Introduction to Conditional Access
Azure Active Directory (Azure AD, now Microsoft Entra ID) Conditional Access is the policy engine that evaluates the signals of a sign-in (who the user is, which application they are requesting, what device and network they are coming from) and makes an access decision: allow, allow only after a control such as multi-factor authentication (MFA) or a compliant device is satisfied, or block. Because policies are evaluated on every token request to the identity platform, they let you enforce granular, condition-based access to all of your cloud applications from one place.
This tutorial will guide you through the process of creating and configuring a basic Conditional Access policy to secure access to your cloud applications.
Prerequisites
Before you begin, ensure you have the following:
- An Azure AD tenant with a Premium P1 or P2 license.
- An account with appropriate administrative privileges (e.g., Conditional Access Administrator, Security Administrator, or Global Administrator).
- Access to the Azure portal.
Step 1: Creating a New Conditional Access Policy
Navigate to Conditional Access
1. Sign in to the Azure portal.
2. Search for and select Azure Active Directory.
3. In the left navigation pane, under Security, select Conditional Access. (In the Microsoft Entra admin center the same blade is under Protection > Conditional Access.)
Create a New Policy
1. In the Conditional Access overview page, click + New policy.
2. Give your policy a descriptive name, for example, "Require MFA for Admin Roles".
Step 2: Define Assignments
This section defines who and what the policy applies to.
2.1. Users and groups
Include Users
Under Assignments, click on Users.
In the Include tab, select the users or groups you want this policy to apply to. It's recommended to start with a small group of test users or specific administrative roles.
Tip: Avoid selecting 'All users' initially to prevent accidental lockout. Use 'Directory roles' to target administrative roles (for example Global Administrator) and 'Users and groups' to target specific security groups of test users; role-based targeting follows the privilege, not the person, so the policy still applies when roles are reassigned.
Exclude Users (Optional)
You can optionally exclude specific users or groups from this policy. This is crucial for break-glass accounts or emergency access.
Important: Ensure you have at least one emergency access or break-glass account excluded from all Conditional Access policies to prevent being locked out of your tenant. Because the exclusion removes Conditional Access from those accounts entirely, protect them with their own strong, non-phishable credential, and monitor the sign-in logs so that any use of them raises an alert.
2.2. Cloud apps or actions
Select Cloud Apps
Click on Cloud apps or actions under Assignments.
In the Include tab, select the cloud applications or actions this policy should target. Common choices include:
- All cloud apps: Applies to all applications.
- Select apps: Allows you to choose specific applications (e.g., Azure portal, Microsoft 365).
- User actions: For specific user actions like registering security information.
Tip: For enhanced security, consider applying policies to critical applications like the Azure portal or Microsoft 365. For initial testing, select a single application.
Step 3: Define Conditions (Optional but Recommended)
Conditions allow you to apply policies only when specific circumstances are met.
3.1. Device platforms
Configure Device Platforms
Click on Conditions, then select Device platforms.
To use this condition, set the toggle to Yes.
Under Include, select Any device or choose specific platforms (e.g., iOS, Android, Windows, macOS); under Exclude, list platforms the policy should skip. A typical use is to require MFA or a compliant device only on mobile platforms.
Caveat: the device platform is derived from the user-agent string the client sends, which is unverified and easy to spoof. Use this condition together with a device compliance requirement or as part of a block rule, never as the only thing standing between an attacker and an application.
3.2. Locations
Configure Locations
Go back to Conditions and select Locations.
To use this condition, set the toggle to Yes.
You can configure policies based on the user's network location:
- Any location
- All trusted locations (requires configuration of named locations)
- Selected locations (choose specific countries, IP ranges, or named locations)
Use the Include and Exclude tabs to define where the policy applies. The most common pattern is Include: Any location and Exclude: All trusted locations, so that the control is only required when the user is off the corporate network.
Tip: A common scenario is to require Multi-Factor Authentication (MFA) when users are outside of trusted network locations.
3.3. Client applications
Configure Client Applications
Go back to Conditions and select Client applications.
To use this condition, set the toggle to Yes.
Select the types of client applications the policy should apply to. The options are grouped by how the client authenticates:
- Modern authentication clients: Browser, and Mobile apps and desktop clients. These support MFA and device-based controls.
- Legacy authentication clients: Exchange ActiveSync clients, and Other clients (older protocols such as IMAP, POP3, SMTP AUTH and Office clients using basic authentication). These cannot satisfy MFA, so the only meaningful control for them is Block access.
Check the client types the policy should target; everything unchecked is left alone.
Important: Blocking legacy authentication is a strong security recommendation, because password-only protocols are the usual path for password-spray and credential-stuffing attacks to bypass MFA. The standard policy targets all users (with break-glass accounts excluded), all cloud apps, only the two legacy client types, and Block access. Before enabling it, review the sign-in logs (filter on Client app) to find the mailboxes and service accounts still using these protocols.
Step 4: Define Access Controls (Grant)
This section specifies what actions to take when the policy conditions are met.
Configure Grant Controls
Click on Grant under Access controls.
The two top-level choices are:
- Block access: Deny the sign-in outright.
- Grant access: Allow the sign-in, optionally only after one or more of the following controls is satisfied:
- Require multi-factor authentication: A common and highly recommended control.
- Require device to be marked as compliant: The device must be enrolled in Intune (or a partner MDM) and meet its compliance policy.
- Require Hybrid Azure AD joined device: The device must be joined to your on-premises Active Directory domain and registered with Azure AD; this proves it is a corporate device, not that it is healthy.
- Require approved client application: The request must come from an app on Microsoft's approved client app list (for example Outlook for iOS and Android); intended for mobile devices.
- Require app protection policy: The client app must have an Intune app protection policy applied; intended for mobile devices.
You can also choose to require one or multiple controls. For example, requiring MFA and a compliant device.
Under For multiple controls, select Require all the selected controls or Require one of the selected controls.
Tip: For sensitive applications or administrative access, requiring both Multi-Factor Authentication and a compliant device offers a robust security posture.
Step 5: Enable the Policy
Enable Policy
At the bottom of the policy configuration screen, under Enable policy, you have three options:
- Report-only: This is the safest option for testing. The policy is evaluated on every sign-in and the outcome is recorded, but nothing is enforced. The results appear in the Azure AD sign-in logs on the Report-only tab of each sign-in (outcomes such as Report-only: Success, Failure, Not applied and Interrupted) and are aggregated in the Conditional Access insights and reporting workbook.
- On: The policy is active and enforced.
- Off: The policy is disabled.
Tip: Always start with Report-only mode to understand the potential impact before enabling the policy. Two caveats: a report-only policy that requires a compliant or hybrid-joined device can still prompt users on macOS, iOS and Android to select a device certificate, so warn those users; and report-only only shows the sign-ins that actually happen, so complement it with the What If tool to test specific user, app and location combinations that have not occurred yet.
Create
Click Create to save your new Conditional Access policy.
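The steps above, expressed as the Microsoft Graph JSON that the portal produces, are easier to review and version than screenshots. The following is an added example for this tutorial, not Microsoft's code: it builds three policies in the shape of the Graph conditionalAccessPolicy resource (the tutorial's "Require MFA for Admin Roles", a legacy-authentication block, and an MFA-plus-compliant-device policy for untrusted locations), then lints each one for the lockout mistakes discussed in Steps 2 to 5 before it would be sent to the `POST /identity/conditionalAccess/policies` endpoint. The break-glass object IDs are placeholders, the role template IDs are Microsoft's well-known values and should be confirmed in your tenant, and `lint` and `create_policy` are helpers written for this example.

```python
"""Build Conditional Access policies as Microsoft Graph conditionalAccessPolicy
JSON and lint them for lockout risks before creating them."""
import json
import urllib.request

# Constructed placeholder object IDs for two break-glass accounts (not real).
BREAK_GLASS = [
    "11111111-1111-1111-1111-111111111111",
    "22222222-2222-2222-2222-222222222222",
]

# Well-known directory role template IDs; confirm them in your tenant with
# GET /directoryRoleTemplates before relying on them.
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"
SECURITY_ADMIN = "194ae4cb-b126-40b2-bd5b-6091b380977d"
CA_ADMIN = "b1be1c3e-b65d-4f19-8427-f6fa0d97feb9"

REPORT_ONLY = "enabledForReportingButNotEnforced"  # Graph name for "Report-only"
MODERN_CLIENTS = ["browser", "mobileAppsAndDesktopClients"]
LEGACY_CLIENTS = ["exchangeActiveSync", "other"]  # the two legacy client app types


def _policy(name, users, controls, operator="OR", **conditions):
    """Assemble one policy: report-only, break-glass excluded, all apps,
    modern clients by default; keyword args override any condition."""
    return {
        "displayName": name,
        "state": REPORT_ONLY,
        "conditions": {
            "users": {**users, "excludeUsers": list(BREAK_GLASS)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": list(MODERN_CLIENTS),
            **conditions,
        },
        "grantControls": {"operator": operator, "builtInControls": controls},
    }


def require_mfa_for_admins():
    """The tutorial's policy: MFA for the privileged directory roles."""
    return _policy("Require MFA for Admin Roles",
                   {"includeRoles": [GLOBAL_ADMIN, SECURITY_ADMIN, CA_ADMIN]},
                   ["mfa"])


def block_legacy_auth():
    """Block only the legacy client types; modern clients are untouched."""
    return _policy("Block legacy authentication", {"includeUsers": ["All"]},
                   ["block"], clientAppTypes=list(LEGACY_CLIENTS))


def mfa_and_compliant_outside_trusted():
    """Require ALL of MFA and a compliant device from untrusted networks."""
    return _policy("Require MFA and compliant device from untrusted networks",
                   {"includeUsers": ["All"]}, ["mfa", "compliantDevice"],
                   operator="AND",
                   locations={"includeLocations": ["All"],
                              "excludeLocations": ["AllTrusted"]})


def lint(policy):
    """Return lockout-related findings; an empty list means safe to create."""
    findings = []
    cond = policy["conditions"]
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    excluded = set(cond["users"].get("excludeUsers", []))
    missing = [u for u in BREAK_GLASS if u not in excluded]
    if missing:
        findings.append(f"break-glass account(s) not excluded: {missing}")
    if policy["state"] != REPORT_ONLY:
        findings.append("a new policy should start in report-only mode")
    if "block" in controls and \
            set(cond.get("clientAppTypes", ["all"])) - set(LEGACY_CLIENTS):
        findings.append("block also targets modern clients; scope it to legacy client types")
    if len(controls) > 1 and grant.get("operator") not in ("AND", "OR"):
        findings.append("multiple controls need an explicit AND/OR operator")
    return findings


def create_policy(policy, access_token):
    """POST the policy to Graph (needs Policy.ReadWrite.ConditionalAccess).
    Refuses to send anything lint() flags. Not called in this example."""
    problems = lint(policy)
    if problems:
        raise ValueError(problems)
    req = urllib.request.Request(
        "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies",
        data=json.dumps(policy).encode(),
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for p in (require_mfa_for_admins(), block_legacy_auth(),
              mfa_and_compliant_outside_trusted()):
        print(p["displayName"], "->", lint(p) or "OK")
```

The design point is that the safety rules from the tutorial (break-glass excluded, report-only first, block scoped to legacy clients, an explicit AND/OR when several controls are combined) are checked by code rather than by eyeballing the portal, and `create_policy` refuses to submit a policy that fails them. The same JSON can be stored in source control and pushed with `PATCH /identity/conditionalAccess/policies/{id}` when a policy is later switched from report-only to `enabled`.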
Best Practices for Conditional Access
- Start with Report-only Mode: Thoroughly test your policies to avoid locking users out.
- Use Named Locations: Define trusted IP address ranges for your corporate network.
- Implement Break-Glass Accounts: Have at least two cloud-only emergency access accounts excluded from every policy, with credentials stored offline and alerting on any sign-in.
- Target Specific Applications: Apply policies to critical applications first.
- Require MFA: For all users, especially administrators, and for access from untrusted locations or to sensitive apps.
- Block Legacy Authentication: Legacy protocols do not support modern security features like MFA.
- Review Policies Regularly: As your organization's needs and threat landscape evolve, review and update your policies.
- Use Insights and Reporting: Leverage Azure AD sign-in logs and Conditional Access insights to monitor policy effectiveness and identify potential issues.
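Reading report-only results one sign-in at a time in the portal does not scale, so the last two best practices are usually automated against the sign-in log export. The following is an added example for this tutorial, not Microsoft's code: it summarizes the `appliedConditionalAccessPolicies` field of Graph `/auditLogs/signIns` records per policy, lists the sign-ins a policy would have blocked or interrupted once enforced, and checks that the break-glass accounts were never evaluated by any policy (if they were, an exclusion is missing). The six sign-in records are constructed for this example, with made-up users in the contoso.com domain, and the three helper functions are written here rather than taken from any library.

```python
"""Summarize report-only Conditional Access results from sign-in log records
so a policy's impact is known before it is switched to On."""
from collections import Counter, defaultdict

ADMIN_MFA = "Require MFA for Admin Roles"
BLOCK_LEGACY = "Block legacy authentication"
UNTRUSTED = "Require MFA and compliant device from untrusted networks"


def _signin(upn, app, client, **results):
    """Build one trimmed /auditLogs/signIns record (constructed sample data)."""
    return {"userPrincipalName": upn, "appDisplayName": app, "clientAppUsed": client,
            "appliedConditionalAccessPolicies": [
                {"displayName": name, "result": result}
                for name, result in results.items()]}


# Constructed sample records; only the fields used here are present.
SAMPLE_SIGNINS = [
    _signin("alice@contoso.com", "Azure Portal", "Browser",
            **{ADMIN_MFA: "reportOnlyInterrupted", BLOCK_LEGACY: "reportOnlyNotApplied"}),
    _signin("bob@contoso.com", "Exchange Online", "Other clients; IMAP",
            **{ADMIN_MFA: "reportOnlyNotApplied", BLOCK_LEGACY: "reportOnlyFailure"}),
    _signin("carol@contoso.com", "Microsoft 365", "Mobile Apps and Desktop clients",
            **{ADMIN_MFA: "reportOnlyNotApplied", BLOCK_LEGACY: "reportOnlyNotApplied"}),
    _signin("bob@contoso.com", "Exchange Online", "Exchange ActiveSync",
            **{ADMIN_MFA: "reportOnlyNotApplied", BLOCK_LEGACY: "reportOnlyFailure"}),
    _signin("alice@contoso.com", "Azure Portal", "Browser",
            **{ADMIN_MFA: "reportOnlySuccess", BLOCK_LEGACY: "reportOnlyNotApplied"}),
    # The break-glass account was forgotten in the exclusions of the third policy.
    _signin("breakglass01@contoso.com", "Azure Portal", "Browser",
            **{ADMIN_MFA: "reportOnlyNotApplied", BLOCK_LEGACY: "reportOnlyNotApplied",
               UNTRUSTED: "reportOnlyInterrupted"}),
]

REPORT_ONLY_RESULTS = {"reportOnlySuccess", "reportOnlyFailure",
                       "reportOnlyNotApplied", "reportOnlyInterrupted"}


def summarize_report_only(signins):
    """Map policy display name -> Counter of its report-only outcomes."""
    summary = defaultdict(Counter)
    for s in signins:
        for p in s.get("appliedConditionalAccessPolicies", []):
            if p["result"] in REPORT_ONLY_RESULTS:
                summary[p["displayName"]][p["result"]] += 1
    return dict(summary)


def would_be_affected(signins, policy_name):
    """Sign-ins the policy would have blocked (reportOnlyFailure) or stopped
    for a control such as MFA (reportOnlyInterrupted) once enforced."""
    hits = []
    for s in signins:
        for p in s.get("appliedConditionalAccessPolicies", []):
            if p["displayName"] == policy_name and \
                    p["result"] in ("reportOnlyFailure", "reportOnlyInterrupted"):
                hits.append((s["userPrincipalName"], s["appDisplayName"],
                             s["clientAppUsed"], p["result"]))
    return hits


def break_glass_exposure(signins, break_glass_upns):
    """(account, policy) pairs where a break-glass account was evaluated as
    anything other than 'not applied'; non-empty means an exclusion is missing."""
    wanted = {u.lower() for u in break_glass_upns}
    exposed = set()
    for s in signins:
        if s["userPrincipalName"].lower() not in wanted:
            continue
        for p in s.get("appliedConditionalAccessPolicies", []):
            if p["result"] not in ("reportOnlyNotApplied", "notApplied"):
                exposed.add((s["userPrincipalName"], p["displayName"]))
    return sorted(exposed)


if __name__ == "__main__":
    for name, counts in summarize_report_only(SAMPLE_SIGNINS).items():
        print(name, dict(counts))
    print("would be blocked by legacy block:", would_be_affected(SAMPLE_SIGNINS, BLOCK_LEGACY))
    print("break-glass exposure:", break_glass_exposure(SAMPLE_SIGNINS, ["breakglass01@contoso.com"]))
```

Read the outcomes by policy type: for an MFA policy, `reportOnlyInterrupted` is the expected result (the user would have been prompted) and `reportOnlyFailure` needs investigation; for a block policy, every `reportOnlyFailure` is a client that will stop working, so the list from `would_be_affected` is the migration work to finish before the policy goes On. A non-empty `break_glass_exposure` should block the rollout until the exclusion is fixed.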