Expand your knowledge of Azure AD Conditional Access policies

More cloud means a lot of things, including more opportunity and flexibility. But it also means more IT headaches.

The services and data managed by modern IT departments are very different from just a few years ago. Most enterprises have workloads, applications, and services that exist on-premises and in the cloud, or even in multiple clouds. Employees work wherever they have Internet access. Asset protection becomes more difficult as users have an ever-growing list of access methods. Conditional Access in Azure Active Directory (Azure AD) gives IT a way to keep control over a growing estate: a set of policies that require users to meet defined conditions, or complete approved actions such as MFA, before they can reach an application. Azure AD also decides, from a combination of signals, when a sign-in needs additional verification. Building policies from multiple conditions gives administrators a layered approach to access control.

Changing times require updated security practices

It is no longer acceptable to rely on blanket assumptions when granting access to resources. A coarse rule such as blocking every sign-in from the Asia-Pacific region is no longer workable when employees travel and work from anywhere. Businesses need the flexibility to handle a far wider range of sign-in combinations.

The company may require a different level of authentication when a user signs in from a phone rather than from a company laptop. For compliance reasons, the management team may be subject to stricter controls than frontline workers. And access attempts from known, trusted networks can still be a threat because of phishing and compromised credentials.

These factors add up to dynamic environments in which no single set of rules can govern access. Organizations need to decide whether each sign-in attempt is legitimate or a threat, and Azure AD Conditional Access policies let enterprises evaluate sign-ins in real time to stop potential threats.

What is Azure AD Conditional Access?

Azure AD Conditional Access is a set of policies evaluated after the first factor of authentication has already succeeded; a sign-in with a wrong password never reaches them. Each policy is a set of requirements that results in access being granted, granted only with extra controls such as multi-factor authentication (MFA), or blocked. Policies use “signals” from many sources: common criteria such as the user’s group membership in Azure AD and the application being accessed, but also other data such as the location of the public IP address or the device platform.

Conditional Access policies can also consume real-time risk data from Azure AD Identity Protection (which requires an Azure AD Premium P2 license) and from Microsoft Defender for Cloud Apps, formerly Microsoft Cloud App Security, to determine the risk level of each access attempt. If the risk level reaches the threshold a policy selects, Azure AD demands additional verification or denies the sign-in.

How Conditional Access policies work

To picture how these policies work, think of an if-then statement in programming. If a user wants to access a resource, then they must meet a set of conditions and/or complete an approved action. For example, you can limit access to an HR app to HR staff who sign in from Azure AD-joined devices. You can limit access to a payroll application to known corporate IP address ranges and require multi-factor authentication (MFA). There are many possible combinations of requirements for a single user or a single application, and multiple policies can apply to the same cloud resource; when they do, all of them must be satisfied, and a block in any one of them wins.

Beyond static rules, Azure AD can also enforce MFA for sign-ins that raise a security red flag, provided a risk-based policy is configured. For example, if I normally sign in from an address in the United States, Azure AD may require additional verification when it sees an access attempt from another country. It can also outright deny a sign-in from an IP address known to belong to a bad actor.

How to develop a Conditional Access policy in Azure AD

The console for setting up a Conditional Access policy is simple to understand.

First, create a policy and set its assignments: the users, applications and conditions the policy applies to. The “Users and groups” assignment lets you include or exclude specific users, groups and directory roles, and covers guests and external users. Always exclude at least one break-glass account so that a mistaken policy cannot lock every administrator out. The “Cloud apps” assignment targets a single app, a group of apps, or all apps in your Azure AD tenant.

From there, the choices get interesting.

The Azure AD Conditional Access section of the portal offers various rules and requirements that must be met to grant access.

Configuring conditions in a policy

A policy’s conditions narrow down when it applies, whether it then grants access with extra controls or blocks the sign-in. In the assignments part of the policy, you can define several specific conditions.

[Screenshot: conditions to control access] A policy’s conditions consist of several parameters, including user risk and locations.

For example, a policy can use the “user risk” and “sign-in risk” conditions to weigh how likely a sign-in is to be legitimate. Sign-in risk draws on several signals, including anonymous IP addresses (VPN exits or the Tor network), IP addresses associated with malware, suspicious browser clients, and sign-in properties that do not match the user’s previous sign-ins.

Microsoft determines user risk from leaked credentials and Azure AD threat intelligence. Both the user risk and the sign-in risk conditions are configured by selecting one or more levels from low, medium, and high; the policy applies when the detected risk matches a selected level, so selecting only High applies it to high-risk sign-ins, while selecting Medium and High covers both.

Policies can apply to all device platforms or be scoped to, or exclude, specific ones. Azure AD Conditional Access recognises Android, iOS, Windows Phone, Windows, and macOS devices from the browser or client user-agent string. Because a client can alter its user-agent string, the platform condition is not a security boundary on its own; treat it as a filter and pair it with Intune device compliance, or with the device filter described below, in any policy that actually gates access.

Location is another condition. Named locations are defined by public IP address ranges (in CIDR form) or by country/region, which Azure AD determines from the IP address or, with the Microsoft Authenticator app, from GPS coordinates; sign-ins whose country cannot be determined fall under “unknown countries/regions”. For an organization with several field offices, you can mark the offices’ egress addresses as trusted and limit a sensitive application to those ranges.
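The if-then model above, together with the risk, platform and location conditions just described, as an added example that is not from the article or from Microsoft: a small Python model that evaluates one sign-in against a set of policies written in the shape of the Microsoft Graph conditionalAccessPolicy resource (the field names, the "All" location id and the enabledForReportingButNotEnforced state are Graph's own). The policy names, group and app ids, IP ranges and sign-ins are constructed, the HR policy uses the compliantDevice grant control rather than the Azure AD-joined requirement mentioned earlier, and the engine is a teaching simplification: it ignores grantControls.operator and the many other signals a real tenant has.

```python
"""Simplified model of how Azure AD evaluates Conditional Access policies for one sign-in.

Added example, not Microsoft's code. Policies are written in the shape of the
Microsoft Graph conditionalAccessPolicy resource (conditions -> grantControls).
The evaluation rules follow the documented behaviour: every configured condition
of a policy must match, every matching enabled policy applies, and a 'block'
control beats everything else. The ids, groups, ranges and sign-ins below are
constructed, and the engine ignores grantControls.operator and many real signals.
"""
import ipaddress

# Constructed named locations: id -> public IP ranges the tenant would define as trusted.
NAMED_LOCATIONS = {"loc-corp": ["203.0.113.0/24", "198.51.100.0/25"]}

# Constructed policies; grp-*/app-*/loc-* are placeholders for directory object ids.
POLICIES = [
    {"displayName": "Payroll: block outside corporate network", "state": "enabled",
     "conditions": {"users": {"includeGroups": ["grp-finance"],
                              "excludeUsers": ["breakglass@contoso.example"]},
                    "applications": {"includeApplications": ["app-payroll"]},
                    "locations": {"includeLocations": ["All"], "excludeLocations": ["loc-corp"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Payroll: require MFA", "state": "enabled",
     "conditions": {"users": {"includeGroups": ["grp-finance"]},
                    "applications": {"includeApplications": ["app-payroll"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "HR app: compliant device only", "state": "enabled",
     "conditions": {"users": {"includeGroups": ["grp-hr"]},
                    "applications": {"includeApplications": ["app-hr"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
    {"displayName": "Medium or high sign-in risk: require MFA", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]},
                    "signInRiskLevels": ["medium", "high"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "High user risk: block", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]},
                    "userRiskLevels": ["high"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Mobile platforms: block", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]},
                    "platforms": {"includePlatforms": ["android", "iOS"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]


def in_location(ip, location_id):
    """True if ip is inside the named location; the built-in id 'All' matches every address."""
    if location_id == "All":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in NAMED_LOCATIONS[location_id])


def policy_matches(policy, s):
    """Every configured condition must match the sign-in; exclusions always beat inclusions."""
    c, groups = policy["conditions"], set(s["groups"])
    users = c.get("users", {})
    if s["user"] in users.get("excludeUsers", []) or groups & set(users.get("excludeGroups", [])):
        return False
    if not ("All" in users.get("includeUsers", []) or s["user"] in users.get("includeUsers", [])
            or groups & set(users.get("includeGroups", []))):
        return False
    apps = c.get("applications", {})
    if s["app"] in apps.get("excludeApplications", []):
        return False
    if not ("All" in apps.get("includeApplications", []) or s["app"] in apps.get("includeApplications", [])):
        return False
    plat = c.get("platforms")
    if plat and (s["platform"] in plat.get("excludePlatforms", []) or not (
            "all" in plat.get("includePlatforms", []) or s["platform"] in plat.get("includePlatforms", []))):
        return False
    loc = c.get("locations")
    if loc and (any(in_location(s["ip"], l) for l in loc.get("excludeLocations", []))
                or not any(in_location(s["ip"], l) for l in loc.get("includeLocations", []))):
        return False
    # Risk conditions: the policy applies only when the detected level is one of the selected levels.
    if c.get("signInRiskLevels") and s["signInRisk"] not in c["signInRiskLevels"]:
        return False
    if c.get("userRiskLevels") and s["userRisk"] not in c["userRiskLevels"]:
        return False
    return True


def evaluate_sign_in(s, policies=POLICIES):
    """Combine every matching policy: a block from any enforced policy wins; otherwise the
    user must satisfy the union of the grant controls (operator is treated as AND here)."""
    applied, report_only, controls = [], [], set()
    for p in policies:
        if p["state"] == "disabled" or not policy_matches(p, s):
            continue
        if p["state"] == "enabledForReportingButNotEnforced":
            report_only.append(p["displayName"])  # logged as report-only, never enforced
            continue
        applied.append(p["displayName"])
        controls |= set(p["grantControls"]["builtInControls"])
    return {"decision": "block" if "block" in controls else "grant",
            "controls": sorted(controls - {"block"}),
            "applied": applied, "reportOnly": report_only}


def sign_in(user, groups, app, ip, platform="windows", sign_in_risk="none", user_risk="none"):
    """A constructed sign-in carrying the signals the policies above look at."""
    return {"user": user, "groups": groups, "app": app, "ip": ip, "platform": platform,
            "signInRisk": sign_in_risk, "userRisk": user_risk}
```

Two things are worth noticing when you run sign-ins through it: the break-glass account is excluded from the payroll block policy but still picks up the MFA policy, which is the exclusion behaviour to check for every emergency account, and the report-only platform policy appears under reportOnly without changing the decision, which is how a new policy's impact is measured before it is switched to enabled.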

Filter access to privileged resources

A newer feature called “filter for devices” lets a policy include or exclude devices that match a rule built from device properties (such as device ID, ownership, compliance state or an extension attribute), which is ideal for restricting access to sensitive applications to a defined set of machines, for example privileged access workstations.

The following screenshot shows a policy that allows only one machine to connect to a specific application, an example of how granular a policy can be when protecting particular assets.

[Screenshot: filter for devices policy] This device filter restricts access to an application by limiting it to a single machine.
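The device filter shown in the screenshot, as an added example that is not from the article or from Microsoft: a Python evaluator for the rule syntax Azure AD stores in a policy's conditions.devices.deviceFilter (device.<property> -<operator> value, combinable with and/or and parentheses) and for the filter's include/exclude mode. The device records, GUIDs and rules are constructed; deviceId, trustType, isCompliant and extensionAttribute1 are properties the filter supports, but the exact, case-sensitive string comparison used here is an assumption to check against the documented semantics before relying on it.

```python
"""Evaluate Conditional Access 'filter for devices' rules against device records.
Added example, not Microsoft's code: it parses the documented rule syntax
(device.<property> -<operator> value, combined with and/or and parentheses) for
the common operators and applies a filter's include/exclude mode. Device records,
ids and rules are constructed; string comparison is exact here, an assumption to
check against the documented semantics before relying on it."""
import json
import re

TOKEN_RE = re.compile(
    r'\s*(?:(?P<lp>\()|(?P<rp>\))|(?P<kw>and|or)(?=[\s(])|(?P<prop>device\.\w+)'
    r'|(?P<op>-\w+)|"(?P<str>[^"]*)"|(?P<bool>True|False)|(?P<list>\[[^\]]*\]))', re.IGNORECASE)


def tokenize(rule):
    """Split a rule into (kind, value) tokens; anything outside the grammar is an error."""
    tokens, pos, rule = [], 0, rule.strip()
    while pos < len(rule):
        m = TOKEN_RE.match(rule, pos)
        if not m:
            raise ValueError(f"cannot parse rule near {rule[pos:pos + 20]!r}")
        pos, kind, text = m.end(), m.lastgroup, m.group(m.lastgroup)
        if kind == "prop":
            tokens.append(("prop", text[len("device."):]))
        elif kind in ("str", "bool", "list"):  # literal: string, True/False, or a JSON list for -in
            tokens.append(("val", text if kind == "str" else json.loads(text) if kind == "list"
                           else text.lower() == "true"))
        else:
            tokens.append((kind, text.lower()))
    return tokens


def parse(rule):
    """Recursive descent: expr := term ('or' term)*; term := factor ('and' factor)*;
    factor := '(' expr ')' | device.<prop> -<op> value. Returns a nested tuple tree."""
    toks, pos = tokenize(rule) + [(None, None)], [0]  # (None, None) marks the end

    def take(kind=None):  # consume the next token, checking its kind when one is given
        tok = toks[pos[0]]
        if kind and tok[0] != kind:
            raise ValueError(f"expected {kind} but found {tok}")
        pos[0] += 1
        return tok[1]

    def chain(keyword, operand):  # operand (keyword operand)*, left-associative
        node = operand()
        while toks[pos[0]] == ("kw", keyword):
            pos[0] += 1
            node = (keyword, node, operand())
        return node

    def factor():
        if toks[pos[0]][0] == "lp":
            take()
            node = expr()
            take("rp")
            return node
        return ("cmp", take("prop"), take("op"), take("val"))

    def expr():
        return chain("or", lambda: chain("and", factor))

    tree = expr()
    if toks[pos[0]][0] is not None:
        raise ValueError(f"unexpected token {toks[pos[0]]} after end of rule")
    return tree


def compare(actual, op, expected):
    """One comparison; a property missing from the record never matches."""
    if actual is None:
        return False
    ops = {"-eq": lambda: actual == expected, "-ne": lambda: actual != expected,
           "-in": lambda: actual in expected, "-notin": lambda: actual not in expected,
           "-contains": lambda: expected in actual, "-notcontains": lambda: expected not in actual,
           "-startswith": lambda: actual.startswith(expected), "-endswith": lambda: actual.endswith(expected)}
    try:
        return bool(ops[op]())  # -contains: substring for strings, membership for multi-valued properties
    except (KeyError, AttributeError, TypeError) as exc:
        raise ValueError(f"cannot apply {op} to {actual!r} and {expected!r}") from exc


def evaluate_rule(tree, device):
    """Walk the tree against a dict of device properties as the directory stores them."""
    if tree[0] == "cmp":
        return compare(device.get(tree[1]), tree[2], tree[3])
    left, right = evaluate_rule(tree[1], device), evaluate_rule(tree[2], device)
    return (left and right) if tree[0] == "and" else (left or right)


def policy_targets_device(device_filter, device):
    """'include' targets matching devices; 'exclude' targets every other device, including
    (as documented) sign-ins with no device record at all, passed here as None."""
    matches = device is not None and evaluate_rule(parse(device_filter["rule"]), device)
    return matches if device_filter["mode"] == "include" else not matches


# Constructed device records and filters; the GUIDs are placeholders, not real device ids.
PAW = {"deviceId": "11111111-1111-1111-1111-111111111111", "displayName": "PAW-ADMIN-01", "trustType": "AzureAD",
       "isCompliant": True, "operatingSystem": "Windows", "extensionAttribute1": "PAW"}
BYOD = {"deviceId": "22222222-2222-2222-2222-222222222222", "displayName": "Bobs-iPhone", "trustType": "Workplace",
        "isCompliant": False, "operatingSystem": "iOS"}
ONE_MACHINE = {"mode": "include", "rule": 'device.deviceId -eq "11111111-1111-1111-1111-111111111111"'}
PAW_ONLY = {"mode": "include", "rule": '(device.trustType -eq "AzureAD" and device.isCompliant -eq True) '
                                       'or device.extensionAttribute1 -eq "PAW"'}
```

The exclude-mode behaviour is the caveat to test for: a policy that excludes compliant devices still applies to a sign-in that carries no device record at all, so "exclude my managed fleet" does not quietly open the door to unregistered machines.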

The Azure AD portal offers extensive filtering capabilities

For most organizations, adopting Conditional Access is an incremental step rather than a new platform, since many already run multiple cloud applications, such as Office 365, Salesforce, and Workday, behind Azure AD sign-in.

A little perspective here may help: my organization has over 700 cloud applications and 20,000 users. We use Conditional Access extensively, but to get started we had to put a lot of policies in place, test the impact, and then scale. We now have around 25 Conditional Access policies to cover the range of applications we protect.

The Azure AD portal also has extensive capabilities for seeing which Conditional Access policies were applied to each sign-in attempt, and with what result. Microsoft captures detailed sign-in information for every user and device, including what happened and when. Comprehensive filtering and sorting lets you find activity by user, time window, application, IP address, and sign-in success or failure with little effort.

[Screenshot: filtering Azure AD sign-in attempts] The Azure AD portal gives IT an accurate way to review sign-in attempts with its extensive filtering capabilities.
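The sign-in log filtering described above, and the "test the impact" step that precedes enforcing a policy, as an added example that is not the article's or Microsoft's code: the records are constructed in the shape of the Microsoft Graph signIn resource, which is the data behind the portal's sign-in blade and GET /auditLogs/signIns, trimmed to the fields used. The users, apps and addresses are made up; the error codes 53003 (blocked by Conditional Access) and 50126 (invalid username or password) and the result values such as reportOnlyFailure are the real ones.

```python
"""Filter Azure AD sign-in log records and summarise Conditional Access outcomes.

Added example, not the article's or Microsoft's code. The records are constructed
in the shape of the Microsoft Graph signIn resource (the data behind the portal's
sign-in blade and GET /auditLogs/signIns), trimmed to the fields used here; the
error codes 53003 (blocked by Conditional Access) and 50126 (bad password) are
real AADSTS codes, the users, apps and addresses are made up.
"""
from collections import Counter
from datetime import datetime, timezone
import ipaddress

RISK_ORDER = ["none", "low", "medium", "high"]  # other values (e.g. "hidden") never satisfy min_risk

SIGN_INS = [  # constructed sample records
    {"createdDateTime": "2023-03-06T08:02:11Z", "userPrincipalName": "alice@contoso.example",
     "appDisplayName": "Payroll", "ipAddress": "203.0.113.10", "riskLevelDuringSignIn": "none",
     "status": {"errorCode": 0}, "conditionalAccessStatus": "success",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Payroll: require MFA", "result": "success"},
         {"displayName": "Mobile platforms: block", "result": "reportOnlyNotApplied"}]},
    {"createdDateTime": "2023-03-06T21:40:03Z", "userPrincipalName": "alice@contoso.example",
     "appDisplayName": "Payroll", "ipAddress": "192.0.2.77", "riskLevelDuringSignIn": "medium",
     "status": {"errorCode": 53003}, "conditionalAccessStatus": "failure",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Payroll: block outside corporate network", "result": "failure"},
         {"displayName": "Mobile platforms: block", "result": "reportOnlyNotApplied"}]},
    {"createdDateTime": "2023-03-07T09:15:40Z", "userPrincipalName": "bob@contoso.example",
     "appDisplayName": "Outlook", "ipAddress": "203.0.113.55", "riskLevelDuringSignIn": "none",
     "status": {"errorCode": 0}, "conditionalAccessStatus": "success",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Mobile platforms: block", "result": "reportOnlyFailure"}]},
    {"createdDateTime": "2023-03-07T09:20:02Z", "userPrincipalName": "carol@contoso.example",
     "appDisplayName": "Salesforce", "ipAddress": "198.51.100.5", "riskLevelDuringSignIn": "none",
     "status": {"errorCode": 50126}, "conditionalAccessStatus": "notApplied",  # bad password: CA never ran
     "appliedConditionalAccessPolicies": []},
    {"createdDateTime": "2023-03-07T13:05:27Z", "userPrincipalName": "dave@contoso.example",
     "appDisplayName": "Outlook", "ipAddress": "192.0.2.9", "riskLevelDuringSignIn": "high",
     "status": {"errorCode": 0}, "conditionalAccessStatus": "success",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Mobile platforms: block", "result": "reportOnlyFailure"}]},
]


def parse_time(value):
    """Graph timestamps are ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def filter_sign_ins(records, user=None, app=None, network=None, since=None, until=None,
                    succeeded=None, min_risk=None):
    """Mirror the portal's filters: user, application, IP range (CIDR), time window,
    success/failure and a minimum sign-in risk level."""
    net = ipaddress.ip_network(network) if network else None
    out = []
    for r in records:
        when, risk = parse_time(r["createdDateTime"]), r["riskLevelDuringSignIn"]
        if user and r["userPrincipalName"].lower() != user.lower():
            continue
        if app and r["appDisplayName"] != app:
            continue
        if net and ipaddress.ip_address(r["ipAddress"]) not in net:
            continue
        if (since and when < since) or (until and when > until):
            continue
        if succeeded is not None and (r["status"]["errorCode"] == 0) != succeeded:
            continue
        if min_risk and (risk not in RISK_ORDER or RISK_ORDER.index(risk) < RISK_ORDER.index(min_risk)):
            continue
        out.append(r)
    return out


def policy_outcomes(records):
    """Per policy, how often each result occurred: 'failure' is a real block, 'reportOnlyFailure'
    is what a report-only policy would have blocked had it been enforced."""
    counts = {}
    for r in records:
        for p in r["appliedConditionalAccessPolicies"]:
            counts.setdefault(p["displayName"], Counter())[p["result"]] += 1
    return counts


def report_only_impact(records):
    """Users a report-only policy would have blocked: the check to run before enabling it."""
    impact = {}
    for r in records:
        for p in r["appliedConditionalAccessPolicies"]:
            if p["result"] == "reportOnlyFailure":
                impact.setdefault(p["displayName"], set()).add(r["userPrincipalName"])
    return {name: sorted(users) for name, users in impact.items()}
```

Against a real tenant the same functions run over the output of Get-MgAuditLogSignIn or a Log Analytics export; the record with conditionalAccessStatus "notApplied" is the reminder that a failed first factor never reaches the policies, so a block count from policy_outcomes only covers sign-ins that got that far.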

Don’t let security fall behind after a cloud migration

Conditional Access policies give administrators a range of options that were not available in traditional on-premises networks, and let IT hold sign-ins to a much higher standard. Used together, MFA, real-time risk evaluation, extensive logging and device filtering give administrators reasonable confidence that they have done what they can to protect the business.

Donald E. Patel