Azure Active Directory Terms of Use or Baseline Protection can Break Office 365 Federation in Okta
Overview

Conditional access is a capability of Azure Active Directory (Azure AD), enabling the implementation of automated access control decisions for accessing cloud apps based on specific conditions. Azure AD introduces two new features to public preview:

  1. Baseline Protection

Baseline protection is a set of predefined conditional access policies. Users with access to privileged accounts have unrestricted access to the environment. Due to the power inherent in these accounts, they should be treated with special care. One common method to improve the protection of privileged accounts requires a stronger form of account verification when they are used to sign in. In Azure Active Directory, stronger account verification is achieved by requiring multi-factor authentication (MFA). These policies aim to ensure that there is at least the baseline level of security enabled in all editions of Azure AD.

  2. Terms of Use

Terms of use lets an organization surface a disclaimer for legal or compliance requirements when users access content or services integrated with Azure AD. Configuring terms of use in Azure AD requires Azure AD Premium P1/P2 licenses, which are available standalone or bundled in the EM+S E3/E5 licenses.

Applies To
  • Microsoft Office 365
  • Azure Active Directory Baseline Protection
  • Azure Active Directory Terms of Use
  • Conditional Access Policy
  • Baseline Protection
  • Okta Classic Engine
Cause
  • Case scenario #1: Enabling Baseline Policy: Require MFA for Admins

While baseline policies are in preview, they are not activated by default; a policy must be enabled manually. If you explicitly enable the baseline policies during the preview, they remain active when the feature reaches general availability. This planned behavior change is why, in addition to activating and deactivating, there is a third option for the state of a policy: Automatically enable the policy in the future. Selecting this option leaves the policies disabled during the preview but has Microsoft enable them automatically when the feature reaches general availability. If you neither explicitly enable the baseline policies now nor select the Automatically enable policy in the future option, the policies remain disabled when the feature reaches general availability (reference: Enable a baseline policy).

  • Case scenario #2: Enabling Conditional Access Policies: Terms of Use
    The issue is that the terms of use policy creates a conditional access rule in Azure AD that applies to all users. That includes the service account used by Okta for federation services. The service account cannot accept the terms of use, so it fails to authenticate, breaking Office 365 federation in Okta (reference: Configuring Terms of Use for User Logins to Office 365 and Azure Active Directory).
Solution

NOTE: PLEASE READ BEFORE STARTING! This is just an example. The use of this information is at one's own risk, as the steps could change whenever a product update is released. Okta strongly advises against deploying this in production environments. It is highly recommended to test this in a test/preview environment. All instructions are provided as is without warranty of any kind. Okta disclaims all implied warranties, including, without limitation, any implied warranties for a particular purpose.


Mitigate the impact of inadvertent use of "Baseline Protection: Require MFA for admins" AND "Conditional Access Policies: Terms of Use" by excluding the Microsoft Office 365 Global administrator account used to enable the Okta federation.

How to determine the Microsoft Office 365 Global administrator account used in Okta:

  1. Sign in to the Okta Administrator Dashboard as an administrator.
  2. Go to Applications.
  3. Search for the specific Microsoft Office 365 application.
  4. Go to the Sign On sub-tab.
  5. Under Settings, look for Admin username for Office 365.

Case scenario #1: How to exclude the Microsoft Office 365 Global administrator account (Baseline Protection: Require MFA for admins)

  1. Sign in to the Azure portal as a global administrator, security administrator, or conditional access administrator.

  2. In the Azure portal, on the left navbar, click Azure Active Directory.
    Azure portal

  3. On the Azure Active Directory page, in the Security section, click Conditional access.
    Conditional access

  4. In the list of policies, click a policy whose name starts with Baseline policy.

  5. To exclude the administrator account, select Exclude users.

  6. Click Save.


Case scenario #2: How to exclude the Microsoft Office 365 Global administrator account (Conditional Access Policies: Terms of Use)

  1. Sign in to the Azure portal as a global administrator, security administrator, or conditional access administrator.

  2. In the Azure portal, on the left navbar, click Azure Active Directory.
    Azure AD

  3. On the Azure Active Directory page, in the Security section, click Conditional access.
    Conditional access

  4. In the list of policies, click a policy whose name starts with Terms of Use.
    Terms of Use policy

  5. To exclude the administrator account, click All Users, then select Exclude.
    Exclude button

  6. Click Save.
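After applying either scenario, it is worth confirming that no enforcing conditional access policy still scopes the Okta federation account, since a single missed policy is enough to break federation again. The following Python script is an added example, not Okta's or Microsoft's code: it evaluates policy objects offline and lists the enforcing policies that would still apply to the account. It assumes the field layout Microsoft Graph uses for conditionalAccessPolicy objects (displayName, state, conditions.users.includeUsers / excludeUsers / includeGroups / excludeGroups / includeRoles / excludeRoles); the policies and identifiers below are constructed, and in practice the list would be exported from the tenant (for example with Get-MgIdentityConditionalAccessPolicy). It goes slightly beyond the two cases on the page by also honoring group and role scoping and by treating report-only policies as non-enforcing.

```python
import copy

# Only "enabled" policies block sign-in; "disabled" and
# "enabledForReportingButNotEnforced" (report-only) do not.
ENFORCING_STATES = {"enabled"}

# Constructed identifiers for the walkthrough (not real tenant values).
OKTA_SVC_ID = "svc-okta-federation"                  # the Office 365 admin account configured in Okta
GLOBAL_ADMIN_ROLE_ID = "role-global-administrator"   # placeholder for the Global administrator role id

# Constructed policies in the Graph conditionalAccessPolicy shape, as they
# would look BEFORE the exclusion from the two scenarios above is applied.
SAMPLE_POLICIES = [
    {
        "displayName": "Baseline policy: Require MFA for admins (Preview)",
        "state": "enabled",
        "conditions": {"users": {"includeRoles": [GLOBAL_ADMIN_ROLE_ID], "excludeUsers": []}},
    },
    {
        "displayName": "Terms of Use",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}},
    },
    {
        "displayName": "Report-only pilot",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {"users": {"includeUsers": ["All"]}},
    },
]


def policy_applies(policy, user_id, group_ids=(), role_ids=()):
    """Return True if the policy's user scope covers the account.

    Exclusions take precedence over inclusions, matching how Azure AD
    evaluates the users/groups/roles assignment of a policy.
    """
    users = policy.get("conditions", {}).get("users", {})
    groups, roles = set(group_ids), set(role_ids)

    if user_id in users.get("excludeUsers", []):
        return False
    if groups & set(users.get("excludeGroups", [])):
        return False
    if roles & set(users.get("excludeRoles", [])):
        return False

    include_users = users.get("includeUsers", [])
    return (
        "All" in include_users
        or user_id in include_users
        or bool(groups & set(users.get("includeGroups", [])))
        or bool(roles & set(users.get("includeRoles", [])))
    )


def policies_hitting_account(policies, user_id, group_ids=(), role_ids=()):
    """Names of enforcing policies that would still apply to the account."""
    return sorted(
        p["displayName"]
        for p in policies
        if p.get("state") in ENFORCING_STATES
        and policy_applies(p, user_id, group_ids, role_ids)
    )


def exclude_account(policy, user_id):
    """Return a copy of the policy with the account added to excludeUsers,
    i.e. the change made in the portal steps above."""
    fixed = copy.deepcopy(policy)
    users = fixed.setdefault("conditions", {}).setdefault("users", {})
    excluded = users.setdefault("excludeUsers", [])
    if user_id not in excluded:
        excluded.append(user_id)
    return fixed


if __name__ == "__main__":
    before = policies_hitting_account(SAMPLE_POLICIES, OKTA_SVC_ID, role_ids=[GLOBAL_ADMIN_ROLE_ID])
    print("Policies still scoping the Okta account:", before or "none")
    fixed = [exclude_account(p, OKTA_SVC_ID) for p in SAMPLE_POLICIES]
    after = policies_hitting_account(fixed, OKTA_SVC_ID, role_ids=[GLOBAL_ADMIN_ROLE_ID])
    print("After excluding the account:", after or "none")
```

The role argument matters for the baseline policy: it targets directory roles rather than named users, so the federation account is caught by it only because it holds the Global administrator role, and an audit that passes the account's roles and group memberships alongside its object id is the one that reflects what the tenant will actually enforce.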
