Mark Brezicky / Categories: Azure, Microsoft Teams, Microsoft

Azure AD Conditional Access Baselines and Best Practices

Azure AD Conditional Access has a tremendous amount of potential and capability for organizations big and small.  I like to think of it as the engine that runs Azure AD authentication.  The concept is fairly simple: define a scoped scenario for the incoming sign-in signals and require that they meet minimum requirements before access to corporate resources is granted.   


The simplest Conditional Access policy can be created in mere minutes.  However, as simple as they are, a misconfigured policy can drastically affect your environment in an adverse way (up to locking users, and administrators, out of the tenant).  There are many different signals/conditions and decisions that can be combined to create anything from an org-wide policy down to a policy for one specific scenario.  Each decision option was described in prior blog articles: 

https://blog.enablingtechcorp.com/azure-ad-conditional-access-beyond-mfa

https://blog.enablingtechcorp.com/azure-ad-conditional-access-session-controls

Here are some common signals and conditions that can be used to scope how a policy is applied: 

  • User or group membership 
      • Select one or all users, guest users, or directory roles 
  • Application 
      • Select one, multiple, or all applications 
  • Conditions 
      • Risk 
      • Platform 
      • Location 
      • Client apps 
      • Devices (preview) 

Common decisions 

  • Block access 
  • Grant access (require one, or all, of the selected controls) 
      • Require multi-factor authentication 
      • Require device to be marked as compliant 
      • Require Hybrid Azure AD joined device 
      • Require approved client app 
      • Require app protection policy 
      • Require Terms of Use 
      • Custom controls for 3rd-party MFA 
      • Require client certificate (coming soon) 
  • Session controls 
      • MCAS Conditional Access App Control 
      • App enforced restrictions (Exchange Online / SharePoint Online restricted session) 
      • Persistent browser session 
      • Sign-in frequency 

 

Baseline 

Microsoft and Enabling Technologies recommend that each organization employ a baseline set of Azure AD Conditional Access policies for strong authentication and real-time access control, to ensure a consistent and thorough balance of security and productivity while maintaining awareness and enforcement against today's common threats.  While the purpose of these policies should be similar across organizations, the scoping conditions may differ based on organization-specific scenarios and accepted risk. 

 

The following describes what should be considered for your baseline package: 

 

Policy #1: Enforce Azure MFA  

  • Scope as widely as possible: All users and All cloud apps, ideally.  Nothing should reach your resources without strong authentication 
  • Configure exclusions as applicable (emergency access accounts, plus any service accounts that genuinely cannot perform MFA).  Apart from the emergency access accounts, do not intend for exclusions to be permanent 

Policy #2: Block legacy authentication protocols  

  • Scope the same as the Azure MFA Conditional Access policy 
  • Configure exclusions as applicable.  Do not intend for them to be permanent 
  • Conditions > Client apps > select only the legacy authentication clients (Exchange ActiveSync clients and Other clients) 
  • Grant > Block access 
  • Legacy protocols such as POP, IMAP, SMTP AUTH and basic-auth EWS cannot complete MFA; blocking them explicitly closes the gaps left by any exclusions in Policy #1 and is what defeats password spray against those endpoints 

Policy #3: Require device compliance 

  • Requires Microsoft Endpoint Manager (Intune) compliance policies 
  • Ensure all devices meet the minimum defined compliance requirements 
  • Can also include Require Hybrid Azure AD joined device to eliminate BYOD access scenarios.  Watch the operator: with "Require one of the selected controls" a compliant BYOD device still gets in; use "Require all the selected controls" (or hybrid join on its own) to exclude BYOD 
  • Pilot this on a test group first: a user whose device is not yet enrolled is locked out of every app in scope 

Policy #4: Sign-in risk-based 

  • Requires Azure AD Premium P2 (Identity Protection) 
  • Block all high sign-in risk events 
  • Alternatively, require multiple controls (e.g. MFA with an app protection policy) 
  • Optionally, choose an additional grant control (e.g. MFA) for Medium or Low events 

Policy #5: User risk-based 

  • Requires Azure AD Premium P2 (Identity Protection) 
  • Block all high user risk events, or require a password change (MFA followed by a new password) so a user whose credentials are believed leaked remediates the account themselves 
  • Alternatively, require multiple controls (e.g. MFA with an app protection policy) 
  • Optionally, choose an additional grant control for Medium or Low events 

Policy #6: Session policies 

  • For high-risk scenarios that demand additional enforcement and data protection, for example: 
      • Administrative logins via privileged access workstations (e.g. a short sign-in frequency and no persistent browser session) 
      • Highly confidential data access (e.g. app enforced restrictions, or MCAS Conditional Access App Control to block download on unmanaged devices) 
      • A general desire to increase monitoring activities 

Policy #7: Location policies 

  • Create a geofence using named locations (countries/regions).   
  • Block the countries and other locations from which you never expect anyone to access corporate resources. 
  • IP geolocation is not authentication: an attacker can come through a VPN or proxy in an allowed country, so this policy cuts noise and opportunistic attacks rather than replacing MFA. 

Policy #8: Secure security info registration (use case severely reduced due to COVID) 

  • Target the user action "Register security information" and ensure all users are within defined parameters (e.g. on the corporate network or another trusted named location) to register or change MFA information, so that an attacker holding only a password cannot enrol their own authenticator. 

 

Best Practices 

The following is a list of common best practices that every organization should consider when implementing Azure AD Conditional Access policies: 

 

  1. Apply Conditional Access to every authentication request for all users and applications.   
  2. Minimize the number of policies 
  3. Use a standard naming convention 
  4. Plan for some disruption with newly created policies 
  5. Scope new policies to test accounts and run through a test plan to validate the expected results 
  6. Configure Report-only mode when defining new policies, and review the sign-in logs before enforcing 
  7. Exclude emergency access (break-glass) accounts from every policy 
  8. Block legacy authentication while implementing MFA policies 
  9. Use the What If tool for use case testing or troubleshooting an issue 
  10. Be aware that some apps consist of multiple child apps (e.g. Office 365) 
  11. Consider guest access when defining policies 
  12. Block countries from which you never expect a sign-in (i.e. geofencing) 
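The baseline policies (#1 to #5 and #8) and several of the best practices above (naming convention, emergency-account exclusions, Report-only first, the What If tool), as an added example that is not part of the original post or of any Microsoft tooling.  It encodes each policy as the Microsoft Graph conditionalAccessPolicy body you would POST to /identity/conditionalAccess/policies, lints the set, and runs a small local approximation of What If over constructed sign-ins.  The emergency access account ID, the "CA" naming prefix and the sample sign-ins are placeholder assumptions; the Graph property names and values (clientAppTypes, builtInControls, urn:user:registersecurityinfo, AllTrusted, enabledForReportingButNotEnforced) are the real ones.

```python
"""Added example (not from the original post): baseline Conditional Access policies as
Microsoft Graph conditionalAccessPolicy bodies, a best-practice lint, and a local What If.
Assumptions: BREAK_GLASS is a placeholder object ID and PREFIX a placeholder naming convention."""

BREAK_GLASS = ["11111111-2222-3333-4444-555555555555"]   # assumed emergency access account ID
PREFIX = "CA"                                            # assumed convention: CA001-<purpose>
REPORT_ONLY = "enabledForReportingButNotEnforced"        # Graph state value for Report-only mode


def policy(number, purpose, grant, operator="OR", client_apps=("all",),
           user_actions=None, conditions=None, state=REPORT_ONLY):
    """One policy body: all users and all cloud apps (or a user action) by default,
    emergency access accounts excluded, created in Report-only mode."""
    applications = ({"includeUserActions": list(user_actions)} if user_actions
                    else {"includeApplications": ["All"]})
    return {
        "displayName": f"{PREFIX}{number:03d}-{purpose}",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(BREAK_GLASS)},
            "applications": applications,
            "clientAppTypes": list(client_apps),
            **(conditions or {}),
        },
        "grantControls": {"operator": operator, "builtInControls": list(grant)},
    }


def baseline():
    """Policies #1-#5 and #8 from the post; #6 and #7 need tenant-specific IDs and are omitted."""
    return [
        policy(1, "Require-MFA-All-Users-All-Apps", grant=["mfa"]),
        policy(2, "Block-Legacy-Authentication", grant=["block"],
               client_apps=("exchangeActiveSync", "other")),
        # AND = compliant *and* hybrid-joined, which excludes BYOD; OR would admit a compliant BYOD device.
        policy(3, "Require-Compliant-And-HybridJoined-Device",
               grant=["compliantDevice", "domainJoinedDevice"], operator="AND"),
        policy(4, "Block-High-SignIn-Risk", grant=["block"], conditions={"signInRiskLevels": ["high"]}),
        policy(5, "Block-High-User-Risk", grant=["block"], conditions={"userRiskLevels": ["high"]}),
        policy(8, "Secure-SecurityInfo-Registration", grant=["block"],
               user_actions=["urn:user:registersecurityinfo"],
               conditions={"locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}}),
    ]


def lint(policies):
    """Findings against the best practices: naming, break-glass exclusion, Report-only first."""
    findings, seen = [], set()
    for p in policies:
        name, users = p["displayName"], p["conditions"]["users"]
        if name in seen:
            findings.append(f"{name}: duplicate display name")
        seen.add(name)
        if not (name.startswith(PREFIX) and name[len(PREFIX):len(PREFIX) + 3].isdigit()):
            findings.append(f"{name}: does not follow the {PREFIX}NNN-<purpose> convention")
        if not set(BREAK_GLASS) <= set(users.get("excludeUsers", [])):
            findings.append(f"{name}: emergency access accounts are not excluded")
        if p["state"] == "enabled":
            findings.append(f"{name}: new policy is enforced; start in Report-only and review sign-in logs")
    return findings


def what_if(policies, signin):
    """Which policies apply to one sign-in and the net decision.  A sign-in is a dict with 'user',
    'client_app' and either 'app' or 'user_action', plus optional 'sign_in_risk', 'user_risk'
    and 'trusted_location'.  Report-only policies are listed as applied but not enforced."""
    applied, required = [], []
    for p in policies:
        c, apps = p["conditions"], p["conditions"]["applications"]
        if signin["user"] in c["users"]["excludeUsers"]:
            continue
        if "includeUserActions" in apps:                  # user-action policy (security info registration)
            if signin.get("user_action") not in apps["includeUserActions"]:
                continue
        elif "user_action" in signin:                     # cloud-app policies do not cover user actions
            continue
        elif apps["includeApplications"] != ["All"] and signin.get("app") not in apps["includeApplications"]:
            continue
        if "all" not in c["clientAppTypes"] and signin["client_app"] not in c["clientAppTypes"]:
            continue
        if "signInRiskLevels" in c and signin.get("sign_in_risk") not in c["signInRiskLevels"]:
            continue
        if "userRiskLevels" in c and signin.get("user_risk") not in c["userRiskLevels"]:
            continue
        if signin.get("trusted_location") and "AllTrusted" in c.get("locations", {}).get("excludeLocations", []):
            continue
        applied.append(p["displayName"])
        if p["state"] == "enabled":
            g = p["grantControls"]
            required.append((g["operator"], g["builtInControls"]))
    if any("block" in ctrls for _, ctrls in required):
        decision = "block"                                # block always wins over grant controls
    elif required:
        parts = [f"({(' ' + op.lower() + ' ').join(ctrls)})" for op, ctrls in required]
        decision = "grant if " + " and ".join(parts)
    else:
        decision = "grant"
    return {"applied": applied, "decision": decision}


if __name__ == "__main__":
    enforced = [dict(p, state="enabled") for p in baseline()]   # after the Report-only review
    print(lint(baseline()))
    print(what_if(enforced, {"user": "alice", "app": "Office 365", "client_app": "exchangeActiveSync"}))
```

Each body from baseline() can be sent as-is with the Graph PowerShell SDK (Invoke-MgGraphRequest -Method POST -Uri /v1.0/identity/conditionalAccess/policies -Body $json, with Policy.ReadWrite.ConditionalAccess consent).  Running what_if against the Report-only set shows why best practice #6 matters: the legacy-auth policy is reported as applied, but the sign-in is still granted until the state is flipped to enabled.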

 

 

What’s New 

Here are some of the latest features released in the past few months to improve on the capabilities and granularity within Conditional Access. 

 

 

Conclusion 

Enabling Technologies has helped many organizations properly plan out and implement their Conditional Access policies.  With the right foundation and framework, you can be confident that your Azure AD environment is set up to adhere to Zero Trust principles. 

 

Enabling Technologies can help you properly prepare for moving to the cloud based on Microsoft Best Practices and utilizing a secure and productive environment.  You can check out more in the Security section of our website. 

 

 

Work with our team of Cloud Computing Consultants who have done this so many times they know all of the “minefields” to prevent missteps.
