Today’s modern security perimeter extends beyond an organization’s network to include both user and device identity, as access to the organization can occur from many different places and in many different ways.
For this reason, today we are going to talk about Azure Conditional Access, the tool that allows you to manage access according to the organization’s policies and their security.
We could define conditional access as the tool that gathers the necessary signals to make decisions and apply the policies established by the organization. And this Azure AD conditional access is at the heart of the new identity-based control plane.
Stated most simply, conditional access directives are if-then statements; this means that if a user wants to access a resource, they must complete an action.
For example, if a payroll manager wants to access our organization’s payroll application, they need to use multi-factor authentication to access it. Another example, one of our workers wants to access the system from a trusted IP. For example, if the user/device is connected from a registered and trusted IP, such as the IP of the company offices, conditional access can allow the exemption from using multi-factor authentication.
When setting up Conditional Access, administrators face two main goals:
That is, the administrators of our organization using Conditional Access, can facilitate access in certain conditions or limit it in others, adapting to the necessary security of each situation so that our workers and users have the required access with a balance between comfort and security.
Next, we can see the operating scheme of Conditional Access:
If we talk about the most common conditions that can be taken into account when deciding the access of a user or device in our organization, we could include the following:
Specific users and groups can be targeted by policies. These aregiving administrators in our organization greater control over access to applications and data.
Trusted IP address ranges can be created by organization administrators for use in making policy decisions.
They can also specify that traffic from IP address ranges of entire countries or regions is blocked or allowed.
Users in our organization with devices on specific platforms or marked with a specific status can use them when applying Conditional Access policies.
Filters can be used for different devices, to target policies to specific devices, such as privileged access devices.
Users trying to access specific apps can trigger different Conditional Access policies.
Signal integration with Azure AD Identity Protection enables Conditional Access policies to identify dangerous sign-in behavior.
Faced with a problem of this type, the established policies can force users to change their password for security, use multi-factor authentication to reduce their level of risk, or block access until an administrator carries out a manual action, making sure that there is no error. risk to the organization.
Microsoft Defender enables our administrators to maintain real-time monitoring and control of user application access and sessions, increasing visibility and control over access and activities within our organization’s Cloud environment.
The most restrictive decision is the user or device access to the applications or data of our organization is blocked.
The least restrictive decision to apply, but this decision may require one or more of the following options:
Let’s now see how a conditional access policy works in Azure AD.
All Conditional Access policies are applied in two phases:
During the first phase of the policy, we collect session details such as network location and device identity, which will be necessary for policy evaluation.
All enabled policies, as well as informational-only policies, undergo Phase 1 of policy evaluation.
In phase 2, we utilize the session details collected during phase 1 to identify unfulfilled requirements.
If a policy is set to block access, the app will come to a stop at this point, and the user will experience access denial.
If there is no lockout policy, but the user has not fulfilled all the requirements for access, they will be prompted to complete further control requirements in the following order, until the policy is met:
After the user or device successfully passes all the controls, the session controls, including those enforced by the application, Microsoft Defender for Cloud Apps, and token lifetime control, are applied.
Similar to phase 1, this phase 2 policy evaluation is carried out for all enabled policies.
Many of today’s organizations have common access problems. It could be easily solved by using Conditional Access.
Next, we will put some examples in which the use of Conditional Access will be useful for our organization:
If you want to know more about creating Conditional Access policies and their possibilities, you can continue reading about the step-by-step process here.