I see Azure Information Protection is listed as an available cloud app for conditional access—how does this work?
Hello,
Yes, as a preview offering, you can now configure Azure AD conditional access for Azure Information Protection.
When a user opens a document that is protected by Azure Information Protection, administrators can now block or grant access to users in their tenant, based on the standard conditional access controls. Requiring multi-factor authentication (MFA) is one of the most commonly requested conditions. Another one is that devices must be compliant with your Intune policies so that, for example, mobile devices meet your password requirements and a minimum operating system version, and computers must be domain-joined.
For more information and some walk-through examples, see the following blog post: Conditional Access policies for Azure Information Protection.
Additional information:
For Windows computers: For the current preview release, the conditional access policies for Azure Information Protection are evaluated when the user environment is initialized (this process is also known as bootstrapping), and then every 30 days.
You might want to fine-tune how often your conditional access policies get evaluated. You can do this by configuring the token lifetime. For more information, see Configurable token lifetimes in Azure Active Directory.
We recommend that you do not add administrator accounts to your conditional access policies because these accounts will not be able to access the Azure Information Protection blade in the Azure portal.
If you use MFA in your conditional access policies for collaborating with other organizations (B2B), you must use Azure AD B2B collaboration and create guest accounts for the users you want to share with in the other organization.
With the Azure AD December 2018 preview release, you can now prompt users to accept a terms of use before they open a protected document for the first time. For more information, see the following blog post announcement: Updates to Azure AD Terms of Use functionality within conditional access.
If you use many cloud apps for conditional access, you might not see Microsoft Azure Information Protection displayed in the list to select. In this case, use the search box at the top of the list. Start typing "Microsoft Azure Information Protection" to filter the available apps. Providing you have a supported subscription, you'll then see Microsoft Azure Information Protection to select.
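The policy described in the answer above (MFA plus a compliant device for the Azure Information Protection cloud app, with administrator accounts excluded so they keep access to the portal blade) can also be created through the Microsoft Graph PowerShell SDK instead of the portal. The block below is an added example, not code from the original answer or from Microsoft; it assumes the Microsoft.Graph module is installed, and the application ID of the "Microsoft Azure Information Protection" cloud app and the object ID of the admin exclusion group are placeholders you must replace with the values from your own tenant.

```powershell
# Added example (not part of the original answer): create a Conditional Access
# policy for the Azure Information Protection cloud app with Microsoft Graph.
# Assumptions (placeholders, replace with your tenant's values):
#   $aipAppId     - application ID of "Microsoft Azure Information Protection"
#                   as listed under Cloud apps in your tenant
#   $adminGroupId - object ID of the group that holds the administrator
#                   accounts to exclude (they need the AIP blade in the portal)

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

$aipAppId     = "<application-id-of-Microsoft-Azure-Information-Protection>"  # placeholder
$adminGroupId = "<object-id-of-admin-exclusion-group>"                         # placeholder

$policy = @{
    displayName = "AIP - require MFA and compliant device"
    # Start in report-only mode: sign-in logs show what the policy would do
    # before you switch state to "enabled" and actually enforce it.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @($aipAppId) }
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($adminGroupId)   # keep admin accounts out, per the answer
        }
    }
    grantControls = @{
        # AND means both controls must be satisfied. "domainJoinedDevice" is
        # another built-in control if you prefer hybrid-joined PCs over Intune compliance.
        operator        = "AND"
        builtInControls = @("mfa", "compliantDevice")
    }
}

$newPolicy = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back to confirm it was stored with the intended state.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $newPolicy.Id |
    Select-Object DisplayName, State
```

Leave the policy in report-only mode for a few days and review the Conditional Access tab of the sign-in logs; only flip `state` to `enabled` once the report shows no unintended blocks for the accounts that manage Azure Information Protection.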
Thanks @Grmacjon-MSFT
I want to request you to clarify one point in your answer.
You said that "If you use MFA in your conditional access policies for collaborating with other organizations (B2B), you must use Azure AD B2B collaboration and create guest accounts for the users you want to share with in the other organization."
So if I do not want to protect my document with MFA while sharing it with a user from another tenant, is that user required to be present in my tenant as a B2B user?
Let's say a user from one tenant (john@sender-tenant.com) protects a WORD document and authorizes a user from another tenant (mike@receiver-tenant.com).
So when Mike opens the WORD app, the RMS client employed by the WORD app to open the protected document will try to collect the access token/ID token before hitting the RMS service in the cloud.
Which tenant would be the issuer of this token? Would it be John's tenant (who labeled the document) or Mike's tenant?
Thanks.