What is Conditional Access?
In this article, we will learn about Conditional Access: the signals it evaluates and the decisions it can enforce.
Conditional Access is the tool that Azure Active Directory uses to bring signals together, make decisions, and enforce organizational policies. It is at the heart of the new identity-driven control plane.
At their simplest, Conditional Access policies are if-then statements: if a user wants to access a resource, then they must complete an action. Administrators have two primary goals:
- Empower users to be productive wherever and whenever they work
- Protect the organization's assets
By using Conditional Access policies, you can apply the right access controls when they are needed to keep your organization secure, and stay out of your users' way when they are not.
Common signals
Common signals that Conditional Access can take into account when making a policy decision include the following:
- User or group membership
  - Policies can be targeted to specific users and groups, giving administrators fine-grained control over access.
- IP location information
  - Organizations can define trusted IP address ranges (named locations) that are used when making policy decisions.
  - Administrators can also block or allow traffic from the IP ranges of entire countries or regions.
- Device
  - The device platform a user signs in from, or the state the device is marked with (for example, compliant), can be used when enforcing Conditional Access policies.
- Application
  - Users attempting to access specific applications can trigger different Conditional Access policies.
- Real-time and calculated risk detection
  - Integration with Azure AD Identity Protection signals allows Conditional Access policies to identify risky sign-in behavior. Policies can then require users to change their password or complete multi-factor authentication to reduce their risk level, until an administrator takes manual action.
- Microsoft Cloud App Security (MCAS)
  - Enables user application access and sessions to be monitored and controlled in real time, increasing visibility and control over access to, and activities performed within, your cloud environment.
Common decisions
- Block access
  - The most restrictive decision; it takes precedence over any grant.
- Grant access
  - The least restrictive decision, but it can still require one or more of the following controls:
    - Require multi-factor authentication
    - Require the device to be marked as compliant
    - Require a Hybrid Azure AD joined device
    - Require an approved client app
    - Require an app protection policy (preview)
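The following is an added example, not code from the original page or from Microsoft's documentation, showing how the signals and decisions listed above map onto one concrete policy created with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph.Identity.SignIns module is installed and that the signed-in administrator holds the Policy.ReadWrite.ConditionalAccess permission; the group ID and break-glass account ID are placeholder values, not real identifiers.

```powershell
# Added example: build a Conditional Access policy from the signals and decisions
# discussed above. Group and user IDs below are placeholders (assumption), and the
# policy is created in report-only mode so nothing is enforced until reviewed.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$params = @{
    displayName = "Require MFA or compliant device for risky sign-ins outside trusted locations"
    # Report-only: the policy is evaluated and logged in sign-in logs but not enforced.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        # Signal: user or group membership (placeholder object IDs)
        users = @{
            includeGroups = @("00000000-0000-0000-0000-000000000001")  # target group
            excludeUsers  = @("00000000-0000-0000-0000-000000000002")  # break-glass account
        }
        # Signal: application (every cloud app in the tenant)
        applications = @{
            includeApplications = @("All")
        }
        # Signal: IP location; "AllTrusted" is the tenant's trusted named locations
        locations = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")
        }
        # Signal: real-time sign-in risk from Azure AD Identity Protection
        signInRiskLevels = @("high", "medium")
        # Signal: device platform (all platforms)
        platforms = @{
            includePlatforms = @("all")
        }
        clientAppTypes = @("all")
    }
    # Decision: grant access, but only if ONE of the listed controls is satisfied.
    # Use operator = "AND" to require all of them instead.
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa", "compliantDevice")
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params
$policy | Select-Object Id, DisplayName, State
```

Two practitioner caveats the page's if-then model implies: always exclude at least one break-glass account so a misconfigured policy cannot lock every administrator out, and remember that when several policies apply to the same sign-in, a block decision in any of them wins over the grant controls in the others, so check the report-only results in the sign-in logs before switching `state` to `enabled`.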
Reference: Microsoft Documentation