Active Directory & Office 365 Reporting Tool

Azure AD Conditional Access: Implement Access Policies & Controls. Are you familiar with Azure AD Conditional Access and interested in learning how to implement it? Please read on.

First, we explain the meaning of Azure AD Conditional Access. This gives you a clear understanding of the concept. Next, we discuss the specific roles and subscriptions required to access this Azure Active Directory security feature.

Then, we emphasize why many organizations choose to use Conditional Access. Finally, we provide step-by-step instructions for implementing Conditional Access.

What is Azure Active Directory Conditional Access?

Microsoft describes conditional access using 3 words: signals, decisions, and policies. Organizations consider signals to make decisions that drive access policies.

Decisions encompass actions such as blocking access, allowing access, or requiring additional authentication conditions. Policies enforce the signals and decisions.

So, Azure AD Access Control policy utilizes signals to make decisions while enforcing an organization’s policy.

Access Control policy at its core is an “if-then” statement. It evaluates a user’s access request and determines whether to grant, deny, or require further authentication.

A Conditional Access policy may evaluate user group membership, IP location, or device state signals. Then, it makes decisions like blocking access or granting access.

A policy may require additional authentication to grant access, such as 2FA or a compliant user device. Other conditions are also considered.

Typical policies may disallow users utilizing legacy authentications from signing in, block sign-in from specific locations, or block users identified as “risky” from signing in.

Later this article discusses signals, decisions, and policies and how to use them to plan your Azure AD Conditional Access policies.

Subscription & Role Prerequisites for Azure AD Conditional Access

Before utilizing this Azure AD security feature, you must ensure that your account fulfils 2 conditions.

First, you need to have an assigned Azure AD Premium P1 or P2 license. Alternatively, if you lack these licenses, you initiate a trial.

Second, depending on your intended task, your account must possess any of the following roles. If you plan to create or modify Conditional Access policies, you require the Conditional Access Administrator or Security Administrator roles.

However, the Security Reader or Global Reader role suffices, if your purpose is solely to read policies.

Regarding the requirements, follow these steps to verify, if your account meets the conditions:

1. Sign in to portal.azure.com and open Azure Active Directory.
2. The Overview tab displays the highest license applied to your account. 

3. To check your assigned roles, click “Role and admins.” View your role – see the highlighted portion of the second screenshot below. 

Why Implement Conditional Access

Organizations use Conditional Access to secure their resources. This Azure AD security feature enables businesses to control access for users, locations, and devices, deciding when to allow or deny access.

Additionally, Conditional Access safeguards application data by evaluating access requests based on predefined conditions and determining whether to permit sign-in requests. Another layer of protection is provided through device control.

By evaluating device health, Conditional Access helps organizations protect their infrastructure from vulnerable devices. To achieve this goal, it evaluates the device’s state and uses that information to decide whether to permit or refuse sign-in requests.

In summary, Azure AD Conditional Access policies protect infrastructure by actively assessing real-time risks across 3 layers: user context, device status, and application and data access.

How to Implement Conditional Access and Controls in Azure AD

To implement Conditional Access, you need to create a policy in Azure Active Directory. But first, complete preliminary planning tasks.

Firstly, familiarize yourself with the components of a Conditional Access policy. This knowledge aids in correctly preparing for policy implementation.

In addition, Microsoft suggests excluding certain Azure AD accounts from your policies.

In the upcoming subsections, we guide you through the steps for implementing Conditional Access policies in Azure Active Directory.

Step 1: Evaluate Signals, Decisions, and Decide Policies

Earlier, we explored how Azure AD Conditional Access combines signals and decisions to enforce organizational policies. To assist you in policy planning, your initial step is to identify the signals that need evaluation.

These signals may vary depending on your organization’s requirements, but there are common ones to consider. Begin by evaluating whether access management based on IP address location is necessary.

For example, create a “safe IP” list encompassing countries, cities, or IP ranges. Additionally, take into account user group memberships and device sign-in conditions.

Refer to the “common signals” for a comprehensive list.

Next crucial step is to decide how your policies make decisions. Precisely, determine conditions to allow or deny access.

Based on the signals, establish the conditions that warrant denying or permitting access. Moreover, if access is granted, decide whether additional authorization is required based on predetermined user or device signals.

For instance, you might require multifactor authentication (MFA), a “compliant” device status, or other specific conditions.

Once you have gathered the necessary information about signals and decisions, proceed to the next subsection to begin creating your Conditional Access policies.

