Microsoft Search in Bing is a powerful tool that you can enable as part of your Microsoft 365 subscription. What do you get as an end user when using Bing to search? Your users are not only searching the internet but also internal resources:
- SharePoint Online
- OneDrive for Business
- Outlook on the web
- Office apps on Windows
So when your company uses Microsoft to store and share documents, your end users also get search results from your internal data.
If you search for a person or a word, your internal data will show up at the top of bing.com.
Bing search only shows results that you as an end user have the right to see. Still, you may not want your end users to search internal resources when they are not on a trusted and compliant device. In that case Azure Active Directory Conditional Access is the right tool for the job. With Conditional Access you can require different controls that are checked when a user accesses corporate data. One of them is the compliant device control, which checks whether the device meets the compliance policy from Intune. Compliance policies can in turn check different settings and controls that match your corporate security policy. I will not cover how to make a device compliant in this blog post.
First you need to check if Microsoft Search in Bing is enabled in your tenant:
Log in to the Microsoft 365 admin center
- Click Settings
- Click Services & add-ins
- Select On for “Enable Microsoft Search in Bing”
Now your end users can use Microsoft Search in Bing when they log in to Bing.
If the end user is on an Azure Active Directory joined or hybrid joined device, there is single sign-on to Bing search.
How to use Conditional Access with Microsoft Search:
Log in to the Azure Active Directory admin center
- Click Conditional Access
- Click New policy
- Enter a name for your CA policy : CA – Microsoft Search require compliant device
- Click – Assignments – Users and groups
- Select – All users, or target the users that meet your security requirements
- Select – Exclude if there are users this should not apply to.
- Click – Cloud apps or actions
- Click – Select apps
- Click – Select
- Applications – search for Microsoft search
- Select – Microsoft Search in Bing
- Click – Conditions
- Click – Device Platforms
- Click – Configure Yes
Note: remember to exclude device platforms if you don’t want the policy to apply to them, for example mobile devices
- Select – Grant
- Click – Grant Access
- Select – Require device to be marked as compliant (Intune enrolled and compliant devices)
- Select – Require Hybrid Azure AD joined devices (applies only to Windows devices that are domain joined and hybrid joined – not to AAD joined devices)
- Select – Require one of the selected controls
Now you are ready to enable the policy.
Note: Remember to always test Conditional Access rules in your test environment or with a test group before deploying in production.
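The same policy can be expressed as a script with the Microsoft Graph PowerShell SDK. This is an added example, not part of the original post: it assumes the app's service principal carries the display name "Microsoft Search in Bing", uses a placeholder for the exclusion group, excludes Android and iOS as the mobile platforms, and creates the policy in report-only mode so it can be tested before enforcement.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Assumption: the cloud app is found under the display name shown in the portal.
$app = @(Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Search in Bing'")
if ($app.Count -ne 1) {
    throw "Expected exactly one 'Microsoft Search in Bing' service principal, found $($app.Count)."
}

# Placeholder: object ID of the group holding users the policy must not apply to.
$excludeGroupId = '<object-id-of-exclusion-group>'

$policy = @{
    displayName = 'CA – Microsoft Search require compliant device'
    # Report-only: sign-ins are evaluated and logged, but nobody is blocked yet.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{
            includeUsers  = @('All')
            excludeGroups = @($excludeGroupId)
        }
        applications   = @{
            includeApplications = @($app[0].AppId)
        }
        clientAppTypes = @('all')
        # Assumption: all platforms in scope except mobile, as in the note above.
        platforms      = @{
            includePlatforms = @('all')
            excludePlatforms = @('android', 'iOS')
        }
    }
    grantControls = @{
        # "Require one of the selected controls" in the portal.
        operator        = 'OR'
        builtInControls = @('compliantDevice', 'domainJoinedDevice')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Once the report-only results in the sign-in logs look right for your test group, set the policy state to `enabled` to enforce it.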
The end user experience:
When you are using a browser that does have the capability to pass information about the device compliance state to Azure Active Directory, the end user will get this message:
If you are on a device that is not compliant you will get a message – Oops – You can’t get this yet
In this case the device is registered to the corporate Azure Active Directory but is not Intune managed, so the device cannot be compliant.