Common mistakes with Conditional Access
Ashok Babu Singu
Lead - Infrastructure Services | Windows Server Administration | Active Directory | Azure | Azure AD | Exchange Online | O365 | SCCM
A common mistake I see with conditional access is assuming that ticking every box in a condition is the same as selecting all devices or apps. On the surface it seems benign; however, imagine a case where the client app does not match any entry in the list. Perhaps I spoof a user agent (or use some automated tool that has a unique user agent); then the policy would not apply and I would walk straight past it. The same scenario applies to other sections of conditional access, such as Device Platforms.
If the intention is to evaluate all device platforms, then I think you should set Configure to "No" rather than tick "any device", because then you can be sure there is no gap (unless an exclusion has been set on the exclude tab). Likewise, if the goal is to exclude a device platform, then ticking "any device" and setting the exclusion on the exclude tab is a better option than only ticking the devices to include. Also, imagine the case where Microsoft adds another device platform, e.g. the Windows phone: an explicit include list would silently miss it.
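To see the gap concretely, here is an added Python model (not Microsoft's code and not from the original post) that evaluates a policy's client-app and device-platform conditions against sample sign-ins. The policy dicts use the Microsoft Graph conditionalAccessPolicy field names; the sign-in records and the "unknown"/"newPlatform" values are constructed stand-ins for anything that is not in a tick list.

```python
# Added illustration, not Microsoft's code: a simplified model of how the clientAppTypes and
# platforms conditions of a Conditional Access policy decide whether it applies to a sign-in.
# Policy dicts follow the Microsoft Graph conditionalAccessPolicy JSON shape; the sign-ins
# and the "unknown"/"newPlatform" values are constructed stand-ins for unlisted values.
def _client_app_matches(client_app_types, signin_client_app):
    """["all"] (or an unset condition) covers any client app, including unlisted ones."""
    if not client_app_types or "all" in client_app_types:
        return True
    return signin_client_app in client_app_types

def _platform_matches(platforms, signin_platform):
    """Condition not configured (null in Graph) means every platform is in scope."""
    if platforms is None:
        return True
    if signin_platform in platforms.get("excludePlatforms", []):
        return False
    include = platforms.get("includePlatforms", [])
    return "all" in include or signin_platform in include

def policy_applies(policy, signin):
    """True when both conditions match; a non-match is a gap the policy never evaluates."""
    cond = policy["conditions"]
    return (_client_app_matches(cond.get("clientAppTypes"), signin["clientApp"])
            and _platform_matches(cond.get("platforms"), signin["platform"]))

def uncovered(policy, signins):
    """Sign-ins that slip past the policy, so gaps can be spotted before rollout."""
    return [s for s in signins if not policy_applies(policy, s)]

# Every box ticked: only the listed values match, so anything else walks past the policy.
TICKED_ALL_BOXES = {"conditions": {
    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients", "exchangeActiveSync", "other"],
    "platforms": {"includePlatforms": ["android", "iOS", "windows", "macOS", "linux"],
                  "excludePlatforms": []}}}
# Client apps set to "all" and device platforms left unconfigured: no list to fall outside of.
NOT_CONFIGURED = {"conditions": {"clientAppTypes": ["all"], "platforms": None}}
# Include "all" platforms and carve out the exception on the exclude tab.
ALL_EXCEPT_LINUX = {"conditions": {"clientAppTypes": ["all"],
    "platforms": {"includePlatforms": ["all"], "excludePlatforms": ["linux"]}}}
SIGNINS = [  # constructed; "unknown"/"newPlatform" stand for values not in any tick list
    {"clientApp": "browser", "platform": "windows"},
    {"clientApp": "unknown", "platform": "windows"},
    {"clientApp": "browser", "platform": "newPlatform"},
    {"clientApp": "browser", "platform": "linux"},
]
if __name__ == "__main__":
    for name, policy in [("ticked all boxes", TICKED_ALL_BOXES), ("not configured", NOT_CONFIGURED),
                         ("all except linux", ALL_EXCEPT_LINUX)]:
        print(name, "-> uncovered:", uncovered(policy, SIGNINS))
```

Running it shows the ticked-all-boxes policy skipping both the unlisted client app and the new platform, while the unconfigured and include-all-with-exclusion variants leave only the deliberate exclusion uncovered.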
When it comes to conditional access, I think configuring more policies on a "less is more" basis (each one narrow and explicit about what it covers) is generally better for reducing gaps. I wonder if anyone feels differently about this, but the only real drawback I see is that non-applied policies can pad out logs where it may not really be necessary (such as AADNonInteractiveUserSignInLogs), which could lead to higher ingestion cost unless you are applying a data transformation.