What is Azure AD Conditional Access?
Azure Active Directory (Azure AD) Conditional Access is the Azure AD feature that brings all your decisions about app access into one place. Conditional Access policies enforce specific controls on your cloud apps based on conditions such as user identity, location, device, application, and real-time risk detection. This protects your organization's resources by ensuring that only authenticated and authorized users can reach them, and only under the circumstances you define.
Key Concepts
- Access Policies: The core of Conditional Access, defining the rules for granting or blocking access.
- Assignments: Policies are assigned to users, groups, or roles, and can be targeted to specific cloud apps.
- Conditions: These are the triggers for a policy, such as user location, sign-in risk, device platform, or application.
- Access Controls: The actions taken when a policy is met, including granting access, requiring multi-factor authentication (MFA), limiting session duration, or blocking access entirely.
Core Components of a Conditional Access Policy
1. Assignments
- Users and groups: Specify which users or groups the policy applies to. You can include or exclude specific users, groups, or directory roles.
- Cloud apps or actions: Define the applications or actions that the policy will govern. This can range from all cloud apps to specific services like Office 365 or Azure management.
2. Conditions
Conditions are optional and allow you to add more granular control to your policies. A policy applies only to sign-ins that satisfy every condition it specifies.
- Sign-in risk: Policies can be triggered based on the risk level associated with a sign-in event, as determined by Azure AD Identity Protection.
- Device platforms: Target policies to specific operating systems (e.g., Windows, macOS, iOS, Android).
- Locations: Define policies based on the user's network location (e.g., trusted locations like your corporate network, or untrusted locations).
- Client applications: Specify policies for different types of clients, such as browser-based apps, mobile apps, or desktop clients.
- Device state: Apply policies based on whether a device is managed or compliant.
3. Access Controls
These are the controls that are enforced when all assigned and conditional criteria are met.
- Grant:
  - Grant access: Allow access.
  - Require multi-factor authentication: Prompt the user for MFA.
  - Require device to be marked as compliant: Ensure the device meets your organization's compliance policies.
  - Require Hybrid Azure AD joined device: Ensure the device is joined to both your on-premises Active Directory and Azure AD.
  - Require approved client application: Ensure the sign-in comes from a client app on Microsoft's approved client app list.
  - Require app protection policy: Ensure the app has a Microsoft Intune app protection policy applied.
- Session:
  - Sign-in frequency: Control how often users are required to sign in again.
  - Persistent browser session: Allow users to stay signed in after closing and reopening their browser.
  - Conditional Access App Control: Use Microsoft Defender for Cloud Apps to monitor and control user sessions in real time.
- Block access: Deny access entirely.
Important Considerations
Always test your Conditional Access policies in a pilot group before applying them to all users. Using the Conditional Access "What If" tool can help you simulate the impact of your policies.
Best Practices
Start with a "report-only" mode to monitor the impact of your policies without enforcing them. Gradually move to "on" mode once you are confident in the configuration.
Example Scenario: Requiring MFA for Remote Access
To ensure security for users accessing corporate resources from outside the company network, you can create a policy with the following settings:
- Users: All users
- Cloud Apps: Office 365 suite
- Conditions:
  - Locations: Any location, excluding all trusted locations (add any further trusted IP ranges to your trusted locations so they are excluded as well)
- Access Controls: Grant access and require multi-factor authentication.
This policy would prompt users for MFA when they sign in to Office 365 applications from outside the defined trusted network locations.
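The following is an added example, not code from the original page or from Microsoft. It ties together the three core components above (assignments, conditions, access controls), the report-only recommendation from Best Practices, and the remote-access scenario just described: the scenario policy is written in the JSON shape of the Microsoft Graph conditionalAccessPolicy resource, and a small local evaluator replays constructed sign-ins against it the way the "What If" tool would. The keywords "All", "AllTrusted", "Office365" and "mfa" are documented Graph values; the excluded break-glass group id is a placeholder, and the break-glass exclusion itself, the 12-hour sign-in frequency and the evaluator's simplified location model are assumptions made here, not part of the page.

```python
"""Added example, not from the original page or from Microsoft: the
'MFA for remote access' policy in Microsoft Graph conditionalAccessPolicy
shape, plus a local What-If style evaluator for constructed sign-ins."""
import json
from dataclasses import dataclass, field


def remote_mfa_policy(state="enabledForReportingButNotEnforced"):
    """Policy body for POST /identity/conditionalAccess/policies.

    Starts in report-only state, as the Best Practices section recommends;
    pass state="enabled" once the report-only results look right.
    The excluded group id is a placeholder for a break-glass group
    (an assumption added here, not part of the page).
    """
    return {
        "displayName": "Require MFA for Office 365 outside trusted locations",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeGroups": ["<break-glass-group-object-id>"]},
            "applications": {"includeApplications": ["Office365"]},
            # Any location, minus all trusted named locations.
            "locations": {"includeLocations": ["All"],
                          "excludeLocations": ["AllTrusted"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
        "sessionControls": {
            "signInFrequency": {"value": 12, "type": "hours", "isEnabled": True}
        },
    }


@dataclass
class SignIn:
    """Constructed sign-in attributes that a policy evaluation inspects."""
    user: str
    app: str
    trusted_location: bool
    groups: set = field(default_factory=set)
    device_compliant: bool = False
    mfa_satisfied: bool = False


def policy_applies(policy, s):
    """True only when the assignments AND every configured condition match."""
    c = policy["conditions"]
    users = c["users"]
    in_users = ("All" in users.get("includeUsers", [])
                or s.user in users.get("includeUsers", []))
    excluded = (s.user in users.get("excludeUsers", [])
                or bool(s.groups & set(users.get("excludeGroups", []))))
    apps = c["applications"].get("includeApplications", [])
    in_apps = "All" in apps or s.app in apps
    loc = c.get("locations", {})
    in_loc = "All" in loc.get("includeLocations", ["All"])
    if s.trusted_location and "AllTrusted" in loc.get("excludeLocations", []):
        in_loc = False  # trusted network: the exclusion wins
    return in_users and not excluded and in_apps and in_loc


def evaluate(policy, s):
    """Return the What-If style outcome for one sign-in."""
    if policy["state"] == "disabled" or not policy_applies(policy, s):
        return {"applies": False, "decision": "not applicable", "enforced": False}
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    if "block" in controls:
        decision = "block"
    else:
        satisfied = {"mfa": s.mfa_satisfied, "compliantDevice": s.device_compliant}
        results = [satisfied.get(ctl, False) for ctl in controls]
        # Operator decides whether one control (OR) or all controls (AND) must hold.
        ok = (all(results) if grant.get("operator") == "AND" else any(results)) if controls else True
        decision = "grant" if ok else "require " + " or ".join(controls)
    return {"applies": True, "decision": decision,
            # Report-only records the decision but does not enforce it.
            "enforced": policy["state"] == "enabled",
            "session": policy.get("sessionControls", {})}


def what_if(policy, signins):
    """Replay constructed sign-ins; one outcome per sign-in."""
    return [evaluate(policy, s) for s in signins]


if __name__ == "__main__":
    sample = [  # constructed sign-ins
        SignIn("alice@example.com", "Office365", trusted_location=False),
        SignIn("alice@example.com", "Office365", trusted_location=True),
        SignIn("bob@example.com", "Office365", trusted_location=False, mfa_satisfied=True),
        SignIn("admin@example.com", "Office365", trusted_location=False,
               groups={"<break-glass-group-object-id>"}),
    ]
    print(json.dumps(remote_mfa_policy(), indent=2))
    for s, r in zip(sample, what_if(remote_mfa_policy("enabled"), sample)):
        print(f"{s.user:20} trusted={s.trusted_location!s:5} -> {r['decision']} (enforced={r['enforced']})")
```

Running the script prints the report-only policy body and then the outcome of each constructed sign-in under the enabled policy: the untrusted sign-in without MFA is told to satisfy MFA, the same user on the trusted network is out of scope, a user who already completed MFA is granted, and the break-glass member is never touched. Switching the state back to report-only keeps the same decisions but marks them as not enforced, which is exactly what the sign-in logs show while you pilot the policy.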
Further Reading
For detailed implementation guides and advanced scenarios, please refer to the official Microsoft Azure documentation.