Your corporate and sensitive data is being shared everywhere, and you may not realize it is happening. How do you prevent it from being opened by unauthorized individuals? Permissions are one effective control. Requiring the file to be opened on a device the organization manages is another. Enter Azure Information Protection (AIP) and Azure Active Directory Conditional Access.

Summary: What you will see below is how to govern access to files that have been classified and protected by Azure Information Protection (AIP) by requiring the device that opens them to be managed (hybrid Azure AD joined, or enrolled in and compliant with Microsoft Intune). If the device is not managed, the user is not allowed access to the content. The file content is encrypted by the Azure Rights Management service with AES, and the key needed to decrypt it is only issued to a client that satisfies the Conditional Access policy, so the data is rendered unusable on a device that does not meet the requirement.

What exactly does “managed” mean?

  • Joined to a Windows Server Active Directory Domain Services domain that is synchronized to Azure Active Directory. This is hybrid Azure AD join.
  • Joined to Azure Active Directory and managed by Microsoft Intune (MDM)
  • Managed by Microsoft Intune MDM (iOS/Android)
  • Not only managed, but also compliant with the Microsoft Intune compliance policy assigned to the device. Enrollment alone is not enough for the "compliant device" control.
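Before testing the policy it helps to know which of the categories above a given Windows device falls into. The following is an added example (not from the original post) that classifies a device from the output of `dsregcmd /status`, the join-state tool built into Windows 10/11. The sample output embedded in the script is constructed for illustration; the function name `Get-DeviceJoinType` is my own, and the trailing Microsoft Graph lookup assumes the Microsoft.Graph PowerShell module is installed.

```powershell
# Added example, not from the original post: classify a Windows device's join state
# from 'dsregcmd /status'. On a real machine call: Get-DeviceJoinType -StatusLines (dsregcmd /status)

function Get-DeviceJoinType {
    param([string[]]$StatusLines)

    # dsregcmd prints lines such as "   AzureAdJoined : YES"; collect the YES/NO fields we care about.
    $fields = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|WorkplaceJoined)\s*:\s*(YES|NO)\s*$') {
            $fields[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }

    # Hybrid join = on-prem domain joined AND registered with Azure AD.
    if ($fields['AzureAdJoined'] -and $fields['DomainJoined']) { return 'Hybrid Azure AD joined' }
    if ($fields['AzureAdJoined'])                               { return 'Azure AD joined' }
    # WorkplaceJoined alone is "Azure AD registered" (BYOD); it does not satisfy a hybrid-join requirement.
    if ($fields['WorkplaceJoined'])                             { return 'Azure AD registered' }
    return 'Not joined to Azure AD'
}

# Constructed sample, trimmed to the shape of real dsregcmd output (not captured from a real device).
$raw = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO
'@
$sample = $raw -split "`r?`n"

Get-DeviceJoinType -StatusLines $sample

# Join type alone is not enough: the policy in this post also requires Intune compliance,
# which only the directory knows. Check it from the admin side with Microsoft Graph
# (assumes the Microsoft.Graph module is installed and you have Device.Read.All):
#   Connect-MgGraph -Scopes 'Device.Read.All'
#   Get-MgDevice -Filter "displayName eq '$env:COMPUTERNAME'" |
#       Select-Object DisplayName, TrustType, IsCompliant, IsManaged
```

`TrustType` in the directory object reads `ServerAd` for hybrid-joined devices, `AzureAd` for Azure AD joined and `Workplace` for registered devices, and `IsCompliant` is the flag the "Require device to be marked as compliant" control actually evaluates.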

Why is this important?

After the protection of identities such as Multi-Factor Authentication (MFA) and risk based protection, requiring the device to be managed provides yet another security layer (defense in depth) to further protect data.

Defense in Depth, aka the multi-layered tinfoil hat

Here’s a good visualization of Azure Active Directory Conditional Access:

Requirements:

  • Azure Information Protection Premium (P1 or P2), included in EMS E3 or E5, or Microsoft 365 Business, E3 or E5
  • Azure AD Premium (P1 or P2), which provides Conditional Access, included in EMS E3 or E5, or Microsoft 365 Business, E3 or E5
  • Microsoft Intune, for the device compliance requirement, also included in the EMS and Microsoft 365 SKUs above

End-User Experience (Outcome)

Here are screenshots of what the user will see, if they attempt to open the AIP protected document on a device that is not managed.

User attempts to open the file on a non-managed device and is prompted to sign in:

User is then prompted for Multi-Factor Authentication:

After the user authenticates and responds to the MFA challenge, they are presented with the following screen:

Closer look:

If the device is managed and compliant, when the end user opens the document they will see the document protected by AIP with an AIP label applied. In my example below you can see the AIP label (yellow bar) with a mandatory header and watermark on the document.

How to configure

To configure, launch the Azure Portal (https://portal.azure.com) and browse to the Azure Active Directory blade -> click Security -> then click Conditional Access:

Next, click New Policy. For Name we’ll use AIP w/ MFA & Managed Device. For Users I’m going to add Megan Bowen (but you can configure per your business requirements) then click Done

CAUTION: Don't lock yourself out. In production, add users to security groups, add those groups to the Include tab, and exclude administrators. Keep at least one emergency access (break-glass) account excluded from every Conditional Access policy, because a mis-scoped compliance requirement can block the very admins who need to fix it.

For Cloud Apps or actions I will choose Microsoft Azure Information Protection and click Done

Next click Grant under Access Controls and click the radio button for Grant Access. Next, check the boxes for Require multi-factor authentication and Require device to be marked as compliant. Scroll to the bottom and choose Require all the selected controls, then click Select, then click Create to create the policy. If your tenant offers the Report-only state, create the policy in that state first and review the sign-in logs for a few days before switching it to On.

IMPORTANT: If you check the box Require Hybrid Azure AD joined device, the device must be joined to an on-premises Windows Server Active Directory domain and registered with Azure AD (hybrid Azure AD joined). A device that is only Azure AD joined, or a mobile device enrolled in Intune, will not satisfy that control. Here's an example of what this will look like from the end-user experience:
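The same policy can be created from a script, which is easier to review, version and reproduce across tenants than portal clicks. The following is an added example using the Microsoft Graph PowerShell SDK; it is not part of the original post. The group names `AIP-Protected-Users` and `CA-Exclusions` are hypothetical placeholders for the include and exclude groups recommended in the caution above, and the service principal display names used to resolve the AIP cloud app's `appId` are an assumption you should confirm against what the Conditional Access blade lists in your tenant.

```powershell
# Added example, not from the original post: create the "AIP w/ MFA & Managed Device"
# policy through Microsoft Graph instead of the portal.
# Requires: Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Group.Read.All', 'Application.Read.All'

# Scope by group rather than individual users, and exclude admins / break-glass accounts.
# Both group names are hypothetical; change them to real groups in your tenant.
$includeGroup = Get-MgGroup -Filter "displayName eq 'AIP-Protected-Users'"
$excludeGroup = Get-MgGroup -Filter "displayName eq 'CA-Exclusions'"
if (-not $includeGroup -or -not $excludeGroup) {
    throw 'Include or exclude group not found; fix the group names before creating the policy.'
}

# Conditional Access targets cloud apps by appId. Resolve it from the service principal instead
# of hard-coding a GUID. Assumption: the AIP app appears under one of these two display names.
$aipSp = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Azure Information Protection'"
if (-not $aipSp) { $aipSp = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Rights Management Services'" }
if (-not $aipSp) { throw 'Could not resolve the Azure Information Protection service principal.' }

$policy = @{
    displayName   = 'AIP w/ MFA & Managed Device'
    # Report-only: evaluate and log without blocking. Change to 'enabled' after reviewing sign-in logs.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{
            includeGroups = @($includeGroup.Id)
            excludeGroups = @($excludeGroup.Id)
        }
        applications = @{
            includeApplications = @($aipSp.AppId)
        }
    }
    grantControls = @{
        operator        = 'AND'                         # "Require all the selected controls"
        builtInControls = @('mfa', 'compliantDevice')   # add 'domainJoinedDevice' for the hybrid-join option
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

`operator = 'AND'` is the scripted equivalent of "Require all the selected controls"; with `'OR'` a user could satisfy the policy with MFA alone from an unmanaged device, which defeats the purpose of the post. Adding `'domainJoinedDevice'` to `builtInControls` corresponds to the "Require Hybrid Azure AD joined device" checkbox, with the same caveat: only hybrid-joined Windows devices will pass.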

That’s it! Congrats! Time to go test!