Manage Conditional Access policies in Azure AD
Conditional Access is a feature of Azure Active Directory (Azure AD) that enforces organizational policies for access to cloud apps and resources. It evaluates each sign-in event and can respond by requiring additional actions, such as multi-factor authentication, limiting the session, or blocking access.
Note: Conditional Access requires an Azure AD Premium P1 or P2 license.
Key Concepts
- Assignments: Define who and what is affected by the policy. This includes users, groups, and cloud apps.
- Conditions: Specify the circumstances under which the policy applies, such as user location, device state, application, or real-time risk.
- Access Controls: Define the actions required when the policy conditions are met. This can include granting access, requiring multi-factor authentication, requiring device compliance, or blocking access.
- Grant: Controls whether access is granted or blocked, and what controls (like MFA) are required.
- Session: Controls how users can interact with applications, such as limiting sign-in frequency or enforcing app-enforced restrictions.
Creating a Conditional Access Policy
Step-by-Step Guide
- Navigate to the Azure portal.
- Go to Azure Active Directory.
- Under the Security menu, select Conditional Access.
- Click on Policies, then click + New policy.
- Name your policy (e.g., "Require MFA for Admins").
- Under Assignments:
  - Select the Users or groups to which this policy applies. You can target all users, specific users/groups, or exclude certain users/groups.
  - Select the cloud apps or actions this policy will apply to. Common choices include "All cloud apps" or specific applications like "Microsoft Office 365 Exchange Online."
- Under Conditions:
  - User risk: If you have Azure AD Identity Protection, you can apply policies based on user risk levels.
  - Sign-in risk: Apply policies based on the risk of the sign-in event.
  - Device platforms: Target specific operating systems (Windows, macOS, iOS, Android).
  - Locations: Apply policies based on the user's network location (e.g., trusted locations, untrusted locations).
  - Client applications: Target specific types of clients (browser, mobile apps, desktop clients).
  - Device state: Apply policies based on whether the device is Hybrid Azure AD joined or marked as compliant.
- Under Access controls:
  - Grant: Select "Grant access" and then choose the required controls, such as "Require multi-factor authentication," "Require device to be marked as compliant," or "Require Hybrid Azure AD joined device." You can choose to require all selected controls or any of them.
  - Session: Configure session controls like sign-in frequency, persistent browser session, or app-enforced restrictions.
- Set Enable policy to On to activate the policy. You can also set it to Report-only to monitor its impact without enforcing it.
- Click Create to save your policy.
Best Practice: Always start by enabling a policy in "Report-only" mode to understand its potential impact on users before enforcing it.
Common Scenarios
- Require Multi-Factor Authentication (MFA) for all users
- Require MFA for administrators
- Block access from untrusted locations
- Require compliant devices for access to specific applications
- Limit session duration for sensitive applications
Microsoft Graph API
You can manage Conditional Access policies programmatically using the Microsoft Graph API. This allows for automation and integration with other management tools.
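As an added example (not code from the original page or from Microsoft's own tooling), the following Python builds the Graph v1.0 request body for the "Require MFA for Admins" policy described in the guide, checks it against the Report-only and emergency-access practices before creation, and posts it. The role template IDs, emergency-access account IDs and access token are placeholders supplied by the caller.

```python
import json
import urllib.request

# Microsoft Graph v1.0 collection that holds Conditional Access policies
GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def build_mfa_for_admins_policy(role_template_ids, emergency_account_ids, report_only=True):
    """Request body for the guide's "Require MFA for Admins" policy.

    Mirrors the portal steps: assignments = directory roles and all cloud apps,
    grant control = require MFA, state = Report-only unless enforcement is requested.
    """
    return {
        "displayName": "Require MFA for Admins",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": ["All"]},
            "users": {
                "includeRoles": list(role_template_ids),  # caller-supplied role template IDs
                # excluded emergency-access accounts keep a recovery path if MFA breaks
                "excludeUsers": list(emergency_account_ids),
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def lint_policy(policy):
    """Return review findings to resolve before the policy is created."""
    findings = []
    if policy["state"] == "enabled":
        findings.append("state is 'enabled': start in Report-only to measure impact first")
    users = policy["conditions"]["users"]
    if not users.get("excludeUsers") and not users.get("excludeGroups"):
        findings.append("no excluded emergency-access account: a bad condition could lock out every admin")
    return findings


def create_policy(policy, access_token):
    """POST the policy to Graph; the token needs the Policy.ReadWrite.ConditionalAccess permission."""
    req = urllib.request.Request(
        GRAPH_CA_POLICIES,
        data=json.dumps(policy).encode(),
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)
```

Run `lint_policy` on the body and resolve its findings before calling `create_policy`; the same body, minus the state change, is what the portal submits when you click Create.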
For detailed information and advanced configurations, please refer to the official Azure AD Conditional Access documentation.