Azure AD Conditional Access: Implement Access Policies & Controls
Are you familiar with Azure AD Conditional Access and interested in learning how to implement it? Please read on.
First, we explain the meaning of Azure AD Conditional Access. This gives you a clear understanding of the concept. Next, we discuss the specific roles and subscriptions required to access this Azure Active Directory security feature.
Then, we emphasize why many organizations choose to use Conditional Access. Finally, we provide step-by-step instructions for implementing Conditional Access.
What is Azure Active Directory Conditional Access?
Microsoft describes conditional access using 3 words: signals, decisions, and policies. Organizations consider signals to make decisions that drive access policies.
Decisions encompass actions such as blocking access, allowing access, or requiring additional authentication conditions. Policies tie the signals to the decisions and enforce them.
So, an Azure AD Conditional Access policy uses signals to make decisions that enforce the organization’s access policy.
At its core, a Conditional Access policy is an “if-then” statement. It evaluates a user’s access request and determines whether to grant, deny, or require further authentication.
A Conditional Access policy may evaluate user group membership, IP location, or device state signals. Then, it makes decisions like blocking access or granting access.
A policy may require additional authentication to grant access, such as 2FA or a compliant user device. Other conditions are also considered.
Typical policies may disallow users utilizing legacy authentications from signing in, block sign-in from specific locations, or block users identified as “risky” from signing in.
Later this article discusses signals, decisions, and policies and how to use them to plan your Azure AD Conditional Access policies.
Subscription & Role Prerequisites for Azure AD Conditional Access
Before utilizing this Azure AD security feature, you must ensure that your account fulfils 2 conditions.
First, you need to have an assigned Azure AD Premium P1 or P2 license. Alternatively, if you lack these licenses, you can start a trial.
Second, depending on your intended task, your account must hold one of the following roles. If you plan to create or modify Conditional Access policies, you require the Conditional Access Administrator or Security Administrator role.
However, the Security Reader or Global Reader role suffices if your purpose is solely to read policies.
To verify that your account meets these requirements, follow these steps:
1. Sign in to portal.azure.com and open Azure Active Directory.
2. The Overview tab displays the highest license applied to your account.
Why Implement Conditional Access
Organizations use Conditional Access to secure their resources. This Azure AD security feature enables businesses to control access for users, locations, and devices, deciding when to allow or deny access.
Additionally, Conditional Access safeguards application data by evaluating access requests based on predefined conditions and determining whether to permit sign-in requests. Another layer of protection is provided through device control.
By evaluating device health, Conditional Access helps organizations protect their infrastructure from vulnerable devices. To achieve this goal, it evaluates the device’s state and uses that information to decide whether to permit or refuse sign-in requests.
In summary, Azure AD Conditional Access policies protect infrastructure by actively assessing real-time risks across 3 layers: user context, device status, and application and data access.
How to Implement Conditional Access and Controls in Azure AD
To implement Conditional Access, you need to create a policy in Azure Active Directory. But first, complete preliminary planning tasks.
Firstly, familiarize yourself with the components of a Conditional Access policy. This knowledge aids in correctly preparing for policy implementation.
In addition, Microsoft suggests excluding certain Azure AD accounts from your policies.
In the upcoming subsections, we guide you through the steps for implementing Conditional Access policies in Azure Active Directory.
Step 1: Evaluate Signals, Decisions, and Decide Policies
Earlier, we explored how Azure AD Conditional Access combines signals and decisions to enforce organizational policies. To assist you in policy planning, your initial step is to identify the signals that need evaluation.
These signals may vary depending on your organization’s requirements, but there are common ones to consider. Begin by evaluating whether access management based on IP address location is necessary.
For example, create a “safe IP” list encompassing countries, cities, or IP ranges. Additionally, take into account user group memberships and device sign-in conditions.
Refer to the “common signals” for a comprehensive list.
The next crucial step is to decide how your policies make decisions. Precisely, determine the conditions that allow or deny access.
Based on the signals, establish the conditions that warrant denying or permitting access. Moreover, if access is granted, decide whether additional authorization is required based on predetermined user or device signals.
For instance, you might require multifactor authentication (MFA), a “compliant” device status, or other specific conditions.
Once you have gathered the necessary information about signals and decisions, proceed to the next subsection to begin creating your Conditional Access policies.
Step 2: Create Conditional Access Policies Based on Signals and Decisions
Before implementing Azure AD Conditional Access policies, consider these nine policies that protect your Azure AD infrastructure. Moreover, you may find these best practices beneficial.
After considering those recommendations, proceed with the following steps to create a Conditional Access policy in the Azure Active Directory portal:
1. Open the Azure portal, portal.azure.com, and sign in.
2. Search for “conditional access” and open “Azure AD Conditional Access.”
3. Enter a descriptive name for the access policy. Then, configure the “Signals” by clicking on Users, Cloud apps or actions, and/or Conditions.
4. Next, configure the “Decisions” by clicking on “0 controls selected.”
Once you have finished setting up the new policy, Microsoft recommends using “Report only” to gather session information before eventually enabling the policy. Finally, click on Create to establish the new policy.
Step 3: Implement User Exclusions
Microsoft recommends excluding some user accounts to avoid tenant-wide lockouts. Specifically, emergency access (break-glass) accounts must be excluded.
Important service accounts and accounts used in scripts or code should also be excluded from your access policies.
To exclude the desired accounts, open the policy from the Azure AD Access Control page. Then, go to the Users section and click on the “Exclude” tab.
Finally, select the group, check the box, add the users to be excluded, and save the policy.
Step 4: Manage Azure AD Conditional Access
The Conditional Access policy has some standard settings you may need to configure. Find these settings under the Manage node.
Starting with “Named locations,” use this to create the lists of locations you want to reference when creating an access policy. For instance, you may create a “safe countries” list and a “blocked countries” list.
Then, use these lists in the Conditions -> Locations -> Include or Exclude section of a policy. The second screenshot below demonstrates how “named locations” are used in a Conditional Access policy.
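The policy that Steps 2 to 4 build in the portal (signals in, a grant decision out, report-only state, break-glass exclusion, named location), as an added example using the Microsoft Graph PowerShell SDK; this is not code from the article, and the exclusion group name, country codes and policy name are assumptions.

```powershell
# Added example, not from the original article. Requires the Microsoft.Graph PowerShell
# SDK, a P1/P2 licence and the Conditional Access Administrator role. The group name,
# country codes and policy name below are assumptions for illustration.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# Step 4: a "safe countries" named location that the policy uses as a location signal
# (ISO 3166-1 alpha-2 codes; the chosen countries are an assumption).
$safeCountries = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Safe countries"
    countriesAndRegions               = @("US", "GB", "DE")
    includeUnknownCountriesAndRegions = $false
}

# Step 3: the group holding emergency access and service accounts (assumed group name).
$breakGlass = Get-MgGroup -Filter "displayName eq 'CA-Exclusions-BreakGlass'"
if (-not $breakGlass) { throw "Create the exclusion group before applying the policy." }

# Step 2: signals (conditions) -> decision (grant controls), created in "Report only"
# state so sign-in logs show what the policy would have done before it is enforced.
$policy = @{
    displayName   = "CA-Require-MFA-Outside-Safe-Countries"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlass.Id)        # protects against tenant-wide lockout
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        locations      = @{
            includeLocations = @("All")
            excludeLocations = @($safeCountries.Id)  # the named location created above
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")                   # the "then": grant only with MFA
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '$($created.DisplayName)' ($($created.Id)) in state $($created.State)"
```

Switch the state to "enabled" only after the report-only results in the sign-in logs match what you expected.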
Step 5: Monitor Conditional Access with Sign-in and Audit Logs
Once you have configured Azure AD Conditional Access, it is essential to monitor user sign-ins and activities. This monitoring process provides valuable data for evaluating the impact of Conditional Access.
To monitor Conditional Access policies in Microsoft Azure AD, you utilize 2 logs: Sign-in Logs and Audit Logs. These logs are found in the “Monitoring” section of the Azure AD Conditional Access portal.
When accessing “Sign-in logs”, click “Columns” to configure the columns you require.
In addition to the “Sign-in logs,” also use the “Audit logs” to learn and analyse user behaviours. We highly recommend reading our article on Azure AD audit logs for a more comprehensive understanding of Azure Sign-in logs.
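The review of report-only results described in Step 5, as an added example that reads the sign-in logs through the Microsoft Graph PowerShell SDK; it is not code from the article, and the policy name and the 7-day window are assumptions.

```powershell
# Added example, not from the original article. Requires Microsoft.Graph PowerShell and
# the AuditLog.Read.All permission. The policy name and look-back window are assumptions.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$policyName = "CA-Require-MFA-Outside-Safe-Countries"   # assumed display name of the policy
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")

# Pull the last week of sign-ins; -All follows Graph's paging for you.
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# Every sign-in records the outcome of each Conditional Access policy evaluated against it.
# For a report-only policy the result is reportOnlySuccess, reportOnlyFailure or
# reportOnlyNotApplied; for an enforced policy it is success, failure or notApplied.
$rows = foreach ($s in $signIns) {
    $hit = $s.AppliedConditionalAccessPolicies | Where-Object { $_.DisplayName -eq $policyName }
    if ($hit) {
        [pscustomobject]@{
            When    = $s.CreatedDateTime
            User    = $s.UserPrincipalName
            App     = $s.AppDisplayName
            Country = $s.Location.CountryOrRegion
            Result  = $hit.Result
        }
    }
}

# Summary: how often the policy would have granted, blocked or not applied.
$rows | Group-Object Result | Select-Object Name, Count | Format-Table -AutoSize

# Detail: the sign-ins that would have been blocked once the policy is enforced,
# which is where break-glass, service or script accounts still missing from the
# exclusions show up before they cause an outage.
$rows | Where-Object Result -eq "reportOnlyFailure" |
    Sort-Object When -Descending |
    Format-Table When, User, App, Country -AutoSize
```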
Azure AD Conditional Access: Implement Access Policies & Controls Conclusion
This article provided a comprehensive overview of Azure AD Conditional Access and detailed guidance on implementing access policies and controls.
It began by explaining what Azure Active Directory Conditional Access is. It then outlined the subscription and role prerequisites for implementing this Azure AD security feature.
Moreover, we highlighted the benefits of implementing Conditional Access, emphasizing its role in enhancing security and mitigating risks associated with unauthorized access.
Lastly, the article provided step-by-step instructions on implementing Conditional Access and effectively applying access controls in Azure AD.