How to Azure AD Security - Conditional Access

When talking about security in terms of Azure Active Directory, you can't get around Conditional Access. Conditional Access brings signals together to make decisions and enforce organizational policies.

Conditional Access policies at their simplest are if-then statements: if a user wants to access a resource, then they must complete an action. Example: a payroll manager wants to access the payroll application and is required to complete multi-factor authentication to access it. We can use Conditional Access policies to apply the right access controls when needed to keep our organization secure.

Licensing: As of now, every user that is in scope of a Conditional Access policy needs an active Azure AD Premium P1 license. Real-time risk is part of Azure AD Identity Protection and requires an AAD Premium P2 license.

Configuring a Policy

For this demo, I'll configure a policy based on countries. In production you can use the same steps and configure this based on an IP range, e.g. your corporate network.

  • Log in to portal.azure.com
  • Go to Azure Active Directory - Security - Conditional Access
  • Click on Named locations - + Countries location - Name: Location Germany - Country: Germany - Save

A named location does not have to be marked as trusted; you can also configure a location that is explicitly not trusted.

First, we'll create a Policy based on a template.

  • Go to Policies - New policy from template (Preview)
  • Under Customize your build - Select a template category: Identities - Next
  • Under Select template - Select Require multifactor authentication for admins - Name your policy: CA001: Require multifactor authentication for admins - Policy State: Report-only - Next
  • Under Review + create - Click on Create Policy

Next, we'll create a policy that requires MFA for all users who are not connecting from the previously configured location when accessing Office 365 apps.

  • Again, under Policies - New policy
  • Name: CA002: Require MFA for O365 outside trusted Locations
  • Users: All users
  • Cloud apps or actions: Under Include - Select apps - Office 365
  • Conditions: Locations - Under Include: Any location - Under Exclude: Selected locations: Location Germany (your previously configured location)
  • Grant: Grant access: Select Require multifactor authentication
  • Enable policy: Report-only
  • Click on Save

The resulting policy overview should show: All users, Office 365, any location except Location Germany, Require multifactor authentication, Report-only.

It is recommended to create a Global Administrator account with a very strong password that is excluded from these policies. This account is also called a "Breakglass Administrator". It serves as a backup account in case the Azure Multifactor services are down, so you don't lock yourself out.

After you've created this account, go back to your policies and exclude that account as follows:

  • Click on your policies, e.g. CA001: Require multifactor authentication for admins
  • Under Users - Under Exclude: Select your created account
  • Hit Save
  • Rinse and repeat for the other created policy
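The same named location and CA002 policy, with the break-glass exclusion built in from the start, can be created through Microsoft Graph PowerShell instead of the portal. This is an added example, not code from the original post; it assumes the Microsoft.Graph.Identity.SignIns module is installed, that you can consent to the listed Graph scopes, and that $breakGlassUpn is replaced with your own break-glass account's UPN.

```powershell
# Added example (not from the original post): Location Germany + CA002 via
# Microsoft Graph PowerShell, report-only, break-glass account excluded.
# Assumption: $breakGlassUpn is a placeholder for your break-glass account.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","User.Read.All"

$breakGlassUpn = "breakglass@contoso.onmicrosoft.com"   # placeholder, replace with yours
$breakGlass    = Get-MgUser -UserId $breakGlassUpn

# Named location "Location Germany" (country-based, as in the Named locations step;
# DE is the ISO 3166-1 alpha-2 code for Germany)
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Location Germany"
    countriesAndRegions               = @("DE")
    includeUnknownCountriesAndRegions = $false
}

# CA002: require MFA for Office 365 from any location except Location Germany.
# state = enabledForReportingButNotEnforced is the API name for "Report-only".
$policy = @{
    displayName   = "CA002: Require MFA for O365 outside trusted Locations"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlass.Id)          # never lock out the break-glass account
        }
        applications = @{ includeApplications = @("Office365") }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($location.Id)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Check before switching any policy from Report-only to On: the break-glass
# account must be listed under excludeUsers of every policy in the tenant.
Get-MgIdentityConditionalAccessPolicy | ForEach-Object {
    [pscustomobject]@{
        Policy             = $_.DisplayName
        State              = $_.State
        BreakGlassExcluded = ($_.Conditions.Users.ExcludeUsers -contains $breakGlass.Id)
    }
}
```

Any row with BreakGlassExcluded = False is a policy that could still lock the emergency account out and should be fixed in the portal or via Update-MgIdentityConditionalAccessPolicy before enabling it.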

A word on Report-only

We've created the policies under Report-only. This means that the policies are not being enforced, but you can still see what would've happened if they had been active.

For this, go to Conditional Access - Monitoring - Sign-in logs.

Every sign-in generates a log entry. Click on a log entry, then on the Conditional Access tab.

If a policy was already configured when the log entry was generated, we can check whether we would've blocked the user, whether MFA would have been enforced for the login attempt, etc.

Recommendations

  • Plan out Conditional Access policies carefully
  • Set as Report-only when you're not certain they are configured correctly
  • Blocking out users can happen quickly
  • Keep the scope to a small group for the testing-phase (e.g. IT)
  • If the feedback is positive, roll it out for all users
  • Create a Breakglass Admin and exclude this account from policies. In case of emergency, this will be your only way to remove Conditional Access company-wide