Conditional access policy

What is a Conditional Access policy?

Conditional Access is the tool used by Azure Active Directory to bring signals together, to make decisions, and enforce organizational policies.

Conditional Access policies at their simplest are if-then statements: if a user wants to access a resource, then they must complete an action.

By using Conditional Access policies, you can apply the right access controls when needed to keep your organization secure, and stay out of your users' way when they are not needed.


Understand Conditional Access policy components


CA policies are if-then statements: If an assignment is met, then apply these access controls.

When configuring CA policies, conditions are called assignments. CA policies allow you to enforce access controls on your organization’s apps based on certain assignments.


Conditional Access: Conditions

Within a Conditional Access policy, an administrator can make use of signals from conditions like risk, device platform, or location to enhance their policy decisions. Multiple conditions can be combined to create fine-grained and specific Conditional Access policies.

Define a Conditional Access policy and specify conditions

Conditional Access: Grant

Within a Conditional Access policy, an administrator can make use of access controls to either grant or block access to resources.

Block access

Block access does just that: it blocks access under the specified assignments. The block control is powerful and should be wielded with the appropriate knowledge.

Grant access

The grant control can trigger enforcement of one or more controls.

  • Require multi-factor authentication (Azure Multi-Factor Authentication)
  • Require device to be marked as compliant (Intune)
  • Require Hybrid Azure AD joined device
  • Require approved client app
  • Require app protection policy

Administrators can choose to require one of the previous controls or all selected controls using the following options. The default for multiple controls is to require all.

  • Require all the selected controls (control and control)
  • Require one of the selected controls (control or control)


Conditional Access: Users and groups

A Conditional Access policy must include a user assignment as one of the signals in the decision process. Users can be included or excluded from Conditional Access policies.

User as a signal in the decisions made by Conditional Access


Conditional Access: Cloud apps or actions

Cloud apps or actions are a key signal in a Conditional Access policy. Conditional Access policies allow administrators to assign controls to specific applications or actions.

  • Administrators can choose from the list of applications that include built-in Microsoft applications and any Azure AD integrated applications including gallery, non-gallery, and applications published through Application Proxy.
  • Administrators may choose to define policy not based on a cloud application but on user action. The only supported action is Register security information (preview), allowing Conditional Access to enforce controls around the combined security information registration experience.

Define a Conditional Access policy and specify cloud apps


Create a Conditional Access policy

First, create a Conditional Access policy and assign your test group of users as follows:

  1. Sign in to the Azure portal using an account with global administrator permissions.

  2. Search for and select Azure Active Directory, then choose Security from the menu on the left-hand side.

  3. Select Conditional Access, then choose + New policy.

  4. Enter a name for the policy, for example, MFA Pilot.

  5. Under Assignments, choose Users and groups, then the Select users and groups radio button.

  6. Check the box for Users and groups, then Select to browse the available Azure AD users and groups.

  7. Browse for and select your Azure AD group, such as MFA-Test-Group, then choose Select.

    Select your Azure AD group to use with the Conditional Access policy

  8. To apply the Conditional Access policy for the group, select Done.


Configure the conditions for multi-factor authentication

With the Conditional Access policy created and a test group of users assigned, now define the cloud apps or actions that trigger the policy. These cloud apps or actions are the scenarios that you decide require additional processing, such as prompting for MFA. For example, you could decide that access to a financial application or use of management tools requires an additional verification prompt.

For example, configure the Conditional Access policy to require MFA when a user signs in to the Azure portal.

  1. Select Cloud apps or actions. You can choose to apply the Conditional Access policy to All cloud apps or Select apps. To provide flexibility, you can also exclude certain apps from the policy.

    For this tutorial, on the Include page, choose the Select apps radio button.

  2. Choose Select, then browse the list of available sign-in events that can be used.

    For this tutorial, choose Microsoft Azure Management so the policy applies to sign-in events to the Azure portal.

  3. To apply the selected apps, choose Select, then Done.

    Select the Microsoft Azure Management app to include in the Conditional Access policy

Access controls let you define the requirements for a user to be granted access, such as needing an approved client app or using a device that's Hybrid Azure AD joined. In this tutorial, configure the access controls to require MFA during a sign-in event to the Azure portal.

  1. Under Access controls, choose Grant, then make sure the Grant access radio button is selected.
  2. Check the box for Require multi-factor authentication, then choose Select.

Conditional Access policies can be set to Report-only if you want to see how the configuration would impact users, or Off if you don't want to use the policy right now. As a test group of users was targeted for this tutorial, let's enable the policy and then test Azure Multi-Factor Authentication.

  1. Set the Enable policy toggle to On.
  2. To apply the Conditional Access policy, select Create.
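The policy built through the portal steps above, together with the AND/OR grant-control options described under "Grant access", can be expressed and reasoned about outside the portal. The following is an added example, not code from the original article or from Microsoft: it writes the "MFA Pilot" policy in the shape Microsoft Graph uses for a conditionalAccessPolicy and adds a small evaluator that applies the if-then semantics (assignments, then access controls) to constructed sign-in events. The group and application IDs are constructed placeholders, and the `SignIn` type and `evaluate` function are this example's own, not a Graph API.

```python
"""
Added example, not part of the original article: the tutorial's "MFA Pilot"
policy written in the shape Microsoft Graph uses for a conditionalAccessPolicy,
plus a small evaluator that applies the if-then semantics described above
(assignments -> access controls) to constructed sign-in events.
All object IDs are constructed placeholders, not values from a real tenant.
"""
from dataclasses import dataclass

# Constructed placeholder IDs; substitute the group and app IDs from your tenant.
MFA_TEST_GROUP_ID = "11111111-1111-1111-1111-111111111111"
AZURE_MANAGEMENT_APP_ID = "22222222-2222-2222-2222-222222222222"
ACCOUNT_PORTAL_APP_ID = "33333333-3333-3333-3333-333333333333"

# Policy document. Field names follow the Graph conditionalAccessPolicy schema;
# builtInControls values correspond to the grant controls listed in the article:
# mfa, compliantDevice, domainJoinedDevice, approvedApplication,
# compliantApplication, and block.
MFA_PILOT_POLICY = {
    "displayName": "MFA Pilot",
    "state": "enabled",  # or "enabledForReportingButNotEnforced" / "disabled"
    "conditions": {
        "users": {"includeGroups": [MFA_TEST_GROUP_ID], "excludeGroups": []},
        "applications": {
            "includeApplications": [AZURE_MANAGEMENT_APP_ID],
            "excludeApplications": [],
        },
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}


@dataclass(frozen=True)
class SignIn:
    """A sign-in event: who, which groups they belong to, and which app."""
    user: str
    groups: frozenset
    app_id: str


def policy_applies(policy: dict, signin: SignIn) -> bool:
    """The 'if' half: are the user and the app both within the assignments?"""
    users = policy["conditions"]["users"]
    apps = policy["conditions"]["applications"]
    user_in_scope = (
        bool(signin.groups & set(users["includeGroups"]))
        and not (signin.groups & set(users["excludeGroups"]))
    )
    included = apps["includeApplications"]
    app_in_scope = (
        ("All" in included or signin.app_id in included)
        and signin.app_id not in apps["excludeApplications"]
    )
    return user_in_scope and app_in_scope


def evaluate(policy: dict, signin: SignIn, satisfied: frozenset = frozenset()) -> str:
    """The 'then' half. `satisfied` holds controls the session has already met,
    e.g. {"mfa"} once the user completed the verification prompt.

    Returns "not-applicable", "allowed", "blocked" or "grant-required";
    a report-only policy prefixes its would-be result with "report-only:".
    """
    if policy["state"] == "disabled" or not policy_applies(policy, signin):
        return "not-applicable"
    grant = policy["grantControls"]
    required = grant["builtInControls"]
    if "block" in required:
        outcome = "blocked"
    else:
        met = [control in satisfied for control in required]
        # "Require all the selected controls" (AND) vs "one of" (OR).
        passed = all(met) if grant["operator"] == "AND" else any(met)
        outcome = "allowed" if passed else "grant-required"
    if policy["state"] == "enabledForReportingButNotEnforced":
        return "report-only:" + outcome
    return outcome


if __name__ == "__main__":
    test_user = SignIn("testuser", frozenset({MFA_TEST_GROUP_ID}), AZURE_MANAGEMENT_APP_ID)
    print(evaluate(MFA_PILOT_POLICY, test_user))                      # grant-required
    print(evaluate(MFA_PILOT_POLICY, test_user, frozenset({"mfa"})))  # allowed
```

Running the module shows the two outcomes the tutorial's test section walks through: the same user reaching an app outside the assignments is "not-applicable" (no MFA prompt), while a sign-in to the assigned app is "grant-required" until the MFA control is satisfied. Switching `state` to `enabledForReportingButNotEnforced` yields the report-only view, and swapping the operator to `AND` with two controls shows why the default "require all" is stricter. A document in this shape is what you would submit to the Graph endpoint POST /identity/conditionalAccess/policies when automating the same configuration.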

Test Azure Multi-Factor Authentication

Let's see your Conditional Access policy and Azure Multi-Factor Authentication in action. First, sign in to a resource that doesn't require MFA as follows:

  1. Open a new browser window in InPrivate or incognito mode and browse to https://account.activedirectory.windowsazure.com
  2. Sign in with your non-administrator test user, such as test user. There's no prompt for you to complete MFA.
  3. Close the browser window.

Now sign in to the Azure portal. As the Azure portal was configured in the Conditional Access policy to require additional verification, you get an Azure Multi-Factor Authentication prompt.

  1. Open a new browser window in InPrivate or incognito mode and browse to https://portal.azure.com.

  2. Sign in with your non-administrator test user, such as test user. You're required to register for and use Azure Multi-Factor Authentication. Follow the prompts to complete the process and verify you successfully sign in to the Azure portal.

    Follow the browser prompts, then complete the prompt from your registered multi-factor authentication method to sign in

  3. Close the browser window.

Clean up resources

If you no longer want to use the Conditional Access policy to enable Azure Multi-Factor Authentication configured as part of this tutorial, delete the policy using the following steps:

  1. Sign in to the Azure portal.
  2. Search for and select Azure Active Directory, then choose Security from the menu on the left-hand side.
  3. Select Conditional Access, then choose the policy you created, such as MFA Pilot.
  4. Choose Delete, then confirm you wish to delete the policy.
