection that is applied by using Azure RMS stays with the files and emails independently of their location, allowing customers to remain in control of their data even when that data is in motion.
Conditional Access (CA): CA allows customers to selectively allow or disallow access to Office 365 based on attributes such as device enrollment, network location, group membership, etc.
Device-based CA restricts access to devices that are managed by the organization and are in a healthy state. Device-based CA is a feature of Intune. Users must enroll their devices in Intune and validate that the device meets the organization's access rules regarding device health and security.
There are other CA scenarios that do not require device enrollment, such as restricting access to specific network locations. These scenarios do not require Intune and are provided through Azure AD Premium access control features.
Data Loss Prevention (DLP): Helps identify and monitor sensitive information, such as private identification numbers, credit card numbers, or standard forms used in your organization. DLP policies enable you to notify users that they are sending sensitive information and to block the transmission of sensitive information.
Enterprise Mobility + Security (EMS): Provides identity and access management, MDM, MAM and Azure RMS. Intune is a part of EMS.
Microsoft Intune: Intune is a cloud-based service that helps you manage Windows PCs, and iOS, Android, and Windows mobile devices. Intune also helps protect corporate applications and data. You can use Intune alone or you can integrate it with Microsoft System Center Configuration Manager 2012 R2 to extend your management capabilities.
Mobile Application Management (MAM): Controls how corporate-managed applications work and interact with other managed applications and unmanaged applications (e.g., provides the ability to restrict user actions such as copy, paste, download, etc.). Available through Intune.
Mobile Device Management (MDM): Provides the ability to configure mobile device policies, such as enforcing complex PINs or passwords, blocking devices that have been jailbroken or rooted from syncing email, disabling Bluetooth, etc. Available through Office 365 MDM and Intune.
Modern Authentication: Provides OAuth-based authentication for Office clients against Office 365 using the Active Directory Authentication Library (ADAL). Replaces the Microsoft Office Sign-In Assistant. Allows for CA policies, so administrators can define granular application- and device-based controls for corporate resources.
Table 1 - Features and Products referenced in this document
Customer scenarios for CA vary. This document discusses the scenarios listed below. This is not a complete list; rather, these are the scenarios about which Microsoft is most commonly asked.
To understand the solutions for the above scenarios, it is important to be familiar with Microsoft EMS, Office 365 MDM, Intune MDM, CA policies, and MAM. For an overview of security architecture for Office 365 and managed apps, see Architecture guidance for protecting company email and documents.
EMS is a Microsoft cloud solution that provides identity and access management for mobile devices. Many scenarios discussed in this document require EMS, which includes the following services:
While customers can purchase each of the above services individually (based on their requirements), it is usually more cost-effective to purchase EMS. For more information, visit the Microsoft Enterprise Mobility + Security Web site.
Office 365 includes native MDM capabilities with commercial subscriptions. MDM helps organizations manage their mobile device security and control access to Office 365 data across a diverse range of mobile phones and tablets.
With Office 365 MDM, organizations can restrict access to Exchange Online and SharePoint Online to mobile devices that are both managed and compliant with security policies:
Once policies are configured and scoped to users, devices that are not enrolled or are not policy-compliant will not be authorized to access Office 365 email and documents.
When trying to access Exchange Online or SharePoint Online data from an unregistered mobile device, users will be prompted to enroll their mobile devices to be granted access by installing and signing in to the Intune Company Portal app.
Throughout this process, compliance policies will be enforced on the device. Compliance policies help organizations keep data safe on mobile devices. Such policies may include:
With these policies in place, even if a device is lost or stolen, data on the device remains protected. In addition, company data can be wiped from the device—either locally (when too many incorrect PINs are entered), or remotely (as initiated by the user or administrator).
Note: Policies and access rules created through Intune or Office 365 MDM override Exchange ActiveSync mobile device mailbox policies and device access rules created in the Exchange admin center.
With Office 365 MDM, organizations can apply security policies to user mobile devices, manage access to corporate resources, and perform a selective wipe of Office 365 data from mobile devices. These capabilities are powered by Microsoft Intune. Office 365 MDM features are described in Capabilities of built-in Mobile Device Management for Office 365.
Intune MDM provides all of the features available in Office 365 MDM, along with some extra features. Organizations that require advanced controls can purchase an Intune subscription, either in standalone form or as part of EMS.
Note: As customers use Office 365 and start shaping their data access and security requirements, they will need to determine whether the native Office 365 MDM capabilities are sufficient for their needs, or whether they require a more advanced solution. Customers can start with Office 365 MDM and upgrade to Intune MDM later.
From an MDM standpoint, Office 365 MDM provides standard features that will suit most organizations. Specifically, a subscription to Microsoft Intune is optional if all of the customer's devices are managed and domain-joined. However, Intune is required to manage PCs in addition to mobile devices, manage application security through MAM, or provide more granular control on CA policies.
With CA policies, customers can control access to Office 365, based on various attributes such as group membership, authentication strength, device registration, device compliance, client platform, network location, and more. CA policies are configured per application, allowing customers to enforce different access rules for separate applications. They can also be scoped to specific groups or users.
It is important to understand that access controls are managed at multiple layers today (both of which require Azure AD Premium):
The following table provides a high-level summary of the features, scope, and licensing requirements:
Device-based CA (Intune)
  Description: Restrict access to managed and compliant devices, or domain-joined devices.
  Office 365 services in scope: OneDrive for Business, Skype for Business
  Licensing: Basic features available with Office 365 MDM; Intune or EMS required for advanced features

Azure Access Control
  Description: Require MFA when not at work; block access when not at work
  Office 365 services in scope: OneDrive for Business, Skype for Business
  Client platforms in scope: All (not scoped by platform). Requires clients that support Modern Authentication. For more information, see How modern authentication works for Office 2013 and Office 2016 client apps.
  Licensing: Requires Azure AD Premium or EMS

Table 2 - Conditional access management summary
For services or platforms that are not explicitly listed in scope in the above table, CA is not available and cannot be configured. For example:
CA supports several scenarios such as (not a complete list):
CA does not support some scenarios such as (not a complete list):
In addition to CA, organizations using a federated identity model with Office 365 may also configure AD FS rules to further control access. This is outside of the scope of this document, but for more information, see Limiting Access to Office 365 Services Based on the Location of the Client.
Intune MAM provides application-level management for organizations seeking more protection for corporate data. MAM helps organizations whose users use the same devices and applications for both work and personal purposes. Users want to be able to access both their company and personal data from the same device, but organizations need to prevent users from transferring company data to personal applications or to personal data storage locations, such as personal e-mail, third-party cloud solutions, or local storage on the device. For example, Intune MAM policies can dictate that data copied from a managed application (e.g., Outlook) can only be pasted into another managed application (e.g., Word), but cannot be pasted into an unmanaged application.
Some applications, such as Outlook, can be configured to access both company and personal resources. With the MAM multi-identity management feature, users are able to access both their personal and work email accounts in the same application, but with MAM applied only to their company account. For example, Intune MAM settings can dictate that corporate data can only be shared within the corporate identity boundaries (e.g., within a single corporate email profile, or within OneDrive for Business and SharePoint Online locations), but may not be transferred to other mailboxes or data storage locations, even within the same application (e.g., Outlook or OneDrive for Business). At the same time, users are permitted to access their personal email or documents on their device without IT controls, providing an optimal user experience.
With Intune, organizations can protect against data leakage through MAM, with or without an MDM solution (MAM without enrollment or device management).
With MAM policies, organizations can both protect access to company data and control how data is used on the user device, by enforcing policies such as:
While MAM can be used without MDM, there are benefits to using MDM with MAM policies, and companies can use MAM both with and without MDM at the same time. For example, an employee can use a company-issued phone as well as a personal tablet. In this case, the company phone is enrolled in MDM and protected by MAM policies, while the personal device is not enrolled in MDM and is protected by MAM policies only.
For organizations that want to keep company data under control, but do not want to enroll and manage their users' devices, Intune MAM is a great solution to the challenges of "bring your own device" (BYOD). Intune MAM is also an effective solution for organizations that have already deployed a third-party MDM solution and want greater control of their company data.
Intune MAM provides many advanced features designed for data protection, including the ability to:
For more information about these features, see Announcing New Microsoft Enterprise Mobility Capabilities.
With MAM policies in place, data remains protected on user devices:
MAM policies allow organizations to customize settings to achieve the protection level that meets the organization's needs with respect to:
For more information on Intune MAM, see Protect app data using mobile app management policies with Microsoft Intune.
This section uses scenarios to illustrate how to address common security concerns associated with user mobility.
Organizations want their users to remain productive from anywhere using their mobile devices, while retaining control of corporate data. Ensuring that data is safe on mobile devices is a common customer concern. To meet this challenge, Microsoft provides the following options that may be used together or independently:
Deployment considerations for Office 365 MDM
This scenario can be achieved using Office 365 MDM. The deployment steps involve:
To support this scenario, the customer must:
For more information on the end-user enrollment process, see What to tell your users about using Microsoft Intune. For more information on how to create and deploy Office 365 MDM policies, see Create and deploy device security policies.
Note: Access control may be provided through Office 365 MDM as discussed above, or through Intune. Customers that have purchased Intune should use the Intune Management Portal to configure MDM and CA policies, instead of using Office 365 security policies.
Deployment Considerations for Intune MAM
You can use Intune MAM to prevent data leakage. Unlike other Intune policies, MAM policies are not deployed directly to users and devices. Instead, policies must be associated with applications. The settings take effect when the application is deployed and installed.
MAM policies can be applied to:
To support this scenario, the customer must:
For more information, see Configure and deploy mobile application management policies in the Microsoft Intune console.
Most organizations expect their users to be able to access corporate data from their corporate-issued desktop or laptop computers at any time and from any location, as long as user credentials are valid and the device remains trusted. At the same time, these organizations may want to prevent access from untrusted computers, even if valid user credentials are used, to protect against scenarios such as access from unprotected computers (kiosk PCs, shared family PCs, etc.) and the use of compromised credentials from unknown computers.
By default, any user with valid credentials can access Office 365 from any computer. Microsoft Intune provides CA policies that enable customers to restrict access to Exchange Online, SharePoint Online, and Skype for Business to computers that are either domain-joined to the customer's on-premises Active Directory or enrolled in Intune and compliant with policies:
Domain-joined computers do not need to enroll in Intune, but must be registered in Azure AD.
Computers that are not domain-joined, or that do not meet compliance policies after enrollment, will be denied access to services configured in the scope of the CA policies.
Note: Currently, CA policies cannot be configured to only allow access from computers that are domain-joined, while denying access from computers that are not domain-joined, but enrolled and compliant.
Currently, CA policies are not available for Mac computers. Customers using Mac computers have the following options:
Corporate computers often store data locally. This can be a combination of content stored by the user, such as cached Outlook data, or synchronized OneDrive for Business or SharePoint Online content.
For domain-joined computers, locally-stored data can be protected through policies enforced by the customer at the Active Directory domain level, which include at minimum:
For Windows 8.1 and later computers that are enrolled in Intune (whether they are domain-joined or not), locally-stored data may be protected through Intune PC management functionalities (patch management, antivirus and antimalware protection, Windows Firewall settings, etc.), as well as compliance policies.
Compliance policies must include:
Note: Compliance policies are only applicable to devices that are MDM-enrolled with Intune. They cannot be enforced on Windows 7 PCs (since they cannot be enrolled), or on devices not enrolled in Azure AD (even if they are registered or domain-joined).
Intune MDM also supports the management of Mac OS X 10.9 or later devices with compliance policies. For more information, see Introducing Intune support for Mac OS X management.
For a complete list of policies that may be applied to computers, see:
Deployment Considerations for CA policies on Windows computers. For this scenario, the following requirements apply:
It is also recommended that AD FS be deployed for this scenario. This is required to support automatic registration of domain-joined computers in Azure AD and to block non-Modern Authentication protocols. To configure AD FS, follow the instructions in Scenario 3: Block all access to Office 365 except browser-based applications in the Enabling Client Access Policy section of Configuring Client Access Policies.
Once corporate computers are successfully registered with Azure AD, CA policies can be configured to control access to Office 365. For information about creating policies in Intune, see Manage settings and features on your devices with Microsoft Intune policies.
Note: Currently, CA policies only apply to Modern Authentication rich clients. Preventing access from non-Modern Authentication clients must be addressed through AD FS configuration. Preventing access from Web browsers from Windows computers is currently in preview.
Conditional Access policies are available to protect Exchange Online and SharePoint Online content accessed from Web browsers on iOS and Android. When configured, users who try to sign in to Outlook on the web and SharePoint Online sites from unregistered iOS and Android devices will be prompted to enroll their device with Intune and to fix any non-compliance issues before they can complete sign-in.
Many large companies expect to prevent access to Office 365 from networks outside their perimeter for all services or for a subset of clients only. For example, some customers want to prevent access to Office 365 from rich clients only, or from clients on external networks, while allowing browser access.
Therefore, some customers implement client access policies at the AD FS level to implement common scenarios, such as:
Note: Blocking all external access to Office 365, except browser-based applications, cannot be done using AD FS rules for customers that have enabled Modern Authentication on their tenant, because rich clients (Outlook and other Office apps) bypass the client-access-filtering policies. For more information, see Office 2013 and Office 365 ProPlus modern authentication and client access filtering policies: Things to know before onboarding.
As an alternative to client access policies, consider using the following options:
Many customers block external access to Office 365 to reduce the risk of data leakage from external clients such as kiosk devices or home PCs that are not appropriately protected and therefore constitute a security risk. Microsoft recommends that customers manage access to Office 365 through MDM and device-based CA, rather than through location-based access rules. This is a better solution because:
Deployment Considerations for Location-based Access Control
For customers that choose to implement location-based access control, Azure AD Premium must be purchased for all users, in standalone form or as part of EMS. Location-based access control is configured using the Azure Management Portal. It must be configured separately for each Office 365 service (e.g., Exchange Online, SharePoint Online, Skype for Business, Yammer Enterprise, etc.).
It is important to note that access control policies apply only to clients that are enabled for Modern Authentication. Other rich clients that are not affected by these policies can be blocked through AD FS claim-based rules. This is achieved by following instructions in Scenario 3: Block all access to Office 365 except browser-based applications in the Enabling Client Access Policy section of Configuring Client Access Policies.
Some organizations in retail and other sectors have requirements to restrict hourly workers or vendors from logging into corporate resources based on criteria such as time, group membership, etc.
To restrict access based on the time of day for a user with federated credentials, the tenant admin can define login hour policies on the user's AD account. However, note that login restrictions are enforced only at the time of authentication; they do not revoke an existing session once it falls outside the defined login hour policy. This can be addressed by limiting the session token lifetime so that the client will need to refresh the token on a more frequent basis.
Some customers also need to restrict vendor access to Office 365 based on group membership. To achieve this, the vendor accounts can be placed in specific AD groups that prevent access from external networks or enforce other restrictions through either AD FS claim-based rules or CA policies.
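As an added example (not from the original document), the following script applies the two controls described above with Windows PowerShell: a logon-hours window on the user's Active Directory account, and a shorter AD FS token lifetime for the Office 365 relying party so a session cannot outlive the window by much. It assumes the ActiveDirectory and ADFS modules are available on the host; the account name and the relying party trust name are placeholders.

```powershell
# Added example, not part of the original document.
# Restricts a federated user's AD account to Monday-Friday 08:00-18:00 and caps
# the AD FS token lifetime for the Office 365 relying party trust.
# Assumptions: ActiveDirectory and ADFS modules; $SamAccountName is a
# placeholder; $RelyingParty is the commonly used default name, adjust as needed.
Import-Module ActiveDirectory
Import-Module ADFS

$SamAccountName = 'hourly.worker'                            # placeholder
$RelyingParty   = 'Microsoft Office 365 Identity Platform'   # assumed default name

function New-LogonHoursMask {
    param(
        [int[]]$Days,       # 0 = Sunday ... 6 = Saturday
        [int]$StartHour,    # first permitted hour (inclusive)
        [int]$EndHour       # first hour after the window (exclusive)
    )
    # logonHours is a 21-byte bitmap: 168 bits, one per hour of the week,
    # beginning with Sunday 00:00. A set bit permits logon. The domain
    # controller evaluates the bits in UTC, so express the window in UTC.
    $mask = New-Object byte[] 21
    foreach ($day in $Days) {
        for ($hour = $StartHour; $hour -lt $EndHour; $hour++) {
            $bit   = $day * 24 + $hour
            $index = [int][math]::Floor($bit / 8)
            $mask[$index] = [byte]($mask[$index] -bor (1 -shl ($bit % 8)))
        }
    }
    return ,$mask   # leading comma keeps the byte[] from being unrolled
}

# Monday (1) through Friday (5), 08:00-18:00 UTC.
$mask = New-LogonHoursMask -Days 1, 2, 3, 4, 5 -StartHour 8 -EndHour 18
Set-ADUser -Identity $SamAccountName -Replace @{ logonHours = $mask }

# Logon hours are checked only at authentication time, so shorten the token
# lifetime (in minutes) on the Office 365 relying party trust. This cmdlet
# must run on an AD FS server.
Set-AdfsRelyingPartyTrust -TargetName $RelyingParty -TokenLifetime 60

# Verify what was written: count the permitted hours in the stored bitmap.
$stored = (Get-ADUser -Identity $SamAccountName -Properties logonHours).logonHours
$permitted = 0
foreach ($b in $stored) {
    for ($i = 0; $i -lt 8; $i++) { if ($b -band (1 -shl $i)) { $permitted++ } }
}
"$permitted of 168 weekly hours are permitted for $SamAccountName"
```

Active Directory Users and Computers displays logon hours shifted to the local time zone of the console, so compare against the UTC window when verifying.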
On personal computers running Windows or Mac OS, users typically have full control over corporate content they are authorized to access once the content is downloaded locally. Therefore, users can compromise data safety by sharing sensitive documents via email or by storing information in unsafe locations, such as personal cloud storage or unencrypted USB devices.
Office 365 and Azure include features that protect content on corporate computers and prevent data leakage, even when the content is accessed by a trusted user on a trusted device. These features are Azure RMS and DLP. They also apply to mobile devices, and can be combined with other mobile data safety solutions, such as MAM, to provide additional security.
To use Azure RMS, customers must purchase it, either in standalone form or as part of EMS. With Azure RMS, customers can apply persistent protection to content. Content protection remains with the data, even when the data is saved to an insecure location or sent by email. Protection can be applied to any data type, providing different levels of access (e.g., read, edit, print, etc.). Through encryption, identity, and authorization policies, customers can ensure that only authorized parties can access the content. In addition, auditing features let the customer see whether protected content was accessed and when, and whether unauthorized people attempted to access it. For more information on using Azure RMS with Office 365, see How applications support Azure Rights Management.
Office 365 provides DLP features for Exchange Online and SharePoint Online, which enable customers to protect sensitive information whether in email, a document library, a OneDrive for Business folder, or an actual Office file itself. DLP features help enforce compliance policies by detecting and protecting sensitive data in real time. Organizations can define policies to detect sensitive information based on a custom set of rules, and to take appropriate actions, such as:
For more information, see Data Loss Prevention and Find sensitive data stored in SharePoint Online sites.
Usernames and passwords can be compromised in a variety of ways including through malware, keystroke loggers, phishing attacks, and others. Microsoft has services like Exchange Online Advanced Threat Protection that protect against the attacks themselves, as well as provide solutions to mitigate the organizational risk resulting from an attack.
These solutions include:
MFA for Office 365 mitigates risk by providing an extra authentication layer in addition to user credentials, which ensures that compromised credentials alone do not gain access to Office 365. Users enabled for MFA are prompted to acknowledge a phone call or text message after entering their credentials. MFA is included at no additional charge with most Office 365 subscriptions.
In the event that credentials are compromised, whether by interception, malware, etc., an attacker is unable to use those credentials alone to access Office 365. Customers may also leverage an existing on-premises MFA solution to protect access to Office 365. For more information about enabling MFA for Office 365, see Set up multi-factor authentication for Office 365 users.
Customers can also elect to prevent the transmission of usernames and passwords with basic authentication by enabling Modern Authentication. Office 2013 and 2016 client applications can use ADAL to engage in browser-based authentication. This transition enforces claim-based authentication, which reduces the risk of credentials being compromised and enables enhanced features such as smart cards and MFA.
Deployment considerations for MFA-based Access Control
For this scenario, Azure AD Premium must be purchased for all users, in standalone form or as part of EMS. MFA-based access control is configured using the Azure Management Portal. It must be enabled separately for each application.
Multiple solutions are available to customers to help detect and handle security events associated with compromised user accounts, including:
For additional information about the audit and reporting features in Office 365, see Auditing and Reporting in Office 365.
If an account is detected to be compromised, the tenant admin must take several actions to limit the resulting damage. Changing the user's password immediately invalidates the access token for the session and terminates any existing sessions, forcing the user to re-authenticate. The account may also be disabled to prevent any new sessions.
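As an added example (not from the original document), this PowerShell script performs the containment steps described above, then pulls the account's recent sign-in events from the Office 365 audit log so the investigator can see where the account was used. It assumes the MSOnline, AzureAD and Exchange Online PowerShell sessions are already connected as an administrator; the user principal name is a placeholder.

```powershell
# Added example, not part of the original document.
# Contains a compromised Office 365 account: reset the password, revoke
# cached sessions, optionally block sign-in, then list recent sign-ins.
# Assumptions: Connect-MsolService, Connect-AzureAD and an Exchange Online
# remote session have already been run; $Upn is a placeholder.
param(
    [Parameter(Mandatory)][string]$Upn,
    [switch]$BlockSignIn    # also disable the account while investigating
)

# 1. Reset to a random temporary password and force a change at next sign-in.
Add-Type -AssemblyName System.Web
$tempPassword = [System.Web.Security.Membership]::GeneratePassword(20, 4)
Set-MsolUserPassword -UserPrincipalName $Upn -NewPassword $tempPassword -ForceChangePassword $true

# 2. Revoke all refresh tokens so clients holding cached tokens must
#    re-authenticate instead of silently renewing their session.
$user = Get-AzureADUser -ObjectId $Upn
Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId

# 3. Optionally block new sign-ins entirely until the investigation is complete.
if ($BlockSignIn) {
    Set-MsolUser -UserPrincipalName $Upn -BlockCredential $true
}

# 4. Review the last 7 days of sign-in events for the account from the
#    unified audit log, with the source IP extracted from the JSON payload.
$since = (Get-Date).AddDays(-7)
Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) -UserIds $Upn `
    -Operations UserLoggedIn -ResultSize 1000 |
    Select-Object CreationDate, Operations,
        @{ Name = 'ClientIP'; Expression = { ($_.AuditData | ConvertFrom-Json).ClientIP } } |
    Sort-Object CreationDate -Descending |
    Format-Table -AutoSize

# Deliver the temporary password out of band (never to the affected mailbox).
"Temporary password for ${Upn}: $tempPassword"
```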
With increasing BYOD trends and more employees conducting business on personal devices, device theft exposes company-owned data to the risk of compromise. Native Office 365 MDM features can help secure data on stolen devices. When a device is compromised, Office 365 admins, or the affected user, can initiate a selective wipe of data owned by the organization. Further, mobile device policies can be created that automatically take effect when a device is suspected to be lost or stolen. For example, tenant admins can define policies that lock devices after a period of inactivity or locally wipe the device when an incorrect password is entered more than a set number of times in a row.
Organizations require the ability to control user access to online services based on a variety of factors such as device compliance or network location, and to better protect content that is accessed from mobile devices. Office 365 includes native MDM capabilities which help organizations manage mobile device security and control access to Office 365 data across a diverse range of mobile phones and tablets. Access to company data stored in Office 365 can be restricted to corporate computers and mobile devices that meet configurable security standards. Even when accessed from personal mobile devices such as mobile phones and tablets, data remains protected.
With Office 365 and EMS, customers can meet their user productivity and device flexibility requirements, while keeping their data secure. In addition, with CA policies, customers can control access to Office 365, based on various attributes such as group membership, authentication strength, device registration, device compliance, client platform, network location, etc. CA policies are configured per application, allowing customers to enforce different access rules for separate applications. They can also be scoped to specific groups or users.
In the context of CA, computers must be either domain-joined or compliant to be allowed access to services:
A hybrid environment allows an on-premises environment to work seamlessly with a cloud environment. In Office 365, all plans that support Azure AD sync can deploy a hybrid environment.
In addition to supporting Office 365, CA policies can apply to on-premises Exchange servers. To learn more about CA support in Exchange Server on-premises, see The New and Improved Quarantine Experience in Conditional Access for On-Premises Exchange using Microsoft Intune.
Yes. After acquiring Intune, administrators can switch MDM capabilities to Intune by resetting the MDM Authority from Office 365 MDM to Intune. Mobile devices already enrolled in Office 365 MDM will have to be re-enrolled in Intune. For more information, see Enroll devices for management in Intune.
MAM without enrollment allows you to protect company data at the application level with MAM, without enrolling a device in Intune MDM. Reasons to choose MAM without enrollment include:
A list of applications that include Intune MAM functionality can be found in the Microsoft Intune mobile application gallery.
CA policies are enforced each time the user is required to authenticate to the application. How often that occurs is governed by the access and refresh token lifetimes for the OAuth protocol:
In practice, this means that:
Organizations can control how many devices a user may enroll, and the minimum operating system required for enrollment. There is no way to restrict enrollment to specific devices (e.g., block all tablets but allow mobile phones). Office 365 also does not recognize whether a device is personal or corporate-owned. For more information, see Set up Mobile Device Management (MDM) in Office 365.
A Remote Wipe allows a customer to erase data from a device remotely (through the cloud) without having physical access to the device. A customer can perform either a Selective or a Full Wipe. Reasons to perform a Remote Wipe include a lost or stolen device, an employee leaving the company, etc.
Local Wipe is when the device automatically wipes itself when certain conditions occur. Customers can set a policy on the device that states that when a certain action is performed the device will wipe itself to mitigate a threat like an unauthorized user. For example, a device can be configured to perform a Local Wipe if more than five consecutive incorrect passwords are entered.
When Remote Wipe is performed, it erases data from the targeted device. A Selective Wipe erases company data and apps, but does not erase personal data (e.g., photos, personal email, etc.). A Full Wipe erases all data (personal and company) and returns the phone to its factory out-of-the-box state.
Choosing Selective Wipe or Full Wipe is typically based on whether the device is personal or corporate-owned and the individual situation.
With Office 365 MDM, customers can remotely initiate either a Selective Wipe or a Full Wipe on managed devices. Selective Wipe applies only to data managed by apps that support MDM for Office 365 access control (currently Outlook and OneDrive for Business) and for email profiles that were created by MDM for Office 365. For more information, see Wipe a mobile device in Office 365.
With Intune MDM, customers can remotely initiate either a Selective Wipe or Full Wipe on managed devices. Selective Wipe applies to all managed applications, e.g., apps that an Intune admin publishes and deploys using the Intune admin console. Selective Wipe does not apply to unmanaged applications. For more information, see Understanding the capabilities of unmanaged apps, managed apps, and MAM-protected apps.
With MAM, only Selective Wipe is available. When issuing a wipe request for a specific device, separate wipe requests will actually be issued and tracked for each protected application on the device.
Policy Tips are a DLP feature. Policy Tips display notices to end users, as they try to share sensitive content (sending an e-mail, sharing a document library, etc.) that may violate established policies, enabling users to make informed decisions. For more information, see Policy Tips.
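As an added example (not from the original document), this PowerShell script builds the kind of DLP policy described in the DLP section earlier, using the Policy Tips described here: a notify-only rule for a small number of credit card numbers shared outside the organization, and a blocking rule for bulk cases. It assumes a Security & Compliance Center PowerShell session is already connected as a compliance administrator; the policy name and the incident report recipient are placeholders.

```powershell
# Added example, not part of the original document.
# Creates a DLP policy covering Exchange Online, SharePoint Online and
# OneDrive for Business that detects credit card numbers, shows a Policy Tip,
# and blocks bulk external sharing. Assumes a connected Security & Compliance
# Center session; $PolicyName and $ReportTo are placeholders.
$PolicyName = 'Protect payment card data'          # placeholder
$ReportTo   = 'security-alerts@contoso.example'    # placeholder

# 1. The policy defines where content is inspected and whether it is enforced.
#    Start in test mode with notifications to tune false positives, then
#    switch to -Mode Enable with Set-DlpCompliancePolicy.
New-DlpCompliancePolicy -Name $PolicyName `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications

# 2. Low-volume rule: one to nine card numbers shared externally trigger a
#    Policy Tip and an incident report, but the action is not blocked, so a
#    legitimate one-off case can proceed after the user has been warned.
New-DlpComplianceRule -Name "$PolicyName - notify" -Policy $PolicyName `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1'; maxCount = '9' } `
    -AccessScope NotInOrganization `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText 'This item appears to contain a payment card number. Check the recipients before sharing it outside the organization.' `
    -GenerateIncidentReport $ReportTo `
    -IncidentReportContent Title, DocumentAuthor, Detections

# 3. Bulk rule: ten or more card numbers shared externally are blocked outright
#    and reported at high severity.
New-DlpComplianceRule -Name "$PolicyName - block bulk" -Policy $PolicyName `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '10' } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText 'Sharing this many payment card numbers outside the organization is blocked by policy.' `
    -GenerateIncidentReport $ReportTo `
    -IncidentReportContent Title, DocumentAuthor, Detections `
    -ReportSeverityLevel High

# 4. Confirm the rules attached to the policy.
Get-DlpComplianceRule -Policy $PolicyName | Format-List Name, BlockAccess, AccessScope
```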