Try our Active Directory & Office 365 Reporting & Auditing Tools

Try us out for Free.  100’s of report templates available. Easily customise your own reports on AD, Azure AD & Office 355.

Step 2: Create Conditional Access Policies Based on Signals and Decisions

Before implementing Azure AD Conditional Access policies, consider these nine policies that protect your Azure AD infrastructure. Moreover, you may find these best practices beneficial.

After considering those recommendations, proceed with the following steps to create a Conditional Access policy in the Azure Active Directory portal:

1. Open the Azure portal, portal.azure.com, and sign in.
2. Search “conditional access” and open “Azure AD Conditional Access.”

3. Then, on the Overview page, click “+ create new policy.” 

4. Finally, complete the configurations on the New Conditional Access policy page. See the information below this screenshot for details. 

Start by entering a descriptive name for the access policy. Then, configure the “Signals” by clicking on Users, Cloud apps or actions, and/or Conditions.

Next, configure the “Decisions” by clicking on “0 controls selected” (labelled 3).

Once you have finished setting up the new policy, Microsoft recommends using “Report only” to gather session information before eventually enabling the policy. Finally, click on Create to establish the new policy.

Step 3: Implement User Exclusions

Microsoft recommends excluding some user accounts to avoid tenant wide lockouts. Specifically, Emergency access access accounts must be excluded.

Important service accounts and accounts used in scripts or codes should also be excluded from your access policies.

To exclude the desired accounts, open the policy from the Azure AD Access Control page. Then, go to the Users section and click on the “Exclude” tab.

Finally, select the group, check the box, add the users to be excluded, and save the policy.

Step 4: Manage Azure AD Conditional Access

The conditional Access Policy has some standard settings you may need to configure. Find these settings under the Manage node.

Starting with “Named locations,” use this to create a list of locations you want to use when creating an access policy. For instance, you may create “safe countries” and a “blocked countries” lists.

Then, use these lists in Conditions -> Locations -> Include or Exclude section of a policy. The second screenshot below demonstrates how “named locations” are used in a Conditional Access policy.  

Apart from named locations, security admins configure “Custom controls.” This feature (still in preview), when we wrote this article in May 2023, allows the creation of conditional controls using JSON. 

Other features of Azure AD Conditional Access available for configuration are “Terms of use”, “VPN connectivity,” “Authentication context,” and  “Authentication strengths.”

Step 5: Monitor Conditional Access with Sign-in and Audit Logs

Once you have configured Azure AD Conditional Access, it is essential to monitor user sign-ins and activities. This monitoring process provides valuable data for evaluating the impact of Conditional Access.

To monitor Conditional Access policies in Microsoft Azure AD, you utilize 2 logs: Sign-in Logs and Audit Logs. These logs are found in the “Monitoring” section of the Azure AD Conditional Access portal.

When accessing “Sign-in logs”, click “Columns” to configure the columns you require.

After the “Columns” flyout is displayed, check the relevant columns for monitoring Conditional Access policies. Once you have finished, click “Save.”

For example, I selected the User, IP address, Location, and Conditional Access columns to analyse the user’s sign-in based on these parameters. 

In addition to the “Sign-in logs,” also use the “Audit logs” to learn and analyse user behaviours. We highly recommend reading our article on Azure AD audit logs for a more comprehensive understanding of Azure Sign-in logs.

Azure AD Conditional Access: Implement Access Policies & Controls Conclusion

This article provided a comprehensive overview of Azure AD Conditional Access and detailed guidance on implementing access policies and controls.

It began by explaining what Azure Active Directory Conditional Access is. It then outlined the subscription and role prerequisites for implementing this Azure AD security feature.

Moreover, we highlighted the benefits of implementing Conditional Access, emphasizing its role in enhancing security and mitigating risks associated with unauthorized access.

Lastly, the article provided step-by-step instructions on implementing Conditional Access and effectively applying access controls in Azure AD.


Try InfraSOS for FREE

Invite your team and explore InfraSOS features for free

Victor Ashiedu

Victor Ashiedu

Victor is an IT pro based in Manchester, UK. With over 22 years of experience managing Windows Server, Active Directory, and Powershell, and 7 years of expertise in Azure AD and Office 365, he's a seasoned expert in his field. When he's not working, he loves spending time with his family - a wife and a 5-year-old. Victor is passionate about helping businesses succeed in today's fast-changing tech landscape.

Leave a comment

Your email address will not be published. Required fields are marked *