Configuring Conditional Access for G Suite

September 5, 2019/
/by Akins IT

Automating Onboarding Students and Using Microsoft to Manage G Suite

Part 2: Configuring conditional access for g suite


The typical IT admin in this scenario requires their School Information System (SIS) to synchronize student data their on-prem AD, Azure AD, and G-Suite. Currently, they feel that neither Microsoft nor Google has provided them with a convenient method with which to both effectively and efficiently manage the identities in these seemingly disparate environments


By integrating Azure Active Directory with G-suite, we will be able to administratively manage an organization's on-prem AD, Azure AD, and G-suite identities from a single portal. In addition, with G-suite's identity management being delegated to Azure AD, we can redirect the SIS's synchronization from G-suite to either the on-prem AD or Azure AD.

In this way, we will have a continuous stream of data flowing from one entry point, that is reflected in all relevant directories. Such a seamless system will make the provisioning of identities, access permissions, and group memberships a simple process for IT administrators.

Part II: Configuring conditional access for g suite


In this section we will be pivoting to the following items:

  • Overview of Conditional Access
  • Sample CA Policy for MFA based on Location
  • Review of Student’s Login Experience

The Conditional Access (CA) policy that we will be creating for our students in this example will be based on location. The intended result of this CA policy is to challenge individuals who attempt to log into G Suite from a location that is outside the school’s campus.

The steps to create this CA policy include:

  1. Name the CA policy
  2. Specify the security group that we assigned to our G Suite SSO app
  3. Select G Suite as our Cloud app
  4. Designate Any location to be Included in this policy
  5. Exclude All trusted locations
  6. Select Require multi-factor authentication for the controls to be enforced in order to Grant access




  • Selected option to include any location in CA policy


  • Excluded All Trusted Locations from this CA policy
  • In this way, users will not be prompted to MFA while on the school’s premises


  • Access to G Suite resources will still be granted to those users who are outside of the school’s premises, but they are required to authenticate with MFA

With Azure AD now managing the identities in G Suite, we can take advantage of the powerful tools in Microsoft’s arsenal for protecting those identities. By applying Conditional Access and MFA on those identities, we will be ensuring that users are only being challenged when attempting to login from untrusted locations, such as when they are off campus.





Contact Us