Secure on-premises resources with similar technology to Azure AD Conditional Access

Dan Porter 1 Reputation point

Currently working with a client who is looking at introducing the Microsoft Managed Desktop service (so devices are AAD joined). We have some requirements for on-premises infrastructure, so there will be a small AD DS environment, file and print, etc.

The client has some data classifications that can't be stored in the cloud due to geo-restrictions and so will be utilizing some on-premises shares.

Is there a technology set that will allow us to translate Conditional Access policies defined in Azure down to shares on a local Windows Server (or HP Nimble)?

The estate will be greenfield other than the use of HP Nimble, design principle is Microsoft First to make use of M365 E5.

Azure Active Directory
Azure Active Directory Domain Services

2 answers

  1. ShashiShailaj-MSFT 7,466 Reputation points Microsoft Employee

    Hello @DanPorter ,

    You have mentioned that you are going to set up a file and print server on-premises with a small Active Directory environment. The file and print server on-premises use Kerberos and NTLM as the authentication protocol. Conditional Access depends on many components in Azure and is dependent on the OAuth protocol on which the Azure identity system is based, which on-premises AD does not support out of the box. As far as I know there is no way to translate Conditional Access policies defined in Azure to apply during file share access. Any request to map the share by any user will always use the NTLM/Kerberos protocol, which will go to the local domain controller for authentication, and there is no native way to translate this NTLM/Kerberos to OAuth and send it to Azure for authentication/authorization.

    Hope the information helps. In case you have any further queries, please let us know and we will be happy to help. If the provided information is useful, please do accept the post as answer so that it's helpful to others in the community.

    Thank you.

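A way to verify the point made in the answer above on your own file server, as an added example that is not part of the original post or of any Microsoft tooling: list the inbound network logons (Security event 4624, logon type 3, which is what a share mapping produces) and group them by the authentication package that handled them. Every session shows up as Kerberos or NTLM validated by the local domain; none carries an Azure AD token, so no Conditional Access decision was evaluated on that path. It assumes you run it elevated on the file server with the "Audit Logon" subcategory enabled; the `$Hours` parameter and the summary shape are my own choices.

```powershell
# Added example, not from the original Q&A. Summarise how inbound SMB sessions on
# this file server were authenticated. Requires an elevated session and the
# Security log to contain 4624 events (Audit Logon enabled).
param(
    [int]$Hours = 24    # look-back window; assumption, adjust as needed
)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = $since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Pull the named fields out of the event's XML body.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # LogonType 3 = network logon (share access). Skip anonymous/null sessions.
    if ($d.LogonType -ne '3') { continue }
    if ($d.TargetUserName -eq 'ANONYMOUS LOGON') { continue }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
        Package     = $d.AuthenticationPackageName   # 'Kerberos' or 'NTLM'
        LmPackage   = $d.LmPackageName               # e.g. 'NTLM V2' when NTLM
        Source      = $d.IpAddress
        Workstation = $d.WorkstationName
    }
}

# Count of sessions per authentication package: the whole population is
# Kerberos/NTLM against on-premises AD, which is why Azure Conditional Access
# never sees these requests.
$rows | Group-Object Package | Select-Object Name, Count

# Most recent sessions for inspection.
$rows | Sort-Object Time -Descending | Select-Object -First 20 | Format-Table -AutoSize

# Live view of currently connected SMB clients (SmbShare module, Windows Server 2012+).
Get-SmbSession | Select-Object ClientComputerName, ClientUserName, Dialect, NumOpens
```

If you also want the domain controller's side of the same story, the matching evidence is event 4768/4769 (Kerberos TGT and service ticket requests) and 4776 (NTLM credential validation) in the DC's Security log; the same `Get-WinEvent -FilterHashtable` pattern applies with those IDs.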

  2. Jamie Sabbatella 646 Reputation points

    You could look at using Azure VPN to control access to the local resources, Azure VPN supports conditional access.

    Just a thought : )

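A concrete shape for the suggestion above, as an added example that is not part of the original answer or of Microsoft's documentation: switch an existing point-to-site VPN gateway to Azure AD (OpenVPN) authentication, then create a Conditional Access policy that targets the Azure VPN enterprise application and requires MFA plus a compliant device. It assumes an Azure VPN Gateway already deployed in `rg-hub` / `vgw-hub`, a placeholder tenant ID and VPN-users group object ID, and that the Azure VPN enterprise application has already been admin-consented in the tenant; the audience and issuer values are the documented ones for the Azure Public cloud, which you should verify against the current Az.Network docs before use.

```powershell
# Added example, not from the original post. Requires the Az.Network and
# Microsoft.Graph.Identity.SignIns modules and an account with rights to change
# the gateway and create Conditional Access policies.

# ---- Assumptions / placeholders: replace with your own values ----
$TenantId        = '00000000-0000-0000-0000-000000000000'   # placeholder tenant ID
$ResourceGroup   = 'rg-hub'                                 # assumed RG name
$GatewayName     = 'vgw-hub'                                # assumed gateway name
$VpnUsersGroupId = '11111111-1111-1111-1111-111111111111'   # placeholder group object ID
# Documented app ID of the "Azure VPN" enterprise application (Azure Public cloud).
$AzureVpnAppId   = '41b23e61-6c1e-4545-b367-cd054e0ed4b4'

# 1. Put the gateway on Azure AD authentication. OpenVPN is the only P2S
#    protocol that supports AAD auth. Only AAD-issued tokens are accepted
#    afterwards, so Conditional Access can gate the tunnel.
Connect-AzAccount -TenantId $TenantId | Out-Null
$gw = Get-AzVirtualNetworkGateway -ResourceGroupName $ResourceGroup -Name $GatewayName
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw `
    -VpnClientProtocol OpenVPN `
    -VpnAuthenticationType AAD `
    -AadTenantUri   "https://login.microsoftonline.com/$TenantId" `
    -AadAudienceId  $AzureVpnAppId `
    -AadIssuerUri   "https://sts.windows.net/$TenantId/"

# 2. Conditional Access policy scoped to the Azure VPN app. Start in report-only
#    mode, check the sign-in logs, then flip state to 'enabled'.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess' | Out-Null
$policy = @{
    displayName = 'VPN: require MFA and compliant device'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeGroups = @($VpnUsersGroupId) }
        applications   = @{ includeApplications = @($AzureVpnAppId) }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'AND'
        builtInControls = @('mfa', 'compliantDevice')
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Note the boundary this gives you: the Conditional Access decision is made when the tunnel is established, not when the share is opened. Once the client is on the network, SMB still authenticates with Kerberos/NTLM against the on-premises domain controller, so the VPN policy controls reachability of the file server, and NTFS/share ACLs in AD still decide who can read which share.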