Microsoft Conditional Access is an Azure Active Directory (Azure AD) feature that evaluates every sign-in against conditions such as who the user is, which application is requested, what device is used, and where the connection comes from, and then grants access, blocks it, or requires an additional control such as multi-factor authentication. This lets businesses restrict access to cloud resources depending on the circumstances of a remote worker's connection, which makes it a key control for a "work from anywhere" workforce. Conditional Access requires Azure AD Premium licensing (P1 or higher). This article shows you how to define such a policy.

To create a Conditional Access policy for your Azure Active Directory (Azure AD), log in to the Azure Portal, and type in "conditional access." Select the resulting Azure AD Conditional Access in the search results.

Accessing Conditional Access in the Azure portal

Once you navigate to the Conditional Access configuration page, click the New policy button.

Creating a new Conditional Access policy

After naming the Conditional Access policy, the first configuration area, Users and groups, defines to whom the policy is assigned. You can both Include and Exclude users. The radio buttons let you select either All users or specific Users and groups. Choose the required users or groups from the list and click Select. Exclude at least one emergency access (break-glass) account from every policy that blocks access or requires MFA; otherwise a misconfigured policy, or an outage of the MFA provider, can lock all administrators out of the tenant. It is also common to exclude the account you use to test the policy until you have confirmed it behaves as intended.

Select the users or groups to which you want to apply the Conditional Access policy

Next, define the scope of the policy based on the cloud apps being accessed. The controls mirror the user selection: you can include or exclude applications individually. Here we select Office 365 as the application to which the Conditional Access policy will apply.

Select the apps to which you want to apply the Conditional Access policy

The Conditions section lets IT admins narrow the policy further. Under Conditions, you can apply the policy based on the following:

  • Device platforms—Apply the policy only to selected operating systems
  • Locations—Apply the policy based on the named location (IP range or country) the end user is signing in from
  • Client apps—The software the user employs to access the cloud app (browser, mobile and desktop clients, or legacy authentication clients)
  • Device state—Whether the device the user is signing in from is Hybrid Azure AD joined or marked as compliant

Below, we apply the policy based on the device platform being used. Note that you can include or exclude device platforms.

Select the conditions under which to apply the Conditional Access policy

After setting the conditions for the Conditional Access policy, you configure the access controls under Grant, where you either Block access or Grant access. Grant access can be made conditional on one or more of the following controls:

  • Require multi-factor authentication
  • Require device to be marked as compliant
  • Require Hybrid Azure AD joined device
  • Require approved client app
  • Require app protection policy

We are setting the Grant access option and requiring multi-factor authentication for any end user accessing Office 365 from any device platform. If you select more than one control, you also choose whether the user must satisfy one of the selected controls or all of them.

Control user access enforcement

The final section is the Session configuration. There, you can control user access based on session controls to enable limited experiences within specific cloud applications. The following settings are available:

  • Use app enforced restrictions
  • Use Conditional Access App Control
  • Sign-in frequency

As shown below, the sign-in frequency defines how much time may pass before the user is asked to authenticate again when accessing the resource, overriding the tenant-wide default.

Control user access based on session controls

After configuring the session settings, the policy is ready to be created. The Enable policy toggle lets you create it in one of three states:

  • Report-only—The policy is evaluated for every sign-in and the result is recorded in the sign-in logs, but nothing is enforced; use this to see whom the policy would affect before turning it on
  • On—The policy is turned on and enforced
  • Off—The policy is created but not evaluated

If Security defaults are enabled (the out-of-the-box baseline that automatically enforces Microsoft's recommended protections, such as MFA for all users and blocking legacy authentication), the portal warns you that you must disable them before you can control your environment with customized Conditional Access policies.

You cannot turn a Conditional Access policy On while Security defaults are enabled in Azure Active Directory (Azure AD). Before you disable them, make sure your own policies cover what security defaults covered, at a minimum requiring MFA for administrators; otherwise the tenant ends up with less protection than before.

Define the policy enablement mode

As a quick note, you can turn off Security defaults by navigating to the Azure Active Directory blade in the Azure portal and selecting Properties > Manage Security defaults > Enable Security defaults. Change the setting to No if you want to use custom Conditional Access policies.

Turning off security defaults for Azure Active Directory

The Conditional Access policy is created successfully in Report-only mode. Review its results under Azure AD > Sign-in logs (the Report-only tab of each sign-in's Conditional Access details) for a few days, confirm that only the intended users and apps are matched, and then switch the policy to On.

Conditional Access policy successfully created in Report only mode
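The same policy can be created without clicking through the portal. The following script is an added example, not part of the original article, and uses the Microsoft Graph PowerShell SDK. It first checks that Security defaults are off (the prerequisite discussed above), then builds the policy from the walkthrough: a target group, the Office 365 app group, all platforms, an MFA grant control, a one-day sign-in frequency, and Report-only state. The group name "Remote Workers" and the break-glass account "breakglass@contoso.onmicrosoft.com" are placeholders you must replace with objects from your own tenant.

```powershell
# Added example (not from the original article): create the article's policy with
# the Microsoft Graph PowerShell SDK instead of the portal.
# Assumes the Microsoft.Graph module is installed and the signed-in account can
# write Conditional Access policies. Group and account names are placeholders.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Users

# Policy.ReadWrite.ConditionalAccess creates the policy; Policy.Read.All reads the
# security defaults policy; the two *.Read.All scopes resolve the group and user.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                        "Group.Read.All", "User.Read.All"

# 1. Security defaults and custom Conditional Access policies are mutually exclusive.
#    Stop here rather than creating a policy that can never be switched On.
$securityDefaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($securityDefaults.IsEnabled) {
    throw "Security defaults are enabled. Disable them (Azure AD > Properties > Manage Security defaults) first."
}

# 2. Resolve the target group and the emergency access account (placeholder names).
$targetGroup = Get-MgGroup -Filter "displayName eq 'Remote Workers'"
$breakGlass  = Get-MgUser  -Filter "userPrincipalName eq 'breakglass@contoso.onmicrosoft.com'"
if (-not $targetGroup -or -not $breakGlass) {
    throw "Target group or break-glass account not found; fix the placeholders before continuing."
}

# 3. Build the policy body. The Graph property names map onto the portal sections:
#    conditions.users / applications / platforms / clientAppTypes, grantControls,
#    sessionControls and state.
$policy = @{
    displayName = "Require MFA for Office 365 (remote workers)"
    # Report-only first; change to "enabled" after reviewing the sign-in logs.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @($targetGroup.Id)
            excludeUsers  = @($breakGlass.Id)   # never lock out the break-glass account
        }
        applications   = @{ includeApplications = @("Office365") }  # built-in Office 365 app group
        platforms      = @{ includePlatforms = @("all") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"      # "Require one of the selected controls"; "AND" requires all
        builtInControls = @("mfa")  # others: compliantDevice, domainJoinedDevice,
                                    # approvedApplication, compliantApplication, block
    }
    sessionControls = @{
        signInFrequency = @{ isEnabled = $true; value = 1; type = "days" }
    }
}

# 4. Create the policy and show what Azure AD stored.
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State
```

Keeping the policy definition in a hashtable like this makes it easy to store in source control and to re-create in a test tenant; switching it to enforcement later is a single `Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }` call after the report-only results have been reviewed.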

Microsoft Azure Active Directory (Azure AD) Conditional Access policies provide an excellent way for businesses to extend their security boundary beyond the on-premises Active Directory environment. They secure end-user connections to cloud applications, such as Office 365, and bolster the security posture of the "work from anywhere" workforce.

They support many granular options that can be applied to users, devices, locations, and sessions. As shown, creating Conditional Access policies is straightforward and can be accomplished with the built-in wizard in the Azure portal.

2 Comments
  1. infranerd 3 months ago

    I suppose Conditional Access comes only with an Azure Active Directory Premium subscription.


© 4sysops 2006 - 2021
