Essential Guide: Configuring & Deploying Azure Conditional Access

Azure conditional access policies enable organisations to control and monitor access as required. Using such policies allows organisations to grant, limit, or restrict access to resources and applications. Learn more about how your business can benefit from conditional access policies in this article. 

Organisational data is paramount to businesses worldwide. Its loss or compromise of integrity could lead to severe financial and reputational damages. In fact, recent statistics show that the average data breach cost in 2022 was around $4.35 million globally. Limiting unauthorised access helps reduce exposure to cyber threats, and therefore using Azure conditional access is essential. 

Cybersecurity professionals must understand that a data breach may occur due to external threats like malware attacks, malvertising, phishing etc. It may also occur due to internal factors like employee negligence. It’s important to note that such negligence only persists when employees are given or gain access to organisational resources they are not suited to handle. Such resources may include complicated business applications or sensitive information. 

Malpractices with either of these can lead to organisational data being compromised or breached. Businesses can use conditional access policies to limit unauthorised access to organisational resources and information. Organisations can choose from a variety of different technological solutions that allows them to deploy conditional access policies. 

Despite the numerous options available, using Azure conditional access policies is the most feasible option for businesses to rely upon. It’s essential that network security teams have an in-depth understanding of such policies before their deployment.

Feel free to contact our Microsoft Azure specialists for expert guidance on deploying conditional access policies for your organisational network, resources, and applications. 

What Is Azure Conditional Access?

Azure conditional access is a key feature of the Azure Active Directory (AD) that elevates an organisation’s access control protocols allowing them to improve their security posture. Prior to the use of such policies, organisations basically provided access based on user credentials. However, such protocols leave an organisation vulnerable to data theft as there is no way to verify if the authorised person is using the account or not.

Conditional access policies in Azure help organisations improve their user authentication and authorisation process. These policies use various signals to verify a user’s identity prior to granting or restricting their access to organisational resources. Some of these signals may include the user’s device, location, application, and an assessment of real-time risk. It’s important to note that upon authentication, the access provided to a user might still be limited based on an organisation’s access policies. 

An Overview Of Conditional Access In Microsoft Azure AD

Conditional access in Azure AD allows organisations to improve the security of their network infrastructure without requiring a compromise in productivity. Organisations can use these access policies to:

• Allow or restrict access based on real-time signals. 
• Ensure the protection of business and consumer data. 
• Restrict access for devices categorised as vulnerable or compromised. 

Conditional access in Azure AD takes into consideration over 40 terabytes (TBs) of security signals pertaining to a user’s identity. These security signals are then analysed using machine learning (ML) to determine which access policies should be applied to organisational resources. 

In addition to developing and deploying access control policies, network security teams can also view access control reports to determine the effectiveness of their policies. 

Components Of Azure AD Conditional Access 

Prior to developing a conditional access policy, organisations need to understand that it’s essentially an if-then statement. However, the functionality of the statement depends upon various components. These components include: 

• Name – this component refers to the actual name of the Azure conditional access policy being developed. 
• Assignments – this is the conditional element of the policy. It defines what factors need to be true prior to the policy being deployed and is divided into: 
  • Users and groups – specifies who the policy includes or excludes. 
  • Cloud applications or actions – specifies which actions or applications, like Azure Virtual Desktop, the policy will include or exclude. 
  • Conditions – specifies conditions based on signals like device, operating system, location, etc.
• Access control – this component is used to govern the implementation of the policy. It can be further divided into: 
  • Grant – a means of enforcing the policy where access is either granted or restricted. 
  • Grant access – allows the implementation of one or more access requirements like multi-factor authentication (MFA) or device compliance. 
  • Block access – used for restricting access to organisational resources. 
  • Session – used to limit the extent of access a user is provided with.

How To Configure Azure AD Conditional Access?

Misconfiguration of conditional access policies is one of the most common Azure AD mistakes businesses often make. Therefore, prior to configuring a conditional access policy, it’s important to know that it incorporates all the above-mentioned components. 

When configuring an Azure conditional access policy, network security administrators are required to access the Azure portal. Afterwards, the administrator should navigate to the Conditional Access security settings and create a new policy. 

It’s critical to ensure that the name of the policy is relevant so it can easily be recognised by other network security members. Afterwards, the network administrator must use the Assignments section to configure which applications to include and exclude. 

Once the user and application for the Include and Exclude settings have been defined, the administrator must navigate to the Access Control setting. Here, they will be required to choose whether to grant or restrict access and which authentication protocols to use. Afterwards, they can click Create to enable the policy. 

Azure Conditional Access Templates

Configuring conditional access policies can be a bit complex. Misconfiguration of these policies can lead to security risks like data theft and illegal use of information. This happens because unauthorised users may gain access to confidential resources. If the users who need access to perform the duties are restricted. It can also create productivity hurdles.

