Building a Conditional Access policy
In this tutorial, we will look at the parts of a Conditional Access policy: its Assignments and its Access controls. A Conditional Access policy brings signals together to make decisions and enforce organizational policies.
Requirements for a Conditional Access policy
Assignments
The assignments portion is responsible for controlling the who, what, and where of the Conditional Access policy.
Users and groups
Users and groups assign who the policy will include or exclude. This assignment can include all users, specific groups of users, directory roles, or external guest users.
Cloud apps or actions
Cloud apps or actions include or exclude the cloud applications, or even the user actions, that will be subject to the policy.
Conditions
A policy can have multiple conditions.
Sign-in risk
For organizations with Azure AD Identity Protection, the risk detections generated there can influence your Conditional Access policies.
Device platforms
Organizations with multiple device operating system platforms can enforce specific policies on different platforms. Note that the information used to calculate the device platform comes from unverified sources, such as user agent strings, which can be changed.
Locations
Location data is derived from IP geolocation data. Administrators can define their own locations and can mark some of them as trusted, such as their organization's network locations.
Client apps
Conditional Access policies by default apply to browser apps, mobile apps, and desktop clients that support modern authentication.
This condition also lets Conditional Access policies target specific client applications that do not use modern authentication. These include Exchange ActiveSync clients, older Office applications that do not use modern authentication, and mail protocols like IMAP, MAPI, POP, and SMTP.
Device state
This control is used to exclude devices that are hybrid Azure AD joined, or marked as compliant in Intune.
Access controls
The access controls portion of the Conditional Access policy is for controlling how a policy is enforced.
Grant
Grant is where administrators define how the policy is enforced: they can either block access or grant it.
Block access
Block access blocks access under the specified assignments. The block control is powerful and should be used with the appropriate knowledge.
Grant access
The grant control triggers enforcement of one or more controls.
- Require multi-factor authentication (Azure Multi-Factor Authentication)
- Require the device to be marked as compliant
- Require a Hybrid Azure AD joined device
- Require an approved client app
- Require an app protection policy
Administrators can choose to require one of the previous controls or all selected controls using the following options. The default for multiple controls is to require all.
- Require all the selected controls
- Require one of the selected controls
Session
Session controls can limit the user experience within a session.
Using app enforced restrictions
- Currently works with Exchange Online and SharePoint Online only.
- Passes device information to allow control of the experience, granting full or limited access.
Using Conditional Access App Control
- Uses signals from Microsoft Cloud App Security to do things like:
  - Blocking download, cut, copy, and print of sensitive documents.
  - Monitoring risky session behavior.
  - Requiring labeling of sensitive files.
Sign-in frequency
- Ability to change the default sign-in frequency for modern authentication.
Persistent browser session
- Allows users to remain signed in after closing and reopening their browser window.
Simple policies
A Conditional Access policy must have at minimum the following to be enforced:
- The name of the policy.
- Assignments
  - Users and/or groups to apply the policy to.
  - Cloud apps or actions to apply the policy to.
- Access controls
  - Grant or Block controls.
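As an added example (not code from the original page or from Microsoft), the minimal policy above expressed in the Microsoft Graph conditionalAccessPolicy JSON shape, with a small check that the three required parts are present and that a Block control is not mixed with Grant controls. The Graph field names and the values "All", "mfa" and "block" are real; the helper functions, the sample policy and the report-only default are constructed for this illustration.

```python
# Built-in grant controls as named in the Graph schema. "block" is the Block access
# control; the others are the Grant access options listed above (MFA, compliant
# device, hybrid Azure AD joined device, approved client app, app protection policy).
GRANT_CONTROLS = {"mfa", "compliantDevice", "domainJoinedDevice",
                  "approvedApplication", "compliantApplication"}

def build_policy(name, include_users, include_apps, grant=(), block=False,
                 require_all=True, state="enabledForReportingButNotEnforced"):
    """Return a policy dict with name, assignments and access controls (report-only by default)."""
    unknown = set(grant) - GRANT_CONTROLS
    if unknown:
        raise ValueError(f"unknown grant control(s): {sorted(unknown)}")
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": list(include_users)},
            "applications": {"includeApplications": list(include_apps)},
        },
        "grantControls": {
            # The tutorial notes the default for multiple controls is "require all" (AND).
            "operator": "AND" if require_all else "OR",
            "builtInControls": ["block"] if block else list(grant),
        },
    }

def validate(policy):
    """Return a list of problems; an empty list means the tutorial's minimum is met."""
    problems = []
    if not policy.get("displayName"):
        problems.append("missing policy name")
    cond = policy.get("conditions", {})
    users = cond.get("users", {})
    if not (users.get("includeUsers") or users.get("includeGroups")
            or users.get("includeRoles")):
        problems.append("assignments: no users, groups or roles included")
    apps = cond.get("applications", {})
    if not (apps.get("includeApplications") or apps.get("includeUserActions")):
        problems.append("assignments: no cloud apps or user actions included")
    controls = policy.get("grantControls", {}).get("builtInControls", [])
    if not controls:
        problems.append("access controls: neither grant nor block control is set")
    elif "block" in controls and len(controls) > 1:
        problems.append("access controls: block cannot be combined with grant controls")
    return problems

# Constructed sample: require MFA for all users on all cloud apps.
MFA_FOR_ALL = build_policy("Require MFA for all users", ["All"], ["All"], grant=["mfa"])
```

The dict can be posted as-is to the Graph conditionalAccess/policies endpoint once `state` is changed from report-only to "enabled".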
Reference: Microsoft Documentation