You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/active-directory/conditional-access/concept-conditional-access-grant.md
+5-1Lines changed: 5 additions & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -6,7 +6,7 @@ services: active-directory
6
6
ms.service: active-directory
7
7
ms.subservice: conditional-access
8
8
ms.topic: conceptual
9
-
ms.date: 06/29/2022
9
+
ms.date: 08/05/2022
10
10
11
11
ms.author: joflore
12
12
author: MicrosoftGuyJFlo
@@ -192,6 +192,10 @@ Restrictions when you configure a policy using the password change control.
192
192
193
193
If your organization has created terms of use, other options may be visible under grant controls. These options allow administrators to require acknowledgment of terms of use as a condition of accessing the resources protected by the policy. More information about terms of use can be found in the article, [Azure Active Directory terms of use](terms-of-use.md).
194
194
195
+
### Custom controls (preview)
196
+
197
+
Custom controls is a preview capability of the Azure Active Directory. When using custom controls, your users are redirected to a compatible service to satisfy authentication requirements outside of Azure Active Directory. For more information, check out the [Custom controls](controls.md) article.
Copy file name to clipboardExpand all lines: articles/active-directory/conditional-access/concept-conditional-access-policies.md
+16-11Lines changed: 16 additions & 11 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -6,7 +6,7 @@ services: active-directory
6
6
ms.service: active-directory
7
7
ms.subservice: conditional-access
8
8
ms.topic: conceptual
9
-
ms.date: 01/11/2022
9
+
ms.date: 08/05/2022
10
10
11
11
ms.author: joflore
12
12
author: MicrosoftGuyJFlo
@@ -29,18 +29,21 @@ If a policy where "Require one of the selected controls" is selected, we prompt
29
29
30
30
All policies are enforced in two phases:
31
31
32
-
- Phase 1: Collect session details
32
+
-**Phase 1**: Collect session details
33
33
- Gather session details, like network location and device identity that will be necessary for policy evaluation.
34
34
- Phase 1 of policy evaluation occurs for enabled policies and policies in [report-only mode](concept-conditional-access-report-only.md).
35
-
- Phase 2: Enforcement
35
+
-**Phase 2**: Enforcement
36
36
- Use the session details gathered in phase 1 to identify any requirements that haven't been met.
37
37
- If there's a policy that is configured to block access, with the block grant control, enforcement will stop here and the user will be blocked.
38
38
- The user will be prompted to complete more grant control requirements that weren't satisfied during phase 1 in the following order, until policy is satisfied:
39
-
- Multi-factor authentication
40
-
- Approved client app/app protection policy
41
-
- Managed device (compliant or hybrid Azure AD join)
- Once all grant controls have been satisfied, apply session controls (App Enforced, Microsoft Defender for Cloud Apps, and token Lifetime)
45
48
- Phase 2 of policy evaluation occurs for all enabled policies.
46
49
@@ -76,7 +79,7 @@ Location data is provided by IP geolocation data. Administrators can choose to d
76
79
77
80
#### Client apps
78
81
79
-
By default, all newly created Conditional Access policies will apply to all client app types even if the client apps condition isn't configured.
82
+
The software the user is employing to access the cloud app. For example, 'Browser', and 'Mobile apps and desktop clients'. By default, all newly created Conditional Access policies will apply to all client app types even if the client apps condition isn't configured.
80
83
81
84
The behavior of the client apps condition was updated in August 2020. If you have existing Conditional Access policies, they'll remain unchanged. However, if you select on an existing policy, the configure toggle has been removed and the client apps the policy applies to are selected.
82
85
@@ -104,7 +107,7 @@ Block access does just that, it will block access under the specified assignment
104
107
105
108
The grant control can trigger enforcement of one or more controls.
106
109
107
-
- Require multi-factor authentication (Azure AD Multi-Factor Authentication)
110
+
- Require multi-factor authentication
108
111
- Require device to be marked as compliant (Intune)
109
112
- Require Hybrid Azure AD joined device
110
113
- Require approved client app
@@ -123,7 +126,7 @@ Administrators can choose to require one of the previous controls or all selecte
123
126
124
127
- Use app enforced restrictions
125
128
- Currently works with Exchange Online and SharePoint Online only.
126
-
- Passes device information to allow control of experience granting full or limited access.
129
+
- Passes device information to allow control of experience granting full or limited access.
127
130
- Use Conditional Access App Control
128
131
- Uses signals from Microsoft Defender for Cloud Apps to do things like:
129
132
- Block download, cut, copy, and print of sensitive documents.
@@ -133,6 +136,8 @@ Administrators can choose to require one of the previous controls or all selecte
133
136
- Ability to change the default sign in frequency for modern authentication.
134
137
- Persistent browser session
135
138
- Allows users to remain signed in after closing and reopening their browser window.
