Common Conditional Access Policies



In this tutorial, we will discuss Conditional Access policies in Azure AD, starting with security defaults and then the emergency access accounts that such policies must account for. So, let’s start understanding them.

Security Defaults

Security defaults are a good fit for some organizations, but many need more flexibility than they offer. For example, many organizations need the ability to exclude specific accounts, such as their emergency access or break-glass administration accounts, from Conditional Access policies that require multi-factor authentication.

Managing security can be difficult in the face of common identity-related attacks like password spray, replay, and phishing. Security defaults make it easier to protect your organization from these attacks with pre-configured security settings:

  • Firstly, requiring all users to register for Azure Multi-Factor Authentication.
  • Secondly, requiring administrators to perform multi-factor authentication.
  • Thirdly, blocking legacy authentication protocols.
  • Then, requiring users to perform multi-factor authentication when necessary.
  • Lastly, protecting privileged activities like access to the Azure portal.
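
As an added example that is not part of the original tutorial, the following Python script expresses the same baseline as Conditional Access policies in the shape Microsoft Graph uses for a conditionalAccessPolicy (users include/exclude lists, clientAppTypes, grantControls), with the break-glass accounts excluded, and then checks a set of policies for the two mistakes an administrator most often makes: an enabled MFA or block policy that still reaches an emergency access account, and the absence of any policy that blocks legacy authentication. The object IDs, display names and policy documents are constructed placeholders, and group-based scoping is not resolved (an assumption noted in the code).

```python
"""Check Conditional Access policies against the security-defaults baseline
while keeping emergency access (break-glass) accounts excluded. Added example:
policy documents follow the Microsoft Graph conditionalAccessPolicy shape, but
every ID and display name here is a constructed placeholder."""
from __future__ import annotations

# Constructed placeholder object IDs for the two break-glass accounts.
EMERGENCY_ACCOUNT_IDS = frozenset({"breakglass-01-object-id", "breakglass-02-object-id"})

# clientAppTypes values that Conditional Access treats as legacy authentication.
LEGACY_CLIENT_APP_TYPES = frozenset({"exchangeActiveSync", "other"})


def build_baseline_policies(emergency_ids) -> list[dict]:
    """Two policies mirroring what security defaults enforce (MFA for everyone,
    legacy authentication blocked), each excluding the break-glass accounts."""
    exclude = sorted(emergency_ids)
    return [
        {
            "displayName": "Require MFA for all users",
            "state": "enabled",
            "conditions": {
                "users": {"includeUsers": ["All"], "excludeUsers": exclude},
                "applications": {"includeApplications": ["All"]},
                "clientAppTypes": ["all"],
            },
            "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
        },
        {
            "displayName": "Block legacy authentication",
            "state": "enabled",
            "conditions": {
                "users": {"includeUsers": ["All"], "excludeUsers": exclude},
                "applications": {"includeApplications": ["All"]},
                "clientAppTypes": sorted(LEGACY_CLIENT_APP_TYPES),
            },
            "grantControls": {"operator": "OR", "builtInControls": ["block"]},
        },
    ]


def _users(policy: dict) -> dict:
    return policy.get("conditions", {}).get("users", {})


def _controls(policy: dict) -> set[str]:
    return set(policy.get("grantControls", {}).get("builtInControls", []))


def _reaches(policy: dict, account_id: str) -> bool:
    """True if the user scope reaches the account ('All', an explicit ID, or any
    group include). Assumption: group membership is not resolved here, so a
    group include is treated as 'may apply' rather than looked up."""
    users = _users(policy)
    included = ("All" in users.get("includeUsers", [])
                or account_id in users.get("includeUsers", [])
                or bool(users.get("includeGroups")))
    return included and account_id not in users.get("excludeUsers", [])


def unexcluded_emergency_accounts(policies, emergency_ids) -> dict[str, list[str]]:
    """Map policy displayName -> break-glass IDs still reached by an enabled
    policy that requires MFA or blocks access. Report-only and disabled
    policies are skipped. An empty dict means no emergency account is at risk."""
    findings: dict[str, list[str]] = {}
    for policy in policies:
        if policy.get("state") != "enabled" or not (_controls(policy) & {"mfa", "block"}):
            continue
        caught = [a for a in sorted(emergency_ids) if _reaches(policy, a)]
        if caught:
            findings[policy["displayName"]] = caught
    return findings


def legacy_auth_blocked(policies) -> bool:
    """True if some enabled policy blocks every legacy client app type for all users."""
    for policy in policies:
        if policy.get("state") != "enabled" or "block" not in _controls(policy):
            continue
        if "All" not in _users(policy).get("includeUsers", []):
            continue
        app_types = set(policy.get("conditions", {}).get("clientAppTypes", []))
        if LEGACY_CLIENT_APP_TYPES <= app_types:
            return True
    return False


if __name__ == "__main__":
    baseline = build_baseline_policies(EMERGENCY_ACCOUNT_IDS)
    print("legacy auth blocked:", legacy_auth_blocked(baseline))
    print("at-risk break-glass accounts:", unexcluded_emergency_accounts(baseline, EMERGENCY_ACCOUNT_IDS))
    # Constructed drift: a later admin MFA policy that forgot the exclusion.
    drifted = baseline + [{
        "displayName": "Require MFA for admins",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }]
    print("after drift:", unexcluded_emergency_accounts(drifted, EMERGENCY_ACCOUNT_IDS))
```

Running the script as-is reports no at-risk accounts for the baseline and then flags both break-glass IDs once the drifted policy is added. In a real tenant the policy list would come from the Graph endpoint and group membership would need to be expanded before trusting a clean result.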

Emergency access accounts

To better understand emergency access accounts, you should learn about:

  • Managing emergency access accounts in Azure AD
  • Creating a resilient access control management strategy with Azure Active Directory

Managing emergency access accounts in Azure AD

It is important to prevent being accidentally locked out of your Azure Active Directory (Azure AD) organization, because once locked out you can’t sign in or activate another user’s account as an administrator. You should therefore mitigate the impact of an accidental lack of administrative access by creating two or more emergency access accounts.

Emergency access accounts are highly beneficial. They are not assigned to specific individuals, and they are limited to emergency or “break glass” scenarios where normal administrative accounts can’t be used.

Why use an emergency access account?

An organization might need to use an emergency access account in the following situations:

  • Firstly, when user accounts are federated and the federation is currently unavailable because of a cell-network disruption or an identity-provider outage.
  • Secondly, when administrators are registered for Azure Multi-Factor Authentication and all of their individual devices are unavailable, or the service itself is unavailable, so they cannot complete Multi-Factor Authentication to activate a role.
  • Thirdly, when the person with the most recent Global Administrator access has left the organization. Azure AD prevents the last Global Administrator account from being deleted, but it does not prevent the account from being deleted or disabled on-premises.
  • Lastly, in unforeseen circumstances such as a natural disaster, during which mobile phone or other networks might be unavailable.
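
Because these accounts exist only for the scenarios above, any sign-in by one of them is an event worth reviewing. As an added example that is not part of the original tutorial, the following Python script scans sign-in records (constructed inline in the shape of Microsoft Graph sign-in log entries; the UPNs, IP addresses, timestamps and error codes are placeholders) and raises an alert for every successful emergency-account sign-in, for a successful sign-in where Conditional Access was evaluated against the account (a sign that the exclusion discussed earlier is missing), and for repeated failures against an account.

```python
"""Flag any use of the emergency access accounts in Azure AD sign-in logs.
Added example: records are constructed inline in the shape of Microsoft Graph
auditLogs/signIns entries; the UPNs, IPs and timestamps are placeholders."""
from collections import Counter

# Constructed placeholder UPNs for the break-glass accounts (lower-case for matching).
EMERGENCY_UPNS = frozenset({
    "breakglass01@contoso.onmicrosoft.com",
    "breakglass02@contoso.onmicrosoft.com",
})

# Constructed sample sign-in records. errorCode 0 is a successful sign-in;
# conditionalAccessStatus "notApplied" is what an excluded account should show.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2023-05-01T08:00:00Z", "userPrincipalName": "alice@contoso.onmicrosoft.com",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}, "conditionalAccessStatus": "success"},
    {"createdDateTime": "2023-05-01T08:05:00Z", "userPrincipalName": "BreakGlass01@contoso.onmicrosoft.com",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}, "conditionalAccessStatus": "notApplied"},
    {"createdDateTime": "2023-05-01T09:00:00Z", "userPrincipalName": "breakglass02@contoso.onmicrosoft.com",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}, "conditionalAccessStatus": "notApplied"},
    {"createdDateTime": "2023-05-01T09:00:20Z", "userPrincipalName": "breakglass02@contoso.onmicrosoft.com",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}, "conditionalAccessStatus": "notApplied"},
    {"createdDateTime": "2023-05-01T09:00:40Z", "userPrincipalName": "breakglass02@contoso.onmicrosoft.com",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}, "conditionalAccessStatus": "notApplied"},
    {"createdDateTime": "2023-05-02T14:30:00Z", "userPrincipalName": "breakglass01@contoso.onmicrosoft.com",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}, "conditionalAccessStatus": "success"},
]


def analyze_signins(records, emergency_upns, failure_threshold=3):
    """Return a list of alert dicts for the emergency accounts only:
    - EMERGENCY_ACCOUNT_USED: any successful sign-in (these should be rare and
      always tied to a known incident, so every one deserves a ticket).
    - CA_APPLIED_TO_EMERGENCY_ACCOUNT: a successful sign-in where Conditional
      Access was evaluated, meaning some policy reaches the account and the
      exclusion should be reviewed.
    - EMERGENCY_ACCOUNT_FAILED_SIGNINS: repeated failures against an account,
      which warrant investigation."""
    alerts = []
    failures = Counter()
    for rec in records:
        upn = rec.get("userPrincipalName", "").lower()
        if upn not in emergency_upns:
            continue
        succeeded = rec.get("status", {}).get("errorCode") == 0
        base = {"upn": upn, "time": rec.get("createdDateTime"), "ip": rec.get("ipAddress")}
        if succeeded:
            alerts.append({**base, "alert": "EMERGENCY_ACCOUNT_USED"})
            if rec.get("conditionalAccessStatus") != "notApplied":
                alerts.append({**base, "alert": "CA_APPLIED_TO_EMERGENCY_ACCOUNT"})
        else:
            failures[upn] += 1
    for upn, count in sorted(failures.items()):
        if count >= failure_threshold:
            alerts.append({"upn": upn, "alert": "EMERGENCY_ACCOUNT_FAILED_SIGNINS", "count": count})
    return alerts


if __name__ == "__main__":
    for alert in analyze_signins(SAMPLE_SIGNINS, EMERGENCY_UPNS):
        print(alert)
```

On the sample data the script produces four alerts: two successful break-glass sign-ins, one of which also shows Conditional Access being applied to the account, and three failed attempts against the second account. Feeding it real records would mean pulling the sign-in log from the Graph API or a SIEM export; the matching and alert logic stays the same.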
Creating a resilient access control management strategy with Azure Active Directory

Organizations that depend on a single access control, such as multi-factor authentication (MFA) or a single network location, to secure their IT systems are susceptible to access failures. If that single access control becomes unavailable, access to their apps and resources fails with it. For example, a natural disaster can make large segments of telecommunications infrastructure or corporate networks unavailable. Such a disruption could prevent end users and administrators from being able to sign in.

This paper includes recommended actions that an organization can take to increase resilience and reduce the risk of lockout in the following scenarios:

  • Firstly, organizations can increase their resiliency to reduce the risk of lockout before a disruption by implementing mitigation strategies or contingency plans.
  • Secondly, organizations can continue to access apps and resources they choose during a disruption by having mitigation strategies and contingency plans in place.
  • Thirdly, organizations should make sure they preserve information, such as logs, after a disruption and before they roll back any contingencies they implemented.
  • Lastly, organizations that haven’t implemented prevention strategies or alternative plans may be able to implement emergency options to deal with the disruption.

Reference: Microsoft Documentation

