Microsoft yesterday announced the availability of Azure AD Conditional Access per-app MFA and Network Location policies. The new Conditional Access policy engine allows admins to maintain control over access to applications. Conditional Access policy evaluation can be based on device health, MFA, location and detected risk. The following policies can be set per application:
- Always require MFA
- Require MFA when not at work
- Block access when not at work
The MFA and Network Location policies are applied across all devices. Admins can now create a Conditional Access policy for SharePoint that requires users to be on their corporate network to access the service. If a user tries to access SharePoint from their iPhone while off the corporate network, authorization fails and they are blocked.
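The three per-app policies and the SharePoint location rule above, modelled as a small policy evaluator. This is an added illustration, not Microsoft's implementation or API: the corporate IP ranges, the per-application policy assignments, the decision names (`allow`, `require_mfa`, `block`) and the sample sign-ins are all constructed for the example. "At work" is modelled purely as the client IP falling inside a trusted range, which is how a network-location condition is evaluated; device health and risk, which the page says the engine can also consider, are left out.

```python
"""Toy model of per-application Conditional Access decisions.

Added example, not Microsoft's code. Policy names follow the page; the
network ranges, app assignments and sample sign-ins are constructed.
"""
import ipaddress
from dataclasses import dataclass
from enum import Enum


class Policy(Enum):
    ALWAYS_MFA = "Always require MFA"
    MFA_OFF_NETWORK = "Require MFA when not at work"
    BLOCK_OFF_NETWORK = "Block access when not at work"


# Constructed: the tenant's trusted corporate egress ranges (documentation
# prefixes, so nothing here points at a real network).
CORPORATE_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Constructed: one policy per application. An app that is absent has no
# Conditional Access policy applied to it.
APP_POLICIES = {
    "SharePoint": Policy.BLOCK_OFF_NETWORK,
    "Exchange": Policy.MFA_OFF_NETWORK,
    "Azure Portal": Policy.ALWAYS_MFA,
}


@dataclass(frozen=True)
class SignIn:
    user: str
    app: str
    source_ip: str
    mfa_completed: bool


def at_work(source_ip: str) -> bool:
    """Network-location condition: is the client IP in a trusted range?"""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in net for net in CORPORATE_NETWORKS)


def evaluate(sign_in: SignIn) -> str:
    """Return 'allow', 'require_mfa' or 'block' for one sign-in.

    The policy is looked up per application. Location is checked first
    because the block policy ignores MFA entirely: a strong second factor
    does not get an off-network user into SharePoint under that policy.
    """
    policy = APP_POLICIES.get(sign_in.app)
    if policy is None:
        return "allow"  # no policy targets this app

    on_network = at_work(sign_in.source_ip)

    if policy is Policy.BLOCK_OFF_NETWORK:
        return "allow" if on_network else "block"

    if policy is Policy.MFA_OFF_NETWORK and on_network:
        return "allow"  # trusted location satisfies the policy

    # ALWAYS_MFA, or MFA_OFF_NETWORK evaluated from outside the network.
    return "allow" if sign_in.mfa_completed else "require_mfa"


if __name__ == "__main__":
    # Constructed sample sign-ins, including the iPhone-off-network case.
    samples = [
        SignIn("alice", "SharePoint", "203.0.113.10", False),
        SignIn("alice", "SharePoint", "192.0.2.5", True),
        SignIn("bob", "Exchange", "192.0.2.5", False),
        SignIn("bob", "Exchange", "198.51.100.7", False),
        SignIn("carol", "Azure Portal", "203.0.113.10", False),
    ]
    for s in samples:
        print(f"{s.user:6} {s.app:13} {s.source_ip:14} -> {evaluate(s)}")
```

The ordering in `evaluate` is the point worth noting: for a block-when-not-at-work policy the MFA flag is never consulted, so an off-network device is refused even after a successful second factor, which is the behaviour the SharePoint example describes.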
Conditional Access is an Azure AD Premium feature, requiring a per-user license for every user who accesses an app that has a policy applied. Find more information about it here.