Let’s Get Conditional – Part 3: macOS Conditional Access Policy and Registration with Microsoft Azure and Addigy

Using Addigy’s Compliance Engine for your macOS devices will help ensure that the devices meet your organization’s security requirements. If a device doesn’t meet the security rules, it can be fixed automatically and brought back into compliance using Addigy’s remediation feature. Once the device is compliant, Addigy sends that compliance state to Microsoft Azure. Azure then uses a Conditional Access Policy to decide whether to allow or deny access for the end user’s device.

The Conditional Access Policy is the key to allowing or denying access within Azure AD. A best practice for some organizations might be to build out a platform-specific method of prescribing a Conditional Access policy. This way, end users get specific application access depending on their device type. For example, the more portable the device, the more data is restricted. Or, you can require end users to sign in to apps more frequently if those applications contain sensitive data.

To create a Conditional Access Policy, navigate to the Conditional Access Policy service blade in portal.azure.com.

Once you are in the Azure AD Conditional Access portal, you will see a list of your existing policies, if any exist. Or, if you are just starting out, you can build your very first policy.

There are two areas of policy settings: Assignments and Access Controls. In Assignments, you choose which users fall under the policy, which apps the in-scope users will have the Conditional Access policy applied to, and the conditions that invoke the Conditional Access policy protection. These conditions can include the device platform, as mentioned above, so that you can set separate rules for different platforms, or the client app type, so that web apps and desktop clients of Microsoft apps get different behavior.

In Access Controls, you specify the conditions that allow or deny access, based on criteria like device compliance state or on requirements of the login action itself, such as multi-factor authentication (MFA).

Screenshot examples (images not reproduced here):

- Example of iOS platform
- Example of macOS platform
- Example of Grant controls for MFA and Compliance
- Example of sign-in timeout
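The macOS policy described above, written out in the Microsoft Graph conditionalAccessPolicy schema (the same object the portal creates), with a small local evaluator showing how the Assignments conditions scope the policy and how the Grant controls combine. This is an added example, not Addigy's or Microsoft's code; the group id is a placeholder, and the evaluator is a simplified model (real Azure AD prompts for MFA rather than denying when only MFA is missing).

```python
import json

# Constructed placeholder; a real policy uses the pilot group's object id.
PILOT_GROUP = "<placeholder-group-object-id>"

# Policy body in the Microsoft Graph conditionalAccessPolicy schema, i.e. what
# the Graph API or Microsoft Graph PowerShell accepts when creating a policy.
MACOS_POLICY = {
    "displayName": "macOS: require compliant device and MFA",
    "state": "enabled",  # "enabledForReportingButNotEnforced" is a safe first step
    "conditions": {
        "users": {"includeGroups": [PILOT_GROUP]},
        "applications": {"includeApplications": ["All"]},
        "platforms": {"includePlatforms": ["macOS"]},
        "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
    },
    "grantControls": {"operator": "AND",
                      "builtInControls": ["compliantDevice", "mfa"]},
    "sessionControls": {"signInFrequency": {"isEnabled": True,
                                            "type": "hours", "value": 8}},
}

def policy_json() -> str:
    """Serialise the policy as it would be sent to Graph."""
    return json.dumps(MACOS_POLICY, indent=2)

def signin(platform, compliant, mfa, client_app="browser", groups=(PILOT_GROUP,)):
    """Constructed sign-in attempt used to exercise the evaluator."""
    return {"platform": platform, "device_compliant": compliant, "mfa_done": mfa,
            "client_app": client_app, "groups": set(groups), "app": "Office 365"}

def in_scope(policy, attempt) -> bool:
    """Assignments: user group, application, device platform, client app type."""
    c = policy["conditions"]
    apps = c["applications"]["includeApplications"]
    return (bool(set(c["users"]["includeGroups"]) & attempt["groups"])
            and (apps == ["All"] or attempt["app"] in apps)
            and attempt["platform"] in c["platforms"]["includePlatforms"]
            and attempt["client_app"] in c["clientAppTypes"])

def evaluate(policy, attempt) -> str:
    """Simplified model: 'not_applicable', 'grant' or 'deny' for one attempt."""
    if policy["state"] != "enabled" or not in_scope(policy, attempt):
        return "not_applicable"
    satisfied = {"compliantDevice": attempt["device_compliant"], "mfa": attempt["mfa_done"]}
    gc = policy["grantControls"]
    met = [satisfied[ctrl] for ctrl in gc["builtInControls"]]
    return "grant" if (all(met) if gc["operator"] == "AND" else any(met)) else "deny"
```

A non-compliant Mac is denied even after MFA because the operator is AND, while an iOS sign-in is untouched by this policy and needs its own platform-specific one.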

Together with the settings discussed in the previous blog posts in this series, these Azure AD configurations give end users a secure access experience.
