What are Azure Active Directory (AAD) Conditional Access policies?

Conditional access allows for more precise control over which people may perform particular tasks, which resources they can access, and how to protect systems and data.

Microsoft Entra Conditional Access (CA) combines signals such as device, location, and user identity to automate access decisions and enforce access controls on an organization's resources. CA policies can require MFA and other access constraints: they prompt a user for multi-factor authentication (MFA) when security calls for it and let the sign-in through without a prompt when it does not. With CA, you can create rules that fit your own requirements and adjust the built-in security defaults.

Some Common Policies

Plan your CA policy deployment by deciding which of the following outcomes require a policy.

  • Make MFA mandatory – Typical scenarios involve requiring MFA for administrators, particular apps, all users, or network locations you don't trust.
  • Respond to possibly compromised accounts – Three default policies can be enabled: require MFA registration for all users, require high-risk users to reset their passwords, and require MFA for users whose sign-in risk is medium or higher.
  • Require managed devices – Your users' productivity increases as more devices can reach your cloud resources, but you will probably want to keep devices with insufficient security from accessing specific resources in your environment. Configure those resources so that users can only reach them from a managed device.
  • Require approved client applications – Employees use their mobile devices for work-related as well as personal use. In Bring Your Own Device (BYOD) settings, you have to decide whether to control the device itself or just the data on it. If you are only in charge of data and access, you may need to require approved cloud apps to protect your firm's data.
  • Block access – This feature prevents any member of your organization from signing in to your tenant and overrides any other assignments for that person. It can be used, for instance, when you are onboarding an application to Microsoft Entra ID but are not yet ready for users to sign in. You can also block apps that use legacy authentication from accessing your tenant resources, or block specific network locations from accessing your cloud apps.
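To make the signal-to-decision logic behind these policies concrete, here is an added Python model written for this article; it is not Microsoft's evaluation engine or any Microsoft API. The policy dictionaries only loosely mirror the shape of the Graph API conditionalAccessPolicy resource, all user names, locations, apps and the break-glass account are constructed, and whether the user then satisfies a required control (completes MFA, presents a compliant device) is not modeled.

```python
from dataclasses import dataclass, field
RISK_LEVELS = ["none", "low", "medium", "high"]   # Identity Protection sign-in risk

@dataclass
class SignIn:                    # the signals a policy can act on
    user: str
    roles: set = field(default_factory=set)
    app: str = "Office 365"
    client_app: str = "browser"  # "browser", "modern" or "legacy" (basic auth)
    location: str = "untrusted"  # a trusted named location such as "corp-hq"
    sign_in_risk: str = "none"

def matches(policy, s):
    """True when every condition the policy states applies to this sign-in."""
    c = policy["conditions"]
    in_scope = (c.get("users") == "All" or s.user in c.get("users", [])
                or bool(s.roles & set(c.get("roles", []))))
    return (in_scope and s.user not in c.get("exclude_users", [])
            and (c.get("apps", "All") == "All" or s.app in c["apps"])
            and ("client_apps" not in c or s.client_app in c["client_apps"])
            and s.location not in c.get("exclude_locations", [])
            and RISK_LEVELS.index(s.sign_in_risk)
            >= RISK_LEVELS.index(c.get("min_risk", "none")))

def evaluate(policies, s):
    """Any enforced block policy wins; otherwise the user must satisfy the union
    of the matching grant controls. Report-only policies are recorded, not enforced."""
    blocked, required, report_only = False, set(), []
    for p in [q for q in policies if matches(q, s)]:
        if p.get("state") == "report_only":   # roll out new policies here first
            report_only.append(p["name"])
        elif p["grant"] == "block":
            blocked = True
        else:
            required |= set(p["grant"])
    decision = "block" if blocked else ("require" if required else "grant")
    return decision, (set() if blocked else required), report_only

POLICIES = [  # constructed examples of the common policies described above
    {"name": "MFA for admins", "grant": ["mfa"],
     "conditions": {"roles": ["Global Administrator"]}},
    {"name": "MFA outside trusted locations", "grant": ["mfa"], "conditions":
     {"users": "All", "exclude_users": ["breakglass"], "exclude_locations": ["corp-hq"]}},
    {"name": "Block legacy authentication", "grant": "block",
     "conditions": {"users": "All", "client_apps": ["legacy"]}},
    {"name": "Compliant device for HR app", "grant": ["compliantDevice"],
     "state": "report_only", "conditions": {"users": "All", "apps": ["HR portal"]}},
    {"name": "MFA for risky sign-ins", "grant": ["mfa"],
     "conditions": {"users": "All", "min_risk": "medium"}},
]
```

The constructed break-glass exclusion and the report-only state are the two rollout habits that keep a new policy from locking administrators out.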

Azure AD Conditional Access Policies Explained

Microsoft Azure is Microsoft's primary cloud offering: a set of highly redundant data centers around the world that provide the storage, power, cooling, and other infrastructure needed to host cloud servers. Azure delivers "X as a service", meaning everything is offered as a service: software as a service, platform as a service, infrastructure as a service, and directory as a service. A platform-as-a-service solution is a platform managed by the provider on which you build and manage your own solutions. Infrastructure as a service lets you build a network on top of the provider's underlying infrastructure, for example virtual machines and virtual networks. Software as a service is software fully managed by the provider that you simply plug into.

Azure AD, now Microsoft Entra ID, is an identity provider that authenticates security principals. A security principal is the identity that authenticates to an identity provider, in this case Microsoft Entra ID.
