Azure AD Conditional Access Policies 101

By now, anyone in the industry who looks at Azure AD on a daily basis and is thinking about how to implement Zero Trust knows what Conditional Access Policies (CAPs) are. Anyone who is new to the Azure AD Premium benefits and just starting out must be wondering what CAPs are and how to configure one. I'm going to break down CAPs, discuss the components of a CAP, and show how to implement a CAP without impacting services and users.

As a Gate Keeper

Conditional Access is the gatekeeper of the Zero Trust principle. Ideally you need to implement MFA in your Azure AD environment so you can stop bad actors getting in with compromised user passwords. Zero Trust rests on two widely acknowledged rules: assume breach and always verify. Conditional Access Policies (CAP) are the solution for carrying out those checks.

CAP has evolved since it was introduced and now has a lot of options to secure identities.

Why is this the best option for applying MFA?

Microsoft first introduced MFA as the standard all-or-nothing per-user MFA setting. Its settings are not user friendly and lack a lot of features. Azure MFA, which is the core of implementing Conditional Access Policies, has many options that enhance the user experience while securing identities and devices. If you are still using the legacy way of setting up MFA per account, I believe it's time to migrate those settings to Azure MFA.

Read my article on how to enable MFA.

Commonly Applied Policies

  • Requiring multi-factor authentication for users with administrative roles
  • Requiring multi-factor authentication for Azure management tasks
  • Blocking sign-ins for users attempting to use legacy authentication protocols
  • Requiring trusted locations for Azure AD Multi-Factor Authentication registration
  • Blocking or granting access from specific locations
  • Blocking risky sign-in behaviors
  • Requiring organization-managed devices for specific applications

Conditional Access Licensing

Conditional Access Policies come with any license that contains Azure AD Premium P1 or P2. Ideally, should a user need to be captured by a Conditional Access Policy, that user needs to have the necessary license.

Risk Based Conditional Access

Risk-based Conditional Access Policies are, in other words, a variation of the standard Conditional Access Policies. They intelligently identify risk signals and act quickly to block a malicious actor from performing tasks.
They look at User Risk and Sign-in Risk. Depending on the license you have, you get the Premium or Non-premium detection features, which I have listed below.

Premium Detections

Only available with an Azure AD Premium P2 license

Non-Premium Detections

Available with Azure AD Free and Premium P1

From Microsoft

  • Identity Protection generates risk detections only when the correct credentials are used. If incorrect credentials are used on a sign-in, it does not represent risk of credential compromise
  • While Microsoft doesn’t provide specific details about how risk is calculated, we’ll say that each level brings higher confidence that the user or sign-in is compromised. For example, something like one instance of unfamiliar sign-in properties for a user might not be as threatening as leaked credentials for another user.

Signals in a Conditional Access Policy

Below are the signals that can be evaluated by the Conditional Access before making the policy decision.

  • User or group membership – Policies can be targeted to specific users and groups giving administrators fine-grained control over access.

  • Special user types – such as Guests and users that have Azure AD roles assigned.

  • Workload Identities – service principals of apps owned in the Azure AD environment. Policies for these are based on risk detections.

  • IP Location information – Organizations can create trusted IP address ranges that can be used when making policy decisions. Administrators can specify entire countries/regions IP ranges to block or allow traffic from.

  • Device Platforms – Users with devices of specific platforms or marked with a specific state can be used when enforcing Conditional Access policies. Use filters for devices to target policies to specific devices like privileged access workstations.

  • Device Filtering – When applying policies, you can include or exclude specific devices in the organization that are enrolled with Intune.

  • Application – Users attempting to access specific applications can trigger different Conditional Access policies.

  • Client Apps – The client app the user is connecting from determines which access policies are triggered. This can be used to stop legacy authentication protocols, for example.

  • Real-time and calculated risk detection – Signals integration with Azure AD Identity Protection allows Conditional Access policies to identify risky sign-in behavior. Policies can then force users to change their password, do multi-factor authentication to reduce their risk level, or block access until an administrator takes manual action.

  • Microsoft Defender for Cloud Apps – Enables user application access and sessions to be monitored and controlled in real time, increasing visibility and control over access to and activities done within your cloud environment.

Common Decisions

  • Block access
    • Most restrictive decision
  • Grant access
    • Least restrictive decision, can still require one or more of the following options:
      • Require multi-factor authentication
      • Require device to be marked as compliant
      • Require Hybrid Azure AD joined device
      • Require approved client app
      • Require app protection policy (preview)

Session Controls

Session controls enable limited experiences within specific cloud applications. When configured, they determine how often the user is challenged with MFA, how the user's browser handles persistent cookies, and whether Continuous Access Evaluation needs to be disabled for that policy. Furthermore, session controls can provide app control (stopping downloads or copy/paste of sensitive data) and apply app-enforced restrictions (which work with SPO and EXO at the moment).

Enabling Continuous Access Evaluation

This feature was first available for the whole tenant while it was in preview; now it is a per-CAP setting that sits in the Session Controls.

Please read my article below on how to set up this feature.

Policy Templates

This feature, which is in preview at the moment, gives you the option of selecting your CAP from a list of predefined templates. You can set up policies for Identities or Devices.

Once a policy has been selected, you can view a summary of it.

This is a quicker way to enforce policies, but it is best to set Report-only mode first to understand a policy's behaviour and then switch it ON.

What is “What if?”

This is a great tool to understand whether the created policy is applied to the targeted set of users. It can be used while the policy is off or in report-only mode.


What is “Report Only” Mode?

This setting is ideal when you don't want to switch ON a CA Policy without being 100% sure about the results. Will there be a disruption to work? Will users get blocked? Will they be prompted for the MFA challenge?

It has the option of connecting to the Azure Log Analytics service to get a better view of the policy's behaviour. Read my previous article below for more on that.
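As an added example (not from the original post), the script below builds two of the commonly applied policies listed earlier, "require MFA for users with administrative roles" and "block legacy authentication", using the Microsoft Graph PowerShell SDK, and creates both in report-only mode so their decisions show up in the sign-in logs before anything is enforced. It assumes the Microsoft.Graph module is installed, that the signed-in account can write Conditional Access policies, and that you replace the placeholder with your break-glass account's object ID.

```powershell
# Added example, not the post's own code. Requires the Microsoft.Graph module.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$breakGlassUserId = '<BREAK-GLASS-ACCOUNT-OBJECT-ID>'        # placeholder: your emergency access account
$globalAdminRole  = '62e90394-69f5-4237-9190-012177145e10'   # well-known Global Administrator role template ID

# Policy 1: require MFA for Global Administrators. Grant control "mfa" with
# operator OR means the sign-in is allowed once MFA is satisfied.
$mfaForAdmins = @{
    displayName = 'CA001 - Require MFA for Global Administrators (report-only)'
    state       = 'enabledForReportingButNotEnforced'   # report-only: logged, never enforced
    conditions  = @{
        users          = @{
            includeRoles = @($globalAdminRole)
            excludeUsers = @($breakGlassUserId)          # never lock out the break-glass account
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# Policy 2: block legacy authentication. Exchange ActiveSync and "other"
# clients cannot satisfy MFA, so the only sensible decision is "block".
$blockLegacy = @{
    displayName = 'CA002 - Block legacy authentication (report-only)'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlassUserId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

foreach ($policy in @($mfaForAdmins, $blockLegacy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host "Created '$($created.DisplayName)' id=$($created.Id) state=$($created.State)"
}

# After reviewing the report-only results in the sign-in logs (or the Log
# Analytics workbook), switch one policy to enforced by updating only its state:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = 'enabled' }
```

Run the "What if" tool against a test admin account and a legacy-auth client before flipping the state, so the report-only data and the simulation agree.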

Final Words

Hands down, this is a great and much-needed tool for safeguarding identities in your Azure AD environment with different controls. If you still haven't set up the policies, please go and do it now, because the bad actors are out there looking for their next target.

