What is a policy migration in Azure Active Directory conditional access?
Conditional access is a capability of Azure Active Directory (Azure AD) that enables you to control how authorized users access your cloud apps. While its purpose is unchanged, the release of the new Azure portal has introduced significant improvements to how conditional access works.
You should consider migrating the policies you have not created in the Azure portal because:
- You can now address scenarios you could not handle before.
- You can reduce the number of policies you have to manage by consolidating them.
- You can manage all your conditional access policies in one central location.
- The Azure classic portal will be retired.
This article explains what you need to know to migrate your existing conditional access policies to the new framework.
In the Azure portal, the Conditional access - Policies page is your entry point to your conditional access policies. However, in your environment, you might also have conditional access policies you have not created using this page. These policies are known as classic policies. Classic policies are conditional access policies you have created in:
- The Azure classic portal
- The Intune classic portal
- The Intune App Protection portal
On the Conditional access page, you can access your classic policies by clicking Classic policies (preview) in the Manage section.
The Classic policies view provides you with an option to:
- Filter your classic policies.
- Disable classic policies.
- Review the settings of a classic policy (and disable it).
Once you have disabled a classic policy, you can't re-enable it. This is why you can modify the group membership of a classic policy using the Details view.
By either changing the selected groups or by excluding specific groups, you can test the effect of disabling a classic policy on a few test users before disabling the policy for all included users and groups.
Azure AD conditional access policies
With conditional access in the Azure portal, you can manage all your policies in one central location. Because the implementation of conditional access has changed significantly, you should familiarize yourself with the basic concepts before migrating your classic policies:
- See What is conditional access in Azure Active Directory to learn about the basic concepts and the terminology.
- See Best practices for conditional access in Azure Active Directory to get guidance on deploying conditional access in your organization.
- See Require MFA for specific apps with Azure Active Directory conditional access to familiarize yourself with the user interface in the Azure portal.
In this article, Azure AD conditional access policies are also referred to as new policies. Your classic policies continue to work side by side with your new policies until you disable or delete them.
The following aspects are important in the context of a policy consolidation:
- While a classic policy is tied to a specific cloud app, you can select as many cloud apps as you need in a new policy.
- If both a classic policy and a new policy apply to the same cloud app, all controls of both policies must be fulfilled (logical AND).
- In a new policy, you can:
  - Combine multiple conditions if required by your scenario.
  - Select several grant requirements as access controls and combine them with a logical OR (require one of the selected controls) or with a logical AND (require all of the selected controls).
Office 365 Exchange Online
If you want to migrate classic policies for Office 365 Exchange Online that include Exchange ActiveSync as the client apps condition, you might not be able to consolidate them into one new policy.
This is, for example, the case if you want to support all client app types: in a new policy that has Exchange ActiveSync as the client apps condition, you can't select other client apps.
A consolidation into one new policy is also not possible if your classic policies contain several conditions. A new policy that has Exchange ActiveSync as the client apps condition does not support other conditions, so if you configure such a policy, make sure that no other conditions are configured.
App-based classic policies for Office 365 Exchange Online that include Exchange ActiveSync as the client apps condition allow supported and unsupported device platforms. While you can't configure individual device platforms in the related new policy, you can limit the policy to supported device platforms only.
You can consolidate multiple classic policies that include Exchange ActiveSync as the client apps condition if they have:
- Only Exchange ActiveSync as a condition
- Several requirements for granting access configured
One common scenario is the consolidation of:
- A device-based classic policy from the Azure classic portal
- An app-based classic policy in the Intune app protection portal
In this case, you can consolidate your classic policies into one new policy that has both requirements selected.
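The consolidation just described, and the AND/OR grant controls introduced earlier, expressed as a new policy created through the Microsoft Graph PowerShell SDK. This is an added example, not part of the article: it assumes the Microsoft.Graph module is installed, the signed-in account holds the Policy.ReadWrite.ConditionalAccess permission, and the pilot group ID is a placeholder you replace with your own test group.

```powershell
# Added example: one new policy replacing a device-based classic policy (Azure classic portal)
# and an app-based classic policy (Intune app protection portal) for Exchange ActiveSync.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

$pilotGroupId        = "<pilot-group-object-id>"               # placeholder: small test group
$exchangeOnlineAppId = "00000002-0000-0ff1-ce00-000000000000"  # Office 365 Exchange Online

$policy = @{
    displayName = "EAS - compliant device AND approved app (migrated from classic)"
    # Report-only first: observe the effect on the pilot group before enforcing
    # and before disabling the classic policies (disabling cannot be undone).
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($pilotGroupId) }
        applications   = @{ includeApplications = @($exchangeOnlineAppId) }
        # Only the Exchange ActiveSync client app condition; an EAS policy
        # must not carry any other condition.
        clientAppTypes = @("exchangeActiveSync")
    }
    grantControls = @{
        # AND: both the device-based and the app-based requirement must be met
        operator        = "AND"
        builtInControls = @("compliantDevice", "approvedApplication")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Switch `state` to `enabled` and widen the included groups only after the report-only sign-in logs show the expected result for the pilot users.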
In a new policy, you need to select the device platforms you want to support individually.
If you want to know how to configure a conditional access policy, see Require MFA for specific apps with Azure Active Directory conditional access.
If you are ready to configure conditional access policies for your environment, see the best practices for conditional access in Azure Active Directory.