Day 32: Azure Az-900: Azure Conditional Access

Securing access to organisational resources is more critical than ever. Microsoft Entra ID offers a robust tool called Conditional Access that helps IT administrators manage access based on identity signals. These signals include who the user is, where they are located, and the device they are using to request access. Let’s explore how Conditional Access works and why it’s essential for protecting your organisation’s assets while empowering users.

What is Conditional Access?

Conditional Access is a security feature in Microsoft Entra ID that controls access to resources by evaluating identity signals. The primary goal of Conditional Access is twofold:

  1. Empower users to be productive wherever and whenever they need.
  2. Protect the organisation’s assets by ensuring that only authorised users gain access to sensitive resources.

This tool provides a nuanced approach to multi-factor authentication (MFA), making the user experience more seamless and secure. For instance, a user working from a familiar location might not need to provide a second authentication factor, while a user signing in from an unexpected location might be prompted for additional verification.


Key Signals Used in Conditional Access

The diagram provided illustrates the various signals that Conditional Access considers when evaluating access requests:

  1. User or Group Membership: Policies can target specific users or groups, including administrative roles, providing fine-grained control over who can access certain resources.
  2. Named Location Information / IP Location Information: IP address ranges are used to permit or deny access based on geographical locations. This helps in ensuring that access is granted only from trusted locations.
  3. Device: Policies can be applied based on the platform or status of a user’s device, ensuring that only compliant devices are granted access.
  4. Application: Different Conditional Access policies can be triggered depending on the specific applications users are trying to access.
  5. Real-time Sign-in Risk Detection: Signals in Azure AD Identity Protection detect risky sign-ins. If risks are identified, policies can prompt actions such as requiring password resets, multi-factor authentication (MFA), or blocking access until further administrative review.
  6. Cloud Apps or Actions: Conditional Access can include or exclude specific cloud applications or user actions, tailoring access controls to suit organisational needs.
  7. User Risk: For customers with Identity Protection, user risk can be evaluated as part of a Conditional Access policy. This assesses the probability that a given identity or account has been compromised.

During the sign-in process, Conditional Access collects signals from the user, evaluates these signals, and makes an access decision. The decision can be:

  • Allow Access: If the signals are within expected parameters (e.g., user is in a known location).
  • Challenge for MFA: If the signals are unusual or indicate potential risk (e.g., user is signing in from an unexpected location).
  • Deny Access: If the risk is deemed too high (e.g., sign-in from a high-risk location).

The enforcement action, based on the decision, ensures that access is granted securely and appropriately.

Practical Applications of Conditional Access

Conditional Access can be utilised in various scenarios to enhance security:

Requiring MFA for High-Risk Access

For instance, requiring MFA for administrators or users signing in from outside the corporate network.

Restricting Access to Approved Applications

Limiting which email applications can connect to your email service, ensuring only secure and compliant apps are used.

Enforcing Access from Managed Devices

Allowing access only from devices that meet security and compliance standards, ensuring organisational data remains protected.

Blocking Access from Untrusted Sources

Preventing access from unknown or high-risk locations, thereby reducing the risk of unauthorised access.
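As an added illustration (not code from the original article, and not Microsoft's implementation or the Graph API policy schema), the following Python models the signal collection, decision and enforcement flow described above and encodes the four practical scenarios as policies. The signal fields, policy shape, user names and the rule that a block from any matching policy overrides an MFA grant are simplifying assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed, simplified model of Conditional Access evaluation (not Microsoft's code).
@dataclass(frozen=True)
class SignInSignals:
    user: str
    groups: frozenset           # group/role memberships of the signing-in user
    ip_trusted: bool            # IP falls inside a named (trusted) location
    device_compliant: bool      # device meets the organisation's compliance policy
    app: str                    # cloud app being requested
    sign_in_risk: str           # Identity Protection sign-in risk: none/low/medium/high
    user_risk: str              # Identity Protection user risk: none/low/medium/high

@dataclass(frozen=True)
class Policy:
    name: str
    applies_to: Callable[[SignInSignals], bool]   # condition over the collected signals
    control: str                                  # grant control: "mfa" or "block"

# The four practical scenarios from the article, expressed as policies.
POLICIES: List[Policy] = [
    Policy("Block high-risk sign-ins",
           lambda s: s.sign_in_risk == "high" or s.user_risk == "high", "block"),
    Policy("Require MFA for administrators", lambda s: "Global Administrator" in s.groups, "mfa"),
    Policy("Require MFA outside the corporate network", lambda s: not s.ip_trusted, "mfa"),
    Policy("Exchange Online only from compliant devices",
           lambda s: s.app == "Exchange Online" and not s.device_compliant, "block"),
]

def evaluate(signals: SignInSignals, policies: List[Policy] = POLICIES) -> Tuple[str, List[str]]:
    """Every matching policy applies; a block from any of them overrides an MFA grant."""
    matched = [p for p in policies if p.applies_to(signals)]
    if any(p.control == "block" for p in matched):
        return "block", [p.name for p in matched if p.control == "block"]
    if matched:
        return "mfa", [p.name for p in matched]
    return "allow", []

def signals(**overrides) -> SignInSignals:
    """Constructed baseline sign-in: ordinary user, trusted IP, compliant device, no risk."""
    base = dict(user="alice@contoso.example", groups=frozenset({"Sales"}), ip_trusted=True,
                device_compliant=True, app="Microsoft Teams", sign_in_risk="none", user_risk="none")
    base.update(overrides)
    return SignInSignals(**base)

if __name__ == "__main__":
    cases = [("baseline", signals()), ("home network", signals(ip_trusted=False)),
             ("admin role", signals(groups=frozenset({"Global Administrator"}))),
             ("risky sign-in", signals(sign_in_risk="high")),
             ("unmanaged phone", signals(app="Exchange Online", device_compliant=False))]
    for label, s in cases:
        print(f"{label:16} -> {evaluate(s)}")
```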

Benefits of Conditional Access

  • Enhanced Security: By evaluating multiple identity signals, Conditional Access significantly reduces the risk of unauthorised access.
  • User Productivity: Users can work securely from any location without unnecessary authentication barriers.
  • Granular Control: Administrators can create detailed access policies tailored to specific roles, applications, and devices, ensuring appropriate security measures are applied.

Implementing Conditional Access is a strategic step towards strengthening your organisation’s security posture while maintaining an efficient and user-friendly environment.
