Today, Microsoft 365 is the backbone of many modern businesses. With a suite of productivity and collaboration tools all readily available in an affordable, easy-to-access package, it’s clear why over a million businesses worldwide use the software to run their day-to-day operations.
Microsoft 365 boasts many benefits ranging from the breadth of its capabilities to its built-in security features, easy administration, flexible payment models and beyond. But perhaps the most relatable benefit is that the cloud-based productivity suite enables employees to work wherever, whenever—as long as they have access to the internet.
The challenge: Data loss prevention in Microsoft 365
While the “anytime, anywhere” aspect is a major enabler in today’s world of work, it also carries security implications for businesses using the platform's out-of-the-box (or default) security settings. Because the technology can be accessed by employees from any location or device (regardless of whether they're approved by corporate IT), there are inherent risks related to data loss prevention.
These data loss risks include:
- Mail and documents can be downloaded and stored on external and personal devices
- Tools like OneDrive and SharePoint can be synced to employees' at-home PCs
- If MFA isn’t enabled (which it isn’t, by default), the platform can be accessed with just a username and password. If we learned anything from the recent Uber hack, it’s that MFA is a must!
While some organizations are willing to accept this risk, any CIO or senior security professional would argue that additional controls are needed to balance data loss prevention with ease of use for the end user.
The solution: Azure AD Conditional Access
Microsoft has tackled these challenges by extending the security perimeter beyond an organization’s network with user and device identity-driven signals. Conditional Access is at the heart of it all—compiling these identity-driven signals to enforce organizational policies.
At their core, Conditional Access policies are a series of if-then statements designed to empower your employees to work “anytime, anywhere” while also protecting the organization’s assets.
Common conditions used in Conditional Access
Let’s dive into some common use cases and signals Conditional Access uses to determine whether a user will be granted or denied access to an environment.
1) Membership in User Groups
Organizations can set up custom user groups that determine whether or not an individual has access to certain information. For example, an “Executives” user group might have access to more privileged data than the “Marketing” user group.
2) IP Ranges & Geographic Locations
Using IP ranges and geographic locations, organizations can restrict who gets access to information based on their physical location (from as wide as their originating country all the way down to the organization’s internal IP).
3) Cloud Apps
It’s possible to create different policies for different Microsoft 365 apps. For example, you might choose to have more limited access to SharePoint than you do to Outlook or Teams.
4) Device Types & Platforms
You can limit access to certain device types or platforms (like iOS, Windows or Android).
These are just a few of the common controls that can be applied to your Conditional Access policies. All of these factors are totally dependent on the nature of your business and should be discussed in-depth with your IT and leadership teams.
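To make the if-then model concrete, here is an added example (not from the original article and not Microsoft's code): a simplified Python model that evaluates a sign-in against policies using the four conditions above. Field names follow the Microsoft Graph conditionalAccessPolicy resource; the group, app and location names, the policies and the sign-in are constructed placeholders, and the evaluator assumes only these four conditions are in play.

```python
# Simplified model of Conditional Access evaluation (added example, not Microsoft's code).
# Group, app and location names are constructed placeholders (real policies use object IDs).

def _in_scope(include, exclude, values, wildcard="All"):
    """Match when a value is included (or the wildcard is) and no value is excluded."""
    values = set(values)
    if values & set(exclude):
        return False
    return wildcard in include or bool(values & set(include))

def applies(policy, signin):
    """The 'if' half: an enforced policy applies only when every configured condition matches."""
    if policy["state"] != "enabled":  # report-only and disabled policies enforce nothing
        return False
    c = policy["conditions"]
    users = c["users"]
    ok = _in_scope(users.get("includeUsers", []) + users.get("includeGroups", []),
                   users.get("excludeGroups", []), signin["groups"])
    ok = ok and _in_scope(c["applications"]["includeApplications"], [], [signin["app"]])
    if "locations" in c:  # a condition that is not configured matches any sign-in
        loc = c["locations"]
        ok = ok and _in_scope(loc["includeLocations"], loc.get("excludeLocations", []), [signin["location"]])
    if "platforms" in c:
        ok = ok and _in_scope(c["platforms"]["includePlatforms"], [], [signin["platform"]], "all")
    return ok

def decide(policies, signin):
    """The 'then' half: controls from all applicable policies combine, and block wins."""
    controls = set()
    for p in policies:
        if applies(p, signin):
            controls.update(p["grantControls"]["builtInControls"])
    if "block" in controls:
        return "block"
    return "grant, requires: " + ", ".join(sorted(controls)) if controls else "grant"

POLICIES = [  # constructed sample policies
    {"state": "enabled", "grantControls": {"builtInControls": ["mfa"]},
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]}}},
    {"state": "enabled", "grantControls": {"builtInControls": ["block"]},
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["SharePoint"]},
                    "locations": {"includeLocations": ["All"], "excludeLocations": ["HQ"]}}},
    {"state": "enabledForReportingButNotEnforced", "grantControls": {"builtInControls": ["compliantDevice"]},
     "conditions": {"users": {"includeGroups": ["Executives"]},
                    "applications": {"includeApplications": ["All"]},
                    "platforms": {"includePlatforms": ["android", "iOS"]}}},
]
print(decide(POLICIES, {"groups": ["Marketing"], "app": "SharePoint", "location": "Home", "platform": "windows"}))  # block
```

The third sample policy is in report-only state, so it contributes nothing to the decision until its state is changed to enabled; an empty policy list returns a plain grant, which corresponds to the default of password-only access described earlier.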
Is Conditional Access readily available to your organization?
The good news? Many organizations have Conditional Access readily available and included in their Microsoft 365 subscription. The not-so-good news? It’s entirely possible you aren’t using it yet! Let’s review the licensing requirements to see if you’re eligible.
Using Conditional Access requires Azure AD Premium P1 licenses or a Microsoft 365 Business Premium license. Risk-based policies require access to Identity Protection, which is a feature of Azure AD P2. If you’re unsure whether your licensing will enable you to implement Conditional Access and secure your organization, give our team a call.
Need guidance? We’re here to help
Not sure where to get started with Conditional Access? Stay tuned to our blog for more content on building Conditional Access policies. If you’re eager to get started today, give our team a call. We’re here to meet you wherever you are and provide sound strategic guidance that will help you better secure your assets and enable your users—starting today.