Adaptive access for apps

MaaS360® supports adaptive access for apps through the Block access and Require Multi-Factor Authentication (MFA) quarantine actions.

The adaptive access restrictions are applicable to SSO-enabled apps that are made available to users. These restrictions ensure that only trusted users and devices can access Single Sign-On (SSO) apps in your organization.

MaaS360 supports the following adaptive access restrictions for SSO apps.
  • Block access: Blocks the user from accessing SSO-enabled apps from all the devices owned by that user. You can use this option to enforce strict access restrictions for the SSO-enabled apps.
  • Require Multi-Factor Authentication (MFA): Requires users to complete an MFA challenge before accessing an SSO-enabled app. The MFA challenge typically involves additional authentication factors such as entering a code sent to their phone, using a fingerprint or face recognition, or using a hardware token. The user gains access to the SSO-enabled app upon successful completion of the MFA challenge. If the MFA challenge fails, the user is denied access to the app.

Prerequisites

Ensure that the following requirements are met before applying quarantine actions.

MaaS360 Quarantine action workflow

Administrators identify the risky users or devices and then apply a Quarantine action from the Security Dashboard.
  1. MaaS360 uses Entra ID Conditional Access policies to enforce access restrictions for SSO-enabled apps on the end-user devices.
  2. Depending on the quarantine action issued by the administrator, users are blocked from accessing the SSO-enabled app or users are required to go through a Multi-Factor Authentication (MFA) challenge before they can access the app.
  3. Administrators review the risk posture of the quarantined users. If the impacted users are restored to a secure state, administrators issue the Revoke Quarantine action to restore normal access to the SSO-enabled app for those users.

Configuring Conditional Access policies in Entra ID

Configure separate Conditional Access policies for grant and block access in Entra ID. When you apply the quarantine action, MaaS360 uses the corresponding Entra ID Conditional Access policy to enforce access restrictions for Single Sign-On apps.

Block access

To configure the Conditional Access policies for block access in Entra ID, complete the following steps.

  1. Sign in to the Microsoft Entra portal as a Conditional Access Administrator, Security Administrator, or Global Administrator.
  2. Go to Microsoft Entra ID > Security > Conditional Access.
  3. Click New policy.
  4. Give your policy a name. For example, Block access to quarantined users in MaaS360.
  5. Under Users, select users or groups. The conditions and access controls specified in this policy are enforced for the selected users or groups. These restrictions do not affect other users who are not included in the policy.
  6. Under Cloud apps or actions, select apps that are configured for SSO by using Entra ID. The conditions and access controls specified in this policy are enforced for the selected SSO-enabled apps.
    CAUTION:
    You should not select All Cloud apps because this setting might inadvertently disrupt legitimate access to the critical services.
  7. Under Conditions, configure the following settings.
    • Device platforms: Select Any device to apply this policy to all devices regardless of the platform they are running on or select a specific operating system based on your requirements.
    • Filter for devices: Set Configure to Yes. Select Include filtered devices in policy and then specify the criteria as shown in the following table.
      Table 1. Criteria to include filtered devices in policy
      Property             Operator   Value
      ExtensionAttribute1  Equals     BLOCK
  8. Under Access controls, select Block access.
  9. Note: This step is optional.
    Under Session, select Sign-in frequency > Periodic reauthentication and then select 1 Hours. If this setting is configured, the user's sign-in is evaluated and the policy is applied to devices within one hour. Otherwise, the sign-in frequency configured at the app level is used.

Require Multi-Factor Authentication

To configure the Conditional Access policy for Multi-Factor Authentication (MFA) in Entra ID, complete the following steps.

  1. Sign in to the Microsoft Entra Portal as a Conditional Access Administrator, Security Administrator, or Global Administrator.
  2. Go to Microsoft Entra ID > Security > Conditional Access.
  3. Click New policy.
  4. Give your policy a name. For example, Require MFA for quarantined devices in MaaS360.
  5. Under Users, select users or groups. The conditions and access controls specified in this policy are enforced for the selected users or groups. These restrictions do not affect other users who are not included in the policy.
  6. Under Cloud apps or actions, select apps that are configured for SSO using Entra ID. The conditions and access controls specified in this policy are enforced for the selected SSO-enabled apps.
    CAUTION:
    You should not select All Cloud apps because this setting might inadvertently disrupt legitimate access to the critical services.
  7. Under Conditions, configure the following settings.
    • Device platforms: Select Any device to apply this policy to all devices regardless of the platform they are running on or select a specific operating system based on your requirements.
    • Filter for devices: Set Configure to Yes. Select Include filtered devices in policy and then specify the criteria as shown in the following table.
      Table 2. Criteria to configure MFA in policy
      Property             Operator   Value
      ExtensionAttribute1  Equals     MFA
  8. Under Access controls, click Grant access and then select Require multifactor authentication.
  9. Note: This step is optional.
    Under Session, select Sign-in frequency > Periodic reauthentication and then select 1 Hours. If this setting is configured, the user's sign-in is evaluated and the policy is applied to devices within one hour. Otherwise, the sign-in frequency configured at the app level is used.
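The following example, added here and not part of the MaaS360 documentation, expresses the Block access and Require MFA procedures above as the Microsoft Graph request bodies an administrator would POST to /identity/conditionalAccess/policies, and includes a simplified evaluator showing which outcome a device gets from its ExtensionAttribute1 value. The group and app IDs are constructed placeholders; the evaluator assumes an exact string match on the attribute and does not model any other Conditional Access condition.

```python
"""Build the two Conditional Access policies described above as Microsoft Graph
conditionalAccessPolicy bodies and map ExtensionAttribute1 values to outcomes."""
import json
from typing import Optional

GROUP_ID = "00000000-0000-0000-0000-000000000001"   # placeholder: scoped group
APP_IDS = ["00000000-0000-0000-0000-0000000000a1"]  # placeholder: SSO app ids


def build_policy(name: str, attribute_value: str, control: str) -> dict:
    """Return a policy body with a device filter on extensionAttribute1 and
    either the 'block' or the 'mfa' built-in grant control."""
    assert control in ("block", "mfa")
    return {
        "displayName": name,
        "state": "enabled",
        "conditions": {
            "users": {"includeGroups": [GROUP_ID]},
            # Scope to specific SSO apps; never target all cloud apps (step 6).
            "applications": {"includeApplications": APP_IDS},
            "platforms": {"includePlatforms": ["all"]},           # Any device
            "devices": {"deviceFilter": {                        # step 7
                "mode": "include",
                "rule": f'device.extensionAttribute1 -eq "{attribute_value}"',
            }},
        },
        "grantControls": {"operator": "OR", "builtInControls": [control]},
        # Optional step 9: periodic reauthentication every 1 hour.
        "sessionControls": {"signInFrequency": {
            "isEnabled": True, "type": "hours", "value": 1,
            "frequencyInterval": "timeBased",
        }},
    }


BLOCK_POLICY = build_policy("Block access to quarantined users in MaaS360", "BLOCK", "block")
MFA_POLICY = build_policy("Require MFA for quarantined devices in MaaS360", "MFA", "mfa")


def expected_outcome(extension_attribute1: Optional[str]) -> str:
    """Simplified evaluation: the filter matches only on the exact attribute
    value, so untagged devices fall through to normal ('allow') access."""
    for policy in (BLOCK_POLICY, MFA_POLICY):
        rule = policy["conditions"]["devices"]["deviceFilter"]["rule"]
        wanted = rule.split('-eq "')[1].rstrip('"')
        if extension_attribute1 == wanted:
            return policy["grantControls"]["builtInControls"][0]
    return "allow"


if __name__ == "__main__":
    print(json.dumps(BLOCK_POLICY, indent=2))
    for tag in ("BLOCK", "MFA", None):
        print(tag, "->", expected_outcome(tag))
```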