By now, anyone in the industry who looks at Azure AD on a daily basis and is thinking about how to implement Zero Trust knows what Conditional Access Policies (CAPs) are. Anyone who is new to the Azure AD Premium benefits and just starting out must be wondering what CAPs are and how to configure one. I’m going to break down CAPs, discuss the components of a CAP, and show how to implement a CAP without impacting services and users.
Table of Contents
- Commonly Applied Policies
- Conditional Access Licensing
- Risk Based Conditional Access
- Signals in a Conditional Access Policy
- Common Decisions
- Session Control
- Policy Templates
- What is “What if”?
- What is Report Only mode?
- Final Words
As a Gatekeeper
Conditional Access is the gatekeeper of the Zero Trust principle. Ideally you need to implement MFA in your Azure AD environment so you can stop bad actors getting in with compromised user passwords. The Zero Trust principle is widely summarised as Assume Breach and Always Verify. Conditional Access Policies (CAPs) are the solution for performing those activities.
CAP has evolved since it was introduced and now has a lot of options to secure identities.
Why is this the best option for applying MFA?
Microsoft first introduced MFA as a per-user, all-or-nothing setting. Not to mention, its settings are not user friendly and lack a lot of features. Azure MFA, which is the core of implementing Conditional Access Policies, has many options that enhance the user experience while securing identities and devices. If you are still using the legacy way of setting up MFA per account, I believe it’s time to migrate those settings to Azure MFA.
Read my article on how to enable MFA.
Commonly Applied Policies
- Requiring multi-factor authentication for users with administrative roles
- Requiring multi-factor authentication for Azure management tasks
- Blocking sign-ins for users attempting to use legacy authentication protocols
- Requiring trusted locations for Azure AD Multi-Factor Authentication registration
- Blocking or granting access from specific locations
- Blocking risky sign-in behaviors
- Requiring organization-managed devices for specific applications
Conditional Access Licensing
Conditional Access Policies come with any license that contains Azure AD Premium P1 or P2. Any user who needs to be covered by a Conditional Access Policy needs to have the necessary license.
Risk Based Conditional Access
Risk-based Conditional Access Policies are, in other words, a variation of the standard Conditional Access Policies. They intelligently identify risk signals and act quickly to block a malicious actor from performing tasks.
They look at User Risk and Sign-in Risk. Depending on the license you have, you get either the Premium or the Non-premium detection features, which I have mentioned below.
Premium Detections
Only available with an Azure AD P2 license
Non-Premium Detections
Available with Azure AD Free and P1
From Microsoft:
- Identity Protection generates risk detections only when the correct credentials are used. If incorrect credentials are used on a sign-in, it does not represent risk of credential compromise.
- While Microsoft doesn’t provide specific details about how risk is calculated, we’ll say that each level brings higher confidence that the user or sign-in is compromised. For example, something like one instance of unfamiliar sign-in properties for a user might not be as threatening as leaked credentials for another user.
Signals in a Conditional Access Policy
Below are the signals that can be evaluated by Conditional Access before making the policy decision.
- User or group membership – Policies can be targeted to specific users and groups giving administrators fine-grained control over access.
- Special user types – such as guests and users that have Azure AD roles assigned.
- Workload Identities – service principals of apps owned in the Azure AD environment. Policies for these are based on risk detections.
- IP Location information – Organizations can create trusted IP address ranges that can be used when making policy decisions. Administrators can specify entire countries/regions IP ranges to block or allow traffic from.
- Device Platforms – Users with devices of specific platforms or marked with a specific state can be used when enforcing Conditional Access policies. Use filters for devices to target policies to specific devices like privileged access workstations.
- Device Filtering – When applying policies, you can include or exclude specific devices in the organization that are enrolled with Intune.
- Application – Users attempting to access specific applications can trigger different Conditional Access policies.
- Client Apps – Access policies are triggered depending on the client app the user is using to connect to the applications. This can be used to stop legacy authentication protocols, for example.
- Real-time and calculated risk detection – Signals integration with Azure AD Identity Protection allows Conditional Access policies to identify risky sign-in behavior. Policies can then force users to change their password, do multi-factor authentication to reduce their risk level, or block access until an administrator takes manual action.
- Microsoft Defender for Cloud Apps – Enables user application access and sessions to be monitored and controlled in real time, increasing visibility and control over access to and activities done within your cloud environment.
Common Decisions
- Block access
  - Most restrictive decision
- Grant access
  - Least restrictive decision, can still require one or more of the following options:
    - Require multi-factor authentication
    - Require device to be marked as compliant
    - Require Hybrid Azure AD joined device
    - Require approved client app
    - Require app protection policy (preview)
Session Controls
Session controls enable limited experiences within specific cloud applications. When configured, they determine how often the user is challenged with MFA (sign-in frequency), how the user’s browser behaves with persistent cookies, and especially whether Continuous Access Evaluation needs to be disabled for that policy. Furthermore, they can provide app control to stop downloading or copy/paste of sensitive data, and apply app-enforced restrictions (which work with SharePoint Online and Exchange Online at the moment).
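To show how the signals, decisions and session controls above fit together, here is an added example (it is not code from the original post) that builds three of the commonly applied policies from the list earlier on this page as Graph conditionalAccessPolicy objects and creates them in report-only mode with the Microsoft Graph PowerShell SDK: MFA for administrative roles with a sign-in frequency session control, a block on legacy authentication protocols, and a risk-based policy that needs Azure AD P2. The break-glass group ID is a placeholder you must replace; the policy names are my own.

```powershell
# Added example, not code from the original post: three Conditional Access policies
# combining signals (conditions), a decision (grantControls) and session controls,
# created in report-only mode with the Microsoft Graph PowerShell SDK.
# Requires: Install-Module Microsoft.Graph.Identity.SignIns
# Assumption: $breakGlassGroupId is a placeholder for your emergency-access group's object ID.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder, replace before use
$reportOnly        = 'enabledForReportingButNotEnforced'      # other states: 'enabled', 'disabled'

# 1. Require MFA for administrative roles (signal: directory role membership;
#    decision: grant with MFA; session: re-prompt every 4 hours, no persistent browser).
#    The role IDs are the well-known directory role template IDs.
$adminMfa = @{
    displayName = 'CA001 - Require MFA for admin roles'
    state       = $reportOnly
    conditions  = @{
        users = @{
            includeRoles  = @(
                '62e90394-69f5-4237-9190-012177145e10',  # Global Administrator
                '194ae4cb-b126-40b2-bd5b-6091b380977d'   # Security Administrator
            )
            excludeGroups = @($breakGlassGroupId)
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls   = @{ operator = 'OR'; builtInControls = @('mfa') }
    sessionControls = @{
        signInFrequency   = @{ isEnabled = $true; type = 'hours'; value = 4 }
        persistentBrowser = @{ isEnabled = $true; mode = 'never' }
    }
}

# 2. Block legacy authentication (signal: client app type; decision: block).
#    'exchangeActiveSync' and 'other' cover the protocols that cannot perform MFA.
$blockLegacy = @{
    displayName = 'CA002 - Block legacy authentication'
    state       = $reportOnly
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# 3. Risk-based policy (signal: Identity Protection sign-in risk, needs Azure AD P2;
#    decision: grant with MFA, so a medium/high-risk sign-in must prove the second factor).
$riskySignIn = @{
    displayName = 'CA003 - Require MFA for medium and high sign-in risk'
    state       = $reportOnly
    conditions  = @{
        users            = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
        applications     = @{ includeApplications = @('All') }
        clientAppTypes   = @('all')
        signInRiskLevels = @('medium', 'high')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

foreach ($policy in @($adminMfa, $blockLegacy, $riskySignIn)) {
    # Idempotent: do not create a second copy if a policy with this name already exists.
    $existing = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$($policy.displayName)'"
    if ($existing) {
        Write-Host "Skipping '$($policy.displayName)': already exists as $($existing.Id)"
        continue
    }
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host "Created '$($created.DisplayName)' ($($created.Id)) in state '$($created.State)'"
}
```

Every policy excludes the emergency-access group so that a mistake in the conditions cannot lock every administrator out, and every policy starts in report-only mode; change `state` to `enabled` only after reviewing the report-only results described later on this page.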
Enabling Continuous Access Evaluation
This feature was first available for the whole tenant while it was in preview, and now it is a per-CAP setting that sits in the Session Controls.
Please read my article below on how to set up this feature.
Policy Templates
This feature, which is in preview at the moment, gives you the option of selecting your CAP from a list of predefined templates. You have the option of setting up policies for Identities or Devices.
Once the policy has been selected, you can view a summary of it.
This is a quicker way to enforce policies, but it’s best to set Report-only mode first to understand the policy’s behaviour and then switch it ON.
What is “What if?”
This is a great tool to understand whether the created policy gets applied to the targeted set of users. This can be done while the policy is off or in report-only mode.
Result
What is “Report Only” Mode?
This setting is ideal when you don’t want to switch ON the CA policy without being 100% sure about the results. Will there be a disruption to work? Will users get blocked? Will they be prompted for an MFA challenge?
This has the option of connecting to the Azure Log Analytics service to get a better view of the policy’s behaviour. Read my previous article below to get more info on that.
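Report-only policies are evaluated on every sign-in and the outcome is written to the sign-in logs, so you can answer the three questions above before switching a policy ON. The following added example (mine, not from the original post, and reading the sign-in logs directly through Microsoft Graph rather than through Log Analytics) summarises how one report-only policy would have behaved over the last seven days and lists the users and client apps that would have been blocked or interrupted. The policy display name is an assumption; use the name of your own policy.

```powershell
# Added example, not code from the original post: summarise the reportOnly* results
# that Azure AD records in the sign-in logs for a report-only Conditional Access policy.
# Requires: Install-Module Microsoft.Graph.Reports
# Assumption: $PolicyName matches the display name of your report-only policy.

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

$PolicyName = 'CA002 - Block legacy authentication'   # assumed name, replace with yours
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

# Pull the sign-ins for the period; each one carries the evaluation result of
# every policy, including policies that are only in report-only mode.
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

$results = foreach ($s in $signIns) {
    $hit = $s.AppliedConditionalAccessPolicies | Where-Object DisplayName -eq $PolicyName
    if ($hit) {
        [pscustomobject]@{
            User      = $s.UserPrincipalName
            App       = $s.AppDisplayName
            ClientApp = $s.ClientAppUsed
            Result    = $hit.Result
        }
    }
}

# Result values you will see for a report-only policy:
#   reportOnlySuccess     - conditions matched and the controls would have been satisfied
#   reportOnlyFailure     - conditions matched and the sign-in would have been blocked
#   reportOnlyInterrupted - the user would have been prompted (e.g. MFA registration)
#   reportOnlyNotApplied  - the policy's conditions did not match this sign-in
$results | Group-Object Result | Select-Object Name, Count | Format-Table -AutoSize

# Who would be disrupted if the policy were switched ON?
$results |
    Where-Object Result -in 'reportOnlyFailure', 'reportOnlyInterrupted' |
    Group-Object User, ClientApp |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

A long list of `reportOnlyFailure` entries for a legacy-authentication policy usually means service accounts or old mail clients that still use basic authentication; fix those first, then enable the policy.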
Final Words
Hands down, this is a great and much-needed tool for your Azure AD environment for safeguarding identities with different controls. If you still haven’t set up the policies, please go and do it now, because the bad actors are out there looking for their next target.