Copy file name to clipboardExpand all lines: articles/active-directory/conditional-access/concept-conditional-access-users-groups.md
+3-3Lines changed: 3 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -6,7 +6,7 @@ services: active-directory
6
6
ms.service: active-directory
7
7
ms.subservice: conditional-access
8
8
ms.topic: conceptual
9
-
ms.date: 06/01/2022
9
+
ms.date: 08/05/2022
10
10
11
11
ms.author: joflore
12
12
author: MicrosoftGuyJFlo
@@ -33,9 +33,9 @@ The following options are available to include when creating a Conditional Acces
33
33
- All users that exist in the directory including B2B guests.
34
34
- Select users and groups
35
35
- All guest and external users
36
-
- This selection includes any B2B guests and external users including any user with the `user type` attribute set to `guest`. This selection also applies to any external user signed-in from a different organization like a Cloud Solution Provider (CSP).
36
+
- This selection includes any [B2B guests and external users](../external-identities/external-identities-overview.md) including any user with the `user type` attribute set to `guest`. This selection also applies to any external user signed-in from a different organization like a Cloud Solution Provider (CSP).
37
37
- Directory roles
38
-
- Allows administrators to select specific built-in Azure AD directory roles used to determine policy assignment. For example, organizations may create a more restrictive policy on users assigned the global administrator role. Other role types aren't supported, including administrative unit-scoped roles and custom roles.
38
+
- Allows administrators to select specific [built-in Azure AD directory roles](../roles/permissions-reference.md) used to determine policy assignment. For example, organizations may create a more restrictive policy on users assigned the global administrator role. Other role types aren't supported, including administrative unit-scoped roles and custom roles.
39
39
- Users and groups
40
40
- Allows targeting of specific sets of users. For example, organizations can select a group that contains all members of the HR department when an HR app is selected as the cloud app. A group can be any type of user group in Azure AD, including dynamic or assigned security and distribution groups. Policy will be applied to nested users and groups.
Copy file name to clipboardExpand all lines: articles/active-directory/conditional-access/overview.md
+3-3Lines changed: 3 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -6,7 +6,7 @@ services: active-directory
6
6
ms.service: active-directory
7
7
ms.subservice: conditional-access
8
8
ms.topic: overview
9
-
ms.date: 04/15/2022
9
+
ms.date: 08/05/2022
10
10
11
11
ms.author: joflore
12
12
author: MicrosoftGuyJFlo
@@ -55,8 +55,8 @@ Common signals that Conditional Access can take in to account when making a poli
55
55
- Application
56
56
- Users attempting to access specific applications can trigger different Conditional Access policies.
57
57
- Real-time and calculated risk detection
58
-
- Signals integration with Azure AD Identity Protection allows Conditional Access policies to identify risky sign-in behavior. Policies can then force users to change their password, do multi-factor authentication to reduce their risk level, or block access until an administrator takes manual action.
59
-
- Microsoft Defender for Cloud Apps
58
+
- Signals integration with [Azure AD Identity Protection](../identity-protection/overview-identity-protection.md) allows Conditional Access policies to identify risky sign-in behavior. Policies can then force users to change their password, do multi-factor authentication to reduce their risk level, or block access until an administrator takes manual action.
59
+
-[Microsoft Defender for Cloud Apps](/defender-cloud-apps/what-is-defender-for-cloud-apps)
60
60
- Enables user application access and sessions to be monitored and controlled in real time, increasing visibility and control over access to and activities done within your cloud environment.
Azure AD organizations can use External Identities cross-tenant access settings to manage how they collaborate with other Azure AD organizations and other Microsoft Azure clouds through B2B collaboration and [B2B direct connect](cross-tenant-access-settings-b2b-direct-connect.md). [Cross-tenant access settings](cross-tenant-access-settings-b2b-collaboration.md) give you granular control over how external Azure AD organizations collaborate with you (inbound access) and how your users collaborate with external Azure AD organizations (outbound access). These settings also let you trust multi-factor authentication (MFA) and device claims ([compliant claims and hybrid Azure AD joined claims](../conditional-access/howto-conditional-access-policy-compliant-device.md)) from other Azure AD organizations.
20
20
21
-
This article describes cross-tenant access settings, which are used to manage B2B collaboration and B2B direct connect with external Azure AD organizations, including across Microsoft clouds. Additional settings are available for B2B collaboration with non-Azure AD identities (for example, social identities or non-IT managed external accounts). These [external collaboration settings](external-collaboration-settings-configure.md) include options for restricting guest user access, specifying who can invite guests, and allowing or blocking domains.
22
-
23
-
21
+
This article describes cross-tenant access settings, which are used to manage B2B collaboration and B2B direct connect with external Azure AD organizations, including across Microsoft clouds. More settings are available for B2B collaboration with non-Azure AD identities (for example, social identities or non-IT managed external accounts). These [external collaboration settings](external-collaboration-settings-configure.md) include options for restricting guest user access, specifying who can invite guests, and allowing or blocking domains.
