This article is part 7 of a series, for which the following articles are available:
- Conditional Access demystified, part 1: Introduction
- Conditional Access demystified, part 2: What is Conditional Access?
- Conditional Access demystified, part 3: How does Conditional Access work?
- Conditional Access demystified, part 4: Designing a Conditional Access strategy
- Conditional Access demystified, part 5: Implementing Conditional Access
- Conditional Access demystified, part 6: Troubleshooting Conditional Access
- Conditional Access demystified, part 8: Resources and further references
When you want to integrate other products into your Conditional Access environment, you can use “Custom controls” to include products from other vendors in your Conditional Access conditions. If a custom control is used, the user's browser is redirected to the external service, where the user performs any required authentication or validation activities, and is then redirected back to Azure Active Directory. If the user was successfully authenticated or validated, the user continues in the Conditional Access flow. More information and some samples can be found here: Azure AD + 3rd party MFA = Azure AD Custom Controls – https://blogs.technet.microsoft.com/cbernier/2017/10/16/azure-ad-3rd-party-mfa-azure-ad-custom-controls/. This feature is still in preview, but it is very promising for third-party vendors who want to integrate with Conditional Access.
Providers currently offering a compatible service for custom access controls include:
- Duo Security
- Entrust Datacard
- GSMA
- Ping Identity
- RSA
- SecureAuth
- Silverfort
- Symantec VIP
- Thales (Gemalto)
- Trusona
Another thing you can do is extend the grant control with Terms of Use, which users must consent to before they can access the cloud app. More information about creating the terms of use can be found here: Azure Active Directory terms of use – https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/terms-of-use
In the example below, I’ve created the terms of use for my tenant Insight24.
Once created, if I open any Conditional Access policy, I have an extra control available which I can select in the Grant control. In this case, the user is granted access to the cloud app if the I24 Terms of Use are accepted by the user.
In the next and last article of this series, I’m going to provide some more information on the resources used and further references.
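Both extensions described in this article, custom controls and Terms of Use, end up as entries in a policy's grant controls, so they can be reviewed from a policy export. The following is an added example, not code from the original article: it assumes policies exported in the shape of the Microsoft Graph `conditionalAccessPolicy` resource (`grantControls.operator`, `builtInControls`, `customAuthenticationFactors`, `termsOfUse`), and the sample policies, IDs and the function name `review_grant_controls` are constructed for illustration.

```python
import json

# Constructed sample: three policies in the shape Microsoft Graph returns for
# conditionalAccessPolicy objects. All names and IDs are made up.
SAMPLE_EXPORT = json.loads("""
[
  {"displayName": "Require I24 Terms of Use",
   "state": "enabled",
   "grantControls": {"operator": "AND",
                     "builtInControls": ["mfa"],
                     "customAuthenticationFactors": [],
                     "termsOfUse": ["00000000-0000-0000-0000-0000000000a1"]}},
  {"displayName": "Third-party MFA or compliant device",
   "state": "enabled",
   "grantControls": {"operator": "OR",
                     "builtInControls": ["compliantDevice"],
                     "customAuthenticationFactors": ["ExampleVendorMfa"],
                     "termsOfUse": []}},
  {"displayName": "Block legacy auth", "state": "enabled",
   "grantControls": {"operator": "OR", "builtInControls": ["block"],
                     "customAuthenticationFactors": [], "termsOfUse": []}}
]
""")

def review_grant_controls(policies):
    """List policies that use custom controls or Terms of Use as grant controls."""
    findings = []
    for policy in policies:
        grant = policy.get("grantControls") or {}  # null for session-only policies
        custom = grant.get("customAuthenticationFactors") or []
        terms = grant.get("termsOfUse") or []
        if not custom and not terms:
            continue  # only built-in controls are used
        total = len(grant.get("builtInControls") or []) + len(custom) + len(terms)
        # With OR ("require one of the selected controls") and more than one
        # control selected, the user can satisfy a different control instead.
        enforced = grant.get("operator") == "AND" or total == 1
        findings.append({
            "policy": policy["displayName"],
            "custom_controls": custom,
            "terms_of_use": terms,
            "always_enforced": enforced,
        })
    return findings

if __name__ == "__main__":
    for finding in review_grant_controls(SAMPLE_EXPORT):
        print(finding)
```

A policy reported with `always_enforced` set to `False` grants access without the custom control or Terms of Use whenever the user satisfies one of the other selected controls.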