Introduction to Conditional Access

This post has been republished via RSS; it originally appeared at: Microsoft Tech Community - Latest Blogs - .

Security for Beginners Course

There is now a new course available for beginners who would like to dive into the world of security. It’s a course designed to help you get started with the fundamentals behind security. You will get to know concepts such as IAM, zero trust, the shared responsibility model, and so much more!

If you haven’t already, I would recommend you get started with the course.


Authentication

In today’s world, we have to make sure we do everything we can to keep our IT environment secure. There are many ways to protect your environment; one of them is conditional access.

You have probably been asked before to verify that you are the one logging in to your Microsoft account.

That concept is called authentication, and it is built on three different factors:

  • Something you know.
  • Something you have.
  • Something you are.

If you haven’t already read the security course for beginners, you should look at it and read the part about authentication. It will give you valuable insights before you continue with this blog.


Conditional Access

Have you worked with a programming language before? If so, you probably already know some of the theory behind conditional access. Conditional access works like an if statement: if a user wants access to company resources, then the user must authenticate with MFA (Multi-Factor Authentication).

One last thing you need to know about conditional access is the three phases it operates in: signal, decision, and enforcement.

There are many possible signals; examples are the user, the device, or the location. The signal is evaluated, and a decision is made. If the user logs in from a non-trusted location, the decision is to require MFA. Finally, enforcement applies that decision and requires MFA from the user.


License Requirements

Before you can make use of conditional access, you have to make sure that you have the correct licenses for your users. Conditional access isn’t available with all licenses; your users need at least a Microsoft Entra ID Premium P1 license. The P1 license is included in other licenses, such as Microsoft 365 Business Premium.


Conditional Access Overview

Now is the time to take a look inside the Entra portal. I will not configure any policies in this blog, but I highly recommend that you read through the Microsoft documentation before you start creating policies. Worst case, you might lock yourself out of your Microsoft tenant if a policy is configured incorrectly.

You can go to the new Entra portal or the traditional Azure portal to find the conditional access overview. I will jump into the Entra portal and unfold the “Identity” tab.

Once the Identity tab is unfolded, we have to unfold “Protection”. Finally, let’s get into the conditional access overview.


When you have found your way to the overview, navigate to the policies page. If you haven’t set up policies before, your page will most likely look similar to mine.


There are two ways to create a conditional access policy. You can either create a new policy or create a new policy from a template. When you choose the new policy option, you have to configure your policy from scratch.

However, if you select the option to create a new policy from a template, you have several pre-configured templates available. These templates are created by Microsoft.

You need to exclude an emergency account from both the template option and the policy you are creating from scratch, to prevent tenant-wide account lockout. You can read more about user exclusions here.

As mentioned before, don't start creating policies before reading the Microsoft documentation.


Reporting

When you have to monitor your policies, you have two different options available. The first option is sign-in logs. A sign-in log entry is generated every time a user signs in. However, sign-in logs include much more than that; they also include helpful reporting for conditional access policies. All policies that are not configured as report-only are displayed under the Conditional Access tab within a sign-in log entry.

If you have configured a policy in report-only mode, your policy will be listed under the Report-only tab, next to the Conditional Access tab.

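As an added illustration (not code from the original post or from Microsoft), here is a small Python model of the signal, decision and enforcement phases described earlier, including the emergency-account exclusion from the templates section and the report-only behaviour from this section. The policy and sign-in fields, the state names and the sample accounts are invented for the example and are not the Entra policy schema.

```python
# Added example (not from the original post): a simplified model of the
# signal -> decision -> enforcement flow; shapes are invented, not Microsoft's.
from dataclasses import dataclass, field

@dataclass
class SignIn:                    # the signals of one sign-in attempt
    user: str
    location: str                # named location the request comes from
    mfa_done: bool = False       # has the user already satisfied MFA?

@dataclass
class Policy:
    name: str
    state: str                   # "enabled" | "reportOnly" | "disabled"
    exclude_users: set = field(default_factory=set)      # emergency account
    trusted_locations: set = field(default_factory=set)  # no MFA needed here
    grant: str = "mfa"           # control required when the policy applies

def evaluate(policy: Policy, signin: SignIn) -> dict:
    """Decision phase: does the policy apply, and which control is required?"""
    if policy.state == "disabled" or signin.user in policy.exclude_users:
        return {"policy": policy.name, "result": "notApplied", "required": None}
    if signin.location in policy.trusted_locations:   # condition not met
        return {"policy": policy.name, "result": "notApplied", "required": None}
    return {"policy": policy.name, "result": "applied", "required": policy.grant}

def enforce(policy: Policy, signin: SignIn) -> str:
    """Enforcement phase: turn the decision into the outcome of the sign-in."""
    decision = evaluate(policy, signin)
    if decision["result"] == "notApplied":
        return "success"
    if policy.state == "reportOnly":
        # Shown under the report-only tab of the sign-in log; no user prompt.
        return "reportOnly:" + decision["required"]
    if decision["required"] == "mfa" and not signin.mfa_done:
        return "interrupted:mfa"  # the user is challenged for MFA
    return "success"

if __name__ == "__main__":
    # Constructed sample data (contoso.example is a placeholder tenant).
    policy = Policy("Require MFA outside trusted locations", "enabled",
                    exclude_users={"breakglass@contoso.example"},
                    trusted_locations={"HQ-Office"})
    for s in (SignIn("alice@contoso.example", "Coffee shop"),
              SignIn("alice@contoso.example", "HQ-Office"),
              SignIn("breakglass@contoso.example", "Coffee shop")):
        print(s.user, s.location, "->", enforce(policy, s))
```

The same sign-in from a coffee shop is interrupted for MFA under an enabled policy, only logged under a report-only policy, and never challenged for the excluded emergency account.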

Insights and reporting

The last option for reporting is Insights and reporting in the conditional access overview. It's available right under the Policies tab.

Insights and reporting will provide you with a complete overview of how your policies impact your users.

Before you can utilize that option, you have to configure a Log Analytics workspace in Azure. That requires you to have an Azure subscription.


Microsoft Learn references

Look at the Microsoft Learn path below to get training in implementing policies.

Plan, implement and administer conditional access


For more in-depth information about conditional access, look at the link below.

Conditional access documentation


Did I catch your interest earlier, when I talked about the available templates? Look at the reference below for more information on the predefined policies.

Conditional access templates
