Explaining Conditional Access
Conditional Access is a feature within Azure AD Premium P1 and P2 (and is also now part of Microsoft 365 Business). It is designed to balance security and productivity in modern workplace environments, where employees increasingly expect to work on company documents and data from anywhere and on any device. Conditional Access enables Microsoft 365 administrators to control requests from devices and apps when they attempt to access company resources.
This is achieved with granular access control policies that define conditions and apply them to determine whether access is granted or denied. Examples of the signals on which these conditions can be evaluated are the following:
- Location
- Device type
- Device state
- User state
- Application sensitivity
So, how does this work? Well, the most basic description of a Conditional Access policy is when this happens > then do this. This is essentially an action and a consequence and is shown in the following table:
This combination of the condition with the access control is what makes up the Conditional Access policy. The access control result is either a step that must be completed by the requesting party in order to gain access, or it can be a restriction that is applied after sign-in that determines what they can or cannot do.
Conditional Access policies can be configured by Microsoft 365 administrators from the Azure portal by going to https://portal.azure.com, selecting Azure Active Directory, and then navigating to the Security section and Conditional Access:
This takes you to the following page:
As we learned in Chapter 1, Planning for Hybrid Identity, some legacy baseline policies are still available. However, these policies will be deprecated by Microsoft in the near future and should not be used. The recommended practice is to define your own policies to meet your organizational needs. Let's look at configuring a simple Conditional Access policy and applying it to a user.
Creating a simple Conditional Access policy
In the following example, we will create a Conditional Access policy to trigger the following conditions and results:
To create the policy, we need to go to the Azure portal and select Conditional Access | Policies | New Policy:
- You will see the following screen. Enter a name for your policy. In this example, we will call it Enforce MFA for James Smith when accessing Exchange Online:
- Under Users and Groups, choose Select users and groups and we can select our targeted users or groups (in this case, James Smith):
- Next, under Access Controls, select Grant Access and choose Require multi-factor authentication.
- Click Select, and then set Enable policy to On and click Create:
- The policy is created, as shown in the following screenshot, and the result is that James Smith will be required to complete an MFA authentication whenever he logs in to Exchange Online (regardless of his location):
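The same policy, expressed as code rather than clicked through the portal, shows the condition-plus-control structure described above. The following is an added example using the Microsoft Graph PowerShell SDK; it is not from the book. It assumes the Microsoft.Graph module is installed, that the signed-in administrator can consent to the listed scopes, and that the user principal name and tenant-specific display names are placeholders you replace. It also creates the policy in report-only state first so that its sign-in impact can be reviewed before it is switched to enabled, which differs from the walkthrough, where Enable policy is set to On immediately.

```powershell
# Added example (not the book's own code): create the "Enforce MFA for James Smith
# when accessing Exchange Online" Conditional Access policy via Microsoft Graph.
# Assumptions: Microsoft.Graph module installed; admin can grant the scopes below;
# $userUpn is a placeholder for the real user's UPN.

Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Applications

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "User.Read.All", "Application.Read.All"

# Resolve the targeted user to an object ID (Conditional Access references users by ID, not UPN)
$userUpn = "james.smith@contoso.example"   # placeholder, replace with the target user
$user = Get-MgUser -Filter "userPrincipalName eq '$userUpn'" -Property Id, DisplayName
if (-not $user) { throw "User $userUpn was not found in the tenant" }

# Resolve Exchange Online through its service principal rather than hard-coding an app ID,
# so the value comes from the tenant itself (display name assumed to be the standard one)
$exo = Get-MgServicePrincipal -Filter "displayName eq 'Office 365 Exchange Online'" -Property AppId, DisplayName
if (-not $exo) { throw "Exchange Online service principal was not found in the tenant" }

# Condition (who + which app) and access control (require MFA), with no location condition,
# so the control applies regardless of where the user signs in from
$policy = @{
    displayName   = "Enforce MFA for James Smith when accessing Exchange Online"
    # Report-only: sign-ins are evaluated and logged but not blocked or challenged.
    # Change to "enabled" once the sign-in logs confirm only the intended user is affected.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @($user.Id) }
        applications = @{ includeApplications = @($exo.AppId) }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back to confirm the stored assignments match what was intended
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
$check | Format-List Id, DisplayName, State
$check.Conditions.Users.IncludeUsers
$check.Conditions.Applications.IncludeApplications
$check.GrantControls.BuiltInControls
```

Reading the policy back after creation is the equivalent of the final screenshot in the walkthrough: it confirms that the user, application and grant control were stored as intended before the state is changed from report-only to enabled.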
Important note
Should you wish to explore the complete range of assignments and access controls, please refer to the References section at the end of this chapter.
So, now you understand the basic principles of Conditional Access in Azure AD. Next, we will examine how Intune can take the capabilities of Conditional Access even further.