Conditional Access in Azure Active Directory

Ganesh Chauhan, Technical Support Specialist, Microsoft Azure.

The modern security perimeter now includes user and device identity in addition to an organization’s network. Identity-driven signals can be used by organizations to make access control decisions.

Conditional Access combines signals to make decisions and enforce organizational policies. The new identity-driven control plane is powered by Azure AD Conditional Access.

At their most basic, conditional access policies are if-then statements: if a user wants to access a resource, they must first complete an action. For example, a payroll manager needs to access the payroll application and must use multi-factor authentication to do so.

Administrators must prioritize two objectives:


– Enable users to be productive wherever and whenever they want.

– Safeguard the assets of the organization.

To keep your organization secure, use Conditional Access policies to apply the appropriate access controls when they are required.

Common signals

The following are examples of common signals that Conditional Access can consider when making a policy decision:

  • User or group membership

Policies can be tailored to specific users and groups, giving administrators fine-grained access control.

  • IP address location data

Organizations can create trusted IP address ranges for use in policy decisions.

Administrators can block or allow traffic from the IP ranges of entire countries or regions.

  • Device

Conditional Access policies can be enforced based on the platform of a user's device or on a device being marked with a specific state.

Use device filters to target policies to specific devices, such as privileged access workstations.

  • Application

Different Conditional Access policies may be triggered when users attempt to access specific applications.

  • Real-time and calculated risk detection

Signal integration with Azure AD Identity Protection enables Conditional Access policies to detect risky sign-in behaviour. Policies can then require users to change their passwords, use multi-factor authentication to reduce their risk level, or block access until an administrator intervenes.

  • Microsoft Cloud App Defender

Allows for real-time monitoring and control of user application access and sessions, increasing visibility and control over access to and activities performed within your cloud environment.

Policies that are commonly used

Many organizations face common access issues that Conditional Access policies can help with, including:

  • Requiring multi-factor authentication for administrative users
  • Requiring multi-factor authentication for Azure management tasks
  • Blocking sign-ins for users attempting to use legacy authentication protocols
  • Requiring trusted locations for Azure AD Multi-Factor Authentication registration
  • Restricting or allowing access from specific locations
  • Preventing risky sign-in behaviors
  • Requiring organization-managed devices for specific applications
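
One way to audit an exported policy set against two items from the list above (an added example, not code from the author or Microsoft). It assumes the policies were exported as JSON in the shape of the Microsoft Graph conditionalAccessPolicy resource; the sample policies, their display names and the role ID placeholder are constructed.

```python
import json

# Constructed sample in the shape of the Graph conditionalAccessPolicy resource.
# Display names are invented; "<role-template-id>" is a placeholder, not a real ID.
SAMPLE_EXPORT = json.loads("""
[
  {"displayName": "Block legacy authentication", "state": "enabled",
   "conditions": {"users": {"includeUsers": ["All"]},
                  "clientAppTypes": ["exchangeActiveSync", "other"]},
   "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
  {"displayName": "MFA for admins (pilot)", "state": "enabledForReportingButNotEnforced",
   "conditions": {"users": {"includeRoles": ["<role-template-id>"]}},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
  {"displayName": "MFA or compliant device for admins", "state": "enabled",
   "conditions": {"users": {"includeRoles": ["<role-template-id>"]}},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]}}
]
""")
LEGACY_CLIENTS = {"exchangeActiveSync", "other"}

def enforces(policy, control):
    """True only if the policy is enforced and always applies `control`."""
    if policy.get("state") != "enabled":   # report-only and disabled do not enforce
        return False
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    # With operator OR, any single listed control satisfies the policy.
    return control in controls and (grant.get("operator") == "AND" or len(controls) == 1)

def blocks_legacy_auth(policy):
    cond = policy.get("conditions", {})
    return (enforces(policy, "block")
            and "All" in cond.get("users", {}).get("includeUsers", [])
            and LEGACY_CLIENTS <= set(cond.get("clientAppTypes", [])))

def requires_mfa_for_admin_roles(policy):
    roles = policy.get("conditions", {}).get("users", {}).get("includeRoles", [])
    return enforces(policy, "mfa") and bool(roles)

def audit(policies):
    """Map each baseline check to the names of the policies that satisfy it."""
    checks = {"block_legacy_auth": blocks_legacy_auth,
              "mfa_for_admin_roles": requires_mfa_for_admin_roles}
    return {name: [p["displayName"] for p in policies if fn(p)]
            for name, fn in checks.items()}

if __name__ == "__main__":
    for check, names in audit(SAMPLE_EXPORT).items():
        print(check, "->", names or "GAP: no enforced policy")
```

In the sample, the admin MFA check reports a gap: one policy is report-only, and the other lets a compliant device stand in for MFA.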


Requirements for a license

Using this feature requires Azure AD Premium P1 licenses. See Compare Azure AD’s generally available features to find the right license for your needs.

Conditional Access features are also available to customers with Microsoft 365 Business Premium licenses.

Identity Protection, an Azure AD P2 feature, is required for risk-based policies.

Other products and features that may interact with Conditional Access policies necessitate appropriate licensing.

When Conditional Access licenses expire, policies are not automatically disabled or deleted, allowing customers to transition away from Conditional Access policies without a sudden change in their security posture. Policies can still be viewed and deleted, but they can no longer be updated.

All customers have access to security defaults, which help protect against identity-related attacks.

