Microsoft Azure Active Directory Conditional Access and Dynamics 365: Enforce multi-factor authentication

January 4 2019

With Azure Active Directory Conditional Access, you can control how authorized users can access your cloud applications. Multi-factor authentication (MFA) is a method of authentication that requires more than one verification method and adds a second layer of security to sign-ins.

Azure AD is Microsoft's cloud-based identity and access management service. It is intended for app developers and Microsoft 365, Azure, or Dynamics 365 subscribers. So, each Dynamics 365 tenant is automatically an Azure AD tenant.

No setup is required from the D365 administrator side. However, while logging in, users need to provide authentication credentials, for example a contact number to receive a message or phone call.

We had a client requirement that whenever any user tries to access D365 or Office 365 services from outside the company network, they must be prompted for MFA. By contrast, if the services are accessed from within the company network, users shouldn't be prompted for MFA because the network is trusted.

Solution

In this article, we will see how to create a Conditional Access policy that enforces MFA when the user accesses services from an untrusted location (outside of the company's network).

Pre-requisites

  1. You will require an Azure AD Premium license for users
  2. Create a security group and add the users you need to specify in the policy
  3. Set the company's public static IP in CIDR format, for example, 15.250.0.89/24. You can contact your network team to get this detail.

No other IT considerations are required except the pre-requisites.

Trusted locations

1. Configure MFA trusted IPs in Azure AD.

2. Provide your company's public static IP in CIDR format.

Conditional access

1. Go to Azure AD-->Conditional Access-->+New Policy

2. Name the policy UntrustedLocation_PromptMFA. The first thing to configure is Assignments, where you specify the users and groups to be included in this policy.

3. Select Dynamics CRM Online under Cloud Apps. Similarly, you can choose other applications as well.

4. Under Conditions, configure the device state and client apps as per your requirements. Under Locations, include any location, then exclude selected locations and select MFA trusted IPs.

5. In Access control --> Grant access, set the policy to require multi-factor authentication.

6. Finally, enable the policy and save.

7. At sign-in, the user is asked to provide more details. After clicking Next, the user is redirected to the authentication credentials page.

8. Except for the authentication credentials, nothing else is required.


9. The user specified in the group will be asked for MFA when accessing services from outside the company network.
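
The policy built in the steps above, modelled as an added example (not code from the original article or from Microsoft) so the trusted range and a few test sign-ins can be checked before the policy is enabled. The group name and sign-in records are constructed, and the model mirrors only the settings chosen here, not Azure AD's full evaluation; it goes slightly beyond the article by showing that the sample range 15.250.0.89/24 has host bits set and normalizes to 15.250.0.0/24.

```python
import ipaddress

# Constructed model of the article's policy; names are labels, not tenant object IDs.
POLICY = {
    "name": "UntrustedLocation_PromptMFA",
    "enabled": True,
    "include_groups": {"MFA-Remote-Users"},   # hypothetical security group
    "cloud_apps": {"Dynamics CRM Online"},
    "trusted_cidrs": ["15.250.0.89/24"],      # sample range from the article
}

def normalize_cidrs(cidrs):
    """Parse CIDR strings; strict=False masks stray host bits instead of raising."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]

def is_trusted(ip, cidrs):
    """True when the sign-in address falls inside any trusted range."""
    addr = ipaddress.ip_address(ip)
    # An IPv6 address never matches an IPv4 range, so it counts as untrusted.
    return any(addr in net for net in normalize_cidrs(cidrs))

def requires_mfa(signin, policy=POLICY):
    """Return True when the modelled policy would prompt this sign-in for MFA."""
    if not policy["enabled"]:
        return False
    if not set(signin["groups"]) & policy["include_groups"]:
        return False                          # user is outside the assignment
    if signin["app"] not in policy["cloud_apps"]:
        return False                          # app is not covered by the policy
    # Locations: include any location, exclude the MFA trusted IPs.
    return not is_trusted(signin["ip"], policy["trusted_cidrs"])

# Constructed sign-ins: (description, record)
SIGNINS = [
    ("office", {"groups": ["MFA-Remote-Users"], "app": "Dynamics CRM Online", "ip": "15.250.0.17"}),
    ("home", {"groups": ["MFA-Remote-Users"], "app": "Dynamics CRM Online", "ip": "203.0.113.10"}),
    ("adjacent /24", {"groups": ["MFA-Remote-Users"], "app": "Dynamics CRM Online", "ip": "15.250.1.5"}),
    ("IPv6 egress", {"groups": ["MFA-Remote-Users"], "app": "Dynamics CRM Online", "ip": "2001:db8::1"}),
    ("not in group", {"groups": [], "app": "Dynamics CRM Online", "ip": "203.0.113.10"}),
]

def decisions(signins=SIGNINS):
    """Map each sample description to the modelled MFA decision."""
    return {name: requires_mfa(rec) for name, rec in signins}

if __name__ == "__main__":
    print("trusted ranges:", [str(n) for n in normalize_cidrs(POLICY["trusted_cidrs"])])
    for name, prompt in decisions().items():
        print(f"{name:14} -> {'MFA required' if prompt else 'no MFA prompt'}")
```

The "not in group" row shows the gap to watch for: a user left out of the security group is never prompted by this policy, even from outside the company network.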


While Microsoft Dynamics 365 is a fully secured system, equipping it with Azure AD MFA further enhances the security level and ensures a nearly fool-proof setup.

About Abhishek Kumar

Abhishek Kumar is an Office 365 Administrator, Consultant and expert at CloudFronts Technologies. He has executed and led several large-scale corporate implementation projects. While he is engrossed most of the time in delivering projects, he consistently takes time out of his busy schedule to write blogs and conduct webinars regarding Microsoft 365. Abhishek has also made numerous contributions to online portals and discussions related to his field.

CloudFronts is a Microsoft Certified Gold Partner which offers complete Dynamics 365 (CRM, Operations and Financials) implementations, Power BI Analytics, Office 365 and Azure Infrastructure services. The team has deep expertise in delivering and supporting customers through all aspects of their implementation, from strategic technology consulting and roadmap, requirements assessments, project implementation, training and migration to post-go-live managed services and support. CloudFronts commenced operations in 2012 to empower organizations around the world to do more with technology.
