Implementing Conditional Access in Azure AD to Strengthen Security
05/01/2024
This technical and educational article aims to guide security analysts, IT administrators, and systems engineers in implementing and optimizing Conditional Access in Microsoft Entra ID (formerly Azure Active Directory). Conditional Access is Microsoft's flagship Zero Trust policy enforcement mechanism, enabling organizations to control access to resources based on real-time conditions such as user identity, location, device health, and session risk [1].
Introduction
In today's security landscape, where cyber threats are sophisticated and remote work is prevalent, traditional network perimeter protection is no longer sufficient. Azure AD Conditional Access enables organizations to move away from a static security approach to a dynamic, adaptive approach where each access attempt is evaluated before being granted. This ensures that access is granted only to trusted users and devices, under specific conditions, protecting company data and applications more effectively [2].
This practical guide covers creating and configuring Conditional Access policies, including requiring multi-factor authentication (MFA), requiring compliant devices, defining trusted locations, and blocking legacy authentication. Step-by-step instructions, configuration examples and validation methods are provided so that the reader can implement them and strengthen their organization's security posture, ensuring that access to resources is secure and compliant.
Why is Conditional Access crucial?
- Zero Trust: It is the policy engine for implementing the Zero Trust model, explicitly verifying each access request.
- Adaptive Control: Allows access policies to dynamically adapt based on real-time risk signals.
- Comprehensive Protection: Protects identities, devices, data and applications in the cloud and on-premises.
- MFA and Device Compliance: Makes it easier to enforce MFA and require compliant or Azure AD-joined devices for access.
- Risk Reduction: Helps mitigate risks such as credential theft, access from unauthorized devices and access from suspicious locations.
Prerequisites
To implement Conditional Access in Azure AD, you will need the following items:
- Licensing: A Microsoft Entra ID P1 or P2 (formerly Azure AD Premium P1 or P2) license. Conditional Access is a feature exclusive to these licenses [3].
- Administrative Access: An account with the Conditional Access Administrator, Security Administrator or Global Administrator role in the Microsoft Entra admin center (https://entra.microsoft.com).
- Users and Groups: Users and security groups in Microsoft Entra ID to test policies.
- Multi-Factor Authentication (MFA) Configured: For policies that require MFA, users must have MFA configured and registered.
- Managed devices (optional): For policies that require compliant or Azure AD-joined/hybrid-joined devices, the devices must be managed by Microsoft Intune or joined to Azure AD.
Step by Step: Configuring Conditional Access Policies
Let's create some essential Conditional Access policies to strengthen security.
1. Accessing the Microsoft Entra admin center
- Open your browser and navigate to https://entra.microsoft.com.
- Sign in with an account that has the necessary permissions.
- In the left navigation pane, select Protection > Conditional Access.
2. Creating a Policy to Require MFA for All Users (Excluding Emergency Accounts)
This is a fundamental policy for most organizations, ensuring that MFA is required for all access attempts except emergency/break-glass access accounts.
- On the Conditional Access page, click New policy > Create new policy.
- Name: 01 - Require MFA for All Users.
- Assignments > Users or workload identities:
  - Under Include, select All users.
  - Under Exclude, select Users and groups and add your emergency/break-glass access accounts (highly protected accounts that can be used to access the tenant in case of MFA failure or directory unavailability).
- Target resources (formerly Cloud apps or actions):
  - Under Include, select All cloud apps.
- Grant:
  - Select Grant access.
  - Check Require multi-factor authentication.
  - Click Select.
- Enable policy: Select Report-only (to test the impact before applying it) or On.
  - Tip: Always start with Report-only to monitor the impact of the policy without applying it, checking the sign-in logs for possible unwanted blocks.
- Click Create.
3. Creating a Policy to Block Legacy Authentication
Legacy authentication (for example POP3, IMAP4 and SMTP clients using Basic authentication) does not support MFA and is a common attack vector. It is crucial to block it.
- On the Conditional Access page, click New policy > Create new policy.
- Name: 02 - Block Legacy Authentication.
- Assignments > Users or workload identities: Select All users (excluding your emergency accounts).
- Target resources: Select All cloud apps.
- Conditions > Client apps:
  - Set Configure to Yes.
  - Check Exchange ActiveSync clients and Other clients.
- Access controls > Grant:
  - Select Block access.
  - Click Select.
- Enable policy: Select Report-only or On.
- Click Create.
4. Creating a Policy to Require a Compliant Device for Access to Critical Applications
This policy ensures that only devices that meet your security standards (managed by Intune, for example) can access sensitive apps.
- On the Conditional Access page, click New policy > Create new policy.
- Name: 03 - Require Compliant Device for Critical Applications.
- Assignments > Users or workload identities: Select All users (or a specific group), excluding your emergency accounts.
- Target resources:
  - Under Include, select Select apps and choose the critical applications (e.g. SharePoint Online, Dynamics 365, line-of-business applications).
- Grant:
  - Select Grant access.
  - Check Require device to be marked as compliant.
  - Click Select.
- Enable policy: Select Report-only or On.
- Click Create.
5. Creating a Policy to Block Access from Untrusted Locations
This policy helps protect against access from geographic regions or IP addresses known to be sources of attacks.
- First, create Named Locations in Azure AD to define your trusted locations (e.g. company offices, VPN egress ranges):
  - In the Microsoft Entra admin center, go to Protection > Conditional Access > Named locations.
  - Click Countries location or IP ranges location to define your trusted locations.
- On the Conditional Access page, click New policy > Create new policy.
- Name: 04 - Block Access from Untrusted Locations.
- Assignments > Users or workload identities: Select All users (excluding your emergency accounts).
- Target resources: Select All cloud apps.
- Conditions > Locations:
  - Set Configure to Yes.
  - Under Include, select Any location.
  - Under Exclude, select Selected locations and choose the Named Locations that you have defined as trusted.
- Access controls > Grant:
  - Select Block access.
  - Click Select.
- Enable policy: Select Report-only or On.
- Click Create.
Validation and Testing
Validating Conditional Access policies is critical to ensure they work as expected and do not cause unwanted blockages.
1. Using the "What If" Tool
The "What If" tool allows you to simulate the impact of your Conditional Access policies on a specific user or scenario.
- On the Conditional Access page, click What If.
- Configure the test scenario (user, application, IP address, device, etc.).
- Click What If to see which policies would apply and the result (grant or block access).
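The four policies from steps 2 to 5, and the What If evaluation described above, expressed as an added Python example (not code from the original article or from Microsoft): it builds each policy as the JSON body that the Microsoft Graph `identity/conditionalAccess/policies` endpoint accepts, lints the bodies against the guide's own rules (break-glass exclusion, report-only first, and a block that no condition narrows), and simulates What If locally so a scenario can be checked before the portal is touched. All IDs are constructed placeholders, and `make_policy`, `lint`, `applies` and `what_if` are names chosen for this example.

```python
"""Conditional Access policies from steps 2-5 as Graph request bodies, a lint
pass for the guide's safety rules, and a local 'What If' simulation.

Added example. The JSON shape (displayName, state, conditions, grantControls)
and the enum values (All, all, exchangeActiveSync, other, mfa, block,
compliantDevice, enabledForReportingButNotEnforced) are those of the Graph
conditionalAccessPolicy resource. Every ID below is a constructed placeholder.
"""

# Constructed placeholders; a real tenant supplies object IDs here.
BREAK_GLASS = ["breakglass-1-objectid", "breakglass-2-objectid"]
CRITICAL_APPS = ["lob-app-objectid"]            # SharePoint, Dynamics, LOB apps...
TRUSTED_LOCATION = "namedlocation-trusted-offices"


def make_policy(name, controls, conditions=None, report_only=True):
    """Build one conditionalAccessPolicy body.

    Defaults: all users minus break-glass accounts, all cloud apps, all client
    app types, report-only state. `conditions` overrides any of those keys.
    """
    conditions = dict(conditions or {})
    users = {"includeUsers": ["All"], "excludeUsers": list(BREAK_GLASS)}
    users.update(conditions.pop("users", {}))
    return {
        "displayName": name,
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": users,
            "applications": conditions.pop("applications", {"includeApplications": ["All"]}),
            "clientAppTypes": conditions.pop("clientAppTypes", ["all"]),
            **conditions,  # e.g. "locations"
        },
        "grantControls": {"operator": "OR", "builtInControls": list(controls)},
    }


POLICIES = [
    make_policy("01 - Require MFA for All Users", ["mfa"]),
    make_policy("02 - Block Legacy Authentication", ["block"],
                {"clientAppTypes": ["exchangeActiveSync", "other"]}),
    make_policy("03 - Require Compliant Device for Critical Applications", ["compliantDevice"],
                {"applications": {"includeApplications": CRITICAL_APPS}}),
    make_policy("04 - Block Access from Untrusted Locations", ["block"],
                {"locations": {"includeLocations": ["All"],
                               "excludeLocations": [TRUSTED_LOCATION]}}),
]


def lint(policy):
    """Return findings against the guide's rules; an empty list means the policy passes."""
    findings = []
    c = policy["conditions"]
    if "All" in c["users"]["includeUsers"] and not set(BREAK_GLASS) <= set(c["users"]["excludeUsers"]):
        findings.append("break-glass accounts are not excluded")
    if policy["state"] != "enabledForReportingButNotEnforced":
        findings.append("not deployed in report-only mode first")
    if ("block" in policy["grantControls"]["builtInControls"]
            and c["applications"]["includeApplications"] == ["All"]
            and c["clientAppTypes"] == ["all"] and "locations" not in c):
        findings.append("blocks every sign-in: no client-app or location condition narrows it")
    return findings


def applies(policy, scenario):
    """Does the policy apply to the sign-in in `scenario`?

    scenario keys: user, app, client_app_type (a clientAppTypes value) and
    location (the named-location ID the sign-in IP resolved to, or None).
    """
    c = policy["conditions"]
    users, apps = c["users"], c["applications"]["includeApplications"]
    if scenario["user"] in users["excludeUsers"]:
        return False
    if "All" not in users["includeUsers"] and scenario["user"] not in users["includeUsers"]:
        return False
    if "All" not in apps and scenario["app"] not in apps:
        return False
    if "all" not in c["clientAppTypes"] and scenario["client_app_type"] not in c["clientAppTypes"]:
        return False
    loc = c.get("locations")
    if loc:
        if scenario["location"] in loc.get("excludeLocations", []):
            return False
        if "All" not in loc["includeLocations"] and scenario["location"] not in loc["includeLocations"]:
            return False
    return True


def what_if(policies, scenario):
    """Local stand-in for the portal's What If: matching policies and the combined result.

    All matching policies are enforced together: a single Block wins, otherwise
    the user must satisfy every required control. Report-only policies are
    listed as well, as the portal tool does.
    """
    matched = [p for p in policies if applies(p, scenario)]
    controls = sorted({ctl for p in matched for ctl in p["grantControls"]["builtInControls"]})
    if "block" in controls:
        outcome = "block"
    else:
        outcome = ("grant; require " + ", ".join(controls)) if controls else "grant; no controls"
    return [p["displayName"] for p in matched], outcome


if __name__ == "__main__":
    for p in POLICIES:
        print(p["displayName"], "->", lint(p) or "OK")
    print(what_if(POLICIES, {"user": "alice", "app": "lob-app-objectid",
                             "client_app_type": "browser", "location": TRUSTED_LOCATION}))
```

Run as a script it prints the lint results and one scenario. The bodies in `POLICIES` are what you would POST with Microsoft Graph to create the policies; the example deliberately stops short of calling the API so it runs offline.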
2. Checking Sign-in Logs
The sign-in logs provide detailed information about each access attempt, including which Conditional Access policies were evaluated and the outcome.
- In the Microsoft Entra admin center, go to Monitoring & health > Sign-in logs.
- Filter the logs by user, application or status (e.g. Failure) to investigate access attempts.
- Click a log entry to view its details, including the Conditional Access tab, which shows the policies evaluated and their result.
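Reading the Conditional Access tab one sign-in at a time does not scale to a report-only rollout, so here is an added Python example (not from the original article) that summarizes exported sign-in records: which report-only policies would have blocked whom, and which enforced policy actually blocked a sign-in. The record shape follows the Microsoft Graph `signIn` resource (`conditionalAccessStatus`, `status.errorCode`, `appliedConditionalAccessPolicies[].result`); the records, users, apps and domain are constructed, and `report_only_impact` and `enforced_blocks` are names chosen here.

```python
"""Summarize Conditional Access results from Entra ID sign-in log records.

Added example. Report-only policies record reportOnlySuccess /
reportOnlyFailure / reportOnlyNotApplied instead of enforcing; an enforced
block shows conditionalAccessStatus "failure" and the blocking policy's own
result "failure". SAMPLE_SIGNINS is a constructed export.
"""
from collections import Counter, defaultdict

MFA = "01 - Require MFA for All Users"
LEGACY = "02 - Block Legacy Authentication"
DEVICE = "03 - Require Compliant Device for Critical Applications"
LOCATION = "04 - Block Access from Untrusted Locations"

# Constructed records, shaped like GET /auditLogs/signIns output (trimmed to the fields used).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Office 365 SharePoint Online",
     "clientAppUsed": "Browser", "conditionalAccessStatus": "success", "status": {"errorCode": 0},
     "appliedConditionalAccessPolicies": [
         {"displayName": MFA, "result": "success", "enforcedGrantControls": ["Mfa"]},
         {"displayName": LEGACY, "result": "notApplied", "enforcedGrantControls": []},
         {"displayName": DEVICE, "result": "success", "enforcedGrantControls": ["RequireCompliantDevice"]},
         {"displayName": LOCATION, "result": "reportOnlyNotApplied", "enforcedGrantControls": []}]},
    {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "IMAP4", "conditionalAccessStatus": "failure",
     "status": {"errorCode": 53003},  # AADSTS53003: blocked by Conditional Access
     "appliedConditionalAccessPolicies": [
         {"displayName": LEGACY, "result": "failure", "enforcedGrantControls": ["Block"]},
         {"displayName": LOCATION, "result": "reportOnlyNotApplied", "enforcedGrantControls": []}]},
    {"userPrincipalName": "carol@contoso.example", "appDisplayName": "Salesforce",
     "clientAppUsed": "Browser", "conditionalAccessStatus": "success", "status": {"errorCode": 0},
     "appliedConditionalAccessPolicies": [
         {"displayName": MFA, "result": "success", "enforcedGrantControls": ["Mfa"]},
         {"displayName": LOCATION, "result": "reportOnlyFailure", "enforcedGrantControls": ["Block"]}]},
    {"userPrincipalName": "dave@contoso.example", "appDisplayName": "Salesforce",
     "clientAppUsed": "Browser", "conditionalAccessStatus": "success", "status": {"errorCode": 0},
     "appliedConditionalAccessPolicies": [
         {"displayName": MFA, "result": "success", "enforcedGrantControls": ["Mfa"]},
         {"displayName": LOCATION, "result": "reportOnlySuccess", "enforcedGrantControls": []}]},
]

REPORT_ONLY_RESULTS = {"reportOnlySuccess", "reportOnlyFailure",
                       "reportOnlyNotApplied", "reportOnlyInterrupted"}


def report_only_impact(records):
    """Per report-only policy: a count of each result and the users it would have blocked.

    reportOnlyFailure means the sign-in succeeded only because the policy was
    not enforcing; those users are the ones to investigate before switching to On.
    """
    impact = defaultdict(lambda: {"counts": Counter(), "users_impacted": set()})
    for rec in records:
        for pol in rec["appliedConditionalAccessPolicies"]:
            if pol["result"] not in REPORT_ONLY_RESULTS:
                continue
            entry = impact[pol["displayName"]]
            entry["counts"][pol["result"]] += 1
            if pol["result"] == "reportOnlyFailure":
                entry["users_impacted"].add(rec["userPrincipalName"])
    return {name: {"counts": dict(e["counts"]), "users_impacted": sorted(e["users_impacted"])}
            for name, e in impact.items()}


def enforced_blocks(records):
    """Sign-ins Conditional Access actually blocked, with the policy responsible.

    conditionalAccessStatus "failure" flags the block; the policy whose own
    result is "failure" is the one to inspect when a user is unexpectedly blocked.
    """
    blocked = []
    for rec in records:
        if rec["conditionalAccessStatus"] != "failure":
            continue
        culprits = [p["displayName"] for p in rec["appliedConditionalAccessPolicies"]
                    if p["result"] == "failure"]
        blocked.append((rec["userPrincipalName"], rec["appDisplayName"],
                        rec["clientAppUsed"], culprits))
    return blocked


if __name__ == "__main__":
    for name, entry in report_only_impact(SAMPLE_SIGNINS).items():
        print(name, entry["counts"], "would block:", entry["users_impacted"])
    for upn, app, client, culprits in enforced_blocks(SAMPLE_SIGNINS):
        print("blocked:", upn, app, client, "by", culprits)
```

On the constructed data the location policy would have blocked only carol, and bob's IMAP4 sign-in was blocked by the legacy authentication policy, which is exactly the triage the troubleshooting section below asks for. Point the same functions at a real JSON export to get the per-policy impact of a report-only rollout.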
3. Real Tests with Test Users
Conduct tests with test users in different scenarios (e.g. access from an untrusted location, from a non-compliant device, or without MFA) to confirm the expected behavior of the policies.
Security Tips and Best Practices
- Careful Planning: Plan your Conditional Access policies based on your organization's needs and Zero Trust principles. Start with a small set of policies and gradually expand.
- Report-only Mode: Always deploy new policies in Report-only mode first to assess their impact and adjust them before switching them to On.
- Emergency Accounts: Always exclude emergency/break-glass access accounts from all Conditional Access policies to avoid accidental lockouts.
- Block Legacy Authentication: This is one of the most effective policies for reducing the attack surface.
- Require MFA for All Users: An essential policy for protecting identities.
- Managed Devices: Require devices to be managed (Azure AD joined or Intune-managed and compliant) to access sensitive resources.
- Named Locations: Use named locations to define trusted networks and block access from untrusted locations.
- Continuous Review and Adjustment: Review and adjust your Conditional Access policies regularly to adapt to changes in the threat environment and business requirements.
- Documentation: Maintain clear documentation of your Conditional Access policies, including their purpose, scope, and any exclusions.
Common Troubleshooting
- Unexpectedly Blocked Users: Use the "What If" tool and sign-in logs to identify which policy is causing the block. Check the policy inclusions and exclusions.
- Policies not applied: Check that the policy is in On mode and that the user and application are within the scope of the policy. Check the sign-in logs to see whether the policy was evaluated.
- MFA issues: Make sure users have registered MFA methods. Check for connectivity issues with MFA providers.
- Compliant Device Issues: Check your device's compliance status in Intune. Make sure the device is Azure AD joined or registered with Intune.
- Policy Conflicts: Conditional Access evaluates every policy that applies to a sign-in and enforces them together, so the most restrictive result wins (Block access in any matching policy blocks the sign-in). If policies conflict, adjust them to ensure the desired behavior.
Conclusion
Implementing Conditional Access in Azure AD is a fundamental pillar for building a robust and adaptive security architecture based on the Zero Trust model. By enabling organizations to set granular access policies based on a variety of conditions, Conditional Access significantly strengthens the protection of identities and resources against cyber threats. Strategic policy configuration, combined with rigorous testing and a continuous cycle of review and optimization, empowers security teams to ensure that access is always verified, minimally privileged, and adapted to the risk context. With Conditional Access, companies can protect their most valuable assets while empowering their users to work securely and productively from anywhere and on any device.
References:
[1] Microsoft Learn. What is Conditional Access? Available at: https://learn.microsoft.com/pt-br/entra/identity/conditional-access/overview
[2] Microsoft Learn. Plan the implementation of Conditional Access. Available at: https://learn.microsoft.com/pt-br/entra/identity/conditional-access/plan-conditional-access
[3] Microsoft Learn. License requirements for Conditional Access. Available at: https://learn.microsoft.com/pt-br/entra/identity/conditional-access/overview#license-requirements