
close
close
At this week’s Ignite conference, Microsoft announced the general availability of Microsoft Graph API support for Azure Active Directory (AD) Conditional Access. Conditional Access is Azure AD’s policy engine, which is used to set granular and adaptive access controls on applications that use Azure AD for identity management. Microsoft says that the new controls will protect users more comprehensively and at scale. In addition to the Microsoft Graph API, insights and recommendations for Conditional Access are now provided in the Azure AD advisor tool.
In a blog post by Corporate Vice President of Microsoft Identity, Joy Chik writes:
advertisment
Zero Trust principles are at the core of how we build and invest in identity. We never trust, and we always verify. Zero Trust starts with cloud identity, using real-time risk assessment powering fine-grained access controls. Many of you use Azure AD Conditional Access as your Zero Trust policy engine. Now, with Conditional Access insights in public preview, recommendations that identify gaps in your policies help you stay more protected. For example, a common recommendation is to block legacy authentication by default to protect your accounts from malicious authentication requests.
To help simplify configuration, the Azure AD Conditional Access API is now generally available in Microsoft Graph. You can use PowerShell or another custom scripting to automate and scale policy management.
Conditional Access is part of Microsoft’s zero-trust network solution, a security framework for remote access where the idea is that you shouldn’t trust anyone, not even your own employees. Every person accessing your network must be verified. Policies limit the access employees have to corporate IT resources. Policies should provide just enough access to complete work-related tasks and nothing more. And that’s where Conditional Access comes in.
Users access corporate apps remotely through Azure AD’s Application Proxy. Conditional Access works with Application Proxy to ensure certain conditions are met before access is granted. For example, some conditions might include whether the user’s device is fully patched, whether the device’s IP address is in a defined range, and the user’s group membership.
advertisment
For more information on the technologies behind Microsoft’s zero-trust solution, check out Choosing between Virtual Private Network and Zero Trust Remote Access Solutions on Petri.
Microsoft describes Graph as a gateway to data and intelligence in Microsoft 365. Not only is it a unified programmability model for accessing data in Microsoft 365, but also it can be used to manage features. You can find more information on Microsoft’s website here.
There isn’t a PowerShell module specifically for working with Conditional Access. Instead, you need to know how to work with PowerShell and the Graph API. The Microsoft Graph PowerShell SDK makes working with Graph and PowerShell easier. The PowerShell modules included with the SDK are also published in the PowerShell Gallery, so you can install them independently of the SDK.
Conditional Access policies are defined programmatically using JSON and then ‘posted’ to Microsoft Graph. Unfortunately, at the time of writing, there’s no easy way to get the JSON for a policy from the Azure management portal. But you can extract the JSON for existing policies using PowerShell and the Microsoft Graph API.
advertisment
Tapping into the Microsoft Graph programmatically isn’t as simple as it could be. But Conditional Access insights are at least easy to use. Nevertheless, Microsoft Graph API Conditional Access support is more likely to be used by large organizations that have the resources to make it work without too many problems. And at a time when more users need to work remotely, these two new Conditional Access features will prove useful.
More from Russell Smith
advertisment
Petri Newsletters
Whether it’s Security or Cloud Computing, we have the know-how for you. Sign up for our newsletters here.
advertisment
More in Azure Active Directory
Microsoft's Azure AD Conditional Access Service Can Now Require Reauthentication
May 13, 2022 | Rabia Noureen
Microsoft Simplifies IT Monitoring with New Azure Managed Grafana Service
Apr 19, 2022 | Rabia Noureen
Most popular on petri
Log in to save content to your profile.
Article saved!
Access saved content from your profile page. View Saved
Join The Conversation
Create a free account today to participate in forum conversations, comment on posts and more.
Copyright ©2019 BWW Media Group