Conditional Access
Security Workshop
Agenda
• Conditional Access overview
• Conditional Access assignments, conditions and controls
• Other considerations
• Common Conditional Access policies
• Q&A
Conditional Access overview
What is Microsoft Entra Conditional Access?
Conditional Access is a capability of Microsoft Entra ID that lets you enforce access controls on the applications in your environment from a central location, based on specific conditions (signals) observed at sign-in.
[Figure: signals (user and location, device, application, real-time risk) feed the Conditional Access decision, which is one of: allow access, require MFA, limit access, block access]
Prerequisites
• Microsoft Entra tenant
• Optional: Microsoft Intune (or 3rd-party MDM) for device management and health attestation (device compliance)
Conditional Access policies may request second-factor authentication if so configured.
How are Conditional Access Policies applied?
• All policies are evaluated* for applicability; within a policy, the respective conditions are AND'ed.
• If a policy applies, its controls are enforced (the controls within one policy may be AND'ed or OR'ed).
• Block always wins and cannot be "unblocked" by another policy.
• To "unblock" a user, exclude them from the blocking policy.
• This will likely require the creation of an "exception" policy to cover the new scenario.
* Conditional Access policies are assessed for all sign-in and authorization requests, not for each application request.
Conditional Access policy lifecycle
Insights:
• Report-only mode
• Conditional Access Insights
• Enhanced troubleshooting
Configuration:
• Templates
• Summary view
• Conditional Access API
Security Defaults
• Enables MFA for all cloud apps and for all users.
• Blocks legacy authentication for all users.
• Doesn't support risk-based or compliance-based access.
• Can't accommodate emergency / break-glass accounts (no exclusions are possible).
• Recommended (and enabled by default) as a starting point, but likely to be retained long-term mainly by small business organizations, and only after careful consideration.
Assignments
Assignments – to which users, groups and service principals does the policy apply?
Workload identities
Include or exclude specific service principals.
How to use
Both the users/groups filter and the workload identities filter support including and excluding. This lets you focus a policy on some users, groups or service principals, and exempt others from it.
Assignments – to which cloud applications, user actions or authentication context does the policy apply?
Cloud Applications
A Conditional Access policy is applied when a user signs in to Microsoft Entra to access specific apps or all cloud apps. The cloud apps filter supports both including and excluding, so a policy can be focused on certain apps while other apps are exempted from it.
User actions
A Conditional Access policy is applied when a user registers their security information (e.g. for the purpose of MFA) or registers/joins a device to Microsoft Entra.
Authentication context
Conditional Access publishes authentication contexts to applications so that they can further secure specific data and actions within the application.
Conditions
Conditions available:
• User risk
• Sign-in risk
• Device platforms
• Locations
• Client apps
• Filters for devices
Device platforms
• All platforms (including unsupported)
• Android
• iOS
• Windows Phone
• Windows
• macOS
• Linux
Require all the selected controls (AND)
Users are granted access to the application when they use multifactor authentication AND sign in from a device managed by MDM that marked it as compliant.
Require one of the selected controls (OR)
Users are granted access to the application when they use multifactor authentication (from either a managed or an unmanaged device) OR sign in from a device managed by MDM that marked it as compliant (in which case single-factor authentication is acceptable).
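The combination rules from the "How are Conditional Access Policies applied?" slide, the include/exclude assignments, and the AND/OR grant controls above, as an added example that is not Microsoft's evaluation engine and not code from this deck: a toy evaluator over policy dictionaries that reuse the Microsoft Graph conditionalAccessPolicy field names (conditions, grantControls, state) for the subset modelled here. The sample policies, the "staff" and "break-glass" group names, the "finance-app" identifier and the sign-ins are constructed for illustration.

```python
# Added example, not Microsoft's engine or code from this deck: a toy evaluator for the
# combination rules the slides state (exclusion wins over inclusion, AND'ed conditions,
# block always wins, AND/OR grant controls within one policy, requirements accumulating
# across policies, report-only policies evaluated but never enforced). Policy dicts
# reuse the Microsoft Graph conditionalAccessPolicy field names for the subset modelled;
# the sample policies, group names and sign-ins below are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class SignIn:
    user: str
    groups: frozenset
    app: str
    platform: str           # "windows", "macOS", ...
    client_app: str         # "browser", "mobileAppsAndDesktopClients", "exchangeActiveSync", "other"
    mfa_done: bool          # second factor already satisfied for this request
    device_compliant: bool  # MDM marked the device compliant

def _users_match(users, s):
    """Users/groups assignment: 'All' or a direct hit includes; any exclusion wins."""
    inc_u, inc_g = users.get("includeUsers", []), set(users.get("includeGroups", []))
    exc_u, exc_g = users.get("excludeUsers", []), set(users.get("excludeGroups", []))
    included = "All" in inc_u or s.user in inc_u or bool(s.groups & inc_g)
    excluded = s.user in exc_u or bool(s.groups & exc_g)
    return included and not excluded

def _apps_match(apps, s):
    inc = apps.get("includeApplications", [])
    return ("All" in inc or s.app in inc) and s.app not in apps.get("excludeApplications", [])

def policy_applies(policy, s):
    """A policy applies only if every configured condition matches: conditions are AND'ed."""
    c = policy["conditions"]
    checks = [_users_match(c["users"], s), _apps_match(c["applications"], s)]
    if "platforms" in c:
        inc = c["platforms"]["includePlatforms"]
        checks.append("all" in inc or s.platform in inc)
    if "clientAppTypes" in c:
        checks.append(s.client_app in c["clientAppTypes"])
    return all(checks)

def _controls_met(grant, s):
    """Grant controls inside one policy combine with that policy's operator (AND or OR)."""
    status = {"mfa": s.mfa_done, "compliantDevice": s.device_compliant}
    results = [status[ctl] for ctl in grant["builtInControls"]]
    return all(results) if grant["operator"] == "AND" else any(results)

def evaluate(policies, s):
    """Return (decision, enforced policy names, unmet report-only policy names).

    decision is "block" when any applicable enabled policy blocks (block always wins),
    "require_controls" when some applicable policy's grant controls are unmet (the
    requirements of all applicable policies accumulate), otherwise "grant".
    """
    blockers, unmet, report_only = [], [], []
    for p in policies:
        if p["state"] == "disabled" or not policy_applies(p, s):
            continue
        controls = p["grantControls"]["builtInControls"]
        satisfied = "block" not in controls and _controls_met(p["grantControls"], s)
        if p["state"] == "enabledForReportingButNotEnforced":
            if not satisfied:
                report_only.append(p["displayName"])  # logged only, never enforced
        elif "block" in controls:
            blockers.append(p["displayName"])
        elif not satisfied:
            unmet.append(p["displayName"])
    if blockers:
        return "block", blockers, report_only
    if unmet:
        return "require_controls", unmet, report_only
    return "grant", [], report_only

# Constructed sample policies (hypothetical names, groups and app identifiers).
_ALL_BUT_BREAK_GLASS = {"includeUsers": ["All"], "excludeGroups": ["break-glass"]}
POLICIES = [
    {"displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": _ALL_BUT_BREAK_GLASS, "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": _ALL_BUT_BREAK_GLASS, "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Windows: require MFA AND compliant device", "state": "enabled",
     "conditions": {"users": {"includeGroups": ["staff"]}, "applications": {"includeApplications": ["All"]},
                    "platforms": {"includePlatforms": ["windows"]}},
     "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]}},
    {"displayName": "Finance app: require MFA OR compliant device", "state": "enabled",
     "conditions": {"users": _ALL_BUT_BREAK_GLASS, "applications": {"includeApplications": ["finance-app"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]}},
    {"displayName": "Report-only: require compliant device everywhere",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
]

if __name__ == "__main__":
    alice = SignIn("alice", frozenset({"staff"}), "finance-app", "windows", "browser", True, False)
    print(evaluate(POLICIES, alice))  # MFA done, but the Windows policy also demands a compliant device
```

Two behaviours worth noticing when running it: a sign-in from a compliant macOS device without MFA satisfies the OR policy on its own, but still ends in "require_controls" because the all-users MFA policy applies as well, so "single-factor is acceptable" only holds when no other applicable policy demands MFA; and the break-glass account is granted access because it is excluded from every enforced policy, while the report-only policy (which has no exclusion) still records it as unmet, which is exactly the kind of gap report-only mode is meant to surface before a policy is switched on.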
Session controls