Microsoft Azure Active Directory Conditional Access – The Pinnacle of Security
Are you considering transforming your business processes from an on-premises, fixed-cost IT model to gain the flexibility that the cloud platform has to offer? Are you concerned with the challenges for compliance and security that the cloud brings?
Trust that we’ve got you covered with Azure Active Directory Conditional Access. This blog will explain how Microsoft Azure AD Conditional Access can help your organization unleash the potential of the cloud while adhering to increased compliance and improved security by managing access to Microsoft 365.
What is Azure Active Directory?
Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service, which powers functions like single sign-on and makes sure the right users are accessing the right resources quickly, easily, and securely.
What is Azure Active Directory Conditional Access?
Conditional Access (CA) is the capability in Azure AD which allows organizations to control how authorized users access apps in the cloud based on specific conditions.
There are two types of CA offered via the Microsoft 365 platform:
- Microsoft Azure Active Directory Conditional Access
- Microsoft Intune with Conditional Access
Let’s talk Licenses!
Conditional Access with Azure Active Directory is a feature available with the Azure AD Premium License. Organizations that wish to have users access applications with conditional access policies applied must have an Azure AD Premium license. Azure AD Premium licenses can be purchased stand-alone or as part of the bundled Enterprise Mobility & Security E3, Microsoft 365 E3, and Microsoft 365 Business Premium.
Conditional Access with Microsoft Intune may also be purchased stand-alone or as part of the bundled Enterprise Mobility + Security E3 and E5 suites, Microsoft 365 E3 and E5, Microsoft 365 Business Premium, and a few others. Intune’s conditional access capabilities allow organizations to restrict access to company email and other Office 365 services to devices that comply with the rules that have been configured.
Business Value and Organization Goals!
Azure Active Directory Conditional Access… how is this beneficial to my organization, you may ask?
Cloud solutions are transforming the way we work and how the contemporary workplace functions. They allow more flexibility and, as a result, boost productivity. With the rapid growth of technology, the world in which we live and work is fast becoming mobile-first and cloud-first. As a result, users are now able to access organizational resources from practically anywhere using any device. Given these conditions, it is no longer adequate to protect company resources based on user identity alone. It is now becoming mandatory that organizations are able to control not only who has access, but also from where and from what devices resources are being accessed. Azure AD Conditional Access provides this means of control by allowing organizations to stipulate the conditions that a user must meet in order to gain access to applications and data.
Conditional Access allows you to build policies that fit your organization. Below are some examples:
- If users are accessing Exchange Online from an unmanaged device outside the corporate network, then all users must perform Multifactor Authentication (reference our MFA blog here)
- If users are accessing SharePoint Online from an untrusted device, then users will be restricted from downloading or uploading documents
- If the sales team wants access to the CRM application, then they are required to use a managed device
Conditional Access policies allow you to control if and when users are prompted for Multifactor Authentication (MFA), when they are required to use a trusted/domain-joined device, and when access is blocked.
Conditional Access also integrates with many other security features such as Microsoft Defender ATP, Intune (App Protection), and Cloud App Security.
Conditional Access encompasses several advantages and benefits that will help your organization to thrive:
- Increased productivity: Conditional Access policies enable control over when users are prompted for MFA, when access is blocked, or when they are required to use a trusted device; for example, a policy can define that users must use MFA for access to an application only when outside the corporate network
- Manage risk: enabling Conditional Access policies will provide organizations with cloud-scale identity protection, risk-based access control capabilities, and native multi-factor authentication support
- Manage cost: moving access policies to Azure AD reduces the reliance on custom or on-premises solutions, such as Active Directory Federation Services, removing the cost of running and maintaining that infrastructure
- Security: compromised passwords are the number one cause of data breaches around the world today. Passwords, especially those of privileged accounts, are a high-value target for hackers. Conditional access significantly improves the security posture of your organization’s cloud infrastructure and data by adding factors beyond just a username and password that hackers can’t easily replicate, such as the location of the login or the device being used for login
- Boost productivity: Conditional Access is largely automated using system policies, which users are not affected by once in place unless they try to log in beyond the set parameters. The fact that conditional access can be programmed into a system, with all the work of authentication being done behind the scenes, makes it convenient to increase security without risking a decline in productivity
- Data Privacy Compliance: the ability to protect data at the device level reduces the risk of personally identifiable information (PII) getting into the wrong hands. Implementing this type of policy lets automation monitor for anomalies and respond when certain risk conditions are met; for example, blocking access to a cloud storage account if the access originates outside an approved geographic area
Conditional Access Policies
Conditional Access works by allowing your organization to set up a series of conditions and controls to create the rules for what is allowed and what isn’t. Cloud technology has the potential to revolutionize how work is done; however, finding the right balance between unleashing the potential of the cloud and the need for more stringent compliance and security measures is the key to successful, efficient, and secure business operations.
- Conditions can be thought of as “if this happens”
- Access controls can be thought of as “then do this”
Below are the main categories and conditions available for configuration which, in turn, allow controls for how authorized users can access company resources.
- Enforcing Multifactor Authentication: MFA is a well-known control that goes hand-in-hand with, and is enforced by, Conditional Access. As a user, you only need to go through two steps to gain access to the workspace. The initial step of entering a login and password is where the user provides something they “know”. MFA then requires additional proof that the person requesting the login is indeed that person, which the user supplies with something they “have”, such as a code generated from their phone’s authenticator app. Conditional Access policies determine whether the second factor is necessary or not: if the sign-in comes from a recognized device in a recognized location, MFA might not be required for that login session
- Authorized Devices: a typical category of conditional access is determining which devices have cloud access. This permits you to restrict network access to only business devices, ensuring that unauthorized devices and potentially unprotected private devices are restricted, which is a fantastic approach to maintaining control over what devices can access your data
- Location: administrators can configure permissions and even prohibit access based on the location of the access request. Conditions can be established to authorize requests from specific locations, such as branch offices, or to require enhanced protection for any sites outside the jurisdiction of your Head Office, such as specific international countries
- Endpoints: employee devices, such as personal laptops and smartphones, can have restricted access. This includes restricting the number of employee-owned endpoints connected to your company’s network. Access can also be restricted to specific devices under the control of your IT department
- User and Group Access: users or groups may be granted varying levels of network access based on their requirements or authorization rank. Employees whose jobs necessitate the usage of sensitive data or resources are given remote access to them. Employees with lesser authorization levels will be denied entry or required to provide further authentication
- Enhanced Admin Experience: Conditional Access reduces an IT administrator’s workload by automating cloud and network security. With well-defined Conditional Access policies in place, the organization can be confident that the login process is adequately secure. Furthermore, the policies eliminate the requirement for MFA at every login attempt, minimizing login problems and, as a result, the number of help desk tickets that are logged
Let’s take a look at some types of policies
These are a few key options at your disposal that can be useful in most, if not all organizations:
What if a legitimate user tries to access a cloud app from a network location you don’t trust?
- Location-based policies let the organization define if and how users can access company resources from inside and outside the organization’s network. For example, enforce that users always perform MFA from outside your corporate network
What if a legitimate user tries to access a cloud app with a device that is not managed by your organization?
- Using device-based Conditional Access, requirements can be tied to the device that is used by an authorized user to access company resources
What if a user with compromised credentials tries to sign in?
- Leverage Identity Protection (requires an Azure AD Premium P2 license) to analyze the user’s risk level and restrict access accordingly
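As an added example (not code from the original post), here is the location-based policy described above, "require MFA for Exchange Online from outside trusted locations", expressed as a Microsoft Graph policy object and created with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed and uses `<BREAK-GLASS-GROUP-ID>` as a placeholder for the object ID of an emergency-access group that stays excluded from the policy.

```powershell
# Added example, not from the original post: create the location-based MFA policy
# in report-only mode so its effect can be reviewed in the sign-in logs first.
# Assumption: Microsoft.Graph module installed; <BREAK-GLASS-GROUP-ID> is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$policy = @{
    displayName = "CA01 - Require MFA for Exchange Online from untrusted locations"
    # Report-only state: evaluated and logged, but not enforced. Switch to "enabled"
    # only after confirming no unexpected users or service accounts are caught.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers  = @("All")
            # Always exclude the emergency-access (break-glass) group from MFA policies
            excludeGroups = @("<BREAK-GLASS-GROUP-ID>")   # placeholder, not a real ID
        }
        applications   = @{
            # Well-known application ID of Office 365 Exchange Online
            includeApplications = @("00000002-0000-0ff1-ce00-000000000000")
        }
        locations      = @{
            includeLocations = @("All")          # "if this happens": sign-in from anywhere...
            excludeLocations = @("AllTrusted")   # ...except named locations marked as trusted
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"                   # "then do this": require MFA
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Named locations marked as trusted (your corporate network ranges) must already exist in Azure AD for the `AllTrusted` exclusion to have any effect; otherwise the policy prompts everyone everywhere.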
Conditional Access is a powerful zero-trust engine, and it should be the heart and soul of any Microsoft 365 customer’s security design. However, a poorly designed Conditional Access policy can be exploited to gain access. Put this knowledge to good use and contact us today to see how we can help you implement this security must-have to better secure access to your organization’s resources.