Microsoft Conditional Access is the Azure Active Directory feature that makes access decisions and enforces organizational policies. To make effective use of Microsoft Conditional Access, one of the first things an organization must do is decide which types of Conditional Access policies to implement.
Microsoft Conditional Access policies allow an organization to examine a number of different factors when deciding whether to give users access to a particular resource in the Microsoft 365 cloud. When Microsoft Conditional Access policies are enabled, Azure Active Directory can evaluate factors such as user location and device to decide whether to allow a user to access an application or data. This stands in stark contrast to the relatively simple policies that were used in the past, when an administrator either granted or denied a user access based only on the user’s identity.
One of the most important things a Conditional Access policy should look at is user risk. User risk is based on the probability that a user's account has been compromised. Azure Active Directory considers a user risky if there is evidence that the user's credentials have been leaked (for instance, the credentials have shown up on the dark web) or that the user has engaged in abnormal activity.
Sign-in risk is another important consideration when determining which Microsoft Conditional Access policies to put in place. Sign-in risk is based on the probability that a given sign-in was not actually performed by the account's legitimate owner. In other words, sign-in risk seeks to determine whether someone who has just signed in is a legitimate user or a cyber criminal who has acquired stolen credentials.
Microsoft Conditional Access examines a number of different factors when determining sign-in risk. A login might be considered risky, for example, if a user is signing in from an anonymous IP address (such as one associated with Tor Browser or an anonymizing VPN). A sign-in might also be considered risky if a user logs in from an unusual location, particularly if that location happens to be in a foreign country.
Of course, sometimes the login location immediately signals fraudulent activity. If, for example, a user logged out of a desktop at the corporate office and then half an hour later that same user logged in from a computer on the other side of the world, that would be an obvious indication of fraud.
Sign-in risk can be based on numerous other factors beyond those mentioned here, but most of them relate in some way to the user's IP address.
Conditional Access policies can also be based on a specific location. If, for example, you consider the domain-joined computers in your corporate office to be relatively secure, then you might define the corporate headquarters as a named location. (Named locations are based on IP address ranges.) This would give you the option of making the sign-in process a little bit easier on the users (by not requiring multi-factor authentication) since they are signing in from a trusted location.
Finally, it is possible to tie a Microsoft Conditional Access policy to a specific device type or configuration. Some organizations, for example, will allow access to specific applications only if the user is working from a managed device.
So what types of Microsoft Conditional Access policies should you put in place? Here are a few suggestions:
- At a bare minimum, you should require multi-factor authentication for any user who has administrative privileges, or any time that an administrator is performing a privileged operation.
- Consider blocking access to users who are logging in from unknown locations (all the "work from home" we have been doing may complicate this) or users who are deemed to be risky.
- Access to sensitive applications should be limited to users who are logged in to managed devices and who are operating in a known location.
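The three suggestions above, written out as Conditional Access policies with the Microsoft.Graph PowerShell SDK (an added example, not code from the article). The office IP range, the sensitive application id and the break-glass account id are placeholders, and every policy is created in report-only mode so its effect can be reviewed in the sign-in logs before it is enforced.

```powershell
# Added example, not the article's own code: the policies it suggests, as Microsoft Graph
# conditionalAccessPolicy objects created with the Microsoft.Graph PowerShell SDK. Assumptions:
# 203.0.113.0/24 stands in for the office egress range; the app id and break-glass account id
# are placeholders; every policy is created in report-only mode.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

function New-ReportOnlyCaPolicy {
    param([string]$Name, [hashtable]$Conditions, [string[]]$Controls)
    # Conditions inside one policy are ANDed, so unrelated triggers go in separate policies.
    $Conditions["clientAppTypes"] = @("all")
    if (-not $Conditions.ContainsKey("applications")) {
        $Conditions["applications"] = @{ includeApplications = @("All") }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter @{
        displayName   = $Name
        state         = "enabledForReportingButNotEnforced"   # review the sign-in log before enabling
        conditions    = $Conditions
        grantControls = @{ operator = "AND"; builtInControls = $Controls }
    }
}

# Trusted named location for the corporate office; "AllTrusted" below resolves to locations like this.
$hq = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Corporate HQ"
    isTrusted     = $true
    ipRanges      = @(@{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" })
}
$allUsers = @{ includeUsers = @("All"); excludeUsers = @("<break-glass-account-object-id>") }

# Anyone holding Global Administrator (well-known role template id) must satisfy MFA everywhere.
New-ReportOnlyCaPolicy -Name "CA01 Require MFA for administrators" -Controls @("mfa") -Conditions @{
    users = @{ includeRoles = @("62e90394-69f5-4237-9190-012177145e10") }
}
# Block when Identity Protection rates the account or the sign-in as high risk (needs Azure AD Premium P2).
New-ReportOnlyCaPolicy -Name "CA02 Block high user risk" -Controls @("block") -Conditions @{
    users = $allUsers; userRiskLevels = @("high")
}
New-ReportOnlyCaPolicy -Name "CA03 Block high sign-in risk" -Controls @("block") -Conditions @{
    users = $allUsers; signInRiskLevels = @("high")
}
# Block everything arriving from outside any trusted named location (the "unknown location" suggestion).
New-ReportOnlyCaPolicy -Name "CA04 Block untrusted locations" -Controls @("block") -Conditions @{
    users = $allUsers; locations = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
}
# The sensitive app additionally requires a compliant (managed) device, even from the office.
New-ReportOnlyCaPolicy -Name "CA05 Sensitive app requires managed device" -Controls @("compliantDevice") -Conditions @{
    users = $allUsers; applications = @{ includeApplications = @("<sensitive-app-id>") }
}
```

CA04 and CA05 together implement the third suggestion, since every matching policy must be satisfied and a block from any one of them wins.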
The Azure Active Directory Admin Center interface makes it relatively easy to create these types of policies, along with any other Conditional Access policies that you might need. It is worth noting, however, that you will need an Azure AD Premium subscription to use Microsoft Conditional Access policies, and the risk-based conditions (user risk and sign-in risk) rely on Azure AD Identity Protection, which is part of Azure AD Premium P2.