What is Conditional Access Policy? How it helps in real world?
Are you 100% confident that you are managing the enterprise resources perfectly without any security gaps? If you have some questions then you have to definitely read this topic.
Controlling access to enterprise resources has become increasingly difficult as more businesses adopt cloud computing, hybrid work, and the use of non-corporate owned devices on company networks.
Conditional Access is an intelligent security policy engine designed specifically for this challenge—you can define specific conditions for how users authenticate and gain access to applications and data using its robust controls.
A set of policies and configurations can be created through conditional access, regulates which devices have access to certain services and data sources. Conditional access is compatible with the Office 365 products and Software as a Service applications that are set up in Azure Active Directory in the Microsoft environment.
Why do we need Conditional access policy ?
With the shift in computing to a more cloud-centric model, it has become more difficult to control access to the documents and data on which an enterprise relies to run its operations.Previously, all IT teams had to do was keep content behind the corporate firewall, and access was determined by who had network access, computers on the network were always company-owned and controlled.
Devices in the current model may be owned by the company, the user, or a third party (think vendors and partners) so there are plenty of security gaps visible in terms of identity, apps, web access etc., so, to tighten the security issues, conditional access policies where used to deploy to the devices and operate as per cyber security or Microsoft best practice security policies defined.
How conditional access policy works?
Before devices can gain access to company data, conditional access relies on signals from either the corporate AD Domain or Microsoft Intune to inform the system about the device's state and trustworthiness.
To make decisions and implement organisational policies, conditional access combines signals. The new identity-driven control plane is built on the foundation of Azure AD Conditional Access. Once signal combines, a decision is made based on the policy creation and enforcement is done on the devices to apply those access policies that are defined as a part of security measure from the enterprise organisations.
Mobile devices (iOS, Android, and Windows) must be enrolled in Intune, which provides security policy settings and confirms that the device has not been rooted or jailbroken. Windows PCs must be joined to the enterprise AD Domain, which enforces policies and governance.
If-then statements are the simplest kind of conditional access controls; if a user wants to access a resource, they must perform an action. Let’s take an example, a finance manager needs to complete multi-factor authentication in order to access the finance related applications even though devices are given by their company.
Administrators have two advantages on conditional access policies:
Empower users to be productive wherever and whenever.
Protect the organization's assets or devices.
Conditional Access policy uses common signals like Devices, Users and locations, Application and other real time risk scenarios.
Conditional access policy has 2 common decisions to be taken.
Most restrictive decision to block certain actions based on policy.
Least restrictive decision, can still require one or more of the following options:
Require multi-factor authentication.
Require device to be marked as compliant.
Require Hybrid Azure AD or Azure AD joined device.
Require approved client application as per the policy.
Require app protection policy.
To enable conditional access policies, users should have either Azure AD premium P1 or Azure AD premium P2 licenses.
A User will be eligible to create conditional access policies, if he has any one of the following access permissions: a) Global admin b) Conditional access admin
Administrators must use the right conditional access policies to make the environment secure and also it shouldn’t cause too much complexity on daily activities for users.
As an admin, you should have proper planning before creating conditional access policies
Administrators should have thorough understanding of Conditional access components.
You should have to ask yourself some common questions about assignments and access controls based on the existing environment.
You should understand conditional access policies are very powerful and it can easily restrict or grant access to the data and devices.
As an admin, you should have complete understanding of Users and workload identities involved.
You should be aware of the cloud applications that are used by different departments and how to apply conditions or actions on those applications without interrupting user behaviour but defining necessary security restrictions are in place.
Administrators should follow Microsoft best practices and cybersecurity standards defined.
Below are the recommended conditional access policies to be configured:
Require users with related permissions to utilise multi-factor authentication.
Multi-factor authentication must be used for all Azure administration operations.
Blocking sign-in attempts from people who try to use legacy authentication methods.
Azure AD requires trusted locations registration using Multi-Factor Authentication.
Blocking or Allowing access from particular places or region or country.
Preventing dangerous sign-in practice.
User based restriction policy.
Device based restriction policy.
Considering Guest access when defining certain policies.
Use standard naming convention.
Add break-glass accounts under exclusion list.
NOTE: Conditional access policies are customisable as per environment requirement
Things to be considered when implementing Conditional Access policies:
Conditional access policies can be extremely powerful but also dangerous, one mistake by setting wrong conditions or actions can result in a complete lock down of the system.
For an example, lets take you have 2 break-glass accounts that holds the global administrator access if we are setting a conditional access policy to lock the entire system with MFA and for some reason, there is an outage on the MFA service then the entire account will be locked without access to the tenant.
Since you can use those break glass accounts to enter the Azure tenant in an emergency, it is generally advisable to have two break-glass accounts excluded from these kinds of restrictions.
Any new policies created or configured make sure they are in report-only mode, observe the actions in log activity and then apply it to live environment.
Hope you have understood about the Conditional access policy basics, how it works, its benefits and drawbacks if not configured properly.
If you are not sure about what is Microsoft Intune or how to enable MFA, go through the below links that explains in detail :
Kindly reach us for any further questions or advise on this topic.