Recently, Microsoft added a feature to Conditional Access called custom controls. Custom controls allow a third party to integrate with Conditional Access. The third party registers an application that Microsoft whitelists globally, and then provides OpenID Connect (OIDC) endpoints that the Azure customer's tenant uses to call out to the third party's authorization process.
This guide is intended for administrators who need to install and configure Microsoft Conditional Access for use with SecureAuth IdP.
- Install a SecureAuth IdP appliance, version 9.1 or 9.2, and configure one or more realms for that appliance (refer to the SecureAuth IdP Realm Guide).
- Configure the following tabs in the SecureAuth IdP Web Admin console before configuring any other tabs:
  - Overview: Define the description of the realm and the SMTP connections.
  - Data: An enterprise directory must be integrated with SecureAuth IdP.
  - Workflow: Define how users access the target.
  - Multi-Factor Methods: Define the Multi-Factor Authentication methods that are used to access the target, if any.
- Gain administrative access to Microsoft Azure.
- Install and configure Internet Information Services (IIS) for Windows Server.
- Set up Modern Authentication in your server environment. See the Hybrid Modern Authentication overview and prerequisites for using it with on-premises Skype for Business and Exchange servers article on the Microsoft website.
- Contact email@example.com, open a support ticket, and mention "Tailoring - Conditional Access" if you will use this integration. Request the following items so you have them on hand during the configuration:
  - ASPX and code-behind pages (used in "Configure SecureAuth IdP," step 4)
  - Import Rules (used in "Configure SecureAuth IdP," step 5d)
  - JSON file (used in "Configure Microsoft Custom Control," step 7)
SecureAuth IdP configuration steps
For more information about the URL rewrite rule, see the Creating Rewrite Rules for the URL Rewrite Module article on the Microsoft website.
For information about editing the web.config file, see the System Info Tab Configuration document.
10. Save all changes made to this configuration and exit.
Configure Microsoft Custom Control
7. Enter the JSON provided by SecureAuth Support, then click Save.
Create a Policy
Create a Microsoft Conditional Access policy.
4. Specify the users, apps, and controls to which you want to assign the policy.
5. Save your changes.
Test Microsoft Conditional Access with SecureAuth IdP
- Log in to Microsoft Teams: https://teams.microsoft.com
- Enter your email address in the following screen:
- Enter your password in the following screen:
- Select the kind of two-factor authentication method to use to log into Microsoft Teams. The following example shows the text message (SMS) method.
- In the following screen, enter the one-time passcode that was sent to you:
- The following Microsoft Teams screen is displayed if the configuration between Microsoft Conditional Access and SecureAuth IdP is successful.
If you do not see this screen or if you receive an error message, contact SecureAuth Support.