Conditional Access


Endpoint Management with Security Workshop
Conditional Access

Agenda
• Conditional Access overview
• Conditional Access assignments, conditions and controls
• Other considerations
• Common Conditional Access policies
• Q&A
Conditional Access overview

What is Microsoft Entra Conditional Access?
Conditional Access is a capability of Microsoft Entra ID that enables you to enforce controls on
access to applications in your environment, based on specific conditions, from a central location.

• Location- and user-based conditional access
• Device-based conditional access
• Application-based conditional access
• Risk-based conditional access
Conditional Access – general overview
Enforce strong protection policies and risk assessment to grant access to employees and partners.

Signals (user and location, device, real-time risk, application) → verify every access attempt → apps and data

Possible decisions for each access attempt:
• Allow access
• Require MFA
• Limit access
• Block access
Conditional Access Policy prerequisites
• Microsoft Entra tenant
• Global Admin credentials
• Microsoft Entra P1 / EMS E3 / Microsoft 365 E3 or higher licenses

Optional:
• Microsoft Intune (or 3rd party MDM) for device management and health attestation
• Microsoft Entra ID Protection for risk-based conditional access


Conditional Access Policy – building blocks

• Assignments – policy application
• Conditions – policy evaluation
• Controls – apply restrictions

(Examples shown in the diagram: Compliant, MFA)


Conditional Access Policies – when are they enforced?

Conditional access policies are enforced after the first-factor authentication has been completed.

Is MFA required? Conditional access policies may request second-factor authentication if so configured,
using Microsoft Entra MFA or an external 3rd party such as a Duo MFA service (MFA Custom Control).
How are Conditional Access Policies applied?

• All policies are evaluated* for application, and their respective conditions are AND'ed.
• If a policy applies, its controls are enforced (controls within each policy may be AND'ed or OR'ed).
• Block always wins and cannot be "unblocked".
• To "unblock" a user, exclude them from the blocking policy. This will likely require the creation of an
  "exception" policy to cover the new scenario.

* Conditional access policies are assessed for all sign-in and authorization requests, not for each application request.
Conditional Access Policy lifecycle

Insights: report-only mode, Conditional Access Insights, enhanced troubleshooting
Configuration: templates, summary view, Conditional Access API
Evaluation: targeting device groups, target actions, integrations with MDCA
Conditional Access Policy states

A Conditional Access Policy can be set to (Enable policy: Report-only | On | Off):

• On – policy assignments and conditions are evaluated, and controls are enforced.
• Off – policy is turned off.
• Report-only – policy assignments and conditions are evaluated but controls are not enforced.
  Admins can use Microsoft Entra sign-in logs to verify that the policy works as expected before fully turning it on.
Conditional Access Policy What-If tool

Understand the impact of Conditional Access policies in your environment.
Instead of testing policies by performing multiple sign-ins manually, the tool lets you evaluate
a simulated sign-in of a user.
Conditional Access vs. Security Defaults

Conditional Access
The flexible way of controlling access to cloud apps: enabling MFA for users, blocking legacy
authentication, implementing risk-based and compliance-based access, and more.
Recommended approach for most organizations.

Security Defaults
Enables MFA for all cloud apps and for all users.
Blocks legacy authentication for all users.
Doesn't support risk-based or compliance-based access.
Can't handle emergency / break-glass accounts.
Recommended (and default) as a starting point, but likely to be retained primarily by small business
organizations, with careful consideration.

Note: Conditional Access can't be combined with Security Defaults.
Assignments

Assignments – to which users, groups and service principals does the policy apply?

Users and groups
Include or exclude specific users and/or groups or directory roles.

Workload identities
Include or exclude specific service principals.

How to use
Both of these filters support including and excluding. This allows a policy to be focused on some
users, groups or service principals, while others are exempted from it.
Assignments – to which cloud applications, user actions or authentication context does the policy apply?

Cloud applications
A Conditional Access Policy will be applied when a user signs into Microsoft Entra to access specific
apps or all cloud apps. Cloud app filters support both including and excluding. This allows a policy
to be focused on certain apps, while other apps are exempted from it.

User actions
A Conditional Access policy will be applied when a user registers their security information
(e.g. for the purpose of MFA) or registers/joins a device to Microsoft Entra.

Authentication context
Conditional Access policies publish authentication contexts to applications to further secure data
and actions in them.
Conditions

Conditional Access policies trigger based on conditions. "When this happens" is called conditions.
Conditions are logically 'ANDed'.

Conditions available:
• User risk
• Sign-in risk
• Device platforms
• Locations
• Client apps
• Filters for devices

NOTE: risk-based conditions require Microsoft Entra Premium P2 or EMS E5 or Microsoft 365 E5.
Conditions: Device platforms

Device platforms:
• All platforms (including unsupported)
• Android
• iOS
• Windows Phone
• Windows
• macOS
• Linux

If you choose Any device, you can exclude specific platforms on the Exclude tab.
Conditions: Filter for devices

Ability to target or exclude specific devices.
Devices can be targeted by various attributes, for example:
• Device ID
• Display name
• Manufacturer
• Version of operating system
• Is device managed by MDM?
• Is device marked as compliant?
• Others…
Controls

Control types: Grant or Session
Each control is either a requirement that must be fulfilled by the person or system signing in, or a
restriction on what the user can do after signing in.
There are two types of controls:
• Grant controls – to gate access or require additional factors of authentication
• Session controls – to restrict access within a session

Grant controls: with grant controls, you can either block access altogether or allow access with
additional requirements by selecting the desired controls.
Session controls: the session controls are enforced by cloud apps and rely on additional information
provided by Microsoft Entra to the app about the session.
Grant controls

Controls: Block access
This explicit block overrides any grants.
Used when access to specific applications is not allowed for specific conditions.

Controls: Require MFA
Requires the user to be authenticated using multiple factors. This could be:
• Azure MFA Service
• Presence of a claim in a token issued by a trusted federation service:
  https://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod = http://schemas.microsoft.com/claims/multipleauthn
• Windows Hello for Business Primary Refresh Token (PRT) with strong authentication: "ACR": 2
Controls: Require compliant device
Device is registered in Microsoft Entra and is marked compliant by:
• Intune
• 3rd party MDM that manages Windows 10/11 via Microsoft Entra integration

Note: 3rd party MDM is only supported for Windows 10/11. iOS and Android devices must be managed by Intune.
Multiple grant controls

Require all the selected controls (AND): users will be granted access to the application when they
use multifactor authentication AND sign in from a device managed by MDM which marked it as compliant.

Require one of the selected controls (OR): users will be granted access to the application when they
use multifactor authentication (from either a managed or an unmanaged device) OR sign in from a device
managed by MDM, which marked it as compliant (then single-factor authentication is acceptable).
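The evaluation rules from "How are Conditional Access Policies applied?" (all policies evaluated, conditions AND'ed, exclusions, Block always wins, report-only never enforced) and the AND/OR combination of grant controls above, worked through in a small Python model. This is an added example, not Microsoft's code or the Entra evaluation engine; the policy shape, the "trusted"/"untrusted" location labels and the control names are constructed for illustration, and the "require-controls" decision stands for the user being challenged for the missing control.

```python
# Toy model of the rules on these slides: every enabled policy is evaluated,
# a policy's assignments and conditions are AND'ed, an excluded user drops out
# of a policy, an explicit Block wins over any grant, and grant controls combine
# as "require all" (AND) or "require one" (OR). Added example, not Microsoft code.
from dataclasses import dataclass, field

@dataclass
class SignIn:
    user: str
    app: str
    location: str          # constructed labels, e.g. "trusted" / "untrusted"
    satisfied: frozenset   # controls this sign-in can meet, e.g. {"mfa"}

@dataclass
class Policy:
    name: str
    state: str = "on"                               # on | off | reportOnly
    include_users: set = field(default_factory=lambda: {"All"})
    exclude_users: set = field(default_factory=set)
    apps: set = field(default_factory=lambda: {"All"})
    conditions: dict = field(default_factory=dict)  # attr -> allowed values
    block: bool = False                             # explicit "Block access"
    controls: set = field(default_factory=set)      # e.g. {"mfa", "compliantDevice"}
    operator: str = "AND"                           # AND = require all, OR = require one

def applies(p: Policy, s: SignIn) -> bool:
    # Assignments and every condition must all hold; exclusion beats inclusion.
    in_scope = ("All" in p.include_users or s.user in p.include_users) \
        and s.user not in p.exclude_users and ("All" in p.apps or s.app in p.apps)
    return in_scope and all(getattr(s, a) in v for a, v in p.conditions.items())

def controls_met(p: Policy, s: SignIn) -> bool:
    hits = [c in s.satisfied for c in p.controls]
    return all(hits) if p.operator == "AND" else any(hits)

def evaluate(policies: list, s: SignIn) -> tuple:
    # Returns (decision, applied policy names); report-only policies are only logged.
    applied, blocked, pending = [], False, []
    for p in policies:
        if p.state == "off" or not applies(p, s):
            continue
        applied.append(p.name + (" (report-only)" if p.state == "reportOnly" else ""))
        if p.state == "reportOnly":
            continue                  # recorded as the sign-in log would, never enforced
        if p.block:
            blocked = True            # Block always wins, nothing "unblocks" it
        elif not controls_met(p, s):
            pending.append(p.name)    # user is challenged for the missing control
    decision = "block" if blocked else "require-controls" if pending else "allow"
    return decision, applied
```

Running the same sign-in once with and once without the compliant-device signal shows the difference between "require all" and "require one" policies, and an excluded break-glass account falls out of the MFA policy entirely.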
Session controls

Session Controls
Allows administrators to make use of session controls to enable limited experiences within specific
cloud applications.
Organizations can use this control to require Microsoft Entra to pass device information to the
selected cloud apps. The device information enables the cloud apps to know whether a connection is
initiated from a compliant or domain-joined device*.

* Only supported in SharePoint Online and Exchange Online


Session Controls: Conditional Access App Control (using Microsoft Defender for Cloud Apps)
Used to define who (users or groups) and what applications are:
• Routed to the reverse proxy provided by Microsoft Defender for Cloud Apps
• Having their actions verified against access and session policies

MDCA access and session policies can:
• Prevent data exfiltration
• Protect on download
• Prevent upload of unlabeled files
• Monitor user sessions for compliance
• Block access
• Block custom user activities
Other considerations

Break-glass accounts
It is possible to lock out access when applying a misconfigured Conditional Access policy to all
cloud apps or to the Azure Resource Management API (i.e. Azure portal).
We recommend excluding specific break-glass account(s) from the policy.
Ensure the password for any break-glass account is stored securely.

Directory Synchronization service accounts
Don't forget about the service accounts used by Microsoft Entra Connect for directory synchronization.
Especially if MFA is required to grant access, exclude them from Conditional Access.
Common Conditional Access policies

Templates of common Conditional Access policies
Easily create common Conditional Access policies based on templates provided by Microsoft.
• Settings preconfigured appropriately to the goal of the policy
• Excluded users taken care of
• Default policy state set to "report-only"
Next steps

(a) Continue with the Microsoft Defender for Endpoint session

Resources
Conditional Access documentation
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/

Common Conditional Access policies
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policy-common

Troubleshooting Conditional Access using the What If tool
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/troubleshoot-conditional-access-what-if

Thank you.
