Conditional Access Policies

Elias Atie | Azure, M365

If you’ve been in the IT world for a while, you will have heard all the talk around multifactor authentication and, more recently, a lot more talk about ‘Conditional Access’. In this post, I’m going to break down how you can use Conditional Access within your environment and how it can help organisations secure sign-ins.

Conditional Access is a feature of Microsoft’s Azure Active Directory (now Microsoft Entra ID) that allows administrators to add an extra layer of policy to the authentication process: after the credentials are verified, the sign-in is checked against a set of conditions before access is granted.

Traditionally, with multifactor authentication alone, users sign in with their username and password and are then prompted to prove they are who they say they are by means of a one-time SMS code, an authenticator app, or some other second factor. Once the user has done this, they are treated as authenticated and the sign-in continues with no further granularity: the same check applies regardless of where, how, or from which device the user is signing in.

Enter Conditional Access…..

Conditional Access allows administrators to evaluate other signals during the sign-in process and to grant, block, or require additional controls based on them. Some of these signals include:

  • The user’s location
  • The device’s operating system
  • The application being signed into
  • The client application being used
  • Whether the device is Azure AD joined

Let’s look at two examples.

Company A has 100 employees, all working from Australia, and no employee is expected to work from anywhere else. Administrators can create a Conditional Access policy that blocks access to any application within the organisation (provided it uses Azure AD for authentication) from outside Australia. Keep in mind that the location condition is derived from the geolocation of the sign-in’s source IP address, so a user connecting through a VPN whose egress point is in Australia will appear to be in Australia. Treat a location policy as one layer of defence, not the only one.

Or perhaps the organisation requires every device that signs in to be enrolled in Microsoft Intune. Administrators can create a Conditional Access policy that checks the device during sign-in and only grants access if Intune reports it as compliant with the organisation’s policies.

Multifactor authentication can also be managed from within a Conditional Access policy, requiring users to complete MFA before access is granted. The extra granularity lets organisations define “Trusted Locations” where MFA is not required, for example the corporate office network, where the physical network is secured and the organisation owns the public IP address. A trusted location should be an IP range the organisation controls end to end: if a guest Wi-Fi network or a VPN concentrator egresses from the same address, those sign-ins will be trusted too. Whichever policy you build, create it in report-only mode first and exclude your emergency access (break-glass) accounts, so that a mistake in the policy cannot lock every administrator out of the tenant.
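The three policies described above (block sign-ins from outside Australia, require an Intune-compliant device, and require MFA outside trusted locations), written out with the Microsoft Graph PowerShell SDK. This is an added example and not code from the original post; it assumes the Microsoft.Graph.Identity.SignIns module is installed, the signed-in admin holds the Policy.ReadWrite.ConditionalAccess permission, and the break-glass group ID and the 203.0.113.0/24 office range are placeholders you replace with your own values.

```powershell
# Added example (not from the original post). Creates a country named location,
# a trusted IP named location and three Conditional Access policies. Every policy
# is created in report-only mode so the sign-in logs show what WOULD have
# happened before anything is enforced. IDs and IP ranges are placeholders.
#
# Prereqs: Install-Module Microsoft.Graph.Identity.SignIns ; Azure AD Premium P1.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder: object ID of the emergency access (break-glass) group. It is
# excluded from every policy below so a bad policy cannot lock all admins out.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000001"

# --- 1. Named locations -----------------------------------------------------
# Country location for the "Australia only" policy. Sign-ins whose source IP
# cannot be geolocated are NOT counted as Australian (includeUnknown = false).
$australia = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Australia"
    countriesAndRegions               = @("AU")
    includeUnknownCountriesAndRegions = $false
}

# Corporate egress range marked as trusted. Only trust a range the organisation
# owns and that guest or VPN traffic does not share (203.0.113.0/24 is a placeholder).
$corpNetwork = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Corporate HQ"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" }
    )
}

# --- 2. Block sign-ins from outside Australia --------------------------------
$blockOutsideAu = @{
    displayName   = "CA001 - Block access from outside Australia"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        # "All" locations minus the Australia named location = everywhere else
        locations      = @{ includeLocations = @("All"); excludeLocations = @($australia.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockOutsideAu

# --- 3. Require an Intune-compliant device ----------------------------------
$requireCompliant = @{
    displayName   = "CA002 - Require compliant device"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    # Access is granted only if Intune reports the device as compliant
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireCompliant

# --- 4. Require MFA everywhere except trusted locations ----------------------
$requireMfa = @{
    displayName   = "CA003 - Require MFA outside trusted locations"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        # "AllTrusted" is the built-in token for every named location with isTrusted = true
        locations      = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfa

# Check what was created. State should stay enabledForReportingButNotEnforced
# until the report-only results in the sign-in logs have been reviewed.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

Once the sign-in logs show the expected outcomes and no unexpected blocks, switch each policy’s `state` to `enabled` with `Update-MgIdentityConditionalAccessPolicy`. Keep the break-glass exclusion in place even then.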

Organisations using Azure AD with Premium Plan 1 licensing are eligible to create Conditional Access policies, and those that are not can purchase P1 licensing as an add-on if required. Policies that use sign-in risk or user risk as a condition (Identity Protection) additionally require Premium P2.

Hope that gives you a bit of an idea of how you can use Conditional Access within your environment and as usual, if you need help, reach out!
