Conditional Access in either a Cloud-only or Hybrid scenario is a great way to control data by saying we do not allow you to access Corporate Email without enrolling the device to a Corporate MDM solution where Data Protection Policies will be applied. This is in my opinion the best compromise where we let the user be productive where they get the ability to access corporate data on any device, anywhere, where we at the same time have control over the device, forcing security and compliance policies, encrypting data, deploy (LoB) apps and las but not least have the ability to have Asset Control and reporting!
Now Conditional Access works just the way it sounds, if certain conditions = true then you will gain access! Take a look at the following flowchart, when access email for instance, some processes will start behind the curtains checking and verifying that the conditions you as the IT-Pro have set, are met.
From Microsoft TechNet: https://technet.microsoft.com/en-us/library/dn919655.aspx
For now, these are the services that support Conditional Access. However, keep in mind that it may vary a bit depending if you are running a Cloud-only solution with Microsoft Intune or a Hybrid solution with Microsoft Intune and ConfigMgr together.
- Microsoft Exchange On-premises
- Microsoft Exchange Online
- Exchange Online Dedicated
- SharePoint Online
- Skype for Business Online
I suggest to read more about Conditional access here before you read further:
- ConfigMgr (Hybrid): https://technet.microsoft.com/en-us/library/dn919655.aspx
- Office 365 and Intune: https://technet.microsoft.com/en-us/library/dn818907.aspx
Now, in this blog we will focus on a Hybrid scenario where we have Microsoft Exchange On-Premises as Email service and ConfigMgr + Intune as MDM solution. If you have Office 365 everything is done in the Intune Portal even if you use ConfigMgr + Intune as MDM solution. But since we have Exchange On-Premise everything is done in ConfigMgr.
First off, we need to establish a connection between ConfigMgr and Exchange and I assume you already have established a Microsoft Intune Subscription which is tied to your ConfigMgr solution through the Service Connection Point. Why establish a connection between ConfigMgr and Exchange you might ask, well the reason is that ConfigMgr needs the ability to manage devises through Exchange in order to restrict or approve access to email with Conditional Access.
These are the requirements (from Microsoft TechNet https://technet.microsoft.com/en-us/library/dn919655.aspx)
Conditional access to Exchange On-premises supports:
To establish a connection to Exchange open up your ConfigMgr Console and go to Hierarchy Configuration –> Exchange Server Connectors and Click Add Exchange Server. For rest of the steps follow this guide on TechNet: https://technet.microsoft.com/en-us/library/gg682001.aspx
- Monitor EADIS.log to verify that all is good. The log file is located here: \Microsoft Configuration Manager\Logs
Next we need to create two collections. The first collection will be a User Collection for targeted users and the other will be for exempted users. These will be based on of two groups in Active Directory. Below is a list of the collections a groups plus two simple PowerShell scripts to create them. Why do we need this you may ask, well the reason is simple, there may be a situation where there is a user you do not want to apply this policy to and when first implementing Conditional Access it is always smart to start small and slowly but steadily apply the policy to your users by moving them to the Targeted group.
Active Directory Groups:
Run the following script on a Domain Controller in your domain to create the groups (You need to change the variables in the script):
<# p .NOTES =========================================================================== Created on: 24.04.2016 Created by: Marius A. Skovli Organization: Coretech Filename: CreateADGroups.ps1 =========================================================================== .DESCRIPTION Create Conditional Access Groups in Active Directory for use in System Center Configuration Manager #> ######-------------------------- #Prep variables ######-------------------------- $domain = "redd0g" $DC = "com" $OU1 = "SCTemp" $DomainController = "redd0g-dc01" $TargetedGroup = "G-SC-CM-ConAcc-AllTargetedUsers" $ExemtedGroup = "G-SC-CM-ConAcc-AllExemptedUsers" ######-------------------------- #Create OU ######-------------------------- New-ADOrganizationalUnit -Name $OU1 -Path "DC=$domain,DC=$DC" ######-------------------------- #Create Groups ######-------------------------- New-ADGroup ` -Path "OU=$OU1,DC=$domain,DC=$DC" ` -Name $TargetedGroup ` -GroupCategory Security ` -Description "SCCM Conditional Access All Targeted Users" ` -GroupScope Global New-ADGroup ` -Path "OU=$OU1,DC=$domain,DC=$DC" ` -Name $ExemtedGroup ` -GroupCategory Security ` -Description "SCCM Conditional Access All Exempted Users" ` -GroupScope Global
- Conditional Acces: All Targeted Users
- Conditional Acces: All Exempted Users
Run the following script on your ConfigMgr Server in order to create the collections:
<# .NOTES =========================================================================== Created on: 24.04.2016 Created by: Marius A. Skovli Organization: Coretech Filename: CreateCACollections.ps1 =========================================================================== .DESCRIPTION Create Conditional Access Collections in System Center Configuration Manager This will create the following: Collections, Folders, Query and Schedule for Membership Update. #> #---- #Import the ConfigMgr Module #---- Import-Module $env:SMS_ADMIN_UI_PATH.Replace("\bin\i386","\bin\configurationmanager.psd1") $SiteCode = Get-PSDrive -PSProvider CMSITE Set-Location "$($SiteCode.Name):\" #---- #Create Folder #---- New-Item -Path RED:\UserCollection -Name 'Conditional Access' #---- #Adding Collection refresh Schedule #---- $Schedule = New-CMSchedule -RecurCount 7 -RecurInterval Days #---- #Adding user collections #---- $Collection1 = New-CMUserCollection -LimitingCollectionName "All Users" ` -Name "Conditional Acces: All Targeted Users" ` -Comment "Users who are Targeted for Conditional Acces" ` -RefreshType Both -RefreshSchedule $Schedule Add-CMDeviceCollectionQueryMembershipRule ` -CollectionName "Conditional Acces: All Targeted Users" ` -QueryExpression ‘select * from SMS_R_User where SMS_R_User.UserGroupName like "%G-SC-CM-ConAcc-AllTargetedUsers%"’ ` -RuleName G-SC-CM-ConAcc-AllTargetedUsers $Collection2 = New-CMUserCollection -LimitingCollectionName "All Users" ` -Name "Conditional Acces: All Exempted Users" ` -Comment "Users who are exempted from Conditional Access" ` -RefreshType Both -RefreshSchedule $Schedule Add-CMDeviceCollectionQueryMembershipRule ` -CollectionName "Conditional Acces: All Exempted Users" ` -QueryExpression ‘select * from SMS_R_User where SMS_R_User.UserGroupName like "%G-SC-CM-ConAcc-AllExemptedUsers%"’ ` -RuleName G-SC-CM-ConAcc-AllExemptedUsers #---- #Move collections to Conditional Access folder #---- Move-CMObject ` -FolderPath '.\UserCollection\Conditional Access' ` -InputObject $Collection1 Move-CMObject ` -FolderPath '.\UserCollection\Conditional Access' ` -InputObject $Collection2
Next go to Assets and Compliance, locate Conditional Acces and go to On-Premises Exchange: Right Click and choose “Configure Conditional Access Policy”
Click Next on the first page
Specify the Targeted Collection: Conditional Access: All Targeted Users
Specify the Exempted Collection: Conditional Access: All Exempted Users
If you want, you can edit the text that the user will be presented with when they try to access email on their device and conditions = false as in the Intune Management Portal as missing for example.
Click Next, and then Close. You can now see that you have a Conditional Access Policy created. If you want to change it, just right-click and click Properties.
That’s it. You have now Conditional Access enabled for your On-Premises Exchange solution.
Do not forget to leave a comment if you have any questions!