Using conditional access templates is a feasible alternative to prevent such scenarios from occurring. These templates are created based on Microsoft recommendations. They are also based on commonly used access control policies. There a total of fourteen Azure conditional access policy templates that include:

1. Blocking legacy authentication – these templates focus on blocking the use of traditional authentication methods. They emphasise the use of modern protocols instead.
2. Requiring MFA for administrators – this emphasises the use of multiple authentication protocols. They are applied to users with administrative privileges. It helps reduce the risk of compromised or unauthorised access.
3. Requiring MFA for all users – this focuses on using multiple authentication protocols. They are applied to all users regardless of the extent of access or privileges they have. 
4. Requiring MFA for Azure management – this ensures multiple authentication methods for users are used. These users have access to an organisation’s Azure resources. 
5. Blocking access for unknown or unsupported devices – ensure that access is not granted to users from a device or platform that is either not recognised or supported 
6. Eliminating browser persistence – this ensures that a one-hour sign-in frequency is deployed. It also ensures that access is terminated once a user closes their browser. 
7. Requiring approved access – this uses Microsoft Intune app protection policies. It ensures access is granted only to approved devices. 
8. Requiring Azure AD compliance – it ensures that access is provided only to compliant devices. The compliance is verified based on an organisation’s Azure AD access protocols. 
9. Requiring Azure AD compliance for administrators – it ensures that administrative access is provided to compliant users. The compliance is measured using the organisation’s Azure AD configurations. 
10. Implementing MFA for risky sign-ins – it requires MFA to be deployed, MFA is used if or when users deviate from routine behaviour or sign-in methods. 
11. Deploying MFA for guest users – it requires guest users to undergo MFA protocols. This is done to verify their identity prior to granting access. 
12. Implementing passwords for high-risk users – this identifies users based on commonly leaked usernames and password pairs. It requires them to change their passwords. 
13. Securing registration – it allows organisations to have a secure and streamlined registration process. The process can be applied to all their Azure conditional access policies. 
14. Using application-enforced restrictions – controls access to organisational resources and applications. These resources may include Microsoft Editor or other Microsoft 365 applications. 

How To Deploy Azure AD Conditional Access?

Organisations must understand the deployment of Azure conditional access policies is divided into various phases. Prior to initiating the process, it’s important for network administrators to consider their organisation’s requirements. The phases of deploying conditional access policies include: 

Creating Conditional Access Policies 

In the initiation phases, the network administrator must create access control policies. When creating these policies, it’s important to ensure that they are in compliance with the organisation’s security requirements.

Creating such policies can be a difficult task for those with inadequate understanding. However, such individuals can use the conditional access template to develop policies for their organisation.  

Evaluating The Policy’s Impact 

As mentioned, ineffective access policies can lead to security and productivity risks. Therefore, it’s paramount for network administrators to measure and analyse the impact of these policies prior to their deployment. 

Network administrators should ideally conduct a simulated launch of the access policies prior to enabling or deploying them. In addition, they may also use the What If tool to determine if their policies are configured appropriately. 

Testing Access Policies 

After evaluating the process, the network administrator must test the conditional access policies. They must also verify the exclusion criteria. A user or group might be excluded from MFA requirements but still, be subject to them due to a combination of other policies. 

During the testing phase, it’s important to analyse the results and reconfigure the access policies as needed. Such reconfigurations must be made to the conditional access policy’s assignment and access control components. 

Deploying The Policies 

Conditional access policies can be deployed once their impact has been analysed and the necessary reconfigurations are made. When deploying the policy, network administrators are required to access the Enable Policy setting and choose the On option. 

After deployment, access, or the extent of access, organisation resources will be limited or restricted. Users will be able to access resources they are permitted to access, and their functionalities regarding the resource will be limited as configured.   

Rolling Back Policies

In some cases, organisations may need to roll back their conditional access policies. When such a requirement exists, they can choose to disable one or more policies. Disabled policies can be put into use when required at a later date. 

In addition, they can also choose to exclude specific users or groups from one or more policies. Doing so will ensure that disabling the policy is not needed, yet the policy is not applicable to specified users or groups. 

Best Practices For Azure Conditional Access Baseline Policies 

Baseline conditional access policies are an essential part of the basic security and protection that can be harnessed using Azure AD. These policies help organisations ensure that they have a basic level of protection and can monitor their access control mechanism. Choosing the right baseline policies is essential, and the best practices mentioned below can help businesses make informed decisions: 

1. Azure MFA 

Organisations should include Azure MFA in their baseline policies. Doing so will help ensure that only authorised users and devices are permitted to access resources and applications. 

2. Legacy Authentication 

Legacy authentication protocols can be exploited by cybercriminals leading to unauthorised access to resources and applications. Organisations must ensure that their baseline policies block such access protocols. 

3. Device Compliance 

CISOs must ensure that their organisation is using Microsoft Endpoint alongside baseline access policies. This will ensure that only compatible and compliant devices are granted access. 

4. Sign-In Events 

Organisations must ensure that their baseline access policies block all high-risk sign-in events. These policies can include conditional access for low or medium-risk sign-in events. 

5. Session Policies 

Baseline access policies must also include session-based access control. This protocol can be governed based on requirements for access to privileged information or resources.

Organisations should also ensure that they limit the number of Azure conditional access policies they deploy. When deploying such access policies, organisations should also have a contingency plan in place. In addition, they should also implement Geofencing to block access from countries where they don’t have any employees. 

Final Thoughts

Organisational data is paramount to businesses worldwide, and unauthorised access is one of the main reasons that lead to data breaches. Using Azure conditional access is the most feasible way to control and monitor access to organisational networks, resources, and applications. Businesses must have an in-depth understanding of conditional access policies prior to their deployment. Get in touch and learn more about how we can help you leverage conditional access for your organisation.

Reuben Campbell

I am a passionate System's Engineer & part-time lecturer from New Zealand, who loves going the extra mile, as seeing your work come to fruition is one of life's greatest gifts, whether with engineering projects or seeing students succeed in their studies. Although I am from New Zealand I have close friends from all over the globe, what an age we live in!