24
22
25
23
## Manage external access with inbound and outbound settings
26
24
25
+
The external identities cross-tenant access settings manage how you collaborate with other Azure AD organizations. These settings determine both the level of inbound access users in external Azure AD organizations have to your resources, and the level of outbound access your users have to external organizations.
26
+
27
+
The following diagram shows the cross-tenant access inbound and outbound settings. The **Resource Azure AD tenant** is the tenant containing the resources to be shared. In the case of B2B collaboration, the resource tenant is the inviting tenant (for example, your corporate tenant, where you want to invite the external users to). The **User's home Azure AD tenant** is the tenant where the external users are managed.
28
+
29
+
30
+
27
31
By default, B2B collaboration with other Azure AD organizations is enabled, and B2B direct connect is blocked. But the following comprehensive admin settings let you manage both of these features.
28
32
29
33
-**Outbound access settings** control whether your users can access resources in an external organization. You can apply these settings to everyone, or specify individual users, groups, and applications.
@@ -36,7 +40,7 @@ By default, B2B collaboration with other Azure AD organizations is enabled, and
36
40
37
41
The default cross-tenant access settings apply to all Azure AD organizations external to your tenant, except those for which you've configured organizational settings. You can change your default settings, but the initial default settings for B2B collaboration and B2B direct connect are as follows:
38
42
39
-
-**B2B collaboration**: All your internal users are enabled for B2B collaboration by default. This means your users can invite external guests to access your resources and they can be invited to external organizations as guests. MFA and device claims from other Azure AD organizations aren't trusted.
43
+
-**B2B collaboration**: All your internal users are enabled for B2B collaboration by default. This setting means your users can invite external guests to access your resources and they can be invited to external organizations as guests. MFA and device claims from other Azure AD organizations aren't trusted.
40
44
41
45
-**B2B direct connect**: No B2B direct connect trust relationships are established by default. Azure AD blocks all inbound and outbound B2B direct connect capabilities for all external Azure AD tenants.
42
46
@@ -73,7 +77,7 @@ Microsoft cloud settings let you collaborate with organizations from different M
73
77
To set up B2B collaboration, both organizations configure their Microsoft cloud settings to enable the partner's cloud. Then each organization uses the partner's tenant ID to find and add the partner to their organizational settings. From there, each organization can allow their default cross-tenant access settings apply to the partner, or they can configure partner-specific inbound and outbound settings. After you establish B2B collaboration with a partner in another cloud, you'll be able to:
74
78
75
79
- Use B2B collaboration to invite a user in the partner tenant to access resources in your organization, including web line-of-business apps, SaaS apps, and SharePoint Online sites, documents, and files.
76
-
- Use B2B collaboration to [share Power BI content to a user in the partner tenant](https://docs.microsoft.com/power-bi/enterprise/service-admin-azure-ad-b2b#cross-cloud-b2b).
80
+
- Use B2B collaboration to [share Power BI content to a user in the partner tenant](/power-bi/enterprise/service-admin-azure-ad-b2b#cross-cloud-b2b).
77
81
- Apply Conditional Access policies to the B2B collaboration user and opt to trust device claims (compliant claims and hybrid Azure AD joined claims) from the user’s home tenant.
78
82
79
83
> [!NOTE]
@@ -92,7 +96,7 @@ To collaborate with a partner tenant in a different Microsoft Azure cloud, both
92
96
93
97
- To configure cross-tenant access settings in the Azure portal, you'll need an account with a Global administrator or Security administrator role.
94
98
95
-
- To configure trust settings or apply access settings to specific users, groups, or applications, you'll need an Azure AD Premium P1 license.
99
+
- To configure trust settings or apply access settings to specific users, groups, or applications, you'll need an Azure AD Premium P1 license. The license is required on the tenant that you configure. For B2B direct connect, where mutual trust relationship with another Azure AD organization is required, you'll need an Azure AD Premium P1 license in both tenants.
96
100
97
101
- Cross-tenant access settings are used to manage B2B collaboration and B2B direct connect with other Azure AD organizations. For B2B collaboration with non-Azure AD identities (for example, social identities or non-IT managed external accounts), use [external collaboration settings](external-collaboration-settings-configure.md). External collaboration settings include B2B collaboration options for restricting guest user access, specifying who can invite guests, and allowing or blocking domains.
98
102
@@ -159,7 +163,7 @@ If your organization exports sign-in logs to a Security Information and Event Ma
159
163
160
164
The Azure AD audit logs capture all activity around cross-tenant access setting changes and activity. To audit changes to your cross-tenant access settings, use the **category** of ***CrossTenantAccessSettings*** to filter all activity to show changes to cross-tenant access settings.
:::image type="content" source="media/cross-tenant-access-overview/cross-tenant-access-settings-audit-logs.png" alt-text="Screenshot of the audit logs for cross-tenant access settings." lightbox="media/cross-tenant-access-overview/cross-tenant-access-settings-audit-logs.png":::
0 commit comments