Building a Conditional Access policy



In this tutorial, we will learn about the Conditional Access policy, its assignments, and its access controls. A Conditional Access policy brings signals together to make decisions and enforce organizational policies.

Requirement for Conditional Access Policy

[Figure: Conditional Access policy requirement. Image source: Microsoft]
Assignments

The assignments portion is responsible for controlling the who, what, and where of the Conditional Access policy.

Users and groups

Users and groups assign who the policy will include or exclude. This assignment can include all users, specific groups of users, directory roles, or external guest users.

Cloud apps or actions

Cloud apps or actions include or exclude the cloud applications, or even user actions, that will be subject to the policy.

Conditions

A policy can have multiple conditions.

Sign-in risk

For organizations with Azure AD Identity Protection, the risk detections generated there can influence your Conditional Access policies.

Device platforms

Organizations with multiple device operating system platforms can enforce specific policies on different platforms. Note, however, that the information used to calculate the device platform comes from unverified sources, such as user agent strings, that can be changed.

Locations

Location data comes from IP geolocation data. Administrators can choose to define locations, and they can mark some of them as trusted, such as those for their organization's network locations.

Client apps

Conditional Access policies by default apply to browser apps, mobile apps, and desktop clients that support modern authentication.

This condition also lets Conditional Access policies target specific client applications that are not using modern authentication. These applications include Exchange ActiveSync clients, older Office applications that do not use modern authentication, and mail protocols like IMAP, MAPI, POP, and SMTP.

Device state

This control is for excluding devices that are hybrid Azure AD joined or marked as compliant in Intune.

Access controls

The access controls portion of the Conditional Access policy is for controlling how a policy is enforced.

Grant

Grant gives administrators a means of policy enforcement: they can block access or grant access.

Block access

Block access blocks access under the specified assignments. The block control is powerful and should be wielded with the appropriate knowledge.

Grant access

The grant control triggers enforcement of one or more controls.

  • Require multi-factor authentication (Azure Multi-Factor Authentication)
  • Require the device to be marked as compliant
  • Require a Hybrid Azure AD joined device
  • Require an approved client app
  • Require an app protection policy

Administrators can choose to require one of the previous controls or all selected controls using the following options. The default for multiple controls is to require all.

  • Require all the selected controls
  • Require one of the selected controls

Session

Session controls can limit the user experience.

Using app enforced restrictions
  • Currently works with Exchange Online and SharePoint Online only.
  • Passes device information to allow control of the experience, granting full or limited access.

Using Conditional Access App Control
  • Uses signals from Microsoft Cloud App Security to do things like:
  1. Blocking download, cut, copy, and print of sensitive documents.
  2. Monitoring risky session behavior.
  3. Requiring labeling of sensitive files.

Sign-in frequency
  • Ability to change the default sign-in frequency for modern authentication.

Persistent browser session
  • Allows users to remain signed in after closing and reopening their browser window.

Simple policies

A Conditional Access policy must have at minimum the following to be enforced:

  • The name of the policy.
  • Assignments:
  1. Users and/or groups to apply the policy to.
  2. Cloud apps or actions to apply the policy to.
  • Access controls:
  1. Grant or Block controls.
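The minimal policy above, assembled as an added example (not the tutorial's or Microsoft's code) in the JSON shape used by the Microsoft Graph conditionalAccessPolicy resource, with a check for the required pieces and the "require all" versus "require one" grant operator; the policy values are constructed and nothing is sent to Azure AD.

```python
# Added example (not the tutorial's or Microsoft's code): builds a Conditional
# Access policy in the JSON shape of the Graph conditionalAccessPolicy resource
# and checks the minimum pieces listed above. Nothing is sent to Azure AD.

# Built-in grant controls as named by Graph; "block" stands alone.
GRANT_CONTROLS = {"block", "mfa", "compliantDevice", "domainJoinedDevice",
                  "approvedApplication", "compliantApplication"}

def build_policy(name, include_users, include_apps, controls, operator="AND"):
    """Minimal policy; operator "AND" = all selected controls (default), "OR" = one."""
    return {
        "displayName": name,
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": include_users},
            "applications": {"includeApplications": include_apps},
        },
        "grantControls": {"operator": operator, "builtInControls": controls},
    }

def validate_policy(policy):
    """Return why the policy cannot be enforced, or None if it is complete."""
    if not policy.get("displayName"):
        return "policy needs a name"
    cond = policy.get("conditions", {})
    users = cond.get("users", {})
    if not (users.get("includeUsers") or users.get("includeGroups")):
        return "assignments need at least one user or group"
    if not cond.get("applications", {}).get("includeApplications"):
        return "assignments need at least one cloud app or action"
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls", []))
    if not controls:
        return "access controls need a grant or block control"
    if "block" in controls and len(controls) > 1:
        return "block cannot be combined with other controls"
    return None

def is_access_granted(policy, satisfied):
    """Outcome for a sign-in that has satisfied the given set of controls."""
    grant = policy["grantControls"]
    required = set(grant["builtInControls"])
    if "block" in required:
        return False
    if grant.get("operator", "AND") == "AND":
        return required <= satisfied   # all selected controls
    return bool(required & satisfied)  # one of the selected controls

# Constructed sample: require MFA and a compliant device for all users.
SAMPLE = build_policy("Require MFA + compliant device", ["All"], ["All"],
                      ["mfa", "compliantDevice"])
```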

Reference: Microsoft Documentation

