- Automate offline servicing of Windows images with the PowerShell module OSDBuilder - Wed, Sep 15 2021
- Enroll Windows 10 machines in Microsoft Intune and manage them using the MDM interface - Thu, Sep 2 2021
- Securden's new Unified Privileged Access Management - Mon, Aug 30 2021
To create a Conditional Access policy for your Azure Active Directory (Azure AD), log in to the Azure Portal, and type in "conditional access." Select the resulting Azure AD Conditional Access in the search results.
Once you navigate to the Conditional Access configuration page, click the New policy button.
After naming the Conditional Access policy, the first area of configuration defines the users or groups to which the policy is assigned. You have the option to both Include and Exclude users. The radio buttons provide a granular selection process by enabling the selection of all users or users and groups. Choose the required users or groups from the list, and click the Select button.
Next, you can define the scope of the Conditional Access policy based on the applications used. The controls are similar to selecting users and groups. You can include or exclude applications in a granular fashion. Here, we are selecting Office 365 as the application to which the Conditional Access policy will apply.
The Conditions section provides options for IT admins to further scope the Conditional Access policy. Under the Conditions section, you can choose to apply the policy based on the following:
- Device platforms—Apply the policy to selected operating systems
- Locations—Apply the policy based on the IP range the end user is logging in from
- Client apps—Software the user is employing to access the cloud app
- Device state—Whether the device the user is signing in from is Hybrid Azure AD joined or marked as compliant
Below, we apply the policy based on the device platform being used. Note that you can include or exclude device platforms.
After applying the conditions you want to set for the Conditional Access policy, you can configure control over user access enforcement to block or grant access. For the Grant access option, many interesting settings can be applied. These include:
- Require multi-factor authentication
- Require device to be marked as compliant
- Require Hybrid Azure AD joined device
- Require approved client app
- Require app protection policy
We are setting the Grant access option and requiring multi-factor authentication for the end user accessing Office 365 with any device type.
The final section is the Session configuration. There, you can control user access based on session controls to enable limited experiences within specific cloud applications. The following settings are available:
- Use app enforced restrictions
- Use Conditional Access App Control
- Sign-in frequency
As shown below, the sign-in frequency determines the time set before the user is asked to log in again when attempting to access a resource.
After configuring the session settings, the policy is ready to be created. Under the Enable policy toggle, you can create the policy with the following:
- Report-only—Policy is created in monitor mode where policy violations are logged but not blocked
- On—The policy is turned on and enforced
- Off—The policy is created but turned off
Suppose you are using the Security defaults settings, which allow automatic creation and enforcement of the out-of-the-box policies that are considered best practice. In that case, you will see a warning that you need first to disable these security defaults before you start controlling your environment using customized Conditional Access policies.
You will not be able to turn your Conditional Access policy to On if you have not turned off the Security defaults setting in Azure Active Directory (Azure AD).
As a quick note, you can turn off the Security defaults settings in Azure Active Directory by navigating to the Azure Active Directory blade in your Azure portal. Select Properties > Manage Security defaults > Enable Security defaults. Change the setting to No if you want to use custom Conditional Access policies.
The Conditional Access policy is created successfully in Report-only mode.
Microsoft Azure Active Directory (Azure AD) Conditional Access policies provide an excellent way for businesses to extend security boundaries outside of the on-premises Active Directory environment. It allows securing end user connections to cloud applications, such as Office 365, and bolsters the security posture for the "work from anywhere" workforce.
Subscribe to 4sysops newsletter!
They support many granular options that can be applied to users, devices, locations, and sessions. As shown, creating Condition Access policies is straightforward and can be accomplished using the built-in wizard provided in Azure.