Conditional Access policies enforce access controls based on conditions that you tailor to your needs: a user is granted access to a resource only once the conditions the policy specifies are met. These policies are a key component of Microsoft’s Zero Trust security model. An in-depth explanation of Conditional Access in Azure can be found here.
“You don’t need to be an Azure expert to secure your environment as if you are one. All you need is to understand best practices and how to tailor them to your organization.” – Jacob Saunders, EVP of Professional Services, Atmosera
It’s essential to strike a delicate balance between security and accessibility. Overly restrictive policies can hinder your employees’ ability to perform their roles effectively. Fortunately, Azure best practices can help you maintain robust security without compromising accessibility.
Consider this article your guide to Azure Conditional Access policies. We’ll explore how this feature works in Azure, showcase 10 policies every business should use in their cloud environment, and show you how to set up a policy.
What is Conditional Access in Azure?
Azure Conditional Access is a security policy engine that manages access to your applications and resources by evaluating signals like user identity, device health, location, and session risk. This feature is automatically integrated into Microsoft Entra ID.
When a user tries to access an application or service, the Conditional Access feature evaluates the sign-in attempt based on the policies set by your organization. For example, if a user is trying to log in from an unfamiliar location, the policy might require them to provide additional verification.
Even after access is granted, Conditional Access continues to evaluate the session. If unusual activity is detected, the system applies the predefined response, such as requiring re-authentication or terminating the session.
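To make the evaluation described above concrete, here is an added example (not Microsoft's engine and not code from the original article) that models how a set of policies is applied to one sign-in. The policy dictionaries use the field names of Microsoft Graph conditionalAccessPolicy objects, but only a subset of conditions is modelled, and the sign-in signals, policy names and the break-glass group id are constructed placeholders.

```python
"""
Toy model of how Conditional Access decides a sign-in (added example; not
Microsoft's engine). Evaluation follows the documented rules in simplified
form: every enabled policy whose conditions match applies, one matching
"block" wins, the grant controls of every matching policy must be satisfied,
and report-only policies are recorded but never enforced.
"""
from dataclasses import dataclass, field

BREAK_GLASS_GROUP = "<break-glass-group-id>"   # placeholder group id, constructed

# Constructed policies: MFA for everyone, block legacy protocols, and a
# high sign-in risk block that is still in report-only mode.
POLICIES = [
    {"displayName": "CA01 Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": [BREAK_GLASS_GROUP]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "CA02 Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": [BREAK_GLASS_GROUP]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "CA07 Block high sign-in risk", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": [BREAK_GLASS_GROUP]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"], "signInRiskLevels": ["high"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]


@dataclass
class SignIn:
    """Signals the engine sees for one attempt (all values constructed)."""
    user: str
    groups: set = field(default_factory=set)
    app: str = "Office365"
    client_app_type: str = "browser"   # browser | mobileAppsAndDesktopClients | exchangeActiveSync | other
    location_trusted: bool = False
    sign_in_risk: str = "none"         # none | low | medium | high
    user_risk: str = "none"
    satisfied_controls: set = field(default_factory=set)   # controls already met, e.g. {"mfa"}


def policy_applies(policy, s):
    """True when every configured condition of the policy matches the sign-in."""
    c = policy["conditions"]
    u = c["users"]
    if s.user in u.get("excludeUsers", []) or s.groups & set(u.get("excludeGroups", [])):
        return False                                    # exclusions always win
    if "All" not in u.get("includeUsers", []) and s.user not in u.get("includeUsers", []) \
            and not s.groups & set(u.get("includeGroups", [])):
        return False
    apps = c["applications"].get("includeApplications", [])
    if "All" not in apps and s.app not in apps:
        return False
    cats = c.get("clientAppTypes", ["all"])
    if "all" not in cats and s.client_app_type not in cats:
        return False
    loc = c.get("locations")
    if loc and s.location_trusted and "AllTrusted" in loc.get("excludeLocations", []):
        return False                                    # "All minus AllTrusted" = untrusted only
    if c.get("signInRiskLevels") and s.sign_in_risk not in c["signInRiskLevels"]:
        return False
    if c.get("userRiskLevels") and s.user_risk not in c["userRiskLevels"]:
        return False
    return True


def evaluate(policies, s):
    """Return a dict with result ("block", "require" or "grant") and supporting detail."""
    blocked_by, missing, report_only = [], {}, []
    for p in policies:
        if p["state"] == "disabled" or not policy_applies(p, s):
            continue
        if p["state"] == "enabledForReportingButNotEnforced":
            report_only.append(p["displayName"])        # would have applied; logged only
            continue
        controls = set(p["grantControls"]["builtInControls"])
        if "block" in controls:
            blocked_by.append(p["displayName"])
            continue
        # Within one policy "OR" means any listed control suffices, "AND" means all of
        # them; across policies every matching policy must be satisfied on its own.
        have = controls & s.satisfied_controls
        ok = bool(have) if p["grantControls"].get("operator", "OR") == "OR" else controls <= s.satisfied_controls
        if not ok:
            missing[p["displayName"]] = sorted(controls - s.satisfied_controls)
    if blocked_by:
        return {"result": "block", "policies": blocked_by, "reportOnly": report_only}
    if missing:
        return {"result": "require", "missing": missing, "reportOnly": report_only}
    return {"result": "grant", "reportOnly": report_only}


if __name__ == "__main__":
    print(evaluate(POLICIES, SignIn("alice")))                                  # require mfa
    print(evaluate(POLICIES, SignIn("alice", satisfied_controls={"mfa"})))      # grant
    print(evaluate(POLICIES, SignIn("bob", client_app_type="other")))           # block (legacy auth)
    print(evaluate(POLICIES, SignIn("alice", sign_in_risk="high", satisfied_controls={"mfa"})))  # grant, CA07 reported
    print(evaluate(POLICIES, SignIn("breakglass", groups={BREAK_GLASS_GROUP})))  # grant, excluded
```

Two behaviours worth noticing when you run it: a legacy-protocol sign-in is blocked even though the user would otherwise only have been asked for MFA, because a block from any matching policy overrides every grant; and the high-risk sign-in is still granted because CA07 is in report-only mode, which is exactly why the report-only output must be reviewed before a policy is switched to enforced.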
10 Azure Access Management Policies You Need to Use
1. Require MFA for All Users
Multi-factor authentication (MFA) ensures that even if a password is compromised, unauthorized access is prevented by requiring a second verification form. This security practice is relatively well-known and widely used. However, you must require it for all users in your Azure environment.
Across all IT systems, 61% of cybersecurity incidents involve compromised credentials. Using MFA is a simple, yet highly effective way to ensure that your server will not grant access to bad actors who stole or compromised a legitimate user’s credentials.
2. Block Basic/Legacy Authentication
Many legacy protocols don’t support MFA and are vulnerable to password spraying and credential stuffing attacks. Blocking these outdated methods ensures that only secure, modern authentication methods are used. This approach strengthens your organization’s defenses by eliminating weak points that attackers commonly exploit.
💡 Password Spraying: An attack in which an attacker tries a common password (e.g., “password123”) against many different accounts.
💡 Credential Stuffing: An attack that uses a list of compromised usernames and passwords, often from previous data breaches, to gain unauthorized access to accounts.
3. Require Compliant Devices
Requiring compliant devices means ensuring that only devices that meet your organization’s security standards can access corporate resources. This practice helps prevent untrusted or unsecured devices from introducing vulnerabilities into your network. It typically involves verifying device configurations and security status through Microsoft Intune.
4. Require Hybrid Entra ID Joined Device
This practice ensures that devices are both joined to your on-premises Active Directory domain and registered with Microsoft Entra ID (formerly Azure AD). This dual join enhances security and enables better management of devices, especially in hybrid environments where devices access both on-premises and cloud resources.
5. Block Access From Untrusted Locations
Blocking access from untrusted locations reduces the risk of unauthorized access from unfamiliar or high-risk geographic regions. By configuring Conditional Access policies, you can allow access to corporate resources only from trusted locations, such as your office network or verified remote work environments.
You can specify trusted IP ranges, individual IP addresses, or entire countries or regions as trusted locations.
6. Block High User Risk
Blocking high-risk users means stopping users identified as high-risk by Microsoft Entra ID Protection from accessing your resources until their risk is reduced. Entra ID Protection uses risk signals, such as unusual sign-in behavior or suspicious activities, to detect potential security threats.
Please note that when the system detects risk signals, it may automatically flag that user as a high-risk user. This flag could impede that user’s ability to access resources. However, Microsoft Entra ID Protection is designed to consider the context.
For instance, if a user is traveling and signs in from a new location, the system might flag this as unusual. However, it also considers other behaviors to assess the overall risk before taking action.
If Entra ID Protection detects that the user is using a corporate VPN or if the sign-in aligns with recent activities, such as a series of approved logins from nearby locations, it may determine that the sign-in is legitimate.
7. Block High Sign-In Risk
Similar to blocking high user risk, blocking high sign-in risk prevents access from attempts identified as risky. This includes sign-ins from unfamiliar locations or devices, and instances of impossible travel.
Impossible travel is detected when sessions originate from geographically distant locations within a short time frame. You can configure which locations, devices, or activities are considered suspicious and unlikely for your business.
These policies can also be tailored based on users and groups. For instance, you can create more restrictive policies for specific users or groups, ensuring higher security for sensitive roles or departments.
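The impossible-travel signal described above is easy to reason about with a small detector. The following is an added example, a simplified stand-in for what Entra ID Protection does rather than its actual algorithm: consecutive sign-ins by the same user are flagged when the great-circle distance between them implies a travel speed nobody could achieve in the elapsed time, and sign-ins from a trusted location (office egress or the corporate VPN, as mentioned in the previous section) are skipped. The sample events and the speed threshold are constructed for this example.

```python
"""
Impossible-travel detection over sign-in events (added example; not Entra ID
Protection's algorithm). Events are grouped per user, ordered by time, and
each consecutive pair is checked for an implausible implied speed.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 1000.0   # assumption: roughly airliner speed; tune to your workforce


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def implied_speed_kmh(prev, curr):
    """Speed needed to move from prev to curr; infinite when no time elapsed but the place changed."""
    km = haversine_km(prev["lat"], prev["lon"], curr["lat"], curr["lon"])
    hours = (curr["time"] - prev["time"]).total_seconds() / 3600
    if hours <= 0:
        return float("inf") if km > 1.0 else 0.0   # same place at the same instant is fine
    return km / hours


def find_impossible_travel(events, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Return (user, previous_city, current_city, speed_kmh) for each impossible hop."""
    findings = []
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for prev, curr in zip(evs, evs[1:]):
            if prev.get("trusted") or curr.get("trusted"):
                continue                                  # known-good network: skip the comparison
            speed = implied_speed_kmh(prev, curr)
            if speed > max_speed_kmh:
                findings.append((user, prev["city"], curr["city"], round(speed)))
    return findings


def ev(user, iso_time, city, lat, lon, trusted=False):
    """Build one constructed sign-in event; times carry an explicit UTC offset."""
    return {"user": user, "time": datetime.fromisoformat(iso_time),
            "city": city, "lat": lat, "lon": lon, "trusted": trusted}


# Constructed sign-in events.
EVENTS = [
    ev("alice", "2024-05-01T09:00:00+00:00", "London", 51.5074, -0.1278),
    ev("alice", "2024-05-01T10:00:00+00:00", "Sydney", -33.8688, 151.2093),   # 1 h later: impossible
    ev("bob",   "2024-05-01T09:00:00+00:00", "London", 51.5074, -0.1278),
    ev("bob",   "2024-05-01T12:00:00+00:00", "Paris",  48.8566, 2.3522),      # plausible trip
    ev("carol", "2024-05-01T09:00:00+00:00", "Berlin", 52.5200, 13.4050),
    ev("carol", "2024-05-01T09:30:00+00:00", "Tokyo",  35.6762, 139.6503, trusted=True),  # VPN egress, skipped
]

if __name__ == "__main__":
    for f in find_impossible_travel(EVENTS):
        print("impossible travel: %s %s -> %s (%d km/h)" % f)
```

Carol's pair shows the trade-off the text describes: a corporate VPN whose egress sits on another continent would look like impossible travel to a naive distance check, so the location has to be marked trusted (a named location in Conditional Access terms) or the detector will flood you with false positives.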
8. Require an App Protection Policy
App protection policies protect data by enforcing rules designed to ensure that an organization’s data remains secure within managed applications. These policies control how data is accessed and shared by apps on mobile devices, whether those devices are managed by Intune or not.
Using these policies is important for any business, but it’s especially important if you allow BYOD in your organization.
9. Block Unused Device Operating Systems
Blocking unused or outdated operating systems ensures that only devices running supported and secure OS versions can access your network. Older operating systems often have unpatched vulnerabilities that can be exploited by attackers. In fact, as of 2022, exploiting vulnerabilities in outdated software became the top way hackers gain unauthorized access.
10. Use Conditional Access for Workload Identities
Using Conditional Access for workload identities involves applying Conditional Access policies to service principals. Service principals often have elevated permissions and access to critical resources.
Workload Identities cannot perform multi-factor authentication and often lack formal lifecycle processes, making them more vulnerable to compromise. This practice ensures that automated processes and service principals follow the same security standards as user accounts.
How to Set Up an Azure Conditional Access Policy
1. Sign in to the Azure Portal: Access the Azure portal at portal.azure.com. Ensure that you have at least the Conditional Access Administrator role.
2. Navigate to Conditional Access: In the Azure portal, select “Microsoft Entra ID,” then go to “Security” and choose “Conditional Access.”
3. Create a New Policy: Click “New Policy” to create a policy. Give your policy a meaningful name that reflects its purpose, such as “Require MFA for Admins.” Make sure each policy’s name is specific and unique. Policies with names that are too similar may conflict with each other.
4. Define Assignments: choose the users or groups, and the cloud apps or actions, the policy applies to.
5. Set Conditions: locations and devices.
6. Configure Access Controls: choose between Grant Access and Block Access; select Grant Access.
7. Enable Policy: set the policy to Report-Only, then review and enforce.
8. Review & Monitor: After the policy is active, use Azure’s monitoring tools to review how it affects user sign-ins and make adjustments as needed.
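The same policies can be created through the Microsoft Graph API instead of clicking through the portal, which is how you keep them reviewable and repeatable. The following is an added example (not Atmosera's or Microsoft's code): each builder returns the JSON body for POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies, mirroring the steps above, and a small pre-flight check enforces the guidance from those steps (unique names, report-only first) plus a break-glass exclusion. It assumes an access token carrying the Policy.ReadWrite.ConditionalAccess permission is obtained elsewhere, BREAK_GLASS_GROUP_ID is a placeholder to replace with your group's object id, and the list of supported platforms is illustrative.

```python
"""
Conditional Access policies as Microsoft Graph request bodies (added example;
not the article's or Microsoft's code). Every policy starts in report-only
state, targets all users and all cloud apps, and excludes a break-glass group
so emergency-access accounts are never locked out.
"""
import json
import urllib.request

GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
BREAK_GLASS_GROUP_ID = "<break-glass-group-object-id>"   # placeholder, replace before use
REPORT_ONLY = "enabledForReportingButNotEnforced"       # step 7: start in report-only


def base_policy(name, built_in_controls, operator="OR", **extra_conditions):
    """Skeleton shared by every policy; extra_conditions are merged into "conditions"."""
    policy = {
        "displayName": name,
        "state": REPORT_ONLY,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [BREAK_GLASS_GROUP_ID]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": operator, "builtInControls": built_in_controls},
    }
    policy["conditions"].update(extra_conditions)
    return policy


def require_mfa_all_users():
    return base_policy("CA01 Require MFA for all users", ["mfa"])


def block_legacy_authentication():
    # Exchange ActiveSync and "other clients" cover the protocols that cannot do MFA.
    return base_policy("CA02 Block legacy authentication", ["block"],
                       clientAppTypes=["exchangeActiveSync", "other"])


def require_compliant_or_hybrid_joined_device():
    # OR operator: an Intune-compliant device or a hybrid Entra ID joined device both satisfy it.
    return base_policy("CA03 Require compliant or hybrid joined device",
                       ["compliantDevice", "domainJoinedDevice"], operator="OR")


def block_untrusted_locations():
    # "All" locations minus the trusted named locations yields the untrusted set.
    return base_policy("CA05 Block access from untrusted locations", ["block"],
                       locations={"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]})


def block_high_user_risk():
    return base_policy("CA06 Block high user risk", ["block"], userRiskLevels=["high"])


def block_high_sign_in_risk():
    return base_policy("CA07 Block high sign-in risk", ["block"], signInRiskLevels=["high"])


def block_unsupported_platforms(supported=("windows", "macOS", "iOS", "android")):
    # Everything not explicitly supported (illustrative list) is blocked.
    return base_policy("CA09 Block unsupported device platforms", ["block"],
                       platforms={"includePlatforms": ["all"], "excludePlatforms": list(supported)})


def validate(policies):
    """Pre-flight checks: unique names, break-glass exclusion, report-only before enforcement."""
    problems = []
    names = [p["displayName"] for p in policies]
    if len(set(names)) != len(names):
        problems.append("duplicate displayName")
    for p in policies:
        if BREAK_GLASS_GROUP_ID not in p["conditions"]["users"].get("excludeGroups", []):
            problems.append("%s: break-glass group not excluded" % p["displayName"])
        if p["state"] != REPORT_ONLY:
            problems.append("%s: not starting in report-only" % p["displayName"])
    return problems


def create_policy(access_token, policy):
    """POST one policy body to Graph and return the created object (network call, not exercised here)."""
    req = urllib.request.Request(
        GRAPH_CA_POLICIES, data=json.dumps(policy).encode(), method="POST",
        headers={"Authorization": "Bearer " + access_token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


ALL_POLICIES = [require_mfa_all_users(), block_legacy_authentication(),
                require_compliant_or_hybrid_joined_device(), block_untrusted_locations(),
                block_high_user_risk(), block_high_sign_in_risk(), block_unsupported_platforms()]

if __name__ == "__main__":
    assert not validate(ALL_POLICIES), validate(ALL_POLICIES)
    print(json.dumps(block_legacy_authentication(), indent=2))
    # for p in ALL_POLICIES: create_policy(ACCESS_TOKEN, p)   # run with a real token once reviewed
```

Keeping the policy bodies in source control and running validate() before each deployment gives you the review gate that step 7 describes: nothing is switched from report-only to enabled until the sign-in logs for that policy have been inspected.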
Outsource Management of Your Access Controls to the Pros
Managing and monitoring all of your access controls can quickly become cumbersome if you have a large environment. In that case, it may be in your best interest to hire Azure security experts to do all the heavy lifting.
Partner with Atmosera to secure your digital assets with our Identity and Access Management (IAM) services. Our expert team will implement a Zero Trust approach to ensure strong authentication, least-privilege access, and continuous threat evaluation.