Azure Conditional Access
Azure Active Directory (Azure AD) Conditional Access is a tool that you use to bring together signals, make decisions, and enforce organizational policies. Conditional Access is Azure AD's approach to the main objective of Zero Trust access: "never trust, always verify."
What is Conditional Access?
Conditional Access policies provide a central place that you, as an organization, use to apply granular access controls to your cloud apps and data. These policies allow you to grant access to your users based on the conditions you define. This is a critical component for securing your cloud environment.
Key Components
A Conditional Access policy consists of assignments and access controls.
Conditions
Conditions, together with the user and app assignments, form the "if" part of a Conditional Access policy: they specify the signals the policy evaluates. Examples include:
- Users and Groups: Apply the policy to specific users or groups.
- Cloud Apps or Actions: Target specific applications or user actions (e.g., registering security info).
- Conditions:
  - Device Platforms: Target specific operating systems (Windows, macOS, iOS, Android).
  - Locations: Specify trusted or untrusted network locations.
  - Client Applications: Target specific clients (e.g., browser, mobile apps, desktop clients).
  - Sign-in Risk: Use Azure AD Identity Protection's assessment of how likely it is that a particular sign-in was not made by the account owner.
  - User Risk: Use Azure AD Identity Protection's assessment of how likely it is that the account itself has been compromised.
Access Controls
Access controls are the "then" part of a Conditional Access policy: the controls that are enforced when the conditions are met. They can be:
- Grant Controls:
  - Require multi-factor authentication (MFA): Enforce MFA for users.
  - Require device to be marked as compliant: Ensure devices meet the security standards defined in your device management solution.
  - Require Hybrid Azure AD joined device: Allow only devices joined to on-premises Active Directory and registered with Azure AD.
  - Require approved client application: Restrict access to Microsoft's list of approved client apps.
  - Require app protection policy: Require the client app to be covered by an app protection policy, typically on mobile devices.
  - Block access: Deny access completely.
- Session Controls:
  - Use Conditional Access App Control: Route the session through Microsoft Defender for Cloud Apps for real-time monitoring and control.
  - Sign-in frequency: Control how often users need to re-authenticate.
  - Persistent browser session: Control whether users remain signed in after closing and reopening their browser.
How it Works
When a user attempts to access a cloud application, Azure AD evaluates the relevant Conditional Access policies. If the user's sign-in request matches the conditions defined in a policy, the configured access controls are enforced. This process happens in real time, providing dynamic security based on the context of the sign-in.
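The evaluation just described, as an added example that is not Microsoft's code or documentation: a small Python model of the "if/then" flow in which every enabled policy matching the sign-in applies, grant controls accumulate, and a block from any matching policy overrides the grants. The policy dictionaries follow the shape of the Microsoft Graph conditionalAccessPolicy resource but are a constructed simplification (only the "AllTrusted" named location is modelled, and the group name and app id are placeholders).

```python
from collections import namedtuple

# Constructed sign-in context; sign_in_risk is none|low|medium|high as in Identity Protection.
SignIn = namedtuple("SignIn", "user groups app trusted_location sign_in_risk", defaults=["none"])

def _matches(policy, s):
    """True when every assignment and condition of one policy applies to sign-in s."""
    c = policy["conditions"]
    u = c["users"]
    in_scope = ("All" in u.get("includeUsers", []) or s.user in u.get("includeUsers", [])
                or bool(s.groups & set(u.get("includeGroups", []))))
    if not in_scope or s.user in u.get("excludeUsers", []):
        return False
    apps = c["applications"]["includeApplications"]
    if "All" not in apps and s.app not in apps:
        return False
    locs = c.get("locations", {})  # only the built-in 'AllTrusted' location is modelled
    if "AllTrusted" in locs.get("includeLocations", []) and not s.trusted_location:
        return False
    if "AllTrusted" in locs.get("excludeLocations", []) and s.trusted_location:
        return False
    risks = c.get("signInRiskLevels", [])
    return not risks or s.sign_in_risk in risks

def evaluate(policies, s):
    """Every enabled, matching policy applies: grant controls accumulate, block wins."""
    required, matched = set(), []
    for p in policies:
        if p["state"] == "enabled" and _matches(p, s):
            matched.append(p["displayName"])
            required |= set(p["grantControls"]["builtInControls"])
    decision = "block" if "block" in required else "grant"
    return {"decision": decision, "require": sorted(required - {"block"}), "policies": matched}

# Constructed policies, shaped like the Graph conditionalAccessPolicy resource.
ALL = {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]}}
POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": ALL, "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Block high-risk sign-ins", "state": "enabled",
     "conditions": {**ALL, "signInRiskLevels": ["high"]},
     "grantControls": {"builtInControls": ["block"]}},
    {"displayName": "Finance app: compliant device off the corporate network", "state": "enabled",
     "conditions": {"users": {"includeGroups": ["finance"]},
                    "applications": {"includeApplications": ["finance-app-id-placeholder"]},
                    "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}},
     "grantControls": {"builtInControls": ["compliantDevice"]}},
]
```

Running `evaluate(POLICIES, SignIn("alice", frozenset({"finance"}), "finance-app-id-placeholder", False))` shows both the tenant-wide MFA policy and the finance policy applying at once, so the user must satisfy MFA and present a compliant device.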
Common Use Cases
- Enforce Multi-Factor Authentication (MFA): Require MFA for all users, or for specific users accessing sensitive applications.
- Restrict Access from Untrusted Locations: Block access to resources when users are signing in from unfamiliar or risky geographic locations.
- Require Compliant Devices: Ensure that only devices managed and compliant with your organization's security policies can access corporate resources.
- Protect Sensitive Applications: Apply stricter controls, like requiring MFA and a compliant device, for applications containing sensitive data.
- Prevent Unmanaged Devices: Block access from personal or unmanaged devices for certain applications.
Getting Started
To configure Conditional Access policies, you need to have:
- An Azure AD Premium P1 or P2 license.
- Global Administrator, Security Administrator, or Conditional Access Administrator permissions.
You can configure policies in the Azure portal under Azure Active Directory > Security > Conditional Access.
For detailed steps and best practices, refer to the official Microsoft documentation.