What is Conditional Access?
Conditional Access is a tool in Azure Active Directory that uses signals such as user and device identity to make access decisions and enforce organizational policies. At its simplest it is an if-then statement: if a sign-in matches these conditions, then apply these controls.
Common signals
Common signals that Conditional Access can take into account when making a policy decision include:
- User or group membership
  - Policies can be targeted to specific users and groups, giving administrators fine-grained control over access.
- IP location information
  - Organizations can define trusted IP address ranges that are then used when making policy decisions.
  - Administrators can specify entire countries' IP ranges to block or allow traffic from.
- Device
  - Devices of specific platforms, or marked with a specific state (for example compliant or Hybrid Azure AD joined), can be used as a condition when enforcing Conditional Access policies.
- Application
  - Users attempting to access specific applications can trigger different Conditional Access policies.
- Real-time and calculated risk detection
  - Integration with Azure AD Identity Protection allows Conditional Access policies to identify risky sign-in behavior. Policies can then force users to perform password changes or multi-factor authentication to reduce their risk level, or block access until an administrator takes manual action.
- Microsoft Cloud App Security (MCAS)
  - Enables user application access and sessions to be monitored and controlled in real time, increasing visibility and control over access to, and activities performed within, your cloud environment.
Common decisions
- Block access
  - Most restrictive decision
- Grant access
  - Least restrictive decision; can still require one or more of the following options:
    - Require multi-factor authentication
    - Require device to be marked as compliant
    - Require Hybrid Azure AD joined device
    - Require approved client app
    - Require app protection policy (preview)
Commonly applied policies
Many organizations share common access concerns that Conditional Access policies can address, such as:
- Requiring multi-factor authentication for users with administrative roles
- Requiring multi-factor authentication for Azure management tasks
- Blocking sign-ins for users attempting to use legacy authentication protocols
- Requiring trusted locations for Azure Multi-Factor Authentication registration
- Blocking or granting access from specific locations
- Blocking risky sign-in behaviors
- Requiring organization-managed devices for specific applications
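The "block legacy authentication" policy from the list above, written out as the if-then policy object Conditional Access actually evaluates. This is an added example using the Microsoft Graph PowerShell SDK, not code from the original page; the break-glass account object ID is a placeholder, and the policy is created in report-only state so the effect can be reviewed before it is enforced.

```powershell
# Added example: block sign-ins that use legacy authentication protocols.
# Requires the Microsoft.Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object ID of the emergency-access (break-glass) account. Every
# policy should exclude it so a misconfiguration cannot lock out all admins.
$breakGlassAccountId = "<BREAK-GLASS-ACCOUNT-OBJECT-ID>"

$policy = @{
    displayName = "CA - Block legacy authentication (report-only)"
    # enabledForReportingButNotEnforced = evaluate and log, do not block yet.
    # Switch to "enabled" once the report-only results look as expected.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        # IF signal: application - every cloud app
        applications   = @{ includeApplications = @("All") }
        # IF signal: user - everyone except the break-glass account
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassAccountId)
        }
        # IF signal: client app type - legacy protocols are "exchangeActiveSync"
        # and "other" (basic auth over IMAP, POP3, SMTP and older Office clients)
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    # THEN decision: block (the most restrictive control)
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"
```

While the policy is in report-only state, the Azure AD sign-in logs show which sign-ins would have been blocked; review those before changing the state to enabled.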
Why Technology Spa
Technology Spa has extensive experience architecting and deploying Conditional Access. Contact us today to learn about applicable use cases and how we can help with Conditional Access.