Personally, I think Conditional Access is the coolest tool Microsoft has ever released. It makes your identities and data more secure, it is easy to implement, and in many cases it has little or no impact on the end users' daily work.
I started working with Conditional Access from Microsoft over two years ago, and it has been a journey. At the beginning there were few conditions and many situations it could not handle; at that time Conditional Access was built into the old Azure portal, and the Intune part lived in the Silverlight portal. The Azure AD and Intune teams are still building new features into Conditional Access that make our everyday work more secure and easier to manage.
This is the first blog post in a series I have planned over the summer, so I start by covering the basics. I get a lot of requests for scenario-based Conditional Access; I will cover that in later posts in the series.
This blog post is divided into parts:
- First, the concept of Conditional Access
- Second, the license part
- Third, what admin rights you need
- Fourth, the Baseline policy: Require MFA for admins (Preview)
- Fifth, creating your first Conditional Access rule
- Sixth, the end-user experience
First, the concept of Conditional Access:
I love this illustration because it makes Conditional Access simple:
We have a condition: a user, on a device, in a location, trying to access a service with an app.
Then we have the control: what to do when that condition is met. Allow access, require MFA, or deny access to the service, whether it is on-premises or a cloud service.
An example: an admin user logs in to Office 365 and gets an MFA request, no matter where from or on what device.
Microsoft has built a default Conditional Access rule, "Baseline policy: Require MFA for admins (Preview)", to accomplish exactly that. More on that rule later in this blog post.
Second, the license part:
In general, Conditional Access requires EMS E3 licenses. That is a truth with modifications: it is easy to say because EMS E3 gives you both Azure AD Premium and Intune licenses, but there are still Conditional Access conditions that require other licenses.
Note: This is my understanding of the license rules. Check with your license partner to ensure that you are compliant!
Let's take a look at the conditions:
- Sign-in risk
  - This is only visible in Azure AD tenants that have an Azure AD P2 license.
  - It gives the possibility to act on the sign-in risk level calculated by Azure AD Identity Protection.
  - The options are: High, Medium, Low, No risk
- Device platforms
  - This requires Azure AD P1.
  - It gives the possibility to select which device types the policy applies to.
  - The options are: All platforms (including unsupported), Android, iOS, Windows Phone, Windows, macOS
- Client apps (Preview)
  - This requires Azure AD P1.
  - It gives the possibility to select which kinds of app the policy applies to.
  - The options are: Browser; Mobile apps and desktop clients
- Device state (preview)
  - "Device marked as compliant" requires Intune; otherwise Azure AD P1 is enough.
  - It gives the possibility to apply the policy to all devices but exclude devices based on their state.
  - The options are: Device Hybrid Azure AD joined, or Device marked as compliant
Let's take a look at the controls:
First you can block or grant access. Grant access has the following possibilities:
- Require multi-factor authentication
  - This requires Azure AD P1.
  - The end user needs access to a phone, or a device with the Microsoft Authenticator app.
- Require device to be marked as compliant
  - This requires Intune.
  - The compliance policy is defined in Intune and evaluated on enrolled devices.
  - There is an extra option in the compliance policy to require a device threat level; this requires a separate license for one of the supported threat-defense products (Windows Defender Advanced Threat Protection, Lookout for Work, Symantec Endpoint Protection, Check Point SandBlast Mobile, Zimperium, Pradeo).
- Require Hybrid Azure AD joined device
  - This requires Azure AD P1.
  - The Windows device needs to be Hybrid Azure AD joined.
- Require approved client app
  - This requires Intune and Azure AD P1.
  - This feature supports Intune Mobile Application Management (MAM).
  - This feature is only supported on iOS and Android.
  - Microsoft maintains and updates the list of approved client apps in its documentation.
Third, what admin rights you need:
A Global Admin has the rights, but not everybody should be a Global Admin. There is also a Conditional Access Administrator role that gives access to create and manage Conditional Access rules without handing out Global Admin.
Note: To deploy an Exchange ActiveSync conditional access policy in Azure, the user must also be a Global Administrator.
For management of the compliance policies in Intune you need to be an Intune Service Administrator or have an admin role assigned directly in the Intune service.
The Intune built-in role "Policy and Profile manager" has the rights for compliance policies, or you can create a custom Intune admin role with rights to "Device compliance policies".
Fourth, the Baseline policy: Require MFA for admins (Preview):
This is a rule Microsoft has created in all tenants so that admin accounts will be more secure.
In the Azure AD admin center https://aad.portal.azure.com
Go to Azure Active Directory, go down to Security and select Conditional Access.
Then you can see the "Baseline policy: Require MFA for admins (Preview)".
It is very important that you go into this Conditional Access policy and check whether you need to change the default setting in your environment.
Note: "Automatically enable policy in the future" means that, by selecting this option, you let Microsoft decide when to activate the policy.
You can also select to use the policy immediately, and it will take effect now.
You can use Exclude users and groups if you have privileged accounts that are used in your scripts, or you can migrate those scripts to a more modern and secure way of authenticating. Your emergency-access (break-glass) accounts should always be excluded as well, so an MFA outage or a misconfigured policy cannot lock you out of the tenant.
Note: Baseline policies are available in all editions of Azure AD, so everybody with an Office 365 subscription needs to take responsibility that the settings match their environment.
Fifth, create your first Conditional Access rule:
If you select not to use the Baseline policy: Require MFA for admins, you need to create your own policy to secure your admin accounts.
The end goal is the same, to secure your admin roles with MFA, but in a more controlled way.
Start by clicking New policy.
Enter a name for the Conditional Access rule.
- Click Users and groups
- Select Users and groups
- Select Directory roles (at the moment there are 24 predefined roles)
- Select all the admin roles you want to protect with MFA
- Select Cloud apps
- Select All cloud apps (you can also select single or multiple cloud apps, like Office 365 Exchange Online, Microsoft Azure Management and others)
Note: Don't lock yourself out! This policy impacts the Azure portal. Before you continue, ensure that you or someone else will be able to get back into the portal.
- Select Conditions
- Select Locations
- Configure: select Yes
- Include: select Any location
- Click Exclude
- Select "Selected locations"
- Select "MFA Trusted IPs"
I will cover how to set up trusted locations in a later blog post.
Under Access controls:
- Select Grant
- Select "Require multi-factor authentication"
- Enable policy: select On (as long as the policy is set to Off it does not have any effect)
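The same policy built without the portal, as an added example that is not part of the original post. It uses the Microsoft Graph PowerShell SDK, which is current tooling rather than what existed when this post was written (the baseline policies described above have since been retired in favour of Security Defaults, so a custom policy like this one is the approach that still applies). The module, cmdlets and Graph property names are real; the policy name, the list of roles to protect and the break-glass UPN are assumptions you replace with your own. Instead of the single "MFA Trusted IPs" location it excludes "AllTrusted", which covers the MFA trusted IP ranges plus any named location marked as trusted, and it creates the policy in report-only mode first so the sign-in logs show who would have been challenged before anything is enforced.

```powershell
# Added example, not the original post's code: create a "Require MFA for admin
# roles" Conditional Access policy with Microsoft Graph PowerShell.
# Assumptions: the Microsoft.Graph module is installed, the signed-in account
# holds the Conditional Access Administrator (or Global Administrator) role,
# and the role list and break-glass UPN below are placeholders for your tenant.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Directory.Read.All"

# Admin roles to protect (assumed selection). Role template IDs are resolved by
# display name so no GUIDs need to be hard-coded.
$roleNames = @(
    "Global Administrator",
    "Security Administrator",
    "Conditional Access Administrator",
    "Exchange Administrator",
    "SharePoint Administrator",
    "User Administrator"
)
$roleIds = @(Get-MgDirectoryRoleTemplate -All |
    Where-Object { $_.DisplayName -in $roleNames } |
    Select-Object -ExpandProperty Id)

if ($roleIds.Count -ne $roleNames.Count) {
    throw "Could not resolve every role name; check spelling against Get-MgDirectoryRoleTemplate."
}

# Emergency-access (break-glass) account that must never be caught by this
# policy. Placeholder UPN (assumption) - replace with your own account.
$breakGlassUpn = "breakglass@contoso.onmicrosoft.com"
$breakGlassId  = (Get-MgUser -UserId $breakGlassUpn -Property Id).Id

$policy = @{
    displayName   = "Require MFA for admin roles"
    # Report-only first: nothing is blocked, but the sign-in logs record the
    # result the policy would have produced. Switch to "enabled" afterwards.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{
            includeRoles = $roleIds
            excludeUsers = @($breakGlassId)
        }
        applications = @{
            includeApplications = @("All")      # All cloud apps
        }
        locations    = @{
            includeLocations = @("All")         # Any location
            excludeLocations = @("AllTrusted")  # MFA trusted IPs + trusted named locations
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")              # Require multi-factor authentication
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state $($created.State)"

# Check before enforcing: read the policy back and confirm the break-glass
# account really is excluded, so the policy cannot lock you out of the portal.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
if ($check.Conditions.Users.ExcludeUsers -notcontains $breakGlassId) {
    throw "Break-glass account is not excluded; do not enable this policy."
}

# Once the report-only results in the sign-in logs look right, enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

Leaving the policy in report-only for a few days and reviewing the sign-in logs is the scripted equivalent of the "don't lock yourself out" note above: you see every admin sign-in the policy would have interrupted, including service accounts in scripts, before flipping the state to enabled.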
Sixth, the end-user experience:
The next time a user with an admin role tries to log in to Azure AD, the user will be met with this message:
Additional security verification is needed to enroll in Azure MFA; an SMS or a phone call is needed to verify the user.
The end user needs to pick up the phone and press # to verify.
After the enrollment into MFA you will get this message at the next login to Azure AD:
To conclude: Conditional Access is easy to deploy, and there are many different ways to secure your identities and corporate data. If you have Azure AD P1 licenses there is no excuse not to get started, at least for the admin users, and if you do nothing Microsoft will enable Conditional Access for the most privileged roles in Azure AD anyway.
There are many more options for Conditional Access, and I will try to describe use cases that I have implemented at customers in the next blog posts:
How to get started with Conditional Access – Enable MFA on O365 web access
How to get started with Conditional Access – Disable legacy authentication
Nice article Per! You might emphasize more that for both baseline and MFA policies you should always exclude the emergency access accounts, as recommended here: https://docs.microsoft.com/en-us/azure/active-directory/admin-roles-best-practices
Is it possible to use Conditional Access to restrict access on local networks instead of a NAC solution? Somehow get a basic set of conditions: domain/hybrid joined, updated, patched, Defender security status green, either with some PKI or not? Or maybe in the future?
Hello, great write-up. I am trying to set up conditional access for certain web apps including the office.com portal, but so far I can only get the office portal to trigger if I choose all web apps. This option will not work for us, so I need to determine what specific cloud app is tied to office.com. I have tried Exchange, SharePoint and just about every Microsoft-named cloud app. Any insight would be greatly appreciated!