Conditional Access policy used by Azure Active Directory enforces access control to keep an organization’s data secure.
When you define an Azure AD Conditional Access policy for your Microsoft 365 tenant, only authorized users can access requested resources as per the identity signals set in a policy.
For more information about Conditional Access policies, see Azure AD Conditional Access (Microsoft Documentation).
Support for Azure Active Directory (AD) Conditional Access policies
We support the Conditional Access policies enabled for your Microsoft 365 tenant, so that your security policies are adhered to when you configure a Microsoft 365 app to back up or restore your data.
For example, if a conditional access policy grants access to users from a specific location, the Microsoft 365 app configuration step will validate this requirement to allow or deny access to resources.
Things to consider: The following standard grant access controls provided by Microsoft are supported:
- Require multi-factor authentication
- Require device to be marked as compliant
- Require approved client app
- Require app protection policy
- Require password change
If you are an existing customer, you must reconfigure your Microsoft 365 app.
Configuring Microsoft 365 app using Conditional Access policies
The following workflow applies when you configure a Microsoft 365 app for data protection using Conditional Access policies.
If you have configured Conditional Access policies for your Microsoft 365 tenant, the app authentication step will adhere to these policies during Microsoft 365 app configuration for data protection.
The app authentication step checks if token-based authentication can establish a connection with the Microsoft 365 tenant.
If the conditions in the access policies are not satisfied, the token-based authentication fails with the following error message.
Let’s try to understand this workflow with an example.
Scenario: Conditional Access policy using Multi-factor Authentication (MFA)
Consider a scenario wherein you want to implement MFA for specific cloud applications in your organization. If you have defined a policy that requires all users to authenticate using MFA, then the Microsoft 365 app configuration for data protection adheres to this policy using the following workflow.
1. A Conditional Access policy with the MFA authentication setting is enabled for all users in the Azure admin portal.
2. Configuration of the Microsoft 365 app for data protection enforces this policy to implement an additional layer of security and authenticate the user using MFA.
3. The user must authenticate using the requested MFA method.
4. The user is allowed or denied access to the data protection services as per the MFA success or failure scenarios.
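The following is an added illustration of the app authentication step in this workflow; it is not the product's own code. It evaluates constructed token-endpoint responses the way a data protection app must: a `interaction_required` error means the Conditional Access grant control was not met, and an issued access token is only accepted if its `amr` claim shows that MFA was performed. The tokens are constructed and unsigned, so the signature is deliberately not verified here; a real client validates signature, issuer and audience first.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment (JWT parts omit '=' padding)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT. Signature is NOT checked here
    (constructed sample); production code must validate it first."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(_b64url_decode(parts[1]))


def evaluate_token_response(response: dict) -> dict:
    """Decide whether token-based authentication satisfied the tenant's
    Conditional Access policy requiring MFA."""
    if "error" in response:
        # Azure AD reports an unmet grant control as error=interaction_required,
        # often with a 'claims' challenge describing what is still required.
        return {"allowed": False, "reason": response["error"],
                "claims_challenge": response.get("claims")}
    claims = decode_jwt_claims(response["access_token"])
    amr = claims.get("amr", [])  # authentication methods used for this token
    if "mfa" not in amr:
        return {"allowed": False, "reason": "mfa_not_satisfied", "amr": amr}
    return {"allowed": True, "reason": "ok", "amr": amr, "tid": claims.get("tid")}


def _unsigned_jwt(payload: dict) -> str:
    """Build a constructed, unsigned JWT-shaped token for the samples."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}.sig"


# Constructed samples standing in for token endpoint responses (placeholder tenant id).
SAMPLE_OK = {"token_type": "Bearer",
             "access_token": _unsigned_jwt({"tid": "00000000-0000-0000-0000-000000000000",
                                            "amr": ["pwd", "mfa"]})}
SAMPLE_NO_MFA = {"token_type": "Bearer",
                 "access_token": _unsigned_jwt({"tid": "00000000-0000-0000-0000-000000000000",
                                                "amr": ["pwd"]})}
SAMPLE_DENIED = {"error": "interaction_required",
                 "error_description": "constructed: MFA required by Conditional Access",
                 "claims": '{"access_token":{"acrs":{"essential":true,"value":"c1"}}}'}

if __name__ == "__main__":
    for name, resp in [("ok", SAMPLE_OK), ("no_mfa", SAMPLE_NO_MFA), ("denied", SAMPLE_DENIED)]:
        print(name, evaluate_token_response(resp))
```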