Conditional Access

Conditional access is Microsoft's tool for system authorization based on a combination of:
  1. user and device identity
  2. location signaling
  3. and if necessary,

  4. two-factor user verification.

ITS will begin to utilize Conditional Access on January, 10, 2022 to increase the level of security for our employee’s single-sign-on (SSO) to all Microsoft O365 software and some enterprise solutions (those using Microsoft SSO).

HOW DOES CONDITIONAL ACCESS WORK?

Simplified, conditional access procedures are if-then statements: if a UofL employee wants to access a resource, then a conditional action must then be completed on two of three fronts. The majority of conditional access requests are fulfilled by the first and second actions – a UofL employee with a recognized device working from campus or a previous known location (frequent access via IP address) – so there is no need for a third action.

However, on the occasion when the employee is traveling and attempts to log-in on their university laptop but from an unknown network or IP address, the second aspect is not possible. In this instance, the need for the conditional action must be taken by fulfilling the 3) user verification by means of two-factoring or acknowledging through UL2FCTR (Duo two-factor authentication).

Using UL2FCTR

User two-factor verification is already a known process for the majority of UofL Employees. For example: currently, if an employee wants to view their payroll check in ULink, they are required to perform UL2FTCR (Duo) to access PeopleSoftHR pages.

Limiting high-risk log-ins

The extra step of two-factor authentication for employees accessing university email or secure systems will only occur when users are off-campus, at a location unfamiliar to the system or on an unknown device. In of our testing, this occurred in only 1.5% of situations.

How do I sign up early?

UofL faculty and staff can protect both their own and all university assets plus add an extra layer of security when working from any location by filling out our early implementation request form. We can add individuals or groups of users (departmental approval required).