Last Update: May 30, 2024 | Published: Oct 23, 2018
Conditional Access is a security feature that lets organizations control access to corporate resources based on defined conditions. Common reasons for using it include enforcing multifactor authentication (MFA), requiring stronger authentication methods for sensitive applications, and more. Learn more about how to use Conditional Access to protect your data and devices.
Conditional Access is a core security feature of Microsoft Entra ID (formerly Azure AD). It provides access control for the identities and applications integrated with your tenant, Microsoft 365 services included.
Think of it as a policy engine: it evaluates the signals and attributes of each incoming authentication and authorization request and enforces organizational policy by granting or denying access to the resource based on those criteria. The range of settings, conditions, and controls available when building a policy lets you craft one that meets your security and compliance needs.
The main reason we need these policies is that the threat landscape evolves quickly and traditional access controls, a username and password checked at the network edge, no longer hold up on their own. The strongest case for Conditional Access is the enforcement of multifactor authentication (MFA). CA adds a layer of protection beyond passwords and mitigates risks such as unauthorized access with stolen credentials or from compromised devices in your organization.
Other reasons include compliance requirements, cyber-insurance requirements, the growing adoption of Zero Trust security models (more on that shortly), and, on a ‘positive’ note, an improved end-user experience. IT pros and admins can configure users on approved network subnets to NOT be prompted for MFA. A ‘trusted location’, if you will. Keep in mind that such an exemption trusts the network rather than the user: anyone who reaches that subnet or VPN, attackers included, inherits it, so keep the list of trusted ranges short and reviewed.
Conditional Access aligns with the core principles of Microsoft’s Zero Trust security model, in which trust is never assumed and every access attempt is verified explicitly.
Here are some high-level points on how CA supports this evolving model.
Conditional Access policies in Microsoft Entra ID let organizations control access to specific applications and resources based on criteria surrounding the sign-in: the user or group, the application, the location, the device platform and state, the client app, and sign-in risk. IT pros and admins can create multiple policies to accommodate the nuances of their infrastructure, where their users sign in from, and how they sign in.
Based on the configured controls, a policy dictates whether a user is granted or blocked from accessing a specific application or service. At their core, policies work like if-then statements. If a user wants to access an application like Word Online from an unknown or untrusted location, they will need to complete multifactor authentication (MFA) to gain access. If they sign in from a named location you have marked as trusted, such as a corporate office, the policy can skip the MFA prompt.
There are several common signals (or criteria) used with CA policies. These include:
Essentially, the access decision is one of two: grant access or block access. A grant can carry additional requirements, and session controls can further restrict what happens after sign-in, so the granularity lets you build multiple policies for different applications.
For instance, when granting access you can attach requirements to the sign-in: require MFA, require an authentication strength (a defined set of allowed methods, such as phishing-resistant MFA), require a device marked compliant, require an approved client app, or require acceptance of terms of use, among others.
When you design and implement your Conditional Access strategy, you should start from a set of common baseline policies. Let me give you a list.
I also want to mention a recent feature update from Microsoft: a new reauthentication option labeled ‘Sign-in frequency – every time’. It lets organizations force users to authenticate again each time they access specified applications or perform specific sign-in types. Because it prompts on every access, scope it narrowly, for example to privileged roles or a handful of sensitive applications, rather than to all users and all apps.
Let me give you a brief overview of how to find Conditional Access in the Microsoft Entra ID portal and the basic setup.
Want to save some time and get a head start? Click the ‘+ New policy from template‘ button to create policies from the pre-configured templates Microsoft provides. Template categories include Zero Trust, Remote work, Protect administrator, and Emerging threats. Policies created from templates start in report-only mode, so review their results in the sign-in log before switching them to enabled.
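As an added example (not code from the original post), here is how the basic setup described above can be done outside the portal with the Microsoft Graph PowerShell SDK: two policies, the baseline ‘require MFA for everyone’ policy with a trusted-location exclusion, and the Intune device-compliance requirement that comes up later in this post, both created in report-only mode. The break-glass group ID and the policy names are placeholders; the cmdlets and the policy shape are those of the Graph conditionalAccessPolicy resource.

```powershell
# Added example (not from the original post): create two Conditional Access
# policies in report-only mode with the Microsoft Graph PowerShell SDK.
# Assumes the Microsoft.Graph modules are installed and the caller holds a
# role allowed to write CA policies (e.g. Conditional Access Administrator).
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Placeholder: object ID of the group holding your emergency-access accounts.
# Excluding that group is what keeps you from locking yourself out of the tenant.
$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'

# Baseline "require MFA for everyone" policy. Trusted named locations are
# excluded, as the post describes, so users on an approved office subnet are
# not prompted. Report-only means the outcome is logged but not enforced.
$mfaPolicy = @{
    displayName   = 'CA001 - Require MFA for all users (report-only)'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        clientAppTypes = @('all')
        users          = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlassGroupId)
        }
        applications   = @{ includeApplications = @('All') }
        locations      = @{
            includeLocations = @('All')
            excludeLocations = @('AllTrusted')
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

# BYOD / Intune scenario: only devices Intune marks as compliant reach the apps.
$compliantDevicePolicy = @{
    displayName   = 'CA002 - Require compliant device (report-only)'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        clientAppTypes = @('all')
        users          = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlassGroupId)
        }
        applications   = @{ includeApplications = @('All') }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('compliantDevice')
    }
}

# Create both and echo the IDs; keep the IDs, you will need them to update or
# enable the policies later (Update-MgIdentityConditionalAccessPolicy).
foreach ($body in @($mfaPolicy, $compliantDevicePolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
    Write-Host ('Created {0} ({1}) in state {2}' -f $created.DisplayName, $created.Id, $created.State)
}
```

Both policies target all users and all cloud apps, which is the combination most likely to lock an administrator out; that is why they are created in report-only mode and always exclude the emergency-access group. Switch the state to `enabled` only after the sign-in log shows no unexpected failures for the policy.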
I will likely write another ‘how-to’ post going into greater detail on common policies, the configuration changes you can make, and the controls and criteria discussed here, so you can put them into testing and then production.
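Before you move a report-only policy into production you want to know what it would have done. The following added example (not from the original post) reads the last week of sign-ins with the Microsoft Graph PowerShell SDK and tallies the report-only outcome recorded for one policy; the policy name is a placeholder.

```powershell
# Added example (not from the original post): summarise what a report-only
# Conditional Access policy would have done, using the Entra sign-in log.
# Assumes the Microsoft.Graph modules and a role allowed to read sign-in logs
# (e.g. Security Reader). Sign-in log detail for CA requires a P1/P2 tenant.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

$policyName = 'CA001 - Require MFA for all users (report-only)'   # placeholder
$since      = (Get-Date).AddDays(-7).ToUniversalTime().ToString('o')

# Pull the last week of sign-ins; -All pages through the whole result set.
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# Every sign-in lists the CA policies evaluated for it and the per-policy
# result. A report-only policy records reportOnlySuccess, reportOnlyFailure,
# reportOnlyNotApplied or reportOnlyInterrupted instead of success/failure.
$outcomes = foreach ($s in $signIns) {
    foreach ($p in $s.AppliedConditionalAccessPolicies) {
        if ($p.DisplayName -eq $policyName) {
            [pscustomobject]@{
                User     = $s.UserPrincipalName
                App      = $s.AppDisplayName
                Country  = $s.Location.CountryOrRegion
                Result   = $p.Result
            }
        }
    }
}

# Overall distribution of outcomes for the policy.
$outcomes | Group-Object Result | Select-Object Name, Count | Format-Table -AutoSize

# Sign-ins that would have been blocked (failure) or prompted (interrupted)
# once the policy is enforced: review these rows before enabling the policy.
$outcomes |
    Where-Object { $_.Result -in @('reportOnlyFailure', 'reportOnlyInterrupted') } |
    Sort-Object User, App |
    Format-Table -AutoSize
```

A large count of `reportOnlyFailure` for a service account or a legacy client usually means the policy needs an exclusion or a narrower scope, not that enforcement should be skipped; fix the scope, leave it in report-only for another cycle, then enable.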
The main licensing requirement for Conditional Access is Microsoft Entra ID P1 (or P2). Customers on Microsoft 365 Business Premium also have access to CA, because that bundle includes Entra ID P1. If you want to use risk-based policies (sign-in risk and user risk), you need Identity Protection, which requires P2 licenses.
Microsoft Entra ID P1 licenses cost $6 per user per month and P2 licenses $9 per user per month. You can review this Microsoft website to learn more about pricing.
One interesting note: when the licenses required for Conditional Access expire, your policies are not disabled. They continue to be enforced, but you can no longer create or update them.
Conditional Access comes into its own when used with Microsoft Intune. Controlling where users can sign in from and which apps they use is welcome, but the real power is in requiring that devices be compliant with Intune policies before they are granted access.
You might not want users signing in from China if you know that is not a location where employees are based or travel to, but it is even better if you can determine exactly which devices are being used to access corporate resources and whether they are secure. In a Bring-Your-Own-Device (BYOD) scenario, using Intune and Microsoft Entra ID Conditional Access together is the most effective way to secure access to your organization’s data.
In today’s ever-changing threat landscape, Conditional Access in Microsoft Entra ID is an important tool for organizations of many sizes to help secure an evolving workplace. With more workers geographically dispersed and remote, it is essential to verify that your users are who they say they are and that their devices are trustworthy. This capability, part of Microsoft’s Zero Trust security model, aims to do just that.
If you have any questions or comments, please feel free to leave a comment below. Thank you for reading.