
Getting Started with Azure Conditional Access Policies

Azure Active Directory (Azure AD) Conditional Access policies let you apply access controls to applications and services. A policy evaluates a set of conditions about a sign-in (who the user is, which application they are opening, what device and client they are using, and where they are connecting from) and then grants access, grants access with extra requirements such as MFA, or blocks the sign-in.

Licensing Requirements

  • Azure AD Premium P1 (minimum licence required)
  • Azure AD Premium P2 (adds risk-based conditions, i.e. sign-in risk and user risk from Identity Protection)

Azure AD P1 or P2 is included in these subscriptions:

  • Microsoft 365 E3 (includes Azure AD P1)
  • Microsoft 365 E5 (includes Azure AD P2)
  • Enterprise Mobility + Security E3 (includes Azure AD P1)
  • Enterprise Mobility + Security E5 (includes Azure AD P2)

What can you use conditional access policies for?

Examples of conditional access policies:

  • Require MFA for users who hold admin roles
  • Require MFA for all users when they access any cloud app
  • Require a domain-joined (hybrid Azure AD joined) or compliant device plus MFA when users access a particular application
  • Block or grant access by location (e.g. block sign-ins from certain countries, or let trusted IP ranges such as the office bypass MFA)

How do conditional access policies work?

A policy is built by choosing the users and cloud apps it targets, adding the conditions under which it applies, and finally choosing the access control: grant (optionally with extra requirements such as MFA) or block.

Target Users and groups > Cloud Apps > Conditions > Controls (Grant or Block)

Example: All guest and external users > All cloud apps > Grant access, require MFA
Example: All users > All cloud apps > Client app = browser > Grant access, require MFA

Users and groups can be included and excluded. Exclusions take precedence over inclusions, so a user in an excluded group is never affected by the policy even if another inclusion would otherwise catch them.

Locations can be included or excluded. You define named locations (IP ranges or countries) and can mark IP ranges as trusted, then use them as policy conditions, e.g. do not require MFA from the head office IP range. You can also use locations to block access, e.g. block sign-ins from Russia and China.

  • If more than one policy applies to a sign-in, the controls of every applying policy must be satisfied
  • Within a single policy, all configured conditions are ANDed together, so every condition must match for the policy to apply
  • If any applying policy has a block control, it takes precedence over every grant: the sign-in is blocked regardless of what the other policies would allow
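The three rules above, together with the include/exclude behaviour of users and locations, are easier to see in code. The following is an added example written for this page (not Microsoft's evaluator and not code from the original post): a small local simulation of how a set of Conditional Access policies combine for a sign-in. Policies are written in the shape of the Microsoft Graph conditionalAccessPolicy resource, so each dict could be posted as-is to https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies. Every user, group, role, application and named-location identifier is a constructed placeholder (Graph uses GUIDs for groups, roles and named locations).

```python
"""Toy evaluator for the Conditional Access decision rules described above.

Added example, not Microsoft code. Policies use the shape of the Microsoft Graph
conditionalAccessPolicy resource; every user, group, role, app and location
name is a constructed placeholder.
"""
import ipaddress

# Constructed named locations; in Graph these are namedLocation objects referenced by id.
NAMED_LOCATIONS = {
    "loc-head-office": {"ipRanges": ["203.0.113.0/24"], "isTrusted": True},
    "loc-blocked-countries": {"countries": {"RU", "CN"}},
}

def _in_location(loc, s):
    if "ipRanges" in loc:
        return any(ipaddress.ip_address(s["ip"]) in ipaddress.ip_network(r) for r in loc["ipRanges"])
    return s["country"] in loc["countries"]

def _in_any_location(keys, s):
    for key in keys:
        trusted = key == "AllTrusted" and any(
            l.get("isTrusted") and _in_location(l, s) for l in NAMED_LOCATIONS.values())
        if key == "All" or trusted or (key in NAMED_LOCATIONS and _in_location(NAMED_LOCATIONS[key], s)):
            return True
    return False

def _users_match(users, s):
    # Exclusions take precedence over inclusions, as in the portal.
    if (s["user"] in users.get("excludeUsers", [])
            or s["groups"] & set(users.get("excludeGroups", []))
            or s["roles"] & set(users.get("excludeRoles", []))):
        return False
    inc = users.get("includeUsers", [])
    return ("All" in inc or s["user"] in inc
            or ("GuestsOrExternalUsers" in inc and s.get("guest", False))
            or bool(s["groups"] & set(users.get("includeGroups", [])))
            or bool(s["roles"] & set(users.get("includeRoles", []))))

def policy_applies(policy, s):
    """Conditions are ANDed: the policy applies only if every configured condition matches."""
    c = policy["conditions"]
    apps = c["applications"]
    if not _users_match(c["users"], s) or s["app"] in apps.get("excludeApplications", []):
        return False
    if "All" not in apps["includeApplications"] and s["app"] not in apps["includeApplications"]:
        return False
    client_types = c.get("clientAppTypes", ["all"])
    if "all" not in client_types and s["clientAppType"] not in client_types:
        return False
    loc = c.get("locations")
    if loc and (_in_any_location(loc.get("excludeLocations", []), s)
                or not _in_any_location(loc.get("includeLocations", ["All"]), s)):
        return False
    return True

def evaluate(policies, s):
    """Combine all applying policies: a block beats every grant, otherwise all grant controls are required."""
    applied = [p for p in policies if p["state"] == "enabled" and policy_applies(p, s)]
    report_only = [p["displayName"] for p in policies
                   if p["state"] == "enabledForReportingButNotEnforced" and policy_applies(p, s)]
    names = [p["displayName"] for p in applied]
    if any("block" in p["grantControls"]["builtInControls"] for p in applied):
        return {"decision": "block", "applied": names, "reportOnly": report_only}
    required = [(p["displayName"], p["grantControls"]["operator"], p["grantControls"]["builtInControls"])
                for p in applied]
    return {"decision": "grant", "required": required, "applied": names, "reportOnly": report_only}

# The exclusion group and break-glass account are excluded from every policy, per the best practices below.
EXCLUDE = {"excludeGroups": ["grp-ca-exclusions"], "excludeUsers": ["breakglass@contoso.onmicrosoft.com"]}

def _policy(name, state, users, grant, **conds):
    return {"displayName": name, "state": state,
            "conditions": {"users": {**users, **EXCLUDE},
                           "applications": {"includeApplications": ["All"]}, **conds},
            "grantControls": {"operator": "OR", "builtInControls": grant}}

POLICIES = [
    _policy("Require MFA for admins", "enabled", {"includeRoles": ["Global Administrator"]}, ["mfa"]),
    _policy("Require MFA in browser outside trusted locations", "enabled", {"includeUsers": ["All"]}, ["mfa"],
            clientAppTypes=["browser"],
            locations={"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}),
    _policy("Block RU and CN", "enabled", {"includeUsers": ["All"]}, ["block"],
            locations={"includeLocations": ["loc-blocked-countries"]}),
    _policy("Require compliant device", "enabledForReportingButNotEnforced", {"includeUsers": ["All"]},
            ["compliantDevice"]),
]

def make_signin(user, ip, country, roles=(), groups=(), client="browser", app="Office365"):
    return {"user": user, "ip": ip, "country": country, "roles": set(roles),
            "groups": set(groups), "clientAppType": client, "app": app}

if __name__ == "__main__":
    for s in [make_signin("alice@contoso.com", "203.0.113.10", "GB", roles=["Global Administrator"]),
              make_signin("bob@contoso.com", "198.51.100.7", "GB"),
              make_signin("bob@contoso.com", "198.51.100.7", "RU"),
              make_signin("breakglass@contoso.onmicrosoft.com", "198.51.100.7", "RU",
                          groups=["grp-ca-exclusions"])]:
        print(s["user"], s["country"], "->", evaluate(POLICIES, s))
```

Running it shows the rules in action: the admin signing in from the trusted head office range only gets the admin MFA policy (the browser policy is excluded by AllTrusted); an ordinary user from an untrusted address gets MFA; the same user from Russia is blocked even though the MFA policy would have granted; and the break-glass account in the exclusion group matches nothing at all, which is exactly why that account needs a strong credential and sign-in alerting. The simulation deliberately ignores session controls, sign-in risk and device state, so treat it as a reading aid for the rules, not a substitute for report-only mode.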

Conditional Access Best Practices

Emergency Access Account

Make sure you have an administrator account you can use as a "break glass" account in case a policy is mis-configured and you lose access to your Azure AD tenant. The account should be a cloud-only Global Administrator with no MFA requirement and a long, randomly generated password stored securely offline. Exclude it from every Conditional Access policy, and alert on any sign-in by it, because a policy cannot protect it and its use should never go unnoticed.

Policy Exclusions

Create an Azure AD security group for policy exclusions and add any users you want to exclude from a policy to that group.

Add at least one Global Administrator account (the break glass account) to the exclusion group. Also exclude your own admin account while creating or editing policies, so a mistake cannot lock you out part-way through.

You might also need to exclude some service accounts from Conditional Access policies, for example backup accounts, the Azure AD Connect sync account and other service accounts that sign in to Azure or Office 365 and cannot complete MFA. Keep this list short and review it periodically, since every exclusion is a gap in the policy.

Blocking Policies

Avoid policies that block all users across all cloud apps. These are not recommended because a single such policy, with the wrong exclusions, can lock out your entire organisation including its administrators.

Compliant Devices

Be careful with policies that require domain-joined (hybrid Azure AD joined) or compliant devices. If no device yet meets the requirement, the policy blocks every targeted user.

Testing Policies

Enable new policies in report-only mode first. The policy is evaluated but not enforced, and the Azure AD sign-in logs record what the outcome of each sign-in would have been, so you can confirm the policy behaves as expected before turning it on.

Apply policies to a test group of users and test them before applying them to all users.

Some policies can take up to 24 hours to take effect (blocking legacy authentication is one example), so allow for that delay when testing.
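Report-only mode only helps if you actually read the results, and the sign-in log volume makes that tedious by hand. The following is an added example, written for this page rather than taken from the original post or from Microsoft: it summarises report-only outcomes per policy, lists who would have failed a given policy once enforced, and checks that protected accounts (break glass, service accounts) were not evaluated by any policy at all, which would mean an exclusion is missing. The sign-in records are constructed to match the fields this script reads from the Microsoft Graph signIn resource (https://graph.microsoft.com/v1.0/auditLogs/signIns returns pages of such objects under "value"); user, application and policy names are placeholders.

```python
"""Triage of report-only Conditional Access outcomes from Azure AD sign-in logs.

Added example, not from the original post. SAMPLE_SIGNINS is constructed to
mirror the fields read here from the Graph signIn resource; names are placeholders.
"""
import json
from collections import Counter, defaultdict

# Constructed sample export, trimmed to the fields this script uses.
SAMPLE_SIGNINS = json.loads("""[
 {"createdDateTime": "2023-09-20T08:01:12Z", "userPrincipalName": "alice@contoso.com",
  "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Browser",
  "appliedConditionalAccessPolicies": [
   {"displayName": "Require MFA in browser", "result": "success"},
   {"displayName": "Require compliant device", "result": "reportOnlyFailure"},
   {"displayName": "Block legacy authentication", "result": "reportOnlyNotApplied"}]},
 {"createdDateTime": "2023-09-20T08:03:40Z", "userPrincipalName": "bob@contoso.com",
  "appDisplayName": "Microsoft Teams", "clientAppUsed": "Mobile Apps and Desktop clients",
  "appliedConditionalAccessPolicies": [
   {"displayName": "Require MFA in browser", "result": "notApplied"},
   {"displayName": "Require compliant device", "result": "reportOnlySuccess"},
   {"displayName": "Block legacy authentication", "result": "reportOnlyNotApplied"}]},
 {"createdDateTime": "2023-09-20T08:10:05Z", "userPrincipalName": "carol@contoso.com",
  "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Exchange ActiveSync",
  "appliedConditionalAccessPolicies": [
   {"displayName": "Require MFA in browser", "result": "notApplied"},
   {"displayName": "Require compliant device", "result": "reportOnlyNotApplied"},
   {"displayName": "Block legacy authentication", "result": "reportOnlyFailure"}]},
 {"createdDateTime": "2023-09-20T09:12:51Z", "userPrincipalName": "breakglass@contoso.onmicrosoft.com",
  "appDisplayName": "Azure Portal", "clientAppUsed": "Browser",
  "appliedConditionalAccessPolicies": [
   {"displayName": "Require MFA in browser", "result": "notApplied"},
   {"displayName": "Require compliant device", "result": "reportOnlyFailure"},
   {"displayName": "Block legacy authentication", "result": "reportOnlyNotApplied"}]},
 {"createdDateTime": "2023-09-20T09:30:00Z", "userPrincipalName": "dave@contoso.com",
  "appDisplayName": "SharePoint Online", "clientAppUsed": "Browser",
  "appliedConditionalAccessPolicies": [
   {"displayName": "Require MFA in browser", "result": "success"},
   {"displayName": "Require compliant device", "result": "reportOnlyFailure"},
   {"displayName": "Block legacy authentication", "result": "reportOnlyNotApplied"}]}
]""")

# Results that mean the policy did not evaluate as applying to the sign-in.
NOT_APPLIED = {"notApplied", "notEnabled", "reportOnlyNotApplied"}

def summarize_report_only(signins):
    """Per policy, count the report-only outcomes (result values starting with 'reportOnly')."""
    summary = defaultdict(Counter)
    for rec in signins:
        for pol in rec.get("appliedConditionalAccessPolicies", []):
            if pol["result"].startswith("reportOnly"):
                summary[pol["displayName"]][pol["result"]] += 1
    return {name: dict(counts) for name, counts in summary.items()}

def report_only_failures(signins, policy_name):
    """Distinct (user, app, client) combinations that would fail the policy once it is enforced."""
    hits = set()
    for rec in signins:
        for pol in rec.get("appliedConditionalAccessPolicies", []):
            if pol["displayName"] == policy_name and pol["result"] == "reportOnlyFailure":
                hits.add((rec["userPrincipalName"], rec["appDisplayName"], rec["clientAppUsed"]))
    return sorted(hits)

def exclusion_gaps(signins, protected_upns):
    """Protected accounts that some policy evaluated as applying to: an exclusion is missing."""
    protected = {u.lower() for u in protected_upns}
    gaps = set()
    for rec in signins:
        if rec["userPrincipalName"].lower() not in protected:
            continue
        for pol in rec.get("appliedConditionalAccessPolicies", []):
            if pol["result"] not in NOT_APPLIED:
                gaps.add((rec["userPrincipalName"], pol["displayName"], pol["result"]))
    return sorted(gaps)

if __name__ == "__main__":
    for name, counts in summarize_report_only(SAMPLE_SIGNINS).items():
        print(name, counts)
    print("would fail 'Require compliant device':",
          report_only_failures(SAMPLE_SIGNINS, "Require compliant device"))
    print("exclusion gaps:", exclusion_gaps(SAMPLE_SIGNINS, {"breakglass@contoso.onmicrosoft.com"}))
```

On the sample, the compliant-device policy would fail three of five sign-ins, the legacy-authentication block would have caught the Exchange ActiveSync client, and the break-glass account shows up as having been evaluated by the compliant-device policy, which is the exclusion mistake the previous section warns about. To run this against a real tenant, replace SAMPLE_SIGNINS with the "value" array from the signIns endpoint (AuditLog.Read.All permission), filtering on createdDateTime for the test window.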

Saturday, 23 September 2023