Druva Documentation

Support for Azure Active Directory (AD) Conditional Access policies

Overview

Druva validates the Conditional Access policies enabled for your Microsoft 365 tenant during the Microsoft 365 app configuration, and uses them to authenticate users and grant or deny conditional access. For example, if a Conditional Access policy grants access only to users signing in from a specific location, the Microsoft 365 app configuration step validates this requirement before allowing or denying access to the requested resources.

For a list of supported policy settings, see Supported Conditional Access policy settings.

Learn more about Conditional Access policies

Conditional Access policy used by Azure Active Directory (Azure AD) enforces access control to keep an organization’s data secure. Policies enabled for your Microsoft 365 tenant ensure adherence to security policies when configuring a Microsoft 365 app to back up or restore your data.

A policy created on the Microsoft Azure portal includes assignments and access controls. Assignments define the who, what, and where of a policy. Access controls define how to enforce a policy. For more information, see Building a Conditional Access policy.

[Image: conditional-access-blank-policy.png]

When you define an Azure AD Conditional Access policy for your Microsoft 365 tenant, only authorized users can access the requested resources, as determined by the identity signals set in the policy.
For more information, see Azure AD Conditional Access (Microsoft Documentation).

Support matrix for Conditional Access policy

Review the following table to understand the support for Conditional Access policy assignments and access controls.

| Assignments | Actions, signals, or access enforcement | Additional settings | Admin action required |
|---|---|---|---|
| | All cloud apps | | None |
| User actions | Register security information | | None |
| | Register or join devices | | |
| | Authentication context (preview) | | None |
| Conditions | User risk | | None |
| | Sign-in risk | | |
| | Device platforms | | |
| | Locations | Any location, All trusted locations, or selected locations | |
| | Client apps | Other clients | |
| | Device state (Preview) | | |
| | Filter for devices | | |
| Access controls | Block access | | Disable policy if it is blocking access during app configuration |
| Grant access | Require multi-factor authentication (MFA) | | Must meet the MFA requirements |
| | Require device to be marked as compliant | | None |
| | Require Hybrid Azure AD joined device | | Not supported |
| | Require approved client app | | None |
| | Require app protection policy | | |
| | Require password change | | |
| | Custom grant type | | Not supported |
| Session | Use app enforced restrictions | | None |
| | Use Conditional Access App Control | | |
| | Sign-in frequency | | |
| | Persistent browser session | | |
| | Customize continuous access evaluation | | |
| | Disable resilience defaults (Preview) | | |

Configure Microsoft 365 app with Conditional Access policies

The following workflow applies when you configure a Microsoft 365 app for data protection using Conditional Access policies. If you are an existing customer, you must reconfigure your Microsoft 365 app.

[Image: Conditional_Access_policies_app_configuration.png]

  • If you have configured Conditional Access policies for your Microsoft 365 tenant, the app authentication step will adhere to these policies during Microsoft 365 app configuration for data protection.

  • The app authentication step checks if token-based authentication can connect with the Microsoft 365 tenant.

  • If the conditions in the access policies are not satisfied, the token-based authentication fails with the following error message.

[Image: Microsoft_365_Conditional_Access_Failure_Message.png]

Let’s try to understand this workflow with an example.

Scenario: Conditional Access policy using Multi-factor Authentication (MFA)

Consider a scenario wherein you want to implement MFA for specific cloud applications in your organization. If you have defined a policy that requires all users to authenticate using MFA, then the Microsoft 365 app configuration for data protection adheres to this policy using the following workflow.

1. You have defined a Conditional Access policy with the MFA authentication setting for all users in the Azure admin portal.

[Image: M365_Azure_AD_Conditional_Access_Policy_Sample.png]

2. Configuration of Microsoft 365 app for data protection enforces this policy to implement an additional layer of security and authenticate the user using MFA.

3. The user must authenticate using the requested MFA method.

[Image: Microsoft_365_MFA_method.png]

4. The user is allowed or denied access to the data protection services as per the MFA success or failure scenarios.
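The workflow above (the app authentication step checking whether token-based authentication can satisfy the tenant's policies) and the MFA scenario can be rehearsed before touching the tenant. The following Python pre-check is an added example, not Druva or Microsoft code: it models the support matrix on this page (Block access must be disabled for the configuration step, MFA must be completed, "Require Hybrid Azure AD joined device" is not supported) and evaluates constructed policies against a sign-in context. The policy dictionaries are constructed samples shaped like the Microsoft Graph conditionalAccessPolicy resource; the field and control names (`builtInControls`, `domainJoinedDevice`, and so on) are assumptions to verify against your own tenant's policy export, and the app and user identifiers are placeholders.

```python
"""Pre-check whether a Microsoft 365 app configuration sign-in would pass the
tenant's Conditional Access policies. Constructed example, not vendor code."""
from dataclasses import dataclass

# Grant-control names follow the Graph builtInControls enum (assumption: verify
# against your tenant). Only the controls covered by the support matrix are modelled.
BLOCK, MFA, COMPLIANT_DEVICE = "block", "mfa", "compliantDevice"
HYBRID_JOINED, APPROVED_APP = "domainJoinedDevice", "approvedApplication"
UNSUPPORTED_CONTROLS = {HYBRID_JOINED}  # "Not supported" in the support matrix


@dataclass
class SignInContext:
    """What the token-based authentication step can present to the tenant."""
    user: str
    app: str
    location: str                  # named-location id, or "unknown"
    mfa_completed: bool = False
    device_compliant: bool = False
    approved_client_app: bool = False


@dataclass
class Verdict:
    policy: str
    outcome: str                   # "allow" | "deny" | "unsupported" | "not-applicable"
    reason: str


def _policy_applies(policy: dict, ctx: SignInContext) -> bool:
    """Assignments: does the policy cover this user, app and location?"""
    cond = policy["conditions"]
    users, apps = cond["users"], cond["applications"]
    include_users = users.get("includeUsers", [])
    user_ok = ("All" in include_users or ctx.user in include_users) \
        and ctx.user not in users.get("excludeUsers", [])
    include_apps = apps.get("includeApplications", [])
    app_ok = "All" in include_apps or ctx.app in include_apps
    locs = cond.get("locations") or {}
    include_locs = locs.get("includeLocations", ["All"])
    loc_ok = ("All" in include_locs or ctx.location in include_locs) \
        and ctx.location not in locs.get("excludeLocations", [])
    return user_ok and app_ok and loc_ok


def evaluate_policy(policy: dict, ctx: SignInContext) -> Verdict:
    """Access controls: apply the grant controls the way the support matrix describes."""
    name = policy["displayName"]
    if policy.get("state") != "enabled":
        return Verdict(name, "not-applicable", "policy is not enabled")
    if not _policy_applies(policy, ctx):
        return Verdict(name, "not-applicable", "assignments do not cover this sign-in")
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls", []))
    if BLOCK in controls:
        return Verdict(name, "deny", "Block access: disable the policy during app configuration")
    unsupported = sorted(controls & UNSUPPORTED_CONTROLS)
    if unsupported:
        return Verdict(name, "unsupported", f"control(s) not supported by app configuration: {unsupported}")
    satisfied = {MFA: ctx.mfa_completed, COMPLIANT_DEVICE: ctx.device_compliant,
                 APPROVED_APP: ctx.approved_client_app}
    required = [c for c in controls if c in satisfied]
    if grant.get("operator", "OR") == "AND":
        ok = all(satisfied[c] for c in required)
    else:
        ok = not required or any(satisfied[c] for c in required)
    if ok:
        return Verdict(name, "allow", "grant controls satisfied")
    return Verdict(name, "deny", f"grant control(s) not met: {[c for c in required if not satisfied[c]]}")


def app_configuration_allowed(policies: list, ctx: SignInContext) -> tuple:
    """Token-based authentication succeeds only if no enabled policy denies it."""
    verdicts = [evaluate_policy(p, ctx) for p in policies]
    return not any(v.outcome in ("deny", "unsupported") for v in verdicts), verdicts


# Constructed sample policies (placeholder ids), mirroring the MFA scenario above.
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["break-glass@example.com"]},
                    "applications": {"includeApplications": ["All"]}, "locations": None},
     "grantControls": {"operator": "OR", "builtInControls": [MFA]}},
    {"displayName": "Hybrid joined device for finance app", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["placeholder-finance-app-id"]}},
     "grantControls": {"operator": "OR", "builtInControls": [HYBRID_JOINED]}},
]

if __name__ == "__main__":
    ctx = SignInContext("admin@example.com", "placeholder-m365-app-id", "HQ", mfa_completed=False)
    allowed, verdicts = app_configuration_allowed(SAMPLE_POLICIES, ctx)
    print("allowed:", allowed)
    for v in verdicts:
        print(f"  {v.policy}: {v.outcome} ({v.reason})")
```

Run it with `mfa_completed=False` to reproduce the failure described in step 4, and with `mfa_completed=True` to see the sign-in pass; pointing the context at the finance app shows how an unsupported control (Hybrid Azure AD joined device) stops the configuration regardless of MFA, which is the case an admin needs to resolve in the policy rather than at the MFA prompt.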