Conditional access and its benefits
In this tutorial, we will look at Conditional Access and its benefits.
Conditional Access is the tool Azure Active Directory uses to bring signals together, make decisions, and enforce organizational policies. Conditional Access is at the heart of the new identity-driven control plane. By using these policies, you can apply the right access controls when they are needed to keep your organization secure, and stay out of your users' way when they are not.
Conditional Access signals
Conditional Access can use the following signals to control the who, what, and where of the policy:
- Firstly, User or group membership. Policies target specific users and groups (including admin roles), giving administrators fine-grained control over access.
- Secondly, Named location information. Named location information can be created using IP address ranges and used when making policy decisions. Also, administrators can opt to block or allow traffic from an entire country’s IP range.
- Thirdly, Device. Policies can target users whose devices run specific platforms or are marked with a specific state (for example, compliant).
- Then, Application. Users attempting to access specific applications can trigger different Conditional Access policies.
- Next, Real-time sign-in risk detection. Integration with Azure AD Identity Protection allows Conditional Access policies to identify risky sign-in behavior. Policies can then force users to change their password or perform multifactor authentication to reduce their risk level until an administrator takes manual action.
- After that, Cloud apps or actions. Cloud apps or actions can include or exclude cloud applications or user actions that will be subject to the policy.
- Lastly, User risk. For customers with access to Identity Protection, user risk can be evaluated as part of a Conditional Access policy. User risk represents the probability that a given identity or account is compromised. User risk can be configured for high, medium, or low probability.
Common decisions
- Firstly, Block access
  - The most restrictive decision
- Secondly, Grant access
  - The least restrictive decision; it can still require one or more of the following controls:
    - Require multi-factor authentication
    - Require the device to be marked as compliant
    - Require a Hybrid Azure AD joined device
    - Require an approved client app
    - Require an app protection policy (preview)
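As an added example (not from this page and not Microsoft's own code), the following Python models the evaluation described above: one policy in the Microsoft Graph conditionalAccessPolicy JSON shape is matched against the sign-in signals listed earlier and yields one of the decisions just described. The user, group, location and application ids and the sign-in record are constructed, and the model deliberately omits what the real service adds on top (merging several policies, session controls, report-only reporting).

```python
# Added illustration, not Microsoft's engine: a simplified local model of how one
# Conditional Access policy (Graph conditionalAccessPolicy shape) decides a sign-in.

def _selects(inc, exc, values: set) -> bool:
    # Graph-style scoping: "All" or an explicit id includes; any exclude hit wins.
    return not (values & set(exc)) and ("All" in inc or bool(values & set(inc)))

def _user_in_scope(u: dict, signin: dict) -> bool:
    # Targeted directly or through a group; an exclusion at either level wins
    # (this is how break-glass accounts are kept out of a policy).
    groups = set(signin["groups"])
    included = ("All" in u.get("includeUsers", []) or signin["user"] in u.get("includeUsers", [])
                or groups & set(u.get("includeGroups", [])))
    excluded = signin["user"] in u.get("excludeUsers", []) or groups & set(u.get("excludeGroups", []))
    return bool(included) and not excluded

def _condition(scope, key: str, value: str) -> bool:
    # A condition block the policy leaves out does not constrain the sign-in.
    return scope is None or _selects(scope.get("include" + key, []),
                                     scope.get("exclude" + key, []), {value})

def evaluate(policy: dict, signin: dict) -> dict:
    c = policy["conditions"]
    applies = (policy["state"] == "enabled"          # report-only enforces nothing
               and _user_in_scope(c["users"], signin)
               and _condition(c["applications"], "Applications", signin["app"])
               and _condition(c.get("locations"), "Locations", signin["location"])
               and _condition(c.get("platforms"), "Platforms", signin["platform"])
               # an empty risk list means that signal is not evaluated at all
               and (not c.get("signInRiskLevels") or signin["signInRisk"] in c["signInRiskLevels"])
               and (not c.get("userRiskLevels") or signin["userRisk"] in c["userRiskLevels"]))
    if not applies:
        return {"decision": "notApplicable"}
    g = policy["grantControls"]
    if "block" in g.get("builtInControls", []):       # most restrictive decision
        return {"decision": "block"}
    return {"decision": "grant", "operator": g.get("operator", "OR"),   # least restrictive,
            "require": g.get("builtInControls", [])}                   # still with controls

POLICY = {  # constructed: risky sign-ins from outside HQ need MFA or a compliant device
    "displayName": "Risky sign-in: MFA or compliant device", "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeGroups": ["grp-breakglass"]},
        "applications": {"includeApplications": ["All"]},
        "locations": {"includeLocations": ["All"], "excludeLocations": ["loc-corp-hq"]},
        "signInRiskLevels": ["high", "medium"]},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]}}

SIGNIN = {"user": "u-alice", "groups": ["grp-finance"], "app": "app-sharepoint",  # constructed
          "location": "loc-cafe", "platform": "windows", "signInRisk": "medium", "userRisk": "none"}
```

Changing one signal at a time (location to the excluded office, risk level to low, membership in the excluded group) shows which condition stops the policy from applying, while swapping the grant controls for `["block"]` shows the most restrictive decision winning.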
Reference: Microsoft Documentation