Azure AD Conditional Access Best Practices

Published on October 27, 2023 | By Azure Security Team

Azure Active Directory (Azure AD) Conditional Access is a powerful tool that acts as your organization's first line of defense for identity and access management. It allows you to enforce granular access policies based on conditions such as user, location, device, application, and real-time risk. Implementing best practices for Conditional Access is crucial for maximizing its effectiveness and ensuring a secure yet productive environment.

The Core Principles of Conditional Access

Before diving into specific best practices, it's important to understand the foundational principles:

• Least Privilege: Grant only the necessary access to resources.
• Defense in Depth: Implement multiple layers of security controls.
• Zero Trust: Never trust, always verify. Authenticate and authorize based on all available data points.
• User Experience: Balance security with usability to avoid user friction.

Key Best Practices

1. Start with a Baseline Policy (Report-Only Mode)

The most critical first step is to deploy policies in Report-only mode. This allows you to monitor the impact of your policies without enforcing them, preventing unintended access disruptions. Review the sign-in logs to understand which users and scenarios would be affected.

2. Target Specific Users and Groups

Avoid applying policies to "All Users" indiscriminately, especially during initial rollout. Instead, start with specific pilot groups and gradually expand. This allows for controlled testing and feedback.

• Create dedicated groups for testing.
• Consider administrative roles or specific departments for initial rollout.

3. Leverage User and Sign-in Risk Policies

Azure AD Identity Protection provides risk signals that can be used as conditions in Conditional Access. These policies are essential for detecting and responding to suspicious activities.

• Require multi-factor authentication (MFA) for users with detected sign-in risk.
• Block access for users with a high user risk.
• Block sign-ins from unmanaged devices or untrusted locations.

4. Enforce Multi-Factor Authentication (MFA)

MFA is one of the most effective controls against compromised credentials. Make it a cornerstone of your Conditional Access strategy.

• Require MFA for all users accessing sensitive applications.
• Require MFA when users are signing in from untrusted locations.
• Use MFA for administrative accounts as a mandatory requirement.

5. Control Access Based on Device State

Ensure devices accessing your resources meet your organization's security standards.

• Require Compliant Devices: Enforce that devices managed by Intune or another MDM are compliant with your policies (e.g., encryption, OS version).
• Require Hybrid Azure AD Joined Devices: For internal resources, ensure devices are joined to your on-premises Active Directory and registered with Azure AD.

6. Restrict Access Based on Location

Control access based on geographical location to mitigate risks associated with unauthorized access from unknown or untrusted locations.

• Named Locations: Define trusted IP address ranges (e.g., corporate network) and block access from all other locations for highly sensitive applications.
• Require MFA from untrusted locations.

7. Grant Least Privilege Access to Applications

Apply granular controls to specific applications. Not all applications require the same level of security. Classify your applications by sensitivity.

• Block legacy authentication protocols (e.g., POP, IMAP, SMTP AUTH). These protocols do not support MFA and are a common attack vector.
• Use session controls like "Use app enforced restrictions" for cloud apps that support them.

8. Use Session Controls Effectively

Session controls provide granular control over how users access cloud applications.

• Sign-in frequency: Control how often users need to re-authenticate.
• Persistent browser session: Allow users to stay signed in after closing and reopening their browser. Use with caution.
• Conditional Access App Control: Integrate with Microsoft Defender for Cloud Apps to monitor and control user actions within cloud apps (e.g., block downloads of sensitive data).

9. Plan for Emergency Access Accounts

It is critical to have at least two "break-glass" accounts that are excluded from Conditional Access policies. These accounts should be highly secured and monitored.

10. Regularly Review and Audit Policies

The threat landscape and your organization's needs evolve. Therefore, regular review and auditing of your Conditional Access policies are essential.

• Schedule periodic reviews of all policies (e.g., quarterly).
• Monitor sign-in logs and audit logs for any suspicious activity or policy bypasses.
• Stay updated with new features and recommendations from Microsoft.

Example Policy Snippet (Conceptual)

Here's a conceptual example of a policy that requires MFA for users accessing sensitive apps from untrusted locations:

{
  "displayName": "Require MFA for Sensitive Apps from Untrusted Locations",
  "state": "enabled",
  "conditions": {
    "applications": {
      "includeApplications": [
        "all"
      ]
    },
    "locations": {
      "excludeLocations": [
        "10.0.0.0/8", // Example: Trusted internal IP range
        "192.168.0.0/16", // Example: Another trusted internal IP range
        "home" // Example: Allow trusted home networks
      ],
      "includeLocations": [
        "any"
      ]
    },
    "users": {
      "includeUsers": [
        "AllUsers"
      ]
    }
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": [
      "mfa"
    ]
  }
}
        

Conclusion

Azure AD Conditional Access is a cornerstone of modern identity security. By implementing these best practices, you can significantly enhance your organization's security posture, protect sensitive data, and ensure a more secure and productive user experience. Remember to always test policies in report-only mode before enabling enforcement and to continuously monitor and refine your configurations.