So far in this series, we have covered how to implement enhanced password complexity on-premise and in-cloud with Azure AD Password Protection, limit the use of the local administrator account with LAPS, and now onto part 3 where we will look at how to secure access to cloud-based resources with conditional access.
- Implementing Modern Security Tools – Part 1 – Azure AD Password Protection
- Implementing Modern Security Tools – Part 2 – Microsoft LAPS
- Implementing Modern Security Tools – Part 3 – Conditional Access
- Implementing Modern Security Tools – Part 4 – Password Reset
What is Conditional Access?
Conditional access is often confused with multi-factor authentication, as the two technologies aid to provide you with a set of security rules to prevent unauthorised access to your data.
Conditional access defers from multi-factor authentication however in its ability to use many different checks based on conditions such as,
- The type of device
- The individual user or group
- Operating system used
- Geographical location
- Application used
The below diagram visualises how the authentication process takes place through Azure Active Directory in order to consume cloud-based resources, however, with Azure App Proxy the same methods can be used to protect your on-premise environment.
USE CASE EXAMPLE
Let us consider an example where we have an employee who works in the IT department of a company. The company policy states that all corporate data must not be accessible outside their business location, in this example we will use Ireland.
Historically, this employee might of required VPN access to manage company resources, with cloud based computing however, it’s an always on, always accessible world. By implementing conditional access, the company can now control from where and from what device their employees have access
CONFIGURATION – AZURE ACTIVE DIRECTORY PORTAL
We will now use the Azure Portal to configure a conditional access policy. Taking the above example, I will show you how to limit based on a basic rule specifying a trusted location, in this example a country. In production of course, this is more likely to be a series of corporate internet facing IP addresses.
- Launch the portal (https://portal.azure.com) and click on the Azure Active Directory blade;
- Click on Conditional Access
- Create a new policy by clicking on the “+ New Policy” button
- Click on “Users and groups”
- Click on “Select users and groups”, then tick the “Users and groups” checkbox
- Type in and select the name of the user who you want to control access for;
- Click on Select and Done
- Now we will select the conditions where we will block and allow user access, click Conditions;
- At this point all locations are selected, so we now want to set an exclusion, click Exclude
- Select the trusted network or geographic area you wish to exclude, in this instance we are selecting Ireland
- Now we have to select the applications to restrict access to
- Click on Cloud Apps and either select the individual app or all cloud apps as required
Testing Conditional Access
At this point we have configured a conditional access profile to block connections outside of the trusted network. Now lets see what happens when the end user attempts to access the site.
- Azure AD Logon Screen
- Trusted location experience;
- Untrusted network experience;
As you can see, as expected the user log on is blocked when a log on attempt is carried out from an untrusted location.
Reviewing The Logs
When setting up your conditional access policies, you will more than likely need to check the logs during testing. Thankfully Microsoft Azure AD has great logs out of the box, so simply select the Azure Active Directory blade, scroll down to the monitoring section and click on “Sign-Ins”.
Below you will see the log entry associated with the blocked action above;
Device Compliance, Multi-Factor Authentication and Platform Options
Aside from blocking based on trusted networks there are several enhanced authentication options that can be used within the conditional policy, these include;
- Multi-factor AuthenticationUse Azure Multi-Factor Authentication in conjunction with your Authenticator app, SMS or phone call authentication
- Require device to be marked as compliant
This option requires the device to be enrolled within Microsoft Intune and compliant with the assigned device policies
- Require Hybrid Azure AD joined device
Devices must be known to both the corporate and Azure domains
Conditional Access provides a highly flexible means of protecting access to company resources, for those consuming Microsoft 365 licenses I would strongly suggest looking to add this to your security arsenal, taking particular care of those highly privileged accounts.