10 Policies for Conditional Access in Azure That Every Business Needs to Use

Conditional Access policies enforce access controls based on conditions you define: who is signing in, from which network, on what kind of device, through which client, and how risky the attempt looks. Each policy is an if-then statement: if the assignments and conditions match a sign-in, then the selected grant controls (require MFA, require a compliant device, block) or session controls are applied before a token is issued. These policies are a key component of Microsoft’s Zero Trust security model.

It’s essential to strike a delicate balance between security and accessibility. Overly restrictive policies can hinder your employees’ ability to perform their roles, and a badly scoped policy can lock administrators out of the tenant entirely. Two habits keep you safe while you roll out the policies below: exclude a dedicated emergency-access (break-glass) account from every policy, and deploy each new policy in report-only mode first so you can read its effect in the sign-in logs before enforcing it.

Consider this article your guide to Azure Conditional Access policies. We’ll explore how this feature works in Azure, showcase 10 policies every business should use in their cloud environment, and show you how to set up a policy.

What is Conditional Access in Azure?

Conditional Access is the policy engine built into Microsoft Entra ID (formerly Azure Active Directory). At sign-in it collects signals such as user identity and group membership, device compliance or join state, the client application in use, network location, and the user and sign-in risk scores from Microsoft Entra ID Protection, evaluates them against the policies you define, and enforces the resulting controls. It requires a Microsoft Entra ID P1 license; the risk-based conditions in policies 6 and 7 below require P2.

When a user tries to access an application or service, the Conditional Access feature evaluates the sign-in attempt based on the policies set by your organization. For example, if a user is trying to log in from an unfamiliar location, the policy might require them to provide additional verification.

Access tokens are normally valid for about an hour, so a policy change on its own does not interrupt a session that already holds a token. Continuous Access Evaluation (CAE) closes that gap for supporting services such as Exchange Online, SharePoint Online, Teams, and Microsoft Graph: when a critical event occurs (the account is disabled or deleted, the password is reset, MFA is enabled for the user, an administrator revokes the user’s tokens, Entra ID Protection raises the user to high risk, or the client’s IP address moves outside a location policy), the resource stops accepting the token and the client must re-authenticate and satisfy policy again.
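As an added illustration of the evaluation rules described above (example code written for this article, not Atmosera’s or Microsoft’s), the Python below models how Entra combines a set of policies for one sign-in: exclusions override inclusions, every enabled policy whose assignments match contributes its grant controls, a single Block wins over all grants, and report-only policies are recorded but not enforced. The policy dictionaries mirror the Microsoft Graph conditionalAccessPolicy shape; the break-glass address and the sign-in values are constructed.

```python
"""Model of how Entra Conditional Access combines policies for one sign-in.

Added example, not Atmosera's or Microsoft's code. Policy dictionaries follow
the shape of the Graph conditionalAccessPolicy object; the evaluator is a
simplification of the documented rules: exclusions beat inclusions, every
enabled matching policy applies, one block wins over every grant, and
report-only policies are logged but not enforced.
"""
from dataclasses import dataclass

BREAK_GLASS = "breakglass@contoso.example"   # assumed emergency-access account


@dataclass
class SignIn:
    """Constructed sign-in signals; values are illustrative, not real telemetry."""
    user: str
    app: str = "Office365"
    client_app_type: str = "browser"   # browser | mobileAppsAndDesktopClients | exchangeActiveSync | other
    location: str = "unknown"          # named-location id or "unknown"
    location_trusted: bool = False
    sign_in_risk: str = "none"         # none | low | medium | high
    user_risk: str = "none"
    groups: frozenset = frozenset()


def _users_match(cond, s):
    if s.user in cond.get("excludeUsers", []) or s.groups & set(cond.get("excludeGroups", [])):
        return False                   # exclusions always win over inclusions
    inc = cond.get("includeUsers", [])
    return "All" in inc or s.user in inc or bool(s.groups & set(cond.get("includeGroups", [])))


def _location_member(names, s):
    return "All" in names or s.location in names or ("AllTrusted" in names and s.location_trusted)


def _conditions_match(c, s):
    apps = c["applications"]
    if s.app in apps.get("excludeApplications", []):
        return False
    if not ("All" in apps["includeApplications"] or s.app in apps["includeApplications"]):
        return False
    cats = c.get("clientAppTypes") or ["all"]
    if "all" not in cats and s.client_app_type not in cats:
        return False
    loc = c.get("locations")
    if loc and (_location_member(loc.get("excludeLocations", []), s)
                or not _location_member(loc.get("includeLocations", []), s)):
        return False
    if c.get("signInRiskLevels") and s.sign_in_risk not in c["signInRiskLevels"]:
        return False
    if c.get("userRiskLevels") and s.user_risk not in c["userRiskLevels"]:
        return False
    return True


def evaluate(policies, s):
    """Return the combined decision the engine hands to the token issuer."""
    out = {"decision": "grant", "required": [], "report_only": []}
    for p in policies:
        if p["state"] == "disabled" or not _users_match(p["conditions"]["users"], s):
            continue
        if not _conditions_match(p["conditions"], s):
            continue
        if p["state"] == "enabledForReportingButNotEnforced":
            out["report_only"].append(p["displayName"])   # evaluated and logged, not enforced
            continue
        g = p["grantControls"]
        if "block" in g["builtInControls"]:
            out["decision"] = "block"                        # any block beats every grant
        else:
            out["required"].append((p["displayName"], g["operator"], tuple(g["builtInControls"])))
    if out["decision"] == "block":
        out["required"] = []                                 # nothing left to satisfy once blocked
    return out


def _policy(name, controls, state="enabled", operator="OR", **conds):
    conditions = {"users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS]},
                  "applications": {"includeApplications": ["All"]}, **conds}
    return {"displayName": name, "state": state, "conditions": conditions,
            "grantControls": {"operator": operator, "builtInControls": list(controls)}}


BASELINE = [
    _policy("Require MFA for all users", ["mfa"]),
    _policy("Block legacy authentication", ["block"], clientAppTypes=["exchangeActiveSync", "other"]),
    _policy("Require compliant or hybrid-joined device", ["compliantDevice", "domainJoinedDevice"],
            clientAppTypes=["browser", "mobileAppsAndDesktopClients"]),
    _policy("Block untrusted locations", ["block"], state="enabledForReportingButNotEnforced",
            locations={"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}),
    _policy("Block high user risk", ["block"], userRiskLevels=["high"]),
]

if __name__ == "__main__":
    print(evaluate(BASELINE, SignIn("alice@contoso.example", client_app_type="other")))   # IMAP: blocked
    print(evaluate(BASELINE, SignIn("alice@contoso.example", location="hq", location_trusted=True)))
    print(evaluate(BASELINE, SignIn(BREAK_GLASS, client_app_type="other")))   # excluded everywhere
```

Note the third sample: the break-glass account is excluded from every policy, so even a legacy-protocol sign-in returns an unconditional grant, which is exactly why that account needs a long random password, hardware-key MFA enforced outside Conditional Access, and an alert on every use.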

10 Azure Access Management Policies You Need to Use

1. Require MFA for All Users

Multi-factor authentication (MFA) means a stolen password alone is not enough: the attacker must also present a second factor. This practice is well-known and widely used, but it must apply to all users in your tenant, not just administrators, and it is worth going one step further for privileged roles. The “authentication strength” grant control lets a policy demand phishing-resistant methods (FIDO2 security keys or passkeys, Windows Hello for Business, or certificate-based authentication), because SMS codes and push approvals can be relayed by adversary-in-the-middle phishing kits or worn down by MFA-fatigue prompts.

Widely cited industry breach reports put the share of incidents involving compromised credentials at around 61%, and that matches what incident responders see: the attacker usually logs in rather than breaks in. Requiring MFA is a simple yet highly effective way to make sure your tenant does not issue a token to someone who merely holds a legitimate user’s stolen password.

2. Block Basic/Legacy Authentication

Legacy protocols (IMAP, POP3, SMTP AUTH, older Exchange ActiveSync and Office 2010-era clients using basic authentication) send only a username and password and cannot prompt for MFA, which makes them the preferred target for password spraying and credential stuffing. Blocking them closes the bypass around policy 1: an MFA policy does nothing if the same password is accepted over IMAP. In Conditional Access this is a policy whose client app types condition selects “Exchange ActiveSync clients” and “Other clients” with a Block grant. Microsoft disabled basic authentication in Exchange Online for most protocols in 2022, but tenants with exceptions, on-premises Exchange, or third-party integrations can still present legacy sign-ins, so filter the sign-in logs by client app and review what would be blocked before enforcing.

3. Require Compliant Devices

Requiring compliant devices means only devices enrolled in Microsoft Intune and meeting your compliance policy (disk encryption on, firewall on, a minimum OS version, no jailbreak or root, an acceptable Microsoft Defender risk score) can reach corporate resources. Intune reports each device’s compliance state to Entra ID, and the Conditional Access grant control “Require device to be marked as compliant” checks that state at sign-in. This keeps untrusted or unmanaged devices from carrying corporate data and sessions. Plan the exclusions before enforcing: guests, shared kiosks, and users who cannot enroll a device will otherwise be blocked outright.

4. Require Hybrid Entra ID Joined Device

Microsoft Entra hybrid joined devices are Windows devices joined to your on-premises Active Directory domain and also registered with Microsoft Entra ID (formerly Azure AD). The dual join lets Conditional Access recognise your existing domain-joined fleet, which matters in hybrid environments where devices reach both on-premises and cloud resources. The grant control is “Require Microsoft Entra hybrid joined device”. It only attests that the device is domain-joined, not that it is healthy, so it is the weaker of the two device controls; the usual pattern is one policy that requires compliant device OR hybrid joined device (“Require one of the selected controls”), so that Intune-managed and legacy domain-joined machines both pass while unmanaged devices are stopped.

5. Block Access From Untrusted Locations

Blocking access from untrusted locations reduces the risk of unauthorized access from unfamiliar or high-risk regions. Conditional Access named locations define either IP ranges (IPv4 or IPv6 CIDR blocks such as your office egress or VPN concentrator) or countries and regions, resolved from the client IP address or, optionally, from GPS coordinates reported by the Microsoft Authenticator app.

Only IP-range locations can be marked as trusted; a country or region location can be used as a condition but never as a trusted location. The typical policy includes “Any location”, excludes your trusted locations and the countries you operate in, and blocks. Treat geolocation as one layer among several rather than a perimeter: attackers rent VPN and residential-proxy exit points inside your country, so the policy supplements MFA and device controls instead of replacing them. Create it in report-only mode first, because a mistyped CIDR locks everyone out, including the administrators.
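Policies 1 to 5 above, written as the Microsoft Graph request bodies you would POST to /identity/conditionalAccess/policies and /identity/conditionalAccess/namedLocations (an added example for this article, not Atmosera’s code). The break-glass object id, the location ids, the CIDR block, and the country list are placeholders. The lint function catches the mistakes that most often lock a tenant out: a policy that does not exclude the emergency-access account, a Block policy aimed at all users and all apps with no narrowing condition, a policy that excludes “AllTrusted” when no location has been marked trusted, a country location marked trusted (which the service rejects), and a policy created directly in the enabled state.

```python
"""Baseline Conditional Access policies 1-5 as Graph request bodies, with a
pre-flight lint for the configuration mistakes that lock tenants out.

Added example, not Atmosera's code. The dictionaries are bodies for
POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies and
.../namedLocations; BREAK_GLASS_ID, the location ids, the CIDR and the
countries are assumed placeholders. Sending them needs a Graph token and is
left out so the module runs offline.
"""
import json

BREAK_GLASS_ID = "00000000-0000-0000-0000-0000000000bg"   # assumed object id of the emergency-access account
HQ_LOCATION_ID = "loc-hq"                                  # assumed ids returned when the named locations are created
COUNTRY_LOCATION_ID = "loc-countries"

# Named locations: only IP-range locations may carry isTrusted; countries cannot.
NAMED_LOCATIONS = [
    {"@odata.type": "#microsoft.graph.ipNamedLocation", "displayName": "HQ office egress",
     "isTrusted": True,
     "ipRanges": [{"@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": "203.0.113.0/24"}]},
    {"@odata.type": "#microsoft.graph.countryNamedLocation", "displayName": "Operating countries",
     "countriesAndRegions": ["US", "CA"], "includeUnknownCountriesAndRegions": False},
]


def policy(name, controls, operator="OR", **conditions):
    """Every policy starts in report-only and excludes the break-glass account."""
    return {
        "displayName": name,
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS_ID]},
            "applications": {"includeApplications": ["All"]},
            **conditions,
        },
        "grantControls": {"operator": operator, "builtInControls": list(controls)},
    }


BASELINE = [
    policy("CA01 Require MFA for all users", ["mfa"]),
    policy("CA02 Block legacy authentication", ["block"],
           clientAppTypes=["exchangeActiveSync", "other"]),
    policy("CA03 Require compliant or hybrid-joined device", ["compliantDevice", "domainJoinedDevice"],
           clientAppTypes=["browser", "mobileAppsAndDesktopClients"]),   # OR: either control satisfies
    policy("CA04 Block access outside trusted networks and operating countries", ["block"],
           locations={"includeLocations": ["All"],
                      "excludeLocations": ["AllTrusted", COUNTRY_LOCATION_ID]}),
]

# Conditions that narrow a Block policy enough that it is not a tenant-wide lockout.
NARROWING = ("clientAppTypes", "locations", "platforms", "devices", "signInRiskLevels", "userRiskLevels")


def lint(policies, named_locations):
    """Return human-readable findings; an empty list means the set is safe to create."""
    findings = []
    trusted_exists = any(loc.get("isTrusted") for loc in named_locations)
    for loc in named_locations:
        if loc["@odata.type"].endswith("countryNamedLocation") and loc.get("isTrusted"):
            findings.append(f"{loc['displayName']}: country locations cannot be trusted; only IP ranges can")
    for p in policies:
        name, c = p["displayName"], p["conditions"]
        if BREAK_GLASS_ID not in c["users"].get("excludeUsers", []):
            findings.append(f"{name}: emergency-access account is not excluded")
        blocks = "block" in p["grantControls"]["builtInControls"]
        broad = "All" in c["users"].get("includeUsers", []) and "All" in c["applications"]["includeApplications"]
        if blocks and broad and not any(c.get(k) for k in NARROWING):
            findings.append(f"{name}: blocks all users on all apps with no narrowing condition (lockout)")
        if "AllTrusted" in (c.get("locations") or {}).get("excludeLocations", []) and not trusted_exists:
            findings.append(f"{name}: excludes 'AllTrusted' but no named location is marked trusted")
        if p["state"] == "enabled":
            findings.append(f"{name}: create in report-only first and review sign-in logs before enabling")
    return findings


def as_request_bodies(policies):
    """JSON exactly as it would be POSTed, one body per policy."""
    return [json.dumps(p, indent=2) for p in policies]


if __name__ == "__main__":
    print(lint(BASELINE, NAMED_LOCATIONS))    # [] for the baseline above
    print(as_request_bodies(BASELINE)[1])
```

Create the named locations first and substitute the ids Graph returns, then send each policy body, for example with `az rest --method POST --url https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies --body @policy.json` from an account holding the Policy.ReadWrite.ConditionalAccess permission. Keep the JSON in version control; a policy set that is reviewed like code is far less likely to acquire an unexplained exclusion.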

6. Block High User Risk

User risk is Microsoft Entra ID Protection’s estimate that the account itself has been compromised, built from detections such as leaked credentials found in public dumps, matches against Microsoft threat intelligence, and anomalous user activity. A policy with the user risk condition set to High and a Block grant keeps that account away from your resources until the risk is remediated. Risk-based conditions need an Entra ID P2 license.

Note that once the system raises an account to high risk, that flag stops the user until someone acts on it. With a Block grant, an administrator must dismiss the risk or reset the password; Microsoft’s own recommendation for high user risk is the “Require password change” grant (which forces MFA first), because then the user self-remediates and the risk clears automatically. Either way, Entra ID Protection weighs context before it raises the level.

For instance, if a user is traveling and signs in from a new location, a single detection might fire, but it is combined with the user’s other recent behavior before the aggregate risk is set.

Sign-ins that arrive from a named location you have marked as trusted, such as the corporate VPN egress, are treated as lower risk, and a sequence of successful, nearby sign-ins reduces the weight of a one-off unfamiliar-location detection.

7. Block High Sign-In Risk

Where user risk says the account is probably compromised, sign-in risk says this particular authentication probably is not from the legitimate owner. Detections include anonymous IP addresses (Tor, anonymizer VPNs), unfamiliar sign-in properties, malware-linked or malicious IP addresses, password-spray patterns, token anomalies, and atypical travel.

Atypical (“impossible”) travel is flagged when two sign-ins originate from geographically distant locations within a time frame too short for the user to have moved between them. You cannot tune the detections themselves, but two things improve their accuracy: marking your office and VPN egress ranges as trusted named locations, and having administrators confirm flagged sign-ins as compromised or safe so the model learns your environment. Microsoft’s guidance is to require MFA for medium and high sign-in risk and to block only high, since a legitimate user can clear a medium-risk prompt in seconds while an attacker holding only a password cannot.

These policies can also be tailored based on users and groups. For instance, you can create more restrictive policies for specific users or groups, ensuring higher security for sensitive roles or departments.

8. Require an App Protection Policy

App protection policies are Intune mobile application management (MAM) rules enforced inside managed apps such as Outlook, Teams, Edge, and the Office apps on iOS and Android: a PIN or biometric to open the app, encryption of the app’s data, blocking copy, paste, and “save as” into unmanaged apps, and selective wipe of corporate data. They apply whether or not the device is enrolled in Intune. The Conditional Access grant control “Require app protection policy” issues tokens only to apps covered by such a policy, so corporate mail and files cannot land in an unprotected third-party client on a personal phone.

Using these policies is important for any business, but it’s especially important if you allow BYOD in your organization.

9. Block Unsupported Device Operating Systems

Blocking outdated operating systems ensures that only devices running supported, patchable OS versions can reach your resources. Older releases carry unpatched vulnerabilities, and exploitation of unpatched software has ranked among the top initial-access vectors in breach reports since 2022. Conditional Access has no built-in “minimum OS version” control, so you get the effect in one of two ways: an Intune compliance policy with a minimum OS version, which policy 3 then enforces, or a device filter on the policy’s device condition that matches the operatingSystemVersion property of registered devices. A device filter only sees the properties of devices registered in Entra ID, which is why the filter should be written in exclude mode around the versions you allow rather than in include mode around the versions you want to block.
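Policy 9 expressed as a device filter, together with a local evaluator for the filter rule language run over a constructed device inventory (an added example for this article, not Atmosera’s or Microsoft’s code). The build prefixes in the rule, the break-glass placeholder, and the inventory are assumptions; so are the parser’s operator precedence and exact, case-sensitive string matching, since Microsoft documents the syntax but not those details. The rule is written for exclude mode on purpose: a device that is not registered in Entra has no properties to match, never satisfies the rule, and therefore stays inside the block’s scope, which an include-mode “block if old” rule would silently miss.

```python
"""Policy 9 as a Conditional Access device filter, plus an offline evaluator
for the filter rule language. Added example, not Atmosera's or Microsoft's
code; build prefixes, placeholder ids, precedence and exact-match semantics
are assumptions for illustration.
"""
import re

# Allow-list of supported Windows build families (assumed): 10.0.19045 is
# Windows 10 22H2; 10.0.22xxx and 10.0.26xxx are Windows 11 releases.
SUPPORTED_WINDOWS_RULE = (
    'device.operatingSystem -eq "Windows" -and '
    '(device.operatingSystemVersion -startsWith "10.0.19045" '
    '-or device.operatingSystemVersion -startsWith "10.0.22" '
    '-or device.operatingSystemVersion -startsWith "10.0.26")'
)

# Exclude mode: the block applies to every Windows sign-in EXCEPT devices matching
# the rule. Unregistered devices have no properties, never match, and stay in scope.
BLOCK_UNSUPPORTED_OS = {
    "displayName": "CA09 Block unsupported Windows builds",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": ["<break-glass object id>"]},
        "applications": {"includeApplications": ["All"]},
        "platforms": {"includePlatforms": ["windows"]},
        "devices": {"deviceFilter": {"mode": "exclude", "rule": SUPPORTED_WINDOWS_RULE}},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

_TOKEN = re.compile(r'\s*(?:(\()|(\))|(-and|-or)|(device\.\w+)|(-\w+)|("[^"]*")|(\[[^\]]*\]))')
_OPS = {
    "-eq": lambda a, b: a == b, "-ne": lambda a, b: a != b,
    "-startsWith": lambda a, b: a.startswith(b), "-notStartsWith": lambda a, b: not a.startswith(b),
    "-contains": lambda a, b: b in a, "-notContains": lambda a, b: b not in a,
    "-in": lambda a, b: a in b, "-notIn": lambda a, b: a not in b,
}


def _tokens(rule):
    rule, pos, out = rule.strip(), 0, []
    while pos < len(rule):
        m = _TOKEN.match(rule, pos)
        if not m:
            raise ValueError(f"bad token at {pos}: {rule[pos:pos + 20]!r}")
        out.append(next(g for g in m.groups() if g is not None))
        pos = m.end()
    return out


def _value(tok):
    if tok.startswith("["):                       # list literal for -in / -notIn
        return [v.strip().strip('"') for v in tok[1:-1].split(",") if v.strip()]
    return tok.strip('"')


def _parse(rule):
    """expr := conj (-or conj)* ; conj := atom (-and atom)* ; atom := (expr) | device.prop op value"""
    toks = _tokens(rule)

    def peek():
        return toks[0] if toks else None

    def atom():
        tok = toks.pop(0)
        if tok == "(":
            node = expr()
            if toks.pop(0) != ")":
                raise ValueError("missing ')'")
            return node
        op, val = toks.pop(0), _value(toks.pop(0))
        if not tok.startswith("device.") or op not in _OPS:
            raise ValueError(f"bad comparison {tok} {op}")
        return ("cmp", tok[len("device."):], op, val)

    def conj():
        node = atom()
        while peek() == "-and":
            toks.pop(0)
            node = ("and", node, atom())
        return node

    def expr():
        node = conj()
        while peek() == "-or":
            toks.pop(0)
            node = ("or", node, conj())
        return node

    node = expr()
    if toks:
        raise ValueError(f"unexpected token {toks[0]!r}")
    return node


def matches(node, device):
    """Evaluate a parsed rule against a device's Entra properties (dict)."""
    if node[0] == "or":
        return matches(node[1], device) or matches(node[2], device)
    if node[0] == "and":
        return matches(node[1], device) and matches(node[2], device)
    _, prop, op, val = node
    return prop in device and _OPS[op](device[prop], val)   # a missing property never matches


def in_scope(policy, device):
    """True when the device filter leaves this device inside the policy's scope."""
    f = policy["conditions"]["devices"]["deviceFilter"]
    hit = matches(_parse(f["rule"]), device)
    return hit if f["mode"] == "include" else not hit


INVENTORY = {   # constructed sample devices, not real telemetry
    "LAPTOP-22H2": {"operatingSystem": "Windows", "operatingSystemVersion": "10.0.19045.3803"},
    "LAPTOP-1809": {"operatingSystem": "Windows", "operatingSystemVersion": "10.0.17763.5122"},
    "LAPTOP-W11": {"operatingSystem": "Windows", "operatingSystemVersion": "10.0.22631.2861"},
    "UNREGISTERED": {},
}


def blocked_devices(policy=BLOCK_UNSUPPORTED_OS, inventory=INVENTORY):
    return sorted(name for name, d in inventory.items() if in_scope(policy, d))
```

Running `blocked_devices()` lists LAPTOP-1809 and UNREGISTERED: the out-of-date build is caught, and so is the device Entra knows nothing about, while the two supported builds pass. Flip the filter to include mode with a “-notStartsWith” rule and UNREGISTERED disappears from the list, which is the gap the prose above warns about. The same evaluator can be pointed at an export of your registered devices to preview a rule before the policy leaves report-only.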

10. Use Conditional Access for Workload Identities

Workload identities are the service principals behind your applications, automation, and integrations. They often hold elevated permissions and reach critical resources, they cannot perform multi-factor authentication, and they frequently lack an owner or a lifecycle process, which makes a leaked client secret or certificate an attractive path into the tenant.

Conditional Access for workload identities (licensed separately as Microsoft Entra Workload ID Premium) lets you apply policies to single-tenant service principals in your tenant. The conditions available are network location and service principal risk from Entra ID Protection, and the only grant control is Block, so the two useful policies are “block this service principal unless it comes from these IP ranges” and “block any service principal that Entra ID Protection flags as high risk”. Managed identities and multi-tenant applications registered in other tenants are not in scope, so those still need secret rotation, least-privilege app roles, and sign-in monitoring as their controls.

How to Set Up an Azure Conditional Access Policy

Outsource Management of Your Access Controls to the Pros

Managing and monitoring all of your access controls can quickly become cumbersome if you have a large environment. In that case, it may be in your best interest to hire Azure security experts to do all the heavy lifting.

Partner with Atmosera to secure your digital assets with our Identity and Access Management (IAM) services. Our expert team will implement a Zero Trust approach to ensure strong authentication, least-privilege access, and continuous threat evaluation.
