Microsoft has a feature in their Azure stack called Conditional Access. This feature allows Azure customers to apply policies to either the log-in process to Office 365 or specific apps and tiles within Office 365/Azure. Using this feature, Azure customers can restrict access to applications, such as Outlook, SharePoint, and others, based on several different factors.
Recently, Microsoft added a function to Conditional Access called custom controls. Custom controls allow third-party integration into Conditional Access. The process requires the third party to register an application that Microsoft white-lists globally, and then to provide OpenID Connect (OIDC) endpoints that the Azure customer uses to call out to the third party's authorization process.
This guide is intended for administrators who need to install and configure Microsoft Conditional Access for use with SecureAuth IdP.
You must ensure that you have the following items:
Create a SecureAuth IdP realm and configure it for use with Microsoft Conditional Access.
1. Log into your SecureAuth IdP Admin console.
2. Copy the ASPX and code-behind pages to the root of the newly-defined realm, which is located at D:\SecureAuth\SecureAuthRealm_number (for example, D:\SecureAuth\SecureAuth5).
(Contact SecureAuth Support per the Prerequisites steps, if you did not already request the ASPX and code-behind pages.)
A custom pre-authentication page is used to retrieve the user ID from Microsoft for this request. Microsoft sends an HTTP POST with the OIDC parameters and an additional parameter called id_token_hint. This parameter carries a JSON Web Token (JWT) containing a number of claims, including the user's unique ID and user principal name (UPN). SecureAuth IdP must validate the JWT and extract that information from it.
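The validation the pre-authentication page has to perform on id_token_hint, shown as an added example that is not SecureAuth's code or the ASPX page itself. The Go program below plays both sides offline: mintHint signs a constructed RS256 token with a locally generated test key (standing in for Microsoft), and ValidateHint does what the page must do before trusting any claim: pin the algorithm to RS256, verify the signature, check issuer, audience and expiry, and only then read the user's ID and UPN. The claim names oid and upn, the issuer and audience strings, and the test key are assumptions; in production the public key comes from Microsoft's OIDC discovery metadata (JWKS), which this example does not fetch.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// HintClaims is the subset of id_token_hint claims this example reads. The claim
// names oid and upn are assumed; confirm them against the hint Microsoft sends.
type HintClaims struct {
	Issuer   string `json:"iss"`
	Audience string `json:"aud"`
	Expiry   int64  `json:"exp"`
	ObjectID string `json:"oid"`
	UPN      string `json:"upn"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// newTestKey makes a throwaway signing key so the example runs offline.
// In production the verifying key is Microsoft's, published via its JWKS.
func newTestKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

// mintHint stands in for the issuer: it signs a constructed RS256 token.
func mintHint(key *rsa.PrivateKey, c HintClaims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	signingInput := b64url(hdr) + "." + b64url(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// ValidateHint is what the pre-authentication page must do before it trusts any
// claim in the POSTed hint: pin the algorithm, verify the RS256 signature, then
// check issuer, audience and expiry. Only then are the user's ID and UPN returned.
func ValidateHint(token string, pub *rsa.PublicKey, wantIss, wantAud string, now time.Time) (HintClaims, error) {
	var none HintClaims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return none, errors.New("malformed token: expected three segments")
	}
	seg := make([][]byte, 3) // decoded header, payload, signature
	for i, p := range parts {
		b, err := base64.RawURLEncoding.DecodeString(p)
		if err != nil {
			return none, fmt.Errorf("segment %d is not base64url: %w", i, err)
		}
		seg[i] = b
	}
	// The verifier, not the token, decides the algorithm: this rejects alg=none and
	// any attempt to swap RS256 for an HMAC algorithm keyed with the public key.
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(seg[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return none, fmt.Errorf("unexpected or unreadable alg %q", hdr.Alg)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], seg[2]); err != nil {
		return none, errors.New("signature verification failed")
	}
	var c HintClaims // parsed only after the signature has proven the payload's integrity
	if err := json.Unmarshal(seg[1], &c); err != nil {
		return none, fmt.Errorf("bad payload: %w", err)
	}
	switch {
	case c.Issuer != wantIss:
		return none, fmt.Errorf("issuer %q is not trusted", c.Issuer)
	case c.Audience != wantAud:
		return none, fmt.Errorf("audience %q is not this application", c.Audience)
	case !now.Before(time.Unix(c.Expiry, 0)):
		return none, errors.New("token has expired")
	case c.ObjectID == "" || c.UPN == "":
		return none, errors.New("token carries no user identity claims")
	}
	return c, nil
}

func main() {
	key := newTestKey()
	now := time.Now()
	claims := HintClaims{Issuer: "https://issuer.example/v2.0", Audience: "secureauth-client-id",
		Expiry: now.Unix() + 300, ObjectID: "example-object-id", UPN: "user@example.com"}
	tok, _ := mintHint(key, claims)
	got, err := ValidateHint(tok, &key.PublicKey, claims.Issuer, claims.Audience, now)
	fmt.Println("valid hint:", got.ObjectID, got.UPN, err)
}
```

The same ValidateHint call rejects a hint whose payload was altered after signing, one signed with a different key, one addressed to another client ID, one from an untrusted issuer, an expired one, and one whose header claims alg=none; in each case the page should treat the request as unauthenticated rather than fall back to any value in the POST body.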
3. Using the IIS Manager, create an inbound rule for Conditional Access in this new realm by completing the following steps:
The URL rewrite rule, shown in the following image, captures these requests and routes them to the custom page, which decodes the JWT that Microsoft sends via POST.
For more information about the URL rewrite rule, see the Creating Rewrite Rules for the URL Rewrite Module article, on the Microsoft website.
4. Using the IIS Manager, change the query string setting for the SecureAuth realm number (for example, SecureAuth3).
1. Select the Data tab.
2. Create a connection based on the data store type, such as Active Directory or SQL Server.
a. In the Profile Fields section, set the following auxiliary values:
b. In the Global Aux Fields section, designate Global Aux ID 1 as Validated.
Select the Workflow tab.
1. In the Login Screen Options section, set the following values:
2. In the Customer Identity Consumer section, set the following values:
Select the Multi-Factor Methods tab.
1. In the Phone Settings section, configure the Multi-Factor Authentication methods that you want enabled. The following example shows how to set the email and text (SMS) methods.
2. In the Email Settings section, set Email Field 1 to One-Time Passcode via HTML Email.
Select the Post Authentication tab.
1. In the Post Authentication section, set the Authenticated User Redirect dropdown to OpenID Connect/OAuth2.
2. In the User ID Mapping section, set the following values:
Set Name ID Format to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
3. In the OpenID Connect/OAuth 2.0 – Settings section, set the following values:
Leave the following fields set to the default:
4. In the OpenID Connect/OAuth 2.0 – Scopes section, set the Discoverable check box for the openid scope.
5. In the OpenID Connect/OAuth 2.0 – Clients section, click the Add Client button and set the following values:
6. In the OpenID Connect/OAuth 2.0 - Client Details section, set the following values:
7. In the Allowed Flows section, set the following values:
8. In the OpenID Connect/OAuth 2.0 - Client Redirect URIs section, click the Add Redirect URI button and set the Client Redirect URI to
9. In the OpenID Connect/OAuth 2.0 – Claims section, set the following values:
10. In the OpenID Connect/OAuth 2.0 – Custom Claims section, click the Add Custom Claim button and set the following values:
Select the System Info tab.
1. In the Links section at the bottom of the screen, click Click to edit Web Config file to edit the web.config file.
2. Add the following key under the <appSettings> section:
<add key="MSConditionalAccess-ProfileField" value="AuxID5" />
For information about editing the web.config file, see the System Info Tab Configuration document.
Save all changes made to this configuration and exit.
Create and configure a new custom control for Microsoft Conditional Access.
7. Enter the JSON provided by SecureAuth Support, then click Save.
Configure the JSON file as follows, using the above image as a guide:
For your convenience, copy the following code snippet into the JSON file and change the values appropriately:
"Name": "Name for SecureAuth MFA",
"AppId": "Microsoft data App ID",
"ClientId": "SecureAuth ClientID",
Create a Microsoft Conditional Access policy.
4. Specify the users, apps, and controls to which you want the policy to apply.
5. Save your changes.
Test that Microsoft Conditional Access works with SecureAuth IdP. In this scenario, you will test with Microsoft Teams, but you could also test with Outlook or Skype for Business.