In this post I am going to discuss what a Conditional Access policy is and how these policies can protect your organisation. We will then go through the process of creating a Conditional Access policy in Azure Active Directory.
If you want to learn how to create a conditional access policy with PowerShell so the process can be automated or simplified, check out my tutorial here: Create a Azure AD Conditional Access Policy using PowerShell.
What license do I need to use Conditional Access?
To use Conditional Access, all users covered by a policy must be licensed for Azure Active Directory Premium Plan 1 (P1), either on its own or as part of a bundle that includes it, such as Microsoft 365 Business Premium. If you do not have the appropriate licensing, you should look at enabling Security Defaults in your environment instead, as that is free. See: How To Enable Security Defaults in Azure Active Directory
What is Conditional Access in Azure Active Directory?
Conditional Access policies are a set of if-then statements which you can use to allow, restrict or block your users' access to resources within your tenant, based on conditions you define. Policies are evaluated after the first factor (usually the password) has been verified, so they decide whether a successful sign-in is allowed to continue, and under what controls. Conditional Access lets you protect your organisation at a level of granularity that suits you as the administrator.
How do Conditional Access policies work?
To break it down: when a user attempts to access a service, Azure AD collects the signals of that sign-in (the user and their group membership, the location they are signing in from, the device being used, and the application being accessed), checks those signals against the assignments and conditions of each enabled policy, and then applies the access controls of every policy that matches: allow access, require MFA (or another grant control), or block access. Exclusions always take precedence over inclusions, and a block control takes precedence over any grant control.
Example:
A Conditional Access policy is in place that says: if a user is a member of the Accounts group and they try to access OWA (Outlook Web App), then MFA is required. Every time a member of the Accounts group signs in to Outlook on the web, they will be challenged for MFA. This also applies to an existing member of your organisation who has been using OWA regularly and has their browser remembered as trusted: as soon as they are added to the group, the policy matches them and they will be challenged on their next logon.
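The following is an added example, not code from the original post: a small PowerShell simulation of the if-then logic described above. The policy objects, user names, group names and sign-in signals are constructed for illustration (the real evaluation happens inside Azure AD, not in this script), but the rules it encodes are the ones that matter in practice: an excluded user is never matched, a report-only policy is logged but not enforced, and a block control beats any grant control when several policies match the same sign-in.

```powershell
# Added example (not from the original post): a toy evaluator for the
# if-then logic of Conditional Access. Names and sign-ins are constructed.

# Policies as plain hashtables. Group names and the break-glass account are assumptions.
$policies = @(
    @{
        Name          = 'Require MFA for Accounts accessing OWA'
        State         = 'enabled'        # enabled | disabled | reportOnly
        IncludeGroups = @('Accounts')
        ExcludeUsers  = @('breakglass@contoso.com')  # assumed emergency-access account
        IncludeApps   = @('Office 365 Exchange Online')
        Locations     = @()              # empty = any location
        Control       = 'mfa'            # mfa | block
    },
    @{
        Name          = 'Block OWA from untrusted locations'
        State         = 'reportOnly'
        IncludeGroups = @('All users')
        ExcludeUsers  = @('breakglass@contoso.com')
        IncludeApps   = @('Office 365 Exchange Online')
        Locations     = @('Untrusted')
        Control       = 'block'
    }
)

function Test-PolicyMatch {
    param([hashtable]$Policy, [hashtable]$SignIn)

    # Exclusions always win over inclusions, so check them first.
    if ($Policy.ExcludeUsers -contains $SignIn.User) { return $false }

    $userMatch = ($Policy.IncludeGroups -contains 'All users') -or
                 (@($Policy.IncludeGroups | Where-Object { $SignIn.Groups -contains $_ }).Count -gt 0)
    $appMatch  = $Policy.IncludeApps -contains $SignIn.App
    $locMatch  = ($Policy.Locations.Count -eq 0) -or ($Policy.Locations -contains $SignIn.Location)

    return ($userMatch -and $appMatch -and $locMatch)
}

function Get-AccessDecision {
    param([hashtable]$SignIn, [array]$Policies)

    $enforced = @()   # controls collected from enabled policies that matched
    $reported = @()   # names of report-only policies that would have matched
    foreach ($p in $Policies) {
        if ($p.State -eq 'disabled') { continue }
        if (-not (Test-PolicyMatch -Policy $p -SignIn $SignIn)) { continue }
        if ($p.State -eq 'reportOnly') { $reported += $p.Name } else { $enforced += $p.Control }
    }

    # A block control beats every grant control; otherwise all grant controls apply.
    $result = if ($enforced -contains 'block') { 'block' }
              elseif ($enforced.Count -eq 0)  { 'allow' }
              else { 'require ' + (($enforced | Sort-Object -Unique) -join '+') }

    [pscustomobject]@{
        User       = $SignIn.User
        App        = $SignIn.App
        Location   = $SignIn.Location
        Decision   = $result
        ReportOnly = ($reported -join ', ')
    }
}

# Constructed sign-in signals: an Accounts member, a user outside the group from an
# untrusted location, and the excluded break-glass account.
$signIns = @(
    @{ User = 'alice@contoso.com';      Groups = @('Accounts'); App = 'Office 365 Exchange Online'; Location = 'Trusted' },
    @{ User = 'bob@contoso.com';        Groups = @('Sales');    App = 'Office 365 Exchange Online'; Location = 'Untrusted' },
    @{ User = 'breakglass@contoso.com'; Groups = @('Accounts'); App = 'Office 365 Exchange Online'; Location = 'Untrusted' }
)

$signIns | ForEach-Object { Get-AccessDecision -SignIn $_ -Policies $policies } | Format-Table -AutoSize
```

Running this shows alice being required to complete MFA, bob being allowed through while the report-only block policy is recorded against his sign-in, and the break-glass account matching nothing at all because it is excluded from both policies. That last row is the behaviour you rely on when a policy is misconfigured and you need one account that can still get in to fix it.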
How to create a Conditional Access policy
- Log in to the Azure Active Directory admin center https://aad.portal.azure.com/
- Select Azure Active Directory from the menu on the left hand side
- Under Manage, select Security > Conditional Access
- Choose to create a new policy; you also have the option to create a policy from a pre-defined template
- Give the policy a meaningful name, so that it is clear from the name alone what the policy does
- There are 3 options under Assignments:
  - Users or workload identities: decide which users, groups or service principals this policy will apply to. Use the exclude tab here to exclude at least one emergency-access (break-glass) account so that a mistake in the policy cannot lock every administrator out.
  - Cloud apps or actions: choose which applications or user actions this policy will apply to.
  - Conditions: define which conditions must be met for this policy to apply, such as the sign-in location, device platform or client app.
- Then under Access Controls, you have 2 options:
  - Grant: control whether to block access to the configured resource, or to require a higher level of authentication (such as MFA or a compliant device) before access is granted.
  - Session: control the user experience within the current session, such as the sign-in frequency or overriding the option to ‘stay signed in’ on login.
- Lastly, decide if the policy will be On, Off or in Report-only mode. Report-only mode records in the sign-in logs what the policy would have done without enforcing it, which is the safest way to confirm a new policy matches only the sign-ins you expect before you turn it on. In my case I am going to set my policy to On.
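The same policy, created through the Microsoft Graph PowerShell SDK instead of the portal, as an added example (this is not the original post's PowerShell tutorial and not the author's code). It looks up the Accounts group, an assumed break-glass account and the Exchange Online service principal by name rather than hard-coding any IDs, and creates the policy in report-only mode with the break-glass account excluded. The group name, user principal name and display name of the policy are assumptions; the Graph property names in the body are the ones the conditionalAccessPolicy resource uses.

```powershell
# Added example (not the original post's code): create the Accounts/OWA MFA policy
# with the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
# Group name, break-glass account and policy name below are assumptions.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
                        'Group.Read.All', 'User.Read.All', 'Application.Read.All'

# Resolve the objects the policy refers to, so nothing is hard-coded.
$accountsGroup = Get-MgGroup -Filter "displayName eq 'Accounts'"
$breakGlass    = Get-MgUser  -UserId 'breakglass@contoso.com'          # assumed emergency-access account
$exchangeSp    = Get-MgServicePrincipal -Filter "displayName eq 'Office 365 Exchange Online'"

if (-not $accountsGroup -or -not $breakGlass -or -not $exchangeSp) {
    throw 'Could not resolve the group, break-glass account or Exchange Online service principal.'
}

$params = @{
    displayName   = 'Require MFA - Accounts group - Outlook on the web'
    # Start in report-only mode; switch to 'enabled' once the sign-in logs show it matches as expected.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{
            includeGroups = @($accountsGroup.Id)
            excludeUsers  = @($breakGlass.Id)      # exclusions win over inclusions
        }
        applications = @{
            includeApplications = @($exchangeSp.AppId)
        }
    }
    grantControls = @{
        operator         = 'OR'
        builtInControls  = @('mfa')
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params

# Read the policy back and confirm the exclusion and control landed as intended.
$created = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id
[pscustomobject]@{
    Name          = $created.DisplayName
    State         = $created.State
    IncludeGroups = ($created.Conditions.Users.IncludeGroups -join ',')
    ExcludeUsers  = ($created.Conditions.Users.ExcludeUsers -join ',')
    Apps          = ($created.Conditions.Applications.IncludeApplications -join ',')
    Controls      = ($created.GrantControls.BuiltInControls -join ',')
}
```

After the policy has sat in report-only mode for a while, review the Conditional Access tab of the affected sign-ins in the Azure AD sign-in logs; when only the intended sign-ins show the policy as "Report-only: Failure" or "Report-only: Success", change `state` to `enabled` with Update-MgIdentityConditionalAccessPolicy.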
You have now configured your conditional access policy! Be sure to check out more tutorials at https://ourcloudnetwork.com/tutorials/