Home » Blog » Azure Active Directory Conditional Access Policies and the Office 365 Portal

Azure Active Directory Conditional Access Policies and the Office 365 Portal

Microsoft is rolling out a change from August 9th August 24th 2017 for Azure Active Directory conditional access policies. Before this change rolls out any user logins to the Office 365 portal are not subject to conditional access requirements (e.g. enforcing multi-factor authentication or other conditions). It is only after the user clicks on a tile to access an application such as Outlook on the web, OneDrive, or Planner that they will be prompted to meet the requirements of your conditional access policies.

From August 9th this behavior will change, and conditional access policies that you apply to Exchange Online and SharePoint Online will also apply to the Office 365 portal. This is a positive change in that it levels the field for securing access to online portals, however it does introduce one potential issue. If a user wants to install the Office 365 ProPlus applications on a computer, they would normally log in to the portal to download the installer. If your conditional access policies require domain-joined or Intune-compliant devices, the user may not be able to login at all (e.g. from an unmanaged home PC).

To get around this, Microsoft advises that the user can still download the Office 365 ProPlus installer from this URL.

Update: Message Center now has this change occuring on the 24th of August in the tenants where I have been notified so far.

Paul is a Microsoft MVP for Office Servers and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul is a co-author of Office 365 for IT Pros and several other books, and is also a Pluralsight author.
Category: Blog


  1. Mark Freeman says:

    Paul, when I go to the ‘Conditional Access’ page on the Azure AD blade for my tenant, it prompts me to start a trial of AD Premium (don’t have) so this change seems to be specific to tenants where AD Premium is active. However, in all the tech info I could find on this, there is no explicit mention of how the change impacts those without AD Premium. Can you offer any clarification on this?

  2. JOD says:

    What if you have different settings between your Conditional Access policies for Exchange Online and SharePoint Online? What if one doesn’t require the endpoint to be domain-joined or Intune-enrolled? I assume the strongest CA policy will take precedent?

    eg, We want to use app-enforced restrictions for SharePoint Online that allow limited access to SPO files (browser-only, with download/print/sync switched off). The endpoint does not need to be domain-joined or Intune-enrolled. However, our EXO CA policy does require either domain-joined or Intune-enrolled.

    • The EXO policy will apply when accessing EXO services, and the SPO policy will apply when accessing SPO services. For apps that use both EXO and SPO, access will only be granted when the user or device satisfies the conditions of *all* policies that have been targeted at that user.

Leave a Reply

Your email address will not be published. Required fields are marked *