Azure AD Conditional Access Policies - Walkthrough


Conditional Access Policies – (an Azure AD Premium P1 or P2 feature)

As the name suggests, a Conditional Access policy is a policy based on certain conditions that must be met to access your organization's resources or applications. If they are not met, the user has to satisfy additional challenges such as MFA or a password reset, or access is blocked.


Conditional Access policies are enforced after first-factor authentication has been completed. Conditional Access is not intended as an organization's first line of defense for scenarios like denial-of-service (DoS) attacks, but it can use signals from these events to determine access.



Based on the situations described below, a Conditional Access policy decides whether to grant or block access, and if access is granted, what else is needed to confirm that you are who you say you are.




Situations –

·        A user logging in from an unknown location or from outside the office.
·        Organizations can create trusted IP address ranges that are used when making policy decisions; if the request does not come from that range, the policy applies.
·        Users with devices of specific platforms, or devices marked with a specific state, can be targeted when enforcing Conditional Access policies.
·        Azure AD Identity Protection can trigger the policy on sign-in risk, and many more.



Conditional Access Policies – Decisions:

Block Access – Of course this is restrictive: use it if you don't want to provide access when the conditions are not met.

Grant Access – In this case, the user needs to fulfill certain conditions such as –

  • Require multi-factor authentication
  • Require device to be marked as compliant
  • Require Hybrid Azure AD joined device
  • Require approved client app
  • Require app protection policy (preview)


Commonly applied policies -

Many organizations have common access concerns that Conditional Access policies can help with such as:

  • Requiring multi-factor authentication for users with administrative roles
  • Requiring multi-factor authentication for Azure management tasks
  • Blocking sign-ins for users attempting to use legacy authentication protocols
  • Requiring trusted locations for Azure Multi-Factor Authentication registration
  • Blocking or granting access from specific locations
  • Blocking risky sign-in behaviors
  • Requiring organization-managed devices for specific applications


So, as discussed above, a Conditional Access policy is an if-then statement made up of Assignments and Access controls. A Conditional Access policy brings signals together to make decisions and enforce organizational policies. Let's create one and talk about all the components as we go.

Let's go to Azure Active Directory and click on Conditional Access as shown:-




Once you click Conditional Access you land on this page, which shows all the relevant components and an add button for a new policy. (Shown below)





Under Manage you will see Named locations, where you can define regions like your head office or branches along with their IP ranges as known or trusted locations, as shown below -





The next component is Terms of use, which provides a simple method that organizations can use to present information to end users. Click on Terms of use and then New terms.


Below is the template; you can even upload a PDF. To know more, click the link below -

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/terms-of-use




Now let's click on New policy at the top, check what options we have, and configure a policy that allows you to log in without MFA if you are in the head office and requires MFA if you are not.




Under Assignments we have the users and groups that you want the policy to apply to; you can choose all or selected users, and there is an option to exclude as well. Be cautious, because you can lock yourself out if you apply this to all users including your own account; that is what the highlighted exclamation at the bottom warns about.

The assignments portion controls the who, what, and where of the Conditional Access policy.
(below picture)




The second option is Cloud apps, where you choose the cloud applications that will be subject to the policy. Again, be cautious: if you choose all apps, this also includes the Azure portal.




Now it's time to define conditions, and there are multiple conditions to define here.
The first one is Sign-in risk, which comes from Azure AD Identity Protection; the risk detections generated there can influence your Conditional Access policies, as shown below -





Now it's time to define the locations -
Location data is provided by IP geolocation data. Administrators can define locations and mark some as trusted, such as their organization's network locations.
(below picture)





The next option is in preview - Client apps (shown below)

By default Conditional Access policies apply to browser apps, mobile apps, and desktop clients that support modern authentication.

This condition allows Conditional Access policies to target specific client applications that do not use modern authentication.






Now it's time to check the Device state, which is in preview -
This condition is used to exclude devices that are hybrid Azure AD joined or marked as compliant in Intune. With that exclusion in place, the policy can be used to block unmanaged devices.



Now that all conditions are defined, let's check the Access controls, i.e. Block access and Grant access.

The Grant control can trigger enforcement of one or more controls:
  • Require multi-factor authentication (Azure Multi-Factor Authentication)
  • Require device to be marked as compliant (Intune)
  • Require Hybrid Azure AD joined device
  • Require approved client app
  • Require app protection policy





Session controls can limit the experience:

  • Use app enforced restrictions
    • Currently works with Exchange Online and SharePoint Online only.
      • Passes device information to allow control of experience granting full or limited access.
  • Use Conditional Access App Control
    • Uses signals from Microsoft Cloud App Security to do things like:
      • Block download, cut, copy, and print of sensitive documents.
      • Monitor risky session behavior.
      • Require labeling of sensitive files.







What If - If you have worked with PowerShell, you will be aware of -WhatIf; the What If tool here is exactly the same idea: it checks whether the policy is built correctly and applied correctly to the users.




In the snippet below you can see, at the bottom, "Policies that would apply".
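As an added example (not part of the original post), here is a small Python model of the if-then evaluation described above: the head-office policy built in this post (no MFA from the trusted named location, MFA everywhere else, with a break-glass account excluded from Assignments), a second policy for the legacy-authentication case from the Client apps condition, and a what_if function that lists the policies that would apply to a given sign-in, the way the What If tool reports them. The CIDR range, account and app names are constructed for this example.

```python
import ipaddress

# Constructed data standing in for the portal objects in the walkthrough (assumptions:
# the head-office CIDR, the break-glass account and the app names are made up here).
NAMED_LOCATIONS = {"Head-Office": ["10.10.0.0/16"]}   # trusted named location
BREAK_GLASS = "breakglass@contoso.example"             # excluded so admins cannot lock themselves out

POLICIES = [
    {"displayName": "Require MFA outside head office", "state": "enabled",
     "users": {"include": ["All"], "exclude": [BREAK_GLASS]}, "apps": ["All"],
     "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
     "locations": {"include": ["All"], "exclude": ["Head-Office"]}, "grant": ["mfa"]},
    {"displayName": "Block legacy authentication", "state": "enabled",
     "users": {"include": ["All"], "exclude": [BREAK_GLASS]}, "apps": ["All"],
     "clientAppTypes": ["exchangeActiveSync", "other"],
     "locations": {"include": ["All"], "exclude": []}, "grant": ["block"]},
]

def in_named_location(ip, name):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in NAMED_LOCATIONS.get(name, []))

def location_in_scope(ip, scope):
    # An excluded named location wins over "All": that is how the trusted range is carved out.
    if any(in_named_location(ip, n) for n in scope["exclude"]):
        return False
    return "All" in scope["include"] or any(in_named_location(ip, n) for n in scope["include"])

def policy_applies(policy, signin):
    users = policy["users"]
    if policy["state"] != "enabled" or signin["user"] in users["exclude"]:
        return False
    if "All" not in users["include"] and signin["user"] not in users["include"]:
        return False
    if "All" not in policy["apps"] and signin["app"] not in policy["apps"]:
        return False
    if signin["clientAppType"] not in policy["clientAppTypes"]:
        return False
    return location_in_scope(signin["ip"], policy["locations"])

def what_if(signin):
    """Names of the policies that would apply to this sign-in, like the What If report."""
    return [p["displayName"] for p in POLICIES if policy_applies(p, signin)]

def decide(signin):
    """Block if any applying policy blocks; otherwise grant with the union of required controls."""
    controls = [c for p in POLICIES if policy_applies(p, signin) for c in p["grant"]]
    if "block" in controls:
        return "block"
    return "grant" if not controls else "grant:" + "+".join(sorted(set(controls)))
```

Running decide() on a browser sign-in from the head-office range returns a plain grant, the same sign-in from elsewhere returns grant with MFA, and a legacy client is blocked even from the office because the second policy matches on client app type.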






Alright folks, so we are at the end of this post. We learned what an Azure AD Conditional Access policy is, how to create and apply one, and what its components are. This post is not everything; it is just a pass-through, and if you want to know more please check the MS docs at the reference link below

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/




