When you’re moving over to Microsoft 365 or Azure, you want to make sure your users’ data is protected and malicious access is prevented. With Azure AD Conditional Access, you can set up policies to decide when a user can or can’t access an application.
In this blog, I’ll talk about the possibilities you have with Conditional Access and in what situations this might be useful.
What is Azure AD Conditional Access?
A common example could be that you want to enforce Azure MFA; you only want to allow access to Microsoft Dynamics 365 when the user has MFA. When migrating to the cloud, it’s important you take the rights steps to protect your company assets. Conditional Access, part of Azure AD, can help you with this.
In the previous example, you want to enforce a policy based on the application that is being accessed. Microsoft describes this as being a Signal, this decides what triggers a certain Conditional Access policy. The following types of signals are available to you:
- User and Location; for example a Group, User, IP Address, Country, etc.
- Device; for example a mobile phone being managed from within Intune.
- Application; for example Exchange Online.
- Real-time risk; for example identify risky sign-in behavior using Azure AD Identity Protection.
The available signals can tell you more about when a certain policy should be enforced.
When using multiple services from within Microsoft 365, for example both Exchange Online, Azure AD and Intune, more signals are available to you. This is where the fun really starts and gives you more granular control of your Conditional Access policies. You might for example want to restrict access to only devices that comply to your Intune policy.
Based on the signal, you want to make a certain decision. You might want to block access when the application is being access from outside of the EU. A decision will be either block or allow access.
When allowing access, you still want this to be a bit more restrictive. With Conditional Access you can use one of the following options:
- Require multi-factor authentication.
- Require device to be marked as compliant.
- Require Hybrid Azure AD joined device.
- Require approved client app.
- Require app protection policy (preview).
What license do I need?
Azure AD Conditional Access is available to you If you’ve licensed your users for an Azure AD Premium P1 plan. If you want to make use of certain signals from Azure AD Identity Protection, you might want to go for Azure AD Premium Plan P2.
You can either license this as a standalone “add-on” but it also included in certain Microsoft 365 subscriptions. If you’re a business with less than 300 users, you might want to check out the Microsoft 365 Business subscriptions.
Demo: Getting started with Conditional Access
If you’re new to Conditional Access, you might want to start of with enforcing MFA for a certain application. In this example I’ll show you how to configure Conditional Access
- Log in to the Azure Portal
- Go to “Azure AD Conditional Access”, you can use the search bar this;
- Create a new policy
- First off, pick a name and click “Users and Groups” under “Assignments” to Include or Exclude certain users. It’s always a good thing to only include a test user at first, and Exclude your Admin Account or even an entire role. Make sure you do this, you don’t want to lock yourself out!
- Go to “Cloud apps or actions” and select what applications this policy should apply to. In my example I selected a single cloud app.
- If you’d like to be more granular, you can select more conditions (signals).
In my example I have not done this, but I highly recommend you checking this out..
- Next, click “Grant” and select “Grant Access” with “Require multi-factor authentication”.
- Select “On” if you’d like to enable the policy. If you do not want to enable the policy but only want to report, select “Report-only”. If you select “Report-only” here, you will be able to see this in the Azure Sign-in logs. Make sure to not lock yourself out!
Should I implement Conditional Access?
The short answer to this question, should always be “Yes!” to my opinion. Nowadays security risks are more and more a growing concern. Using just a username and password is no longer being considered safe. You want to make sure you protect your cloud environment in a proper way. Multi-factor authentication should be the least you configure but I highly recommend you checking out all the options you have with this.