Question

How do you configure conditional access policies within Azure Active Directory to require multi-factor authentication (MFA) specifically when users access SharePoint Online from unmanaged devices?

Accepted Answer

To configure conditional access policies in Azure Active Directory (Azure AD) to require multi-factor authentication (MFA) specifically when users access SharePoint Online from unmanaged devices, follow these steps: First, access the Azure portal and navigate to Azure Active Directory > Security > Conditional Access. Create a new policy. Give the policy a descriptive name. Under &#x27;Assignments&#x27;, select &#x27;Users and groups&#x27; and specify the users or groups to which the policy will apply. This can be all users, specific groups, or a combination. Next, under &#x27;Assignments&#x27;, select &#x27;Cloud apps or actions&#x27; and choose &#x27;Select apps&#x27;. Search for and select &#x27;SharePoint Online&#x27;. This ensures the policy applies only when accessing SharePoint Online. Then, under &#x27;Conditions&#x27;, select &#x27;Device state&#x27;. Configure this condition to target &#x27;Not configured&#x27;. Set &#x27;Include&#x27; to &#x27;Yes&#x27; for &#x27;Device is Hybrid Azure AD joined&#x27; and &#x27;Device is marked as compliant&#x27;. Set &#x27;Exclude&#x27; to &#x27;Yes&#x27; for both &#x27;Device is Hybrid Azure AD joined&#x27; and &#x27;Device is marked as compliant&#x27;. This configuration effectively targets devices that are not managed by your organization (i.e., not Hybrid Azure AD joined or marked as compliant via Intune). Finally, under &#x27;Access controls&#x27;, select &#x27;Grant&#x27;. Choose &#x27;Grant access&#x27; and select the &#x27;Require multi-factor authentication&#x27; option. You can also choose to require one or more other controls, such as requiring a compliant device or a Hybrid Azure AD joined device, but for this scenario, only MFA is required. Ensure the policy is set to &#x27;On&#x27; to enable it. This policy will now require MFA for any user accessing SharePoint Online from a device that is not managed by your organization, adding an extra layer of security for accessing sensitive data from untrusted devices.

Home → All Courses → Engineering and Technology Courses → Office.com: Microsoft 365 Business Visibility and Communication Tools Certification → Flashcard

How do you configure conditional access policies within Azure Active Directory to require multi-factor authentication (MFA) specifically when users access SharePoint Online from unmanaged devices?