Step 4. Set conditional access policies: top 10 actions to secure your environment

By Debbie Seres, Senior Product Marketing Manager, Microsoft 365 Security Product Marketing

January 30, 2019

Microsoft Entra ID

The “Top 10 actions to secure your environment” series outlines fundamental steps you can take with your investment in Microsoft 365 security solutions. In “Step 4. Set conditional access policies,” you’ll learn how to control access to your apps and corporate resources using conditional access policies, and how these policies can block legacy authentication methods and control access to SaaS apps.

In today’s workplace, users can work from anywhere, on any device. Whether using a company-provided laptop at the office, working from home, traveling for business, or using a personal mobile phone, employees expect to seamlessly access what they need to get work done. While the need for productivity may not change with circumstances, the level of risk of each sign-in does. Not all devices, apps, or networks are equally secure, and hackers will exploit any vulnerability that will give them access to your users and resources. It is critical to safeguard your identities, but it is not enough. You also need flexible security policies that are responsive to conditions.

Set up Azure Active Directory (Azure AD) conditional access policies

Azure AD conditional access lets you apply security policies that are triggered automatically when certain conditions are met. You can block access if the data suggests the user has been compromised or if it’s highly unlikely that the user would sign in under those conditions. You can enforce additional authentication requirements when the system detects a medium risk based on the sign-in conditions (see “Sign-in risk” below).

We recommend that you apply polices that are appropriate for your organization for the following conditions:

Users and user groups: To reduce the risk that sensitive data is leaked, define which users or user groups can access which applications or resources, paying careful attention to sources of highly sensitive information such as human resources or financial data.
Sign-in risk: Azure AD machine learning algorithms evaluate every sign-in and give it a risk score of low, medium, or high depending on how likely it is that someone other than the legitimate owner of the account is attempting to sign in. Anyone with a medium risk should be challenged with Multi-Factor Authentication (MFA) at sign-in. If the sign-in is a high risk, access should be blocked. This condition requires Azure AD Identity Protection, which you can read about in Step 3. Protect your identities.
Location: A location can be risky if it’s in a country with limited security policies or if the wireless network is unsecure or simply because it’s not a location where the organization typically does business. You can modify access requirements for sign-ins from locations that are not on an IP safe list or that are risky for other reasons. Users accessing a service when they’re off the corporate network should be required to use MFA.
Device platform: For this condition, define a policy for each device platform that either blocks access, requires compliance with Microsoft Intune policies, or requires the device be domain joined.
Device state: Use this condition to define policies for unmanaged devices.
Client apps: Users can access many cloud apps using different app types such as web-based apps, mobile apps, or desktop apps. You can apply security policies if an access attempt is performed using a client app type that causes known issues, or you can require that only managed devices access certain app types.
Cloud apps: This condition specifies unique policies for sensitive apps. For example, you can require that HR apps like Workday are blocked if Azure AD detects a risky sign-in or if a user tries to access it with an unmanaged device.

When a condition is met, you can choose what policy Azure AD will enforce:

Require MFA to prove identity.
Change the actions the user can take in cloud apps.
Restrict access to sensitive data (for example: limit downloads or sharing functionality).
Require a password reset.
Block access.

Once set, these policies will apply automatically without any manual intervention (Figure 1).

Figure 1. Azure AD automatically applies the policies you set based on conditions.

Block legacy authentication and control access to highly privileged accounts

Old apps that use a legacy authentication method, such as POP3, IMAP4, or SMTP clients, can increase your risk because they prevent Azure AD from doing an advanced security assessment and don’t allow more modern forms of authentication, such as MFA. We recommend you use client application conditional access rules (Figure 2) to block these apps entirely.

Apply conditional access rules to block client apps using legacy authentication methods.

Figure 2. Apply conditional access rules to block client apps using legacy authentication methods.

You can also use conditional access rules to reduce the risk that highly privileged accounts or service accounts are compromised. For example, if your HR system uses a service account to access the email account, you can make sure it can only run against the service from a specific IP at the appropriate time of day.

Enhance conditional access with Intune and Microsoft Cloud App Security

Azure AD integrates with Intune, so that conditional access policies can consider the Intune device state as part of the policy, letting you set access controls for devices that have old operating systems or other security vulnerabilities. You can also use conditional access in Intune to make sure that only apps managed by Intune can access corporate email or other Office 365 services. Azure AD will enforce these rules.

Cloud App Security Conditional Access App Control extends conditional access to your SaaS apps. You can block downloads from apps, limit activities in the app, monitor risky users, or block access to the app entirely.

Once you have policies in place, we recommend that you use the Azure AD What If tool to simulate possible sign-in scenarios that your users may confront. The What If tool allows you to select a user, the app that user is trying to access, and the conditions of that sign-in to see which policies will apply. (Figure 3.) This step will give you a better sense of how your policies will impact your users. You can also check what policies do not apply to a specific scenario.

One final precaution: Be sure to set up an exception group for each conditional access policy, so you don’t lock yourself out.

The Azure AD What If tool gives you a better sense of how your policies will impact your users.

Figure 3. The Azure AD What If tool gives you a better sense of how your policies will impact your users.

Learn more

Check back in a few weeks for our next blog post, “Step 5. Set up mobile device management,” where we’ll dive into how to plan your Intune deployment and set up mobile device management as part of your Unified Endpoint Management strategy.

Get deployment help now

FastTrack for Microsoft 365 provides end-to-end guidance to set up your security products. FastTrack is a deployment and adoption service that comes at no charge with your subscription. Get started at FastTrack for Microsoft 365.

Resources