Secure on-premises resources with similar technology to Azure AD Conditional Access

Dan Porter 1 Reputation point
2020-06-12T08:43:51.997+00:00

Currently working with a client who is looking at introducing the Microsoft Managed Desktop service (so devices are AAD joined). We have some requirements for on-premises infrastructure, so there will be a small AD DS environment, file and print, etc.

The client has some data classifications that can't be stored in the cloud due to geo-restrictions and so will be utilising some on-premises shares.

Is there a technology set that will allow us to translate Conditional Access policies defined in Azure down to shares on a local Windows Server (or HP Nimble)?

The estate will be greenfield other than the use of HP Nimble; the design principle is Microsoft First to make use of M365 E5.


3 answers

  1. Shashi Shailaj 7,581 Reputation points Microsoft Employee
    2020-06-12T11:29:56.84+00:00

    Hello @DanPorter ,

    You have mentioned that you are going to set up a file and print server on-premises with a small Active Directory environment. The file and print server on-premises uses Kerberos and NTLM as an authentication protocol. Conditional Access depends on many components in Azure and is dependent on the OAuth protocol on which the Azure identity system is based, which on-premises AD does not support out of the box. As far as I know there is no way to translate Conditional Access policies defined in Azure to apply during file share access. Any request to map the share by any user will always use the NTLM/Kerberos protocol, which will go to the local domain controller for authentication, and there is no native way to translate this NTLM/Kerberos to OAuth and send it to Azure for authentication/authorization.

    Hope the information helps. In case you have any further queries, please let us know and we will be happy to help. If the provided information is useful, please do accept the post as the answer so that it is helpful to others in the community.

    Thank you.


  2. Jamie Sabbatella 646 Reputation points
    2021-11-06T20:16:20.787+00:00

    You could look at using Azure VPN to control access to the local resources, Azure VPN supports conditional access.

    Just a thought : )
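
    An added example (not from the original thread) of the policy this suggestion relies on: a Conditional Access policy, created with the Microsoft Graph PowerShell SDK, that scopes the Azure VPN enterprise application to one group and requires a compliant device plus MFA. The service principal display name "Azure VPN", the group name and the policy name are assumptions to adjust for your tenant.

```powershell
# Added example: Conditional Access policy for the Azure VPN enterprise app.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the caller holds
# a role permitted to create Conditional Access policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Application.Read.All","Group.Read.All"

# Resolve the Azure VPN service principal rather than hard-coding an app ID.
# The display name "Azure VPN" is an assumption; confirm it under Enterprise applications.
$vpnSp = Get-MgServicePrincipal -Filter "displayName eq 'Azure VPN'" | Select-Object -First 1
if (-not $vpnSp) { throw "Azure VPN service principal not found; register the VPN app first." }

# Group holding the users allowed to reach the on-premises shares (assumed name).
$group = Get-MgGroup -Filter "displayName eq 'OnPrem-Restricted-Data-Users'" | Select-Object -First 1
if (-not $group) { throw "Scoping group not found." }

$policy = @{
    displayName = "VPN to on-prem shares: compliant device + MFA"
    # Report-only first: review sign-in logs, then change to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($group.Id) }
        applications   = @{ includeApplications = @($vpnSp.AppId) }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "AND"
        builtInControls = @("mfa", "compliantDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

    Note that this gates the VPN connection, not the SMB session itself: once connected, access to the share is still decided by the on-premises Kerberos/NTLM authentication and NTFS/share permissions described in the first answer.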


  3. Rolstead, John A 0 Reputation points
    2023-12-09T15:46:25.0466667+00:00

    Look up a product called Silverfort. It installs an agent on the domain controller to intercept authentication events and send them to a policy server. Policy can be configured to require Azure MFA. It can integrate with Azure Conditional Access.
