In a traditional on-premises infrastructure, the system administrator has full control over how users reach corporate resources. With cloud services, resources can be accessed both from the corporate network and from anywhere on the Internet. Conditional Access (CA) is an Azure Active Directory feature that allows or denies access to company resources based on the user, the device, the location, the multi-factor authentication (MFA) status, and a number of other signals. Conditional Access lets you significantly raise the security of your resources without complicating access for users.
The Conditional Access mechanism evaluates every sign-in to a resource against the conditions (signals) defined in a policy and applies a decision to that connection. A Conditional Access policy can block access, grant it unconditionally, or grant it only if additional requirements (such as MFA or a compliant device) are met.
Conditional Access policies can evaluate a number of conditions before granting a user access to a resource:
- Is the user a member of a specific Azure AD group?
- Which cloud application is the user trying to access?
- Is the connection coming from a managed device (Intune-compliant or Hybrid Azure AD joined) or not?
- From which IP address or subnet is the user connecting? Is the user connecting from outside the company network?
- What type of client is the user using (a desktop app, a mobile app, or a browser)?
- etc.
You can combine these conditions to provide the highest level of protection when accessing your corporate resources.
Note. Be careful when creating Conditional Access policies: a misconfigured policy can lock administrators out of the tenant. Always exclude at least one emergency access (break-glass) account, or a dedicated group containing such accounts, from every policy so that you do not lose access to your Azure tenant.
Azure Active Directory (AAD) Conditional Access requires an Azure AD Premium P1 license, which is included in Microsoft 365 Business Premium and Microsoft 365 E3/E5 (previously it was only available to Azure AD Premium subscribers). Risk-based policies additionally require Azure AD Premium P2.
Sign in to the Azure Portal as an administrator and go to Azure Active Directory > Security > Conditional Access > Policies.
By default, no Conditional Access policies exist in an Azure tenant. You can create a new policy manually or from a template (currently in preview).
Click New policy from template (Preview).
The following policy templates are available:
Conditional Access policies for identities (ensure that all identities use strong authentication when signing in):
- Require multifactor authentication for admins — the policy requires the mandatory use of MFA for some administrative roles;
- Securing security info registration — controls when and how users can register for Azure AD multi-factor authentication and self-service password reset;
- Block legacy authentication — the policy blocks access via legacy authentication protocols that do not support multi-factor authentication (MFA);
- Require multifactor authentication for all users;
- Require multifactor authentication for guest access;
- Require multifactor authentication for Azure management — MFA requirement for users to sign in to services based on the Azure Resource Manager API (Azure Portal, Azure CLI, PowerShell);
- Require multifactor authentication for risky sign-ins — requires MFA when the sign-in risk is evaluated as medium or high (requires an Azure AD Premium P2 license);
- Require password change for high-risk users.
Conditional Access policies for devices (rules for checking the devices that connect to your resources):
- Require compliant or hybrid Azure AD joined device for admins;
- Block access for unknown or unsupported device platforms;
- No persistent browser session — prevents browser sessions from remaining signed in after the browser is closed and sets the sign-in frequency to 1 hour;
- Require approved client apps and app protection — requires modern-auth client apps that support Intune app protection policies;
- Require compliant or hybrid Azure AD joined device or multifactor authentication for all users — for Windows and macOS devices only;
- Use application enforced restrictions for unmanaged devices.
Let's try to create our own Conditional Access policy in Azure.
Click New policy in the AAD Conditional Access Policies blade and set the policy name.
In the Assignments section, specify to whom and to what the policy applies:
Users and groups — the users covered by the policy: all users in Azure AD or specific users/groups. Exclusions (for example, your break-glass accounts) are specified separately.
Cloud apps — select the apps registered in Azure AD (you can select more than one cloud app, or all cloud apps).
Additional conditions are specified in the Conditions section.
- User risk level — the user risk levels (High, Medium, or Low) at which the policy is enforced;
- Sign-in risk — an assessment of the risk of a particular sign-in (from where, at what time, with which client, how typical this behavior is, etc.). Azure AD Identity Protection detects risks such as Atypical travel, Impossible travel, Anomalous token, Token issuer anomaly, Suspicious browser, Malware linked IP address, Activity from an anonymous IP address, Mass access to sensitive files, etc. An Azure AD Premium P2 license is required;
- Device platforms — the platforms the policy applies to (for example, only mobile clients, or only Windows computers);
- Locations — lets you use named locations, such as lists of trusted IP addresses, to include or exclude sign-ins from specific networks;
- Client apps — the client apps the policy applies to: modern authentication clients (browsers, mobile apps and desktop clients) or legacy authentication clients (Exchange ActiveSync clients and other clients such as older Office versions and mail protocols like POP, IMAP and SMTP);
- Filter for devices — a custom filter expression over device properties that selects the managed devices the policy applies to (or is excluded from).
Next, configure what the policy does when all of the conditions match.
Grant — block access, or grant access and require additional controls (MFA, a compliant device, an approved client app, etc.). When several controls are selected, you can require all of them or any one of them.
Then select the policy mode (Enable policy):
- Report-only — the policy is evaluated and its results are logged in the sign-in logs, but user and device access is not blocked (use this to test a new policy before enforcing it);
- On — the policy is enabled and enforced;
- Off — the policy is turned off.
You will not be able to turn a Conditional Access policy On while security defaults are enabled in your tenant (Azure Active Directory > Properties > Manage Security Defaults): security defaults and Conditional Access policies cannot be used together.
Setting up Conditional Access policies in the Azure Portal is quick and easy. For complex policies or automated deployments, you can use PowerShell with the Microsoft Graph API instead.
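As an added example (this is not code from the original article), the following script creates with the Microsoft Graph PowerShell SDK the same kind of policies the portal walkthrough above describes: a trusted named location, an MFA requirement for all users outside trusted locations, and a block on legacy authentication clients. The group name CA-BreakGlass-Exclude, the policy names and the IP range 203.0.113.0/24 are placeholders you would replace with your own; the cmdlets themselves are those of the Microsoft.Graph module.

```powershell
# Added example (not from the original article): creating Conditional Access
# policies with the Microsoft Graph PowerShell SDK instead of the portal.
# Assumptions: the Microsoft.Graph module is installed (Install-Module Microsoft.Graph),
# the signed-in account holds the Conditional Access Administrator role, and a group
# named "CA-BreakGlass-Exclude" containing the emergency access accounts already exists.
# The IP range 203.0.113.0/24 and the policy names are placeholders.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# 1. Resolve the break-glass group that every policy must exclude. Refuse to
#    continue without it rather than risk locking the tenant's admins out.
$breakGlass = Get-MgGroup -Filter "displayName eq 'CA-BreakGlass-Exclude'"
if (-not $breakGlass) { throw "Break-glass exclusion group not found; refusing to create policies." }

# 2. A trusted named location for the corporate office (placeholder range).
$locationBody = @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Corporate office"
    isTrusted     = $true
    ipRanges      = @(
        @{
            "@odata.type" = "#microsoft.graph.iPv4CidrRange"
            cidrAddress   = "203.0.113.0/24"
        }
    )
}
$office = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $locationBody
Write-Host "Created trusted location '$($office.DisplayName)' ($($office.Id))"

# 3. Require MFA for all users on modern-auth clients when outside trusted locations.
#    Created in report-only mode so the sign-in logs show its effect before enforcement.
$mfaPolicy = @{
    displayName   = "CA01 - Require MFA outside trusted locations"
    state         = "enabledForReportingButNotEnforced"   # later: "enabled" or "disabled"
    conditions    = @{
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlass.Id)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
        locations      = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")   # covers the named location created above
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaPolicy

# 4. Block legacy authentication protocols, which cannot satisfy an MFA requirement.
$legacyPolicy = @{
    displayName   = "CA02 - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlass.Id)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")   # EAS and all other legacy clients
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $legacyPolicy

# 5. Review the policies in the tenant and the mode each one is in.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State, Id

# 6. Once the report-only results in the sign-in logs look right, enforce a policy.
$policyId = (Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq 'CA02 - Block legacy authentication'").Id
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policyId -BodyParameter @{ state = "enabled" }
```

Both policies are created in report-only mode (state enabledForReportingButNotEnforced), which corresponds to the Report-only switch in the portal; review the "Report-only" result column in the Azure AD sign-in logs before switching the state to enabled, and keep the break-glass group excluded from every policy you add.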