How to Build a Conditional Access Policy

In a recent blog post, we discussed how organizations can use Azure AD Conditional Access to secure their Microsoft 365 environment. To summarize, Conditional Access is a simple but powerful tool that simultaneously improves usability for end users while reducing risk in today’s “anywhere, anytime” world of work.

Simply put, this built-in technology allows administrators to create a series of “if-then” policies that will either grant or block users’ access to digital assets using identity-based controls. If you’re unfamiliar with Conditional Access, we recommend reading our first article and then coming back to this one. Here, we’re going to dive into the basics of setting up a Conditional Access policy and review common examples that may be useful to your business. 

Phases of Conditional Access Policies 

Conditional Access policies are enforced in the following two phases: 

  1. Collecting session details — When a policy is enabled, Conditional Access looks for policy-based controls like device type and network location for the related session. 
  2. Policy enforcement — Once the identity is determined, the system looks for any session details that haven’t met the criteria of the policy. If the policy is configured to block access based on this, enforcement kicks in. Otherwise, the user is prompted to satisfy the policy’s requirements before granting access, such as completing MFA, connecting through an approved device, etc. 

Setting Policy Assignments 

According to Microsoft, the assignments portion “controls the who, what and where” of the policy. Assignments include:

  • Users and user groups the policy will be applied to, which can include all users, specific groups, directory roles or external users. 
  • Cloud apps or actions that either include or exclude users based on the app they’re using or other user actions.
  • Sign-in risk based on the risk detection generated in Azure AD Identity Protection, if your organization uses it. 
  • Device platforms and operating systems if you wish to enforce specific policies based on device type. 
  • Locations based on originating IP, if you wish to block or grant access to users originating in certain geographic locations. 
  • Device state if you wish to grant access only to devices that are approved by Intune. 

Setting Access Controls 

Access controls are exactly what they sound like—the control you put in place based on the criteria of the policy. There are two types of access controls: 

Grant Access Controls

Here, administrators can choose to either block or grant access to a user based on the policy criteria. Block controls should be used strategically and thoughtfully, so as not to create unnecessary barriers and inefficiencies for staff performing their work. 

Grant controls can trigger enforcement requirements such as:

  • Multi-factor authentication
  • Device to be marked as compliant (Intune)
  • Hybrid Azure AD joined device
  • Approved client app
  • App protection policy
  • Password change
  • Terms of use

Session Access Controls 

Session controls limit what a user can do within a session after access has been granted. For example: 

  • App-enforced restrictions (within Exchange and SharePoint) 
  • Conditional Access App Control, which uses Microsoft Defender for Cloud Apps to block downloads, copy/paste of certain information and printing of sensitive documents
  • Control sign-in frequency for modern authentication 
  • Allow users to remain signed in after opening and closing their browser, and more. 

Examples of Common Conditional Access Policies 

If you’re just getting started with Conditional Access, Microsoft provides a library of basic policy templates that can serve as a jumping-off point for your organization. Keep in mind that these templates are standardized and should always be customized to your organization's unique needs. 

To find policy templates, simply navigate to Azure portal > Azure Active Directory > Security > Conditional Access > Create new policy from template.

Some of these common policy templates include:

  • Blocking access by location
  • Requiring multi-factor authentication for all users
  • Requiring compliant or Azure AD approved devices for login
  • Blocking access for unknown or unsupported device platforms
  • Using application enforced restrictions for unmanaged devices, and more… 

It’s important to note that these policy templates are created in report-only mode. We recommend you test and monitor the usage of each policy before fully turning them on. 
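To make the two evaluation phases, the assignment conditions, the grant controls and the report-only state concrete, here is an added Python model (not Microsoft's code and not the real Azure AD engine). The policy dictionary is laid out in the shape of the Microsoft Graph conditionalAccessPolicy resource (conditions.users, conditions.applications, conditions.locations, conditions.platforms, conditions.signInRiskLevels, grantControls, state); the directory data, trusted IP range and sign-in sessions are constructed sample values, and the evaluation logic is a deliberately simplified assumption about how those fields combine. The result names reuse the vocabulary of the Azure AD sign-in log (success, failure, notApplied, reportOnlyFailure and so on).

```python
from dataclasses import dataclass

# Constructed sample directory data (assumption, not real tenant data).
GROUP_MEMBERS = {"grp-break-glass": {"emergency-admin@contoso.example"}}
TRUSTED_IPS = {"203.0.113.10"}   # a constructed "trusted" named location


@dataclass(frozen=True)
class Session:
    """A sign-in attempt as Conditional Access would see it (constructed)."""
    user: str
    app: str
    ip: str
    platform: str = "windows"   # "windows", "iOS", "android", "unknown", ...
    risk: str = "none"          # sign-in risk level from Identity Protection
    mfa_done: bool = False      # did the user complete MFA in this session?
    compliant: bool = False     # is the device marked compliant by Intune?


def make_policy(state: str = "enabled") -> dict:
    """Policy in the shape of the Graph conditionalAccessPolicy resource:
    require MFA for all users on all apps outside trusted locations, with a
    break-glass group excluded. 'state' is 'enabled', 'disabled' or
    'enabledForReportingButNotEnforced' (report-only)."""
    return {
        "displayName": "Require MFA outside trusted locations",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": ["grp-break-glass"]},
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
            "platforms": {"includePlatforms": ["all"], "excludePlatforms": []},
            "signInRiskLevels": [],     # empty list = any risk level
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


# Phase 1: collect the session details that the policy conditions refer to.
def collect_session_details(s: Session) -> dict:
    return {
        "user": s.user,
        "groups": {g for g, members in GROUP_MEMBERS.items() if s.user in members},
        "app": s.app,
        "trusted": s.ip in TRUSTED_IPS,
        "platform": s.platform,
        "risk": s.risk,
    }


def _in_scope(include, exclude, value, wildcard) -> bool:
    """Include/exclude check; an exclusion always wins over an inclusion."""
    return value not in exclude and (wildcard in include or value in include)


def policy_applies(policy: dict, d: dict) -> bool:
    """Do the assignments (who, what, where) match this session?"""
    c = policy["conditions"]
    u, a, p = c["users"], c["applications"], c["platforms"]
    if d["groups"] & set(u.get("excludeGroups", [])):
        return False                    # excluded group, e.g. break-glass accounts
    if not _in_scope(u.get("includeUsers", []), u.get("excludeUsers", []), d["user"], "All"):
        return False
    if not _in_scope(a.get("includeApplications", []), a.get("excludeApplications", []), d["app"], "All"):
        return False
    if not _in_scope(p.get("includePlatforms", []), p.get("excludePlatforms", []), d["platform"], "all"):
        return False
    if d["trusted"] and "AllTrusted" in c["locations"].get("excludeLocations", []):
        return False
    if c["signInRiskLevels"] and d["risk"] not in c["signInRiskLevels"]:
        return False
    return True


# Phase 2: enforcement. Result names follow the Azure AD sign-in log vocabulary.
def evaluate(policy: dict, s: Session) -> dict:
    state = policy["state"]
    report_only = state == "enabledForReportingButNotEnforced"
    if state == "disabled":
        return {"result": "notEnabled", "granted": True, "required": []}
    if not policy_applies(policy, collect_session_details(s)):
        return {"result": "reportOnlyNotApplied" if report_only else "notApplied",
                "granted": True, "required": []}
    gc = policy["grantControls"]
    controls = gc["builtInControls"]
    if "block" in controls:
        satisfied, missing = False, ["block"]
    else:
        # Which grant controls has this session already met?
        met = {"mfa": s.mfa_done, "compliantDevice": s.compliant}
        checks = [met.get(ctl, False) for ctl in controls]
        satisfied = all(checks) if gc["operator"] == "AND" else any(checks)
        missing = [ctl for ctl, ok in zip(controls, checks) if not ok]
    if satisfied:
        return {"result": "reportOnlySuccess" if report_only else "success",
                "granted": True, "required": []}
    if report_only:
        # Only logged: the user is still let in, which is why you test in this mode first.
        return {"result": "reportOnlyFailure", "granted": True, "required": missing}
    # Enforced: 'block' denies outright; otherwise the user must satisfy the
    # listed control(s), e.g. complete MFA, before access is granted.
    return {"result": "failure", "granted": False, "required": missing}
```

Running `evaluate(make_policy(), Session("alice@contoso.example", "Office365", "198.51.100.7"))` yields a failure with `required == ["mfa"]`, i.e. the user is prompted for MFA; the same sign-in from the trusted IP, or from the excluded break-glass account, is `notApplied`, and with the policy in report-only state the unsatisfied control is recorded as `reportOnlyFailure` while access is still granted.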

Need Guidance? Let’s Get Started 

Now that you have a better understanding of what Conditional Access is and how to create a basic policy, it’s time to get strategic about your organization's data security requirements. At IX Solutions, we take the time to understand your business’ complex systems, workflows and security landscape before making strategic recommendations about Conditional Access. Ready to get started? 
