Azure AD Conditional Access Baselines & Best Practices

Microsoft Entra ID (formerly Azure AD) Conditional Access has a tremendous amount of potential and capability for organizations big and small. I like to think of it as the engine that runs Azure AD authentication. The concept is fairly simple: define a scoped scenario for the incoming signals of a sign-in, and require that the sign-in meet minimum requirements before it is granted access to corporate resources.

The simplest Conditional Access policy can be created in mere minutes. However, as simple as they are, policies can also drastically affect your environment in an adverse way if not properly configured. Many different signals/conditions and decisions can be combined to create anything from an org-wide policy down to one for a specific scenario.

Common Signals and Conditions

Here are some common signals and conditions that can be used to scope out how the policy is applied:

  •  User or group membership
       •  Select one or all users, guest users, or directory roles
  •  Application
       •  Select one, multiple, or all applications
  •  Conditions
       •  Risk
       •  Platform
       •  Location
       •  Client Apps
       •  Devices (preview)

Common Decisions

  •  Block access
  •  Grant access (one or all selections)
       •  Require multi-factor authentication
       •  Require device to be marked as compliant
       •  Require Hybrid Azure AD joined device
       •  Require approved client app
       •  Require app protection policy
       •  Require Terms of Use
       •  Custom controls for 3rd party MFA
       •  Require client certificate (coming soon)
  •  Session Controls
       •  MCAS Conditional Access App Control
       •  Exchange/SharePoint Restricted Session
       •  Persistent Sign on
       •  User Sign In Frequency
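
The signals and decisions above come together at sign-in time: every policy whose conditions match is applied, and the applying policies' decisions are combined. The following is an added example, not code from eGroup or Microsoft, that models that evaluation for a handful of constructed policies written in the shape of the Microsoft Graph conditionalAccessPolicy object. The group name and policy names are placeholders, and the combination logic (an enforced block wins; otherwise every applying policy's grant controls are required) is a simplification of the real engine.

```python
from dataclasses import dataclass

BREAKGLASS_GROUP = "grp-emergency-access"   # constructed placeholder group id


@dataclass(frozen=True)
class SignIn:
    """Constructed sign-in signals; field values use the Graph enum spellings."""
    user: str
    groups: frozenset          # group ids the user is a member of
    app: str
    client_app: str            # browser | mobileAppsAndDesktopClients | exchangeActiveSync | other
    location: str              # named-location id or country, as the policy references it
    sign_in_risk: str          # none | low | medium | high


def policy_applies(policy: dict, s: SignIn) -> bool:
    """True when every configured condition of the policy matches the sign-in."""
    c = policy["conditions"]
    users = c["users"]
    # Exclusions win first: an excluded user or group never hits the policy.
    if s.user in users.get("excludeUsers", ()):
        return False
    if s.groups & frozenset(users.get("excludeGroups", ())):
        return False
    in_scope = ("All" in users.get("includeUsers", ())
                or s.user in users.get("includeUsers", ())
                or bool(s.groups & frozenset(users.get("includeGroups", ()))))
    if not in_scope:
        return False
    apps = c["applications"]["includeApplications"]
    if "All" not in apps and s.app not in apps:
        return False
    client_apps = c.get("clientAppTypes", ["all"])
    if "all" not in client_apps and s.client_app not in client_apps:
        return False
    risk = c.get("signInRiskLevels") or []
    if risk and s.sign_in_risk not in risk:
        return False
    loc = c.get("locations")
    if loc:
        if "All" not in loc["includeLocations"] and s.location not in loc["includeLocations"]:
            return False
        if s.location in loc.get("excludeLocations", ()):
            return False
    return True


def evaluate(policies: list, s: SignIn) -> dict:
    """Combine the decisions of all policies that apply to one sign-in."""
    enforced, report_only = [], []
    for p in policies:
        if p["state"] == "disabled" or not policy_applies(p, s):
            continue
        (enforced if p["state"] == "enabled" else report_only).append(p)
    # One enforced block policy overrides every grant policy.
    if any("block" in p["grantControls"]["builtInControls"] for p in enforced):
        decision, controls = "block", []
    else:
        # Every applying grant policy must be satisfied, so the required
        # controls are the union across policies.
        controls = sorted({ctl for p in enforced for ctl in p["grantControls"]["builtInControls"]})
        decision = "grant" if enforced else "no_policy"
    return {"decision": decision, "controls": controls,
            "policies": [p["displayName"] for p in enforced],
            "report_only": [p["displayName"] for p in report_only]}


def _policy(name: str, state: str, controls: list, **conditions) -> dict:
    """Build a Graph-shaped policy; users and apps default to All, break-glass excluded."""
    cond = {"users": {"includeUsers": ["All"], "excludeGroups": [BREAKGLASS_GROUP]},
            "applications": {"includeApplications": ["All"]}}
    cond.update(conditions)
    return {"displayName": name, "state": state, "conditions": cond,
            "grantControls": {"operator": "OR", "builtInControls": controls}}


# Constructed policy set: MFA everywhere, legacy auth blocked, high risk block in report-only
BASELINE = [
    _policy("CA001-AllUsers-AllApps-RequireMFA", "enabled", ["mfa"]),
    _policy("CA002-AllUsers-AllApps-BlockLegacyAuth", "enabled", ["block"],
            clientAppTypes=["exchangeActiveSync", "other"]),
    _policy("CA004-AllUsers-AllApps-BlockHighSignInRisk",
            "enabledForReportingButNotEnforced", ["block"], signInRiskLevels=["high"]),
]

if __name__ == "__main__":
    print(evaluate(BASELINE, SignIn("alice", frozenset({"grp-staff"}), "Office 365",
                                    "browser", "US", "none")))
```

Running it shows a browser sign-in being granted with MFA required, an "other" (legacy) client being blocked regardless of MFA, a high-risk sign-in that the report-only policy would have blocked but does not, and a break-glass member matching no policy at all.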

Baseline

Microsoft and eGroup | Enabling Technologies recommend that each organization employ baseline AAD Conditional Access policies for strong authentication and real-time access monitoring, to ensure a consistent and thorough balance of security and productivity while maintaining awareness and enforcement against today's common threats. While the purpose of these policies should be similar across organizations, the scoping conditions may differ based on organization-specific scenarios and accepted risk.

The following describes what should be considered for your baseline package:

Policy #1: Enforce Azure MFA
  • Scope as widely as possible: all users and all applications, ideally. Nothing should access your resources without strong-factor authentication.
  • Configure exclusions as applicable. Do not intend for them to be permanent.

Policy #2: Block Legacy Authentication Protocols
  • Scope to the same users and applications as the Azure MFA Conditional Access policy.
  • Configure exclusions as applicable. Do not intend for them to be permanent.
  • Select Client Apps > Legacy Authentication Clients (Exchange ActiveSync and Other clients).
  • Block access.

Policy #3: Require Device Compliance
  • Requires Microsoft Endpoint Manager.
  • Ensure all devices meet the minimum defined compliance.
  • Can also include Require Hybrid Azure AD joined device to eliminate BYOD access scenarios.

Policy #4: Sign-in Risk-Based
  • Block all high sign-in risk events.
  • Alternatively, require multiple controls (e.g. MFA with an app protection policy).
  • Optionally, choose an additional grant control for Medium or Low events.

Policy #5: User Risk-Based
  • Block all high user risk events.
  • Alternatively, require multiple controls (e.g. MFA with an app protection policy).
  • Optionally, choose an additional grant control for Medium or Low events.

Policy #6: Session Policies
  • High-risk scenarios that demand additional enforcement and data protection
  • Administrative logins via privileged access workstations
  • Highly confidential data access
  • General desire to increase monitoring activities

Policy #7: Location Policies
  • Create a geofence.
  • Block countries and other locations from which you do not want anyone accessing corporate resources.

Policy #8: Secure Security Info Registration (Use Case Severely Reduced Due to COVID)
  • Ensure all users are within defined parameters (e.g. on the corporate network) when registering or changing MFA information.
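
The eight baseline policies above expressed as Microsoft Graph conditionalAccessPolicy request bodies, as an added example that is not eGroup's or Microsoft's code. Every policy is created in report-only mode and excludes a break-glass group, so it can be reviewed before enforcement; the break-glass group id and the blocked-countries named-location id are placeholders, the policy names follow an assumed naming convention, and the session-control values (hourly sign-in frequency, no persistent browser) are one reasonable choice rather than the page's prescription.

```python
import json
import os
import urllib.request

GRAPH_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
# Placeholder ids: replace with the real break-glass group and with the
# countryNamedLocation created for the geofence (POST .../conditionalAccess/namedLocations).
BREAKGLASS_GROUP = "00000000-0000-0000-0000-000000000001"
BLOCKED_COUNTRIES_LOCATION = "00000000-0000-0000-0000-000000000002"
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"  # Global Administrator role template id


def _base(name: str, **conditions) -> dict:
    """Skeleton shared by every baseline policy: all users and all apps, the
    break-glass group excluded, created in report-only mode."""
    cond = {
        "users": {"includeUsers": ["All"], "excludeGroups": [BREAKGLASS_GROUP]},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["all"],
    }
    cond.update(conditions)   # per-policy conditions override the defaults
    return {"displayName": name, "state": "enabledForReportingButNotEnforced", "conditions": cond}


def _grant(*controls: str, operator: str = "OR") -> dict:
    return {"operator": operator, "builtInControls": list(controls)}


def baseline_policies() -> list:
    """The eight baseline policies as Graph request bodies, in the order above."""
    return [
        # #1 Enforce Azure MFA
        {**_base("CA001-AllUsers-AllApps-RequireMFA"), "grantControls": _grant("mfa")},
        # #2 Block legacy authentication: these clients cannot satisfy MFA, so block them
        {**_base("CA002-AllUsers-AllApps-BlockLegacyAuth",
                 clientAppTypes=["exchangeActiveSync", "other"]),
         "grantControls": _grant("block")},
        # #3 Require device compliance (needs Endpoint Manager); with OR a hybrid
        #    joined device also satisfies the policy. Keep "compliantDevice" alone
        #    if the hybrid-join alternative is not wanted.
        {**_base("CA003-AllUsers-AllApps-RequireCompliantOrHybridDevice"),
         "grantControls": _grant("compliantDevice", "domainJoinedDevice")},
        # #4 / #5 Block high sign-in risk and high user risk
        {**_base("CA004-AllUsers-AllApps-BlockHighSignInRisk", signInRiskLevels=["high"]),
         "grantControls": _grant("block")},
        {**_base("CA005-AllUsers-AllApps-BlockHighUserRisk", userRiskLevels=["high"]),
         "grantControls": _grant("block")},
        # #6 Session controls for administrators: re-authenticate hourly, no persistent session
        {**_base("CA006-Admins-AllApps-SessionControls",
                 users={"includeRoles": [GLOBAL_ADMIN_ROLE], "excludeGroups": [BREAKGLASS_GROUP]}),
         "grantControls": _grant("mfa"),
         "sessionControls": {
             "signInFrequency": {"value": 1, "type": "hours", "isEnabled": True},
             "persistentBrowser": {"mode": "never", "isEnabled": True}}},
        # #7 Geofence: block sign-ins from the named location listing the blocked countries
        {**_base("CA007-AllUsers-AllApps-BlockUnexpectedCountries",
                 locations={"includeLocations": [BLOCKED_COUNTRIES_LOCATION]}),
         "grantControls": _grant("block")},
        # #8 Security info registration only from trusted network locations
        {**_base("CA008-AllUsers-RegisterSecurityInfo-BlockOffNetwork",
                 applications={"includeUserActions": ["urn:user:registersecurityinfo"]},
                 locations={"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}),
         "grantControls": _grant("block")},
    ]


def create_policy(body: dict, token: str) -> dict:
    """POST one policy; the token needs Policy.ReadWrite.ConditionalAccess."""
    req = urllib.request.Request(GRAPH_POLICIES, data=json.dumps(body).encode(),
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Without GRAPH_TOKEN in the environment the bodies are only printed for review.
    token = os.environ.get("GRAPH_TOKEN")
    for body in baseline_policies():
        print(create_policy(body, token)["id"] if token else json.dumps(body, indent=2))
```

Each body is a plain dict, so it can be reviewed, diffed against an existing tenant export, or fed to the What If tool before anything is switched from report-only to enabled.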

Best Practices

The following is a list of common best practices that every organization should consider when implementing Azure AD Conditional Access policies:

1. Apply Conditional Access to every authentication request for all users and applications.

2. Minimize the number of policies

3. Use a standard naming convention

4. Plan for some disruption for newly created policies

5. Scope new policies to test accounts and run through a test plan to validate expected results

6. Configure Report Only mode when defining new policies

7. Use emergency access accounts in exclusions

8. Block legacy authentication while implementing MFA policies

9. Use the What If tool for use case testing or troubleshooting an issue

10. Be aware that some apps are made up of multiple child apps (e.g. Office 365)

11. Consider Guest Access when defining policies

12. Block countries from which you never expect a sign-in (geofencing)
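
Several of these practices can be checked mechanically against a tenant's exported policy set. The following is an added example, not eGroup's or Microsoft's tooling, that audits policies in the Graph conditionalAccessPolicy shape for a naming convention (#3), a report-only period before enforcement (#6), emergency-access exclusions (#7), a legacy-authentication block (#8), and an enforced all-users MFA policy (#1). The naming regex, the break-glass identifiers, the seven-day window and the sample export are assumptions constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

NAME_PATTERN = re.compile(r"^CA\d{3}-[A-Za-z]+-[A-Za-z0-9]+-[A-Za-z0-9]+$")  # assumed convention
BREAKGLASS_IDS = {"grp-emergency-access", "breakglass@contoso.example"}      # constructed placeholders
REPORT_ONLY_DAYS = 7   # assumed minimum report-only period before a policy is enforced


def _excludes_breakglass(policy: dict) -> bool:
    users = policy["conditions"]["users"]
    excluded = set(users.get("excludeUsers", [])) | set(users.get("excludeGroups", []))
    return bool(excluded & BREAKGLASS_IDS)


def _blocks_legacy_auth(policy: dict) -> bool:
    client = set(policy["conditions"].get("clientAppTypes", []))
    blocks = "block" in policy.get("grantControls", {}).get("builtInControls", [])
    return blocks and {"exchangeActiveSync", "other"} <= client and policy["state"] == "enabled"


def _is_all_users_mfa(policy: dict) -> bool:
    c = policy["conditions"]
    return ("All" in c["users"].get("includeUsers", [])
            and "All" in c["applications"].get("includeApplications", [])
            and "mfa" in policy.get("grantControls", {}).get("builtInControls", [])
            and policy["state"] == "enabled")


def audit(policies: list, now: datetime = None) -> list:
    """Return human-readable findings; an empty list means every check passed."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for p in policies:
        name = p["displayName"]
        if not NAME_PATTERN.match(name):
            findings.append(f"{name}: does not follow the naming convention")
        if p["state"] != "disabled" and not _excludes_breakglass(p):
            findings.append(f"{name}: emergency-access account/group is not excluded")
        created = datetime.fromisoformat(p["createdDateTime"].replace("Z", "+00:00"))
        if p["state"] == "enabled" and now - created < timedelta(days=REPORT_ONLY_DAYS):
            findings.append(f"{name}: enforced {(now - created).days} day(s) after creation; "
                            "run it in report-only mode first")
    # Tenant-wide checks: these are about the set, not any single policy.
    if not any(_blocks_legacy_auth(p) for p in policies):
        findings.append("tenant: no policy blocks legacy authentication clients")
    if not any(_is_all_users_mfa(p) for p in policies):
        findings.append("tenant: no enforced all-users/all-apps MFA policy")
    return findings


# Constructed sample shaped like the items of GET /identity/conditionalAccess/policies
SAMPLE_EXPORT = [
    {"displayName": "CA001-AllUsers-AllApps-RequireMFA", "state": "enabled",
     "createdDateTime": "2023-01-10T09:00:00Z",
     "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": ["grp-emergency-access"]},
                    "applications": {"includeApplications": ["All"]}, "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Test policy", "state": "enabled",
     "createdDateTime": "2023-08-30T09:00:00Z",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]}, "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
]
AUDIT_NOW = datetime(2023, 8, 31, tzinfo=timezone.utc)   # fixed "now" so the sample is reproducible

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT, now=AUDIT_NOW):
        print(finding)
```

Against the sample export the audit reports the unnamed test policy three times (naming, missing break-glass exclusion, enforced a day after creation) plus one tenant-wide finding that nothing blocks legacy authentication; the same function can be pointed at a real export by replacing SAMPLE_EXPORT with the Graph response's value array.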

What’s New

Here are some of the latest features released in the past few months to improve on the capabilities and granularity within Conditional Access.

  •  GPS-based Named Locations
  •  Filter by Device conditions (similar to creating dynamic groups: filter on queried devices)
  •  Register or Join Device action (enforce a CA policy upon AAD registration or join)
  •  Authentication Context (step-up authentication)

Conclusion

eGroup | Enabling Technologies has helped many organizations properly plan out and implement their Conditional Access policies. With the right foundation and framework, you can be confident that your Azure AD environment is set up to adhere to Zero Trust principles.

Work with our team of Cloud Computing Consultants with years of experience that know all of the “minefields” to prevent missteps.

Learn more about Conditional Access Policies

Interested in learning how to get your Azure AD environment set up properly?

Contact our team of experts to get started today!

Last updated on August 31st, 2023 at 04:07 pm