Eariler in the day, Microsoft Azure AD Conditional Access Policies for iOS, Android and Windows Preview was announced.
The device-based policies help you stay in control of your organization's data by restricting access to enterprise managed devices. Policies can be applied on a per-application basis to require that devices be managed by your company and be correctly configured.
This is particularly useful to protect you from unknown devices and those that don't meet security policies.
The new capability supports iOS, Android, Windows 10 Anniversary Update, Windows 7 and Windows 8.1.
And another cool thing about the policies is that it supports every application authenticated by Azure AD including: Office 365, Azure and Microsoft CRM as well as all other apps in the Microsoft app gallery.
Additionally, on-premises applications published through the Azure AD Application Proxy are also supported.
Of course, you can check off criteria of what a device meets before they have access to the application—as detailed in the Azure Active Directory for conditional access.
Please note: Conditional Access is a feature of Azure AD Premium.
The participating devices need to be first registered with Azure AD in any of following ways:
- Windows domain joined devices (in on-premises Active Directory) can be easily registered with Azure AD in an automatic manner. This includes both Windows 10 and down-level Windows devices.
- iOS and Android devices are registered with Azure AD when they get enrolled into Microsoft Intune, our MDM service.
- Windows 10 Azure AD joined devices are registered upon join to Azure AD.
- Windows 10 personal devices (BYOD) are registered when the work account is added to Window
Want to give it a spin,
- "First, you go to the Azure Management Portal and select that application.
- Under the 'configure' tab you will find the control to enable device base access rules.
- When you enable these rules, you can select which users or groups the policy applies to, which devices are covered and which type of client applications are covered (browser and native apps or native apps only).
- After creating and saving the policy, any all access attempts from a device that doesn't meet the policy to an Azure AD protected resource will be denied," explained TechNet blog post.
Microsoft have worked together to enable these policies across all the apps and services listed here. You can also see in detail how to setup automatic registration of domain joined devices in Azure AD here, and how to setup Azure AD for device compliance here.