Azure AD Conditional Access Policies Explained

Microsoft Azure is Microsoft’s primary cloud offering. The Microsoft cloud lives within Microsoft Azure, a set of highly redundant data centers located all over the world that provide the storage, power, cooling, and other infrastructure needed to host cloud servers. Azure therefore delivers "X as a service" solutions: software as a service, platform as a service, infrastructure as a service, and directory as a service. Essentially, everything is a service. A platform-as-a-service (PaaS) solution is a platform that the provider runs and maintains, on which you build and manage your own solutions. Infrastructure as a Service (IaaS) lets you build a network on top of the provider’s underlying infrastructure, for example virtual machines and virtual networks. Software as a Service (SaaS) is software fully managed by a provider that you simply plug into.

Azure AD, now Microsoft Entra ID, is an identity provider that authenticates security principals. A security principal is the identity that is authenticated against an identity provider, in this case Microsoft Entra ID.

What are Active Directory and Azure Active Directory?

We use the term Active Directory to refer to Active Directory Domain Services most of the time, and this role does three main things in Windows Server: it manages users and groups, manages computers, and supports directory-aware applications. Apart from that, there are other Active Directory roles as well: Active Directory Federation Services, Certificate Services, Lightweight Directory Services, and Rights Management Services. So, the point is that Active Directory is not a single service but a collection of multiple services designed to perform different tasks.

Azure Active Directory follows a similar structure. It also facilitates the management of users, groups, computers, and applications, and it is not a single service either. It is an umbrella of multiple services, each of which serves a specific function.

Azure AD and Windows Server complement each other well. You can use the Azure AD Connect tool to integrate your on-premises Windows Server Active Directory with Azure AD for a hybrid identity infrastructure.

What are Azure Active Directory (AAD) Conditional Access policies?

Conditional access allows for more precise control over which people may perform particular tasks, which resources they can access, and how to protect systems and data.

Microsoft Entra Conditional Access (CA) uses signals, including device, location, and user, to automate decisions and enforce resource access controls for organizations. CA policies can be used to enforce MFA and other access constraints. CA policies let you prompt a user for multi-factor authentication (MFA) when the signals warrant it and skip the prompt when they do not. With CA, you can define rules that meet your own requirements and go beyond the security defaults.

Some Common Policies

Plan your CA deployment by deciding which of the following outcomes require a policy in your environment.

  • Make MFA mandatory – Typical scenarios involve requiring MFA for administrators, particular apps, all users, or network locations you don’t trust.
  • Respond to possibly compromised accounts – Three default policies can be enabled: mandate MFA registration for all users, ask high-risk users to reset their passwords, and mandate MFA for users whose sign-in risk is medium or higher.
  • Managed devices are necessary – Your users’ productivity will increase as more devices become compatible with your cloud resources. At the same time, you will likely want to prevent devices with insufficient security from accessing specific resources in your environment. Configure the policy so that users can only access those resources from a managed device.
  • Use of authorized client applications is required – Employees use their mobile devices for work-related as well as personal use. In Bring Your Own Device (BYOD) settings, you have to decide whether to control the device itself or just the data on it. If you are only in charge of the data and access, you may need to require approved client apps to protect your firm’s data.
  • Block access – This option prevents any member of your organization from signing in to your tenant and overrides any other assignments for that person. It can be used, for instance, if you are onboarding an application to Microsoft Entra ID but aren’t yet ready for users to sign in. Additionally, you can prevent apps that use legacy authentication from accessing your tenant resources, or prevent specific network locations from accessing your cloud apps.

What are the advantages that Conditional Access policies offer?

Deploying CA has the following benefits:

  • Boost productivity – Users are only interrupted with a sign-in requirement such as MFA when one or more signals indicate that it is necessary. Through CA policies you control when users must use a trusted device, when access is denied, and when they are prompted for MFA.
  • Handle risk – By combining policy conditions with automated risk assessment, suspicious sign-ins are detected, addressed, and/or prevented immediately. When you combine Conditional Access with Identity Protection, which looks for anomalies and suspicious activity, you can also track the cases in which access to resources was gated or blocked.
  • Governance and compliance – With CA, you can require consent to terms of use, audit application access, and restrict access in accordance with compliance regulations.
  • Manage cost – By moving access policies to Microsoft Entra ID, CA can reduce reliance on on-premises or proprietary solutions, which saves infrastructure expenses.
  • Zero trust – Conditional Access facilitates the transition to a zero-trust environment.

How to set up a Conditional Access policy?

In the Azure portal, open your Active Directory tenant and select Conditional Access from the Security settings. The steps are as follows:

  • As a Global Administrator, Security Administrator, or Conditional Access Administrator, log in to the Microsoft Entra admin center.
  • Navigate to Identity > Protection > Conditional Access.

Inside the Microsoft Entra admin center: tenant > Identity > Protection > Conditional Access.
  • To create a policy, select New policy under the Conditional Access settings.
  • Give your policy a name. We advise organizations to adopt a meaningful naming standard for their policies.
  • Under Assignments, select Users and groups.
  • Click Include and choose All users.

As soon as you click New policy in the previous step, you land on this page to configure the policy.

  • Under Exclude, select Users and groups.

  • Under Cloud apps or actions, choose Include and then All cloud apps.

Select Cloud apps > Include > All cloud apps.

  • Next, select Locations under Conditions.
  • Set Configure to Yes.
  • Click Include and choose Any location.

Under Conditions > Locations > Include > Any location.

  • Under Exclude, select Selected locations (choose the location you want to block access from).

Under Conditions > Locations > Exclude > Selected locations.

  • Under Access controls, choose Block access, then click Select.
  • Confirm your configuration and set Enable policy to On. Select Create to create the Conditional Access policy.

Under Access controls (Grant) > choose Block access > click the Create button at the end. Tip: make sure Enable policy is turned on.

  • You have now created a Conditional Access policy that blocks access from a location (remember, it’s one of the common policies discussed above!).

Azure AD Conditional Access Policies – FAQs

What is Microsoft Entra?

Microsoft Entra is actually a suite of products. Microsoft Entra ID is what Azure AD used to be, and it is a pure directory service. It is the repository for all of your security principals, that is, your accounts. It provides identity management and is what you use to authenticate your entire user population, internal and external: the employees of your organization and also guests, external people you collaborate with. That authentication is what grants them authorization to access the various resources you choose to give them access to. There are different flavors when we talk about Active Directory and Entra ID. If you run an identity management solution on premises on your own network, you have Active Directory, not Azure Active Directory; the name of the on-premises product is Active Directory Domain Services. The servers that manage that directory are called domain controllers, and you control everything related to your user accounts on them.

Are Entra ID and Azure Active Directory the same?

Active Directory is the directory service introduced in Windows Server to manage users and groups and to provide access to resources. When Microsoft launched Azure as a cloud service, Azure AD soon became the mechanism for providing access and managing identities within a Microsoft cloud environment. In 2023, Microsoft started renaming Microsoft Azure AD to Microsoft Entra, which is a suite of products.

Are CA policies if-then statements?

Indeed, CA policies are if-then statements: if an assignment is satisfied, then apply these access controls. When an administrator configures a CA policy, the conditions are referred to as assignments. CA policies let you enforce access controls on the apps your organization uses based on specific assignments.

Assignments specify which individuals and groups will be impacted by the policy, which cloud applications or actions it will apply to, and the scenarios in which it will do so. Access control settings allow you to restrict access to some cloud apps and to give or deny access to others.
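The block-by-location policy built in the steps above, and the if-then reading of assignments and access controls from this FAQ, as an added Python model that is not part of the original article and not Microsoft’s code: the policy dict mirrors the Microsoft Graph conditionalAccessPolicy shape, and the evaluator applies it to constructed sign-ins. Note that with Include set to Any location and Exclude set to a named location, the block applies everywhere except that excluded location, so the excluded location is the one that keeps access. The location and group ids, the user names and the evaluator logic are assumptions made for illustration.

```python
# Constructed model of a CA policy as an if-then rule (not Microsoft code).
# The dict mirrors the Microsoft Graph conditionalAccessPolicy shape; ids such
# as "loc-hq" and "grp-breakglass" are placeholders, not real tenant values.
BLOCK_OUTSIDE_HQ = {
    "displayName": "Block access outside HQ (constructed example)",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeGroups": ["grp-breakglass"]},
        "applications": {"includeApplications": ["All"]},
        "locations": {"includeLocations": ["All"], "excludeLocations": ["loc-hq"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

def _in_scope(include, exclude, value):
    """Assignment semantics: included (or 'All') and not explicitly excluded."""
    return ("All" in include or value in include) and value not in exclude

def evaluate(policy, signin):
    """Decide one sign-in ('allow', 'block' or 'mfa') from the assignments (IF)
    and the access controls (THEN). signin keys: user, groups, app, location."""
    if policy["state"] != "enabled":
        return "allow"
    c = policy["conditions"]
    users, apps, locs = c["users"], c["applications"], c["locations"]
    user_ok = _in_scope(users.get("includeUsers", []),
                        users.get("excludeUsers", []), signin["user"])
    group_excluded = bool(signin["groups"] & set(users.get("excludeGroups", [])))
    app_ok = _in_scope(apps.get("includeApplications", []),
                       apps.get("excludeApplications", []), signin["app"])
    loc_ok = _in_scope(locs.get("includeLocations", []),
                       locs.get("excludeLocations", []), signin["location"])
    if not (user_ok and not group_excluded and app_ok and loc_ok):
        return "allow"  # out of scope for this policy; other policies may still apply
    controls = policy["grantControls"]["builtInControls"]
    if "block" in controls:
        return "block"  # block takes precedence over every grant control
    return "mfa" if "mfa" in controls else "allow"

# Constructed sign-in signals; the excluded location is the one that keeps access.
SIGNINS = {
    "alice_from_hq": {"user": "alice", "groups": set(), "app": "O365", "location": "loc-hq"},
    "alice_remote": {"user": "alice", "groups": set(), "app": "O365", "location": "loc-x"},
    "breakglass_remote": {"user": "bg1", "groups": {"grp-breakglass"}, "app": "O365", "location": "loc-x"},
}

def decisions(policy=BLOCK_OUTSIDE_HQ):
    """Evaluate every sample sign-in against the policy."""
    return {name: evaluate(policy, s) for name, s in SIGNINS.items()}
```

Swapping the grant control from "block" to "mfa" turns the same assignments into a location-based MFA prompt, which is the other common policy shape described earlier on this page.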
