I started this blog post series with “How to get started with Conditional Access” and will continue with some use cases. These use cases can be combined or implemented stand-alone; it all depends on what you and your organisation want to accomplish.

In this use case we add an extra layer of security on top of Azure Active Directory by setting up a couple of Conditional Access rules that block access or require MFA based on the user's risk level. This is a recommendation I make when I do EMS projects at customers, and it is an easy way to stop the bad guys from accessing your corporate data.
The feature comes from Azure AD Identity Protection and is combined with Conditional Access.

The layout is to block a user at high risk when:

  • Accessing all services integrated with Azure AD
  • From Mobile apps and desktop clients
  • Inside or Outside of the corporate network
  • On any devices

The layout is to require MFA from a user at medium risk when:

  • Accessing all services integrated with Azure AD
  • From Mobile apps and desktop clients
  • Inside or Outside of the corporate network
  • On any devices

Note: User-risk-based Conditional Access requires Azure AD Premium P2.


Start the Azure Active Directory admin center

  1. Click Azure Active Directory
  2. Click Conditional Access

[Screenshot: CA - Block User risk - 01.png]

  1. Click New policy

[Screenshot: CA - Block User risk - 02.png]

  1. Enter a name that makes sense to you, e.g. “CA – Block All High Risk Users”
  2. Select Assignments
  3. Select All users

It is recommended to check whether you have users at high risk before enabling this Conditional Access rule; otherwise those users will be blocked at their next login.

[Screenshot: CA - Block User risk - 04.png]

  1. Select Cloud apps
  2. Select Selected apps
  3. Select All cloud apps

Important: Don’t lock yourself out! Read and understand what you are doing so you don’t lock yourself out of the Azure Management Portal.

[Screenshot: CA - Block User risk - 05.png]

  1. Select Conditions
  2. Select Sign-in risk
  3. Set Configure to Yes
  4. Select high

Note: If you don’t see the Sign-in risk section, your tenant doesn’t have the Azure AD Premium P2 features.

[Screenshot: CA - Block User risk - 07.png]

  1. Select Access controls
  2. Select “Block Access”

[Screenshot: CA - Block User risk - 08.png]

The Conditional Access rule is now created, but it only takes effect once you set Enable policy to On.


  1. Click New policy

[Screenshot: CA - Block User risk - 02.png]

  1. Enter a name that makes sense to you, e.g. “CA – MFA All Medium Risk Users”
  2. Select Assignments
  3. Select All users

It is recommended to check whether you have users at high risk before enabling this Conditional Access rule; otherwise those users will be blocked at their next login.

[Screenshot: CA - Block User risk - 10.png]

  1. Select Cloud apps
  2. Select Selected apps
  3. Select All cloud apps

Important: Don’t lock yourself out! Read and understand what you are doing so you don’t lock yourself out of the Azure Management Portal.

[Screenshot: CA - Block User risk - 11.png]

  1. Select Conditions
  2. Select Sign-in risk
  3. Set Configure to Yes
  4. Select high

Note: If you don’t see the Sign-in risk section, your tenant doesn’t have the Azure AD Premium P2 features.

[Screenshot: CA - Block User risk - 12.png]

Note: Normally I create a require-MFA rule only for end users outside the internal network, but in this case an end user who is at risk will be prompted for MFA both inside and outside the network.

  1. Select Access controls
  2. Select “Require multi-factor authentication”

[Screenshot: CA - Block User risk - 13.png]

The Conditional Access rule is now created, but it only takes effect once you set Enable policy to On.


Now let's look at the sign-in logs from Azure AD to see how many users are at risk.

Start the Azure Active Directory admin center https://aad.portal.azure.com

Click on Azure AD Identity Protection

[Screenshot: Azure Identity Protection log - 01.png]

You then get the overview, with a graph of the users at risk in your tenant.

[Screenshot: Azure Identity Protection log - 02.png]
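The same two policies and the "check who is at risk first" step can be scripted with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original post: it assumes the Microsoft.Graph modules are installed, creates both policies in report-only state so nothing is enforced until you flip them to enabled, and uses a placeholder `$breakGlassId` for an emergency-access account you should exclude so you don't lock yourself out. It follows the post's steps in using the Sign-in risk condition (`signInRiskLevels`); a user-risk variant would set `userRiskLevels` instead.

```powershell
# Added example, not part of the original post. Requires the Microsoft.Graph
# PowerShell SDK and Azure AD Premium P2 (for the risk conditions).
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "IdentityRiskyUser.Read.All"

# Placeholder: object ID of your emergency-access ("break glass") account.
# Excluding it keeps the Azure portal reachable if the policy misfires.
$breakGlassId = "00000000-0000-0000-0000-000000000000"

function New-RiskPolicyBody {
    param(
        [string]$DisplayName,
        [string[]]$SignInRiskLevels,   # e.g. @("high") or @("medium")
        [string[]]$Controls            # "block" or "mfa"
    )
    return @{
        displayName   = $DisplayName
        # Report-only: evaluated and logged in the sign-in logs, not enforced.
        # Switch to "enabled" only after reviewing who would be affected.
        state         = "enabledForReportingButNotEnforced"
        conditions    = @{
            signInRiskLevels = $SignInRiskLevels
            clientAppTypes   = @("all")   # browser, mobile apps and desktop clients
            applications     = @{ includeApplications = @("All") }
            users            = @{
                includeUsers = @("All")
                excludeUsers = @($breakGlassId)
            }
        }
        grantControls = @{ operator = "OR"; builtInControls = $Controls }
    }
}

# Pre-check from the post: list users currently flagged at risk, because they
# are the ones who will be blocked or prompted as soon as the policies are enabled.
Get-MgRiskyUser -Filter "riskState eq 'atRisk'" |
    Select-Object UserPrincipalName, RiskLevel, RiskLastUpdatedDateTime |
    Format-Table -AutoSize

$block = New-RiskPolicyBody -DisplayName "CA - Block All High Risk Users" `
    -SignInRiskLevels @("high") -Controls @("block")
$mfa = New-RiskPolicyBody -DisplayName "CA - MFA All Medium Risk Users" `
    -SignInRiskLevels @("medium") -Controls @("mfa")

New-MgIdentityConditionalAccessPolicy -BodyParameter $block
New-MgIdentityConditionalAccessPolicy -BodyParameter $mfa
```

Once the report-only results in the sign-in logs look as expected, set `state` to `enabled` on each policy (or flip Enable policy to On in the portal).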



Read more:

What is Azure Active Directory Identity Protection?