Set Up Conditional Access with Microsoft Search in Bing

August 13, 2019
The original article is published on the Microsoft Tech Community Delve Blog.

Have you ever needed a way to allow some users to access Microsoft Search in Bing, while excluding others? Perhaps you want to exclude users who haven’t yet taken an orientation session, or perhaps you want to roll out this feature in stages. Well, you’re in luck! In this article, you’ll learn how to do exactly that, using a feature known as Conditional Access. With it, you can easily deploy Microsoft Search in Bing to any set of users you choose.

Assuming that you have administrative permissions and a licensing option that enables Conditional Access to Microsoft Search, here’s how to use it to limit access to Microsoft Search in Bing to a specific subset of users. If you haven’t done this before, now is a good time to review best practices for conditional access to ensure that you don’t accidentally lock yourself out.

Verify Access

You should start by assigning a test user. Once you have a test account prepared, the first step is to verify that the test account can access Microsoft Search in Bing.

Open your browser and sign in with your test account to bing.com using the “Work or school account” option.

Figure 1 – Sign in with the “Work or school account” option

Type “my files” into the Bing search box to verify that Microsoft Search in Bing is working. You should see a result that looks something like this:

Figure 2 – Verify that Microsoft Search in Bing is working

Success! You now know your test account can access Microsoft Search in Bing. Now, let’s exclude this account via Conditional Access.

Enable Conditional Access

Start by signing in to the AAD admin center as a global admin, via the Microsoft Search in Bing – Getting Started. From the Security menu, choose Conditional Access.

Figure 3 – Use the guidance in the Get started section to create your first policy.

Tip: You can place Conditional Access (or any other frequently used resource) in the “Favorites” area of the left column by selecting “All services” and searching for the word “conditional”, then clicking the star next to the search result.

Figure 4 – To add Conditional Access to Favorites, select All Services (1), search for Conditional (2), and click the star (3).

Click New policy and give it a name.

  1. Let’s include our test user.
  2. Click Assignments > Users and groups
  3. Then, on the Include tab, Select Users and groups
  4. Select ‘test user’
  5. Then, switch to the Exclude tab and select your admin account
  6. Click Done when both selections have been made

Figure 5 – On the Include tab, add Test user. On the Exclude tab, add your admin user account. (This would be a critical step if you applied Conditional Access to “All users.”) Then name your new policy.

In the screenshot on the right of Figure 5, we’ve chosen to exclude the administrative account from this test policy—you don’t want to lock yourself out if you apply a policy like this to all users! Remember, a policy designed to block access won’t affect anyone who is excluded from the policy.

  1. The next step is to include the app or service we want our conditional access policy to apply to. In this case, it’s Microsoft Search in Bing. Verify that it is included under “Cloud apps or actions.”

Figure 6 – The system will warn you if you try to exclude administrative roles—but be careful!

You’re almost there! Now that you’ve selected the users who will and won’t be affected, and the app this policy applies to, you just have to tell the policy what to do when it’s in effect. In this case, you want it to “Block.” So, select Block from Access controls > Grant, then click Select.

Figure 7 – Set the Grant value to “Block access” for the user(s) you want to block.

  1. When all of these steps are completed, click Enable policy ‘on’ and then click Create to create the new policy.
  2. After a brief validation step, you should see a “Validation Successful” message and the new policy appears under Policies. It’s time to test your new policy!

Test with the “What If” tool

The “What If” tool tests the impact of conditional access on a user when signing in under certain conditions. As the policy you created is designed to block access for “test user”, you start by selecting that user. Then, click “What If” to see what policies, if any, will affect this user.


If you’ve done everything right, you should see something like this:

Figure 8 – The ‘What If’ tool

Congratulations! You have successfully enabled conditional access. You can verify this by attempting to access Microsoft Search in Bing with the test user account. You will find that it is indeed blocked from signing in at the Bing sign-in screen. (Regular web searches with Bing still work, however.)

Figure 9 – It works!
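The policy built in the portal can also be written as a Microsoft Graph conditionalAccessPolicy request body and checked before it is enabled. The following is an added example, not code from the original article: the three IDs are placeholders to replace with values from your tenant, and `what_if` and `lockout_risk` are hypothetical helpers that model only the user and cloud-app conditions used here, not the full What If tool.

```python
import json

# Placeholders (assumptions): substitute object IDs from your own tenant.
TEST_USER = "<test-user-object-id>"
ADMIN_USER = "<admin-object-id>"
SEARCH_APP = "<microsoft-search-in-bing-app-id>"


def build_block_policy(name, include_users, exclude_users, app_id):
    """Graph conditionalAccessPolicy body mirroring the portal steps above."""
    return {
        "displayName": name,
        "state": "enabled",  # the portal's "Enable policy: On"
        "conditions": {
            "clientAppTypes": ["all"],
            "users": {"includeUsers": list(include_users),
                      "excludeUsers": list(exclude_users)},
            "applications": {"includeApplications": [app_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def what_if(policy, user_id, app_id):
    """Simplified What If: users and cloud apps only; an exclusion always wins."""
    users = policy["conditions"]["users"]
    apps = policy["conditions"]["applications"]["includeApplications"]
    if policy["state"] != "enabled" or user_id in users["excludeUsers"]:
        return "not applied"
    user_hit = "All" in users["includeUsers"] or user_id in users["includeUsers"]
    app_hit = "All" in apps or app_id in apps
    if not (user_hit and app_hit):
        return "not applied"
    blocked = "block" in policy["grantControls"]["builtInControls"]
    return "block" if blocked else "grant"


def lockout_risk(policy, admin_id):
    """True when the policy as written would block the given admin account."""
    app = policy["conditions"]["applications"]["includeApplications"][0]
    return what_if(policy, admin_id, app) == "block"


if __name__ == "__main__":
    policy = build_block_policy("Block test user", [TEST_USER], [ADMIN_USER], SEARCH_APP)
    print(json.dumps(policy, indent=2))
    print(what_if(policy, TEST_USER, SEARCH_APP))   # test user is in scope
    print(what_if(policy, ADMIN_USER, SEARCH_APP))  # admin is excluded
```

Running `lockout_risk` against a draft that targets "All" users with no exclusions catches the lock-out case the article warns about before the policy is created.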

After any sign-in attempt has been made, the event is captured in the Sign-in events log. As an admin, you can access a complete list of sign-in events by clicking on the graph on the main Overview screen.

Figure 10 – Click the graph on the Overview screen to see this list of sign-in events.

Figure 11 – The list of sign-in events can be filtered by user. Here, we see the results of searching for “test”.

Let’s take a closer look at that ‘Failure’ event:

Figure 12 – The Failure event details screen includes error codes, failure reasons, and other details.
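When the policy is rolled out in stages, the same sign-in events can be checked in bulk to confirm that each block came from this policy and hit only the intended users. This is an added example, not part of the original article: the records are constructed samples shaped like Microsoft Graph signIn objects, and the policy name, user names and error codes in them are assumptions.

```python
# Constructed sample records (illustrative values, not real log data).
POLICY = "Block Search in Bing - test user"
SAMPLE_SIGN_INS = [
    {"userPrincipalName": "testuser@contoso.example",
     "appDisplayName": "Microsoft Search in Bing",
     "conditionalAccessStatus": "failure",
     "status": {"errorCode": 53003},
     "appliedConditionalAccessPolicies": [
         {"displayName": POLICY, "result": "failure"}]},
    {"userPrincipalName": "admin@contoso.example",
     "appDisplayName": "Microsoft Search in Bing",
     "conditionalAccessStatus": "notApplied",
     "status": {"errorCode": 0},
     "appliedConditionalAccessPolicies": [
         {"displayName": POLICY, "result": "notApplied"}]},
    {"userPrincipalName": "alice@contoso.example",
     "appDisplayName": "Microsoft Search in Bing",
     "conditionalAccessStatus": "failure",
     "status": {"errorCode": 53003},
     "appliedConditionalAccessPolicies": [
         {"displayName": POLICY, "result": "notApplied"},
         {"displayName": "Some other policy", "result": "failure"}]},
]


def blocks_from_policy(sign_ins, policy_name):
    """Sign-ins that failed Conditional Access because of the named policy."""
    hits = []
    for event in sign_ins:
        if event.get("conditionalAccessStatus") != "failure":
            continue
        for applied in event.get("appliedConditionalAccessPolicies", []):
            if (applied.get("displayName") == policy_name
                    and applied.get("result") == "failure"):
                hits.append((event["userPrincipalName"],
                             event["appDisplayName"],
                             event["status"]["errorCode"]))
                break
    return hits


def unexpected_blocks(sign_ins, policy_name, intended_users):
    """Blocks caused by the policy for users outside the intended rollout set."""
    intended = {u.lower() for u in intended_users}
    return [h for h in blocks_from_policy(sign_ins, policy_name)
            if h[0].lower() not in intended]
```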

Deploy the Policy

Now you are ready to set up Conditional Access for actual users in your organization by applying this policy to their accounts.

If you run into trouble, try typing a query such as “how to configure conditional access” into the “Virtual assistant” found in the Azure Active Directory admin center under Troubleshooting + Support.

Figure 13 – The Virtual Assistant can provide guidance on many different topics. Try it if you get stuck.

For more information

See https://docs.microsoft.com/azure/active-directory/conditional-access/ for additional details.

Discuss this article in the Microsoft Technical Community.