One Way to Enhance Conditional Access

enhance conditional access

Enhance Conditional Access

I wrote an article awhile ago about how to use conditional access when MFA is not possible. In some cases you need need to enhance conditional access.

What is Conditional Access?


As a refresher, Conditional Access is a part of Azure AD that helps organizations improve security and compliance. By creating Conditional Access policies, you can tweak your authentication process.

Think about the old way of authentication: You require user to supply a username and password. Most of the time, it’s the legitimate account owner typing them in, the user can go on to access all the data, applications and other resources they’ve been granted permissions for. But consider this, an attacker has stolen or guessed a user’s credentials. Now they are accessing your network, and could have a breach on your hands.

You can use Azure AD Conditional to strengthen the authentication process. For example, you can create a policy to require users in a certain group to only login on devices that are recognized by the organization (At least Azure AD registered) and block all others. This will also help you pinpoint a breach a lot quicker. I will show you how in the next section.

Limit A Users Login With Conditional Access

Login to your Azure Active Directory (AD) portal and go to Conditional Access and add a new policy:

Enhance Conditional Access

Give your Policy a name and then add users or groups that you want to include in this policy ( In my example I added a group):

Conditional Access

Next, you can move to the next step, which is what applications you want to restrict login to. In this example, I have chosen Office 365:

Enhance Conditional Access

Enhancing Conditional Access

The next part enhance the access by making sure all types of apps are block. This means no browser access and no desktop or mobile app access. Click on conditions and then client apps:

Enhance Conditional Access

Check other clients if you still use POP, IMAP and SMTP but I hope you don’t. Those are legacy protocols.

This is the most important part the Conditional Access Policy:

Enhance Conditional Access

In the Filter for Devices Section, you exclude devices from the policy by “Trust type”. If a user account from the group specified above is NOT one or more of the trust types you specify, they ARE included. I kept it simple and chose Azure AD registered. I am in a Hybrid environment and our devices are not joined to the cloud, only registered.

The last section is to block all access to the aforementioned apps:

Enhance Conditional Access

You could save the policy and start using it right away but that would not be a good idea. Save it as “Report-Only” and then check you Azure AD sign in logs to make sure it it working. Look at the logs by going to Azure AD / Users / Sign-in Logs. You will see a list of your users sign-ins. Filter for a time period where you have the Report-Only Conditional Access Policy in place.

Pick a user account that you know in included in the policy, if you see this then the policy would not block them if it were on:

Enhance Conditional Access

If you see the following you the device would be blocked from signing in if it were on:

Enhance Conditional Access

Users would expect to get this screen when they try to login:

Enhance Conditional Access

You can investigate the sign-in to make sure it is not a false positive. Let the policy run in “Report-Only” Mode for awhile until you are sure it is running as it should and then turn it on. You have now enhance your conditional access policy.

Happy IT’ing

Dan

Avatar photo

I am an IT professional with over twenty years experience in the field. I have supported thousands of users over the years. The organizations I have worked for range in size from one person to hundreds of people. I have performed support from Help Desk, Network / Cloud Administration, Network Support, Application Support, Implementation and Security.

Pin It on Pinterest