Overview
Druva validates the Conditional Access policies enabled for your Microsoft 365 tenant during the Microsoft 365 app configuration to authenticate and provide conditional access to users. For example, if a conditional access policy grants access to users from a specific location. In that case, the Microsoft 365 app configuration step will validate this requirement to allow or deny access to those resources.
For a list of supported policy settings, see Supported Conditional Access policy settings.
Learn more about Conditional Access policies
Conditional Access policy used by Azure Active Directory (Azure AD) enforces access control to keep an organization’s data secure. Policies enabled for your Microsoft 365 tenant ensure adherence to security policies when configuring a Microsoft 365 app to back up or restore your data.
A policy created on the Microsoft Azure portal includes assignments and access controls. Assignments define the who, what, and where of a policy. Access controls define how to enforce a policy. For more information, see Building a Conditional Access policy.
When you define an Azure AD Conditional Access policy for your Microsoft 365 tenant, only authorized users can access requested resources as per the identity signals set in a policy.
For more information, see Azure AD Conditional Access (Microsoft Documentation).
Support matrix for Conditional Access policy
Review the following table to understand the support for Conditional Access policy assignments and access controls.
Assignments | Actions, signals, or access enforcement | Additional settings | Admin action required |
All cloud apps | None |
|
|
User actions | Register security information | None |
|
Register or join devices |
|
|
|
Authentication context (preview) | None |
|
|
Conditions | User risk | None |
|
Sign-in risk |
|
|
|
Device platforms |
|
|
|
Locations | Any location, All trusted locations, or selected locations |
|
|
Client apps | Other clients |
|
|
Device state (Preview) |
|
|
|
Filter for devices |
|
|
|
Access controls | Block access | Disable policy if it is blocking access during app configuration |
|
Grant access | Require multi-factor authentication (MFA) | Must meet the MFA requirements |
|
Require the device to be marked as compliant | None |
|
|
Require Hybrid Azure AD joined device | Not supported |
|
|
Require approved client app | None |
|
|
Require app protection policy |
|
|
|
Require password change |
|
|
|
Custom grant type | Not supported |
|
|
Session | Use app-enforced restrictions | None |
|
Use Conditional Access App Control |
|
|
|
Sign-in frequency |
|
|
|
Persistent browser session |
|
|
|
Customize continuous access evaluation |
|
|
|
Disable resilience defaults (Preview) |
|
|
|
Configure the Microsoft 365 app with Conditional Access policies
The following workflow applies when you configure a Microsoft 365 app for data protection using Conditional Access policies. If you are an existing customer, you must reconfigure your Microsoft 365 app.
If you have configured Conditional Access policies for your Microsoft 365 tenant, the app authentication step will adhere to these policies during Microsoft 365 app configuration for data protection.
The app authentication step checks if token-based authentication can connect with the Microsoft 365 tenant.
If the conditions in the access policies are not satisfied, the token-based authentication fails with the following error message.
Let’s try to understand this workflow with an example.
Scenario: Conditional Access policy using Multi-factor Authentication (MFA)
Consider a scenario wherein you want to implement MFA for specific cloud applications in your organization. If you have defined a policy that requires all users to authenticate using MFA, then the Microsoft 365 app configuration for data protection adheres to this policy using the following workflow.
You have defined a Conditional Access policy with the MFA authentication setting for all users in the Azure admin portal.
Configuration of the Microsoft 365 app for data protection enforces this policy to implement an additional layer of security and authenticate the user using MFA.
The user must authenticate using the requested MFA method.
The user is allowed or denied access to the data protection services as per the MFA success or failure scenarios.