Conditional access policies

Administrators of Azure AD can configure conditional access policies to restrict user access to Power BI based on the user or security group, the IP address of the user sign-in attempt, the device platform of the user, and other factors. A very common scenario supported by conditional access policies is to either block access to Power BI from outside the corporate network or to require multi-factor authentication (MFA) for these external sign-in attempts. As a robust, enterprise-grade feature, organizations can use conditional access policies in conjunction with security groups to implement specific data governance policies.

Each Azure AD conditional access policy is composed of one or more conditions and one or more controls. The conditions define the context of the sign-in attempt such as the security group of the user and the user's IP address, while the controls determine the action to take given the context. For example, a policy could be configured for the entire organization and all non-trusted IP addresses (the conditions) that requires MFA to access Power BI (the control). The Azure portal provides a simple user interface for configuring the conditions and controls of each conditional access policy. 

The following steps and supporting screenshots describe the creation of an Azure AD conditional access policy that requires MFA for users from the sales team accessing Power BI from outside the corporate network:

  1. Log in to the Azure portal and select Azure Active Directory from the main menu
  2. From the SECURITY group of menu items, select Conditional access, as shown in the screenshot:
Screenshot: Conditional access in Azure AD
  3. Select the new policy icon at the top and enter a name for the policy, such as Sales Team External Access MFA
  4. Set the Users and groups assignment property to an Azure AD security group (such as AdWorks DW Sales Team)
  5. Set the Cloud apps assignment property to Microsoft Power BI service
  6. On the Conditions assignment property, configure the locations to include any location and exclude all trusted locations:
    • With this definition, the policy will apply to all IP addresses not defined as trusted locations in Azure AD
  7. On the Grant access control property, select the checkbox to require multi-factor authentication
  8. Finally, set the Enable policy property at the bottom to On and click the Create command button:
Screenshot: Configure new Azure AD conditional access policy

The minimum requirements to create a new conditional access policy are the Users and groups property, the Cloud apps property (Power BI service), and at least one access control. As with all security implementations, conditional access policies should be tested and validated. In this screenshot, a user within the AdWorks DW Sales Team attempts to log in to Power BI from outside the corporate network. The user should be prompted (challenged) to authenticate by providing a mobile device number and entering an access code sent via text message.
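The policy built in the steps above can also be expressed as a Microsoft Graph conditional access policy object, which makes the conditions (users, cloud apps, locations) and the control (MFA) explicit and lets you check the minimum requirements and the expected sign-in outcomes before enabling anything. The following is an added example written for this section; it is not code from the book or from Microsoft. It assumes Graph's documented policy shape (`conditions.users.includeGroups`, `conditions.applications.includeApplications`, `conditions.locations` with the well-known `All` and `AllTrusted` values, and `grantControls.builtInControls`), and it uses placeholders for the security group object id and the Power BI service application id, which must be looked up in your own tenant. The trusted network range and sign-in addresses are constructed test values.

```python
"""Model an Azure AD conditional access policy in the Microsoft Graph shape
(identity/conditionalAccess/policies) and evaluate it offline.
Added example, not from the book or from Microsoft."""
import ipaddress

# Placeholders (assumptions): look these up in your tenant.
POWER_BI_APP_ID = "<power-bi-service-app-id>"
SALES_GROUP_ID = "<objectId-of-AdWorks-DW-Sales-Team>"

# Well-known Graph location values: "any location" and "all trusted locations".
ANY_LOCATION = "All"
ALL_TRUSTED = "AllTrusted"
EVERYONE = "All"  # includeUsers: ["All"] means the whole organization


def build_policy() -> dict:
    """Policy body equivalent to steps 3 to 8 in the text."""
    return {
        "displayName": "Sales Team External Access MFA",
        "state": "enabled",  # "enabledForReportingButNotEnforced" = report-only
        "conditions": {
            "users": {"includeGroups": [SALES_GROUP_ID]},
            "applications": {"includeApplications": [POWER_BI_APP_ID]},
            "locations": {
                "includeLocations": [ANY_LOCATION],
                "excludeLocations": [ALL_TRUSTED],
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def validate_policy(policy: dict) -> list:
    """Return the minimum requirements that are missing (empty list = OK):
    an assignment of users/groups, a cloud app, and at least one control."""
    problems = []
    cond = policy.get("conditions", {})
    users = cond.get("users", {})
    if not (users.get("includeUsers") or users.get("includeGroups")):
        problems.append("users/groups assignment is empty")
    if not cond.get("applications", {}).get("includeApplications"):
        problems.append("cloud apps assignment is empty")
    if not (policy.get("grantControls") or {}).get("builtInControls"):
        problems.append("no access control selected")
    return problems


# Constructed trusted (named) location: the corporate egress range.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def is_trusted(ip: str) -> bool:
    """True when the sign-in source address falls inside a trusted location."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def required_controls(policy: dict, user_groups: list, app_id: str,
                      source_ip: str) -> list:
    """Controls the policy imposes on a sign-in, or [] when it does not apply.
    Every condition must match (user, app, location) for the control to fire."""
    if policy.get("state") != "enabled":
        return []
    cond = policy["conditions"]
    users = cond["users"]
    in_users = (EVERYONE in users.get("includeUsers", []) or
                bool(set(users.get("includeGroups", [])) & set(user_groups)))
    if not in_users:
        return []
    if app_id not in cond["applications"]["includeApplications"]:
        return []
    loc = cond["locations"]
    in_scope = ANY_LOCATION in loc["includeLocations"]
    if ALL_TRUSTED in loc["excludeLocations"] and is_trusted(source_ip):
        in_scope = False  # trusted locations are carved out of the policy
    if not in_scope:
        return []
    return list(policy["grantControls"]["builtInControls"])


if __name__ == "__main__":
    policy = build_policy()
    print("missing requirements:", validate_policy(policy))
    for ip in ("198.51.100.7", "203.0.113.10"):
        print(ip, "->", required_controls(policy, [SALES_GROUP_ID],
                                          POWER_BI_APP_ID, ip))
```

The evaluator mirrors the test described in the text: a sales team member signing in from an address outside the trusted range gets the `mfa` control, the same user from the corporate range gets none, and a user outside the group is never in scope. Before switching `state` to `enabled`, Graph's report-only state lets you observe what the policy would have done to real sign-ins without blocking anyone.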

It's important to remember that conditional access policies are in addition to the user permissions defined in the Power BI service and the row-level security roles created in Power BI datasets or Analysis Services data models. The User Permissions section in Chapter 11, Creating Power BI Apps and Content Distribution, contains additional information on these security layers. 

Azure AD conditional access policies require either an Enterprise Mobility and Security E5 license or an Azure AD Premium P2 license. Enterprise Mobility and Security (EMS) E5 licenses include Azure AD Premium P2 as well as Microsoft Intune, Microsoft's mobile device management service. Additional information on features, licensing, and pricing for EMS is available at the following URL: http://bit.ly/2lmHDZt.

The following URL from MS Docs contains best practices for conditional access policies in Azure AD: http://bit.ly/2nXAjlA.