How can Conditional Access help your business ?


In an increasingly connected world and in an era where digital transformation is the most disruptive innovation, your business is certainly going digital and, if not, you are planning to go digital soon. While digitalization is a must for businesses to survive, your business could be significantly disturbed if your digitalization planning is not accompanied with a solid cybersecurity defense plan. Azure Active Directory is a leader in the cloud identity management field and includes features allowing to protect your business as long as you use it for your digital transformation. You are already using Office 365? If yes, then you are using Azure Active Directory and you can take benefit of the feature we are describing in this article. Remember first that password protections are fundamentally flawed and that you need to stop perfecting your password policies and invest on multi-factor authentication and compensating controls. More details in our previous Wiki « Stop perfecting your Active Directory Domain Services Password / Lockout Policies – It is time to invest on Multi-Factor Authentication and Compensating Controls » : https://social.technet.microsoft.com/wiki/contents/articles/52714.stop-perfecting-your-active-directory-domain-services-password-lockout-policies-it-is-time-to-invest-on-multi-factor-authentication-and-compensating-controls.aspx

Conditional Access is an Azure Active Directory tool that is used to allow access based on a set of requirements (also called signals). It is the heart of the new identity driven control plane and is a powerful tool offered by Microsoft.

In a simplified way, it is based on « If then » statements that are summarized as follows :

  • Signals are the set of conditions that are expected to be met (Example : The condition could be that the connection should be performed from specific public IP addresses)
  • Decisions are the actions shall could be taken depending if the conditions are met or not (Examples of decisions are « Allow full access », « Allow limited access » and « Block access »)

It is important to note that, unlike traditional protection techniques, the focus of Conditional Access is to manage identity access from everywhere (e.g. inside and outside of the organization). As such, every access attempt is verified and acted on depending if specified conditions are met or not. As well, Conditional Access policies are enforced after the first-factor authentication has been completed (Example : After providing your login and password).

What are the common signals ?

Conditional Access uses signals to define a set of conditions to act on and take decisions. The following are the common signals that can be taken into account when making a policy decision :

Signal

Description

Usage example

User or group membership

Policies can target specific users and groups. This signal is used to specify the specific users and groups on which the policy would be applied

You can require multi-factor authentication only for all users having admin access and whom are part of a specific group you have created or used in Azure Active Directory.

IP Location information

Policies can target IP addresses  or ranges

You can allow traffic to your services from specific countries. As well, you can only allow public IPs used by organization to ensure that accesses are performed only from your premises.

Device

Policies can be enforced to devices with specific platforms or marked with a specific state

You can require that mobile phones cannot be used to connect to your Azure Active Directory integrated systems.

Application

Policies can be enforced per application

You can enforce a multi-factor authentication to Office 365 but not to other applications.

Real-time and calculated risk detection

Microsoft identifies risky sign-in behaviors based on which specific policies could be applied

If an account has been identified to be at risk (Example : Leaked credentials), you can require a password change or a multi-factor authentication.

Microsoft Cloud App Security (MCAS)

Enables user application access and sessions to be monitored and controlled in real time, increasing visibility and control over access to and activities performed within your cloud environment.

As you can see, Conditional Access on Azure is one of the most granular and advanced access filtering feature that is currently available on the market. It shall be considered to overcome the limitations of the traditional password protection controls and move toward a more dynamic and effective setup. If you are already a user of Azure Active Directory, you shall consider Conditional Access and see how you could take benefit of it. As well, when designing architectures around Azure, think of how you can centrally use your Azure Active Directory to centrally manage your identities and enhance it with Conditional Access to better control your accesses.

What are the common decisions ?

Decisions would be to block or grant access while introducing certain requirements. If you grant access then you can :

  • Grant it without additional requirements
  • Require one or a combination of the following :
    • Multi-factor authentication
    • A device that meets compliance requirements
    • A hybrid Azure AD joined device
    • An approved client app
    • Meeting an app protection policy

What are the commonly applied policies ?

By combining signals and decisions, you can establish your policies. While there are so many ways to craft your policies, the following examples are here to inspire you while creating them:

Policy

Rationale

Requiring multi-factor authentication for users with administrative roles

Your users with administrative roles are the most interesting individuals for attacks. As such, you certainly do not think that a single factor-authentication is sufficient and you would like to require a multi-factor authentication at least for them

Blocking sign-ins for users attempting to use legacy authentication protocols

Legal authentication protocols are obsolete and weak. This policy helps you protect your identities from the most common attacks on authentication protocols

Requiring trusted locations for Azure Multi-Factor Authentication registration

Imagine that an account has been compromised and that its Multi-Factor Authentication is required but not setup yet. Certainly, you do not want the hacker to setup the Multi-Factor Authentication using his/her devices and access your data. As such, you want to restrict the setup to only your organization IP addresses used for internet access. Unless your hacker is an insider, this policy will greatly protect your identities

Blocking risky sign-in behaviors

If Microsoft confirms that an account has been compromised then you certainly will block access to this account until your administrators reset the password or addresses the issue

Requiring organization-managed devices for specific applications

BYOD helps to show flexibility but it has its limit. If an application has data that are classified as secret then you are more likely to allow only the devices managed by your organization to access this application

What have you learned ?

As you can see, Conditional Access on Azure is one of the most granular and advanced access filtering feature that is currently available on the market. It shall be considered to overcome the limitations of the traditional password protection controls and move toward a more dynamic and effective setup. If you are already a user of Azure Active Directory, you shall consider Conditional Access and see how you could take benefit of it. As well, when designing architectures around Azure, think of how you can centrally use your Azure Active Directory to centrally manage your identities and enhance it with Conditional Access to better control your accesses.

Remark : This Microsoft article was used as an inspiration to write this Wiki : https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview