Active Directory Conditional Access

Azure Active Directory Conditional Access Policies

What is Conditional Access?

Azure Active Directory Conditional Access is a feature that helps organizations improve both cybersecurity and compliance. By applying such policies, organizations refine the authentication process and reduce the risk of unauthorized access.

Usually, it is the legitimate account owner who types in the username and password. Once logged in, the user can access all the data, applications, and business resources he or she has been granted permissions for. But sometimes it is an attacker trying to log in with the user's credentials, putting your organization at risk.

To reduce this risk, organizations can put additional authentication measures in place, such as multi-factor authentication (MFA), which requires the user to enter a unique code sent to their mobile device, provide a fingerprint, etc.

This strategy is effective. Microsoft reports that 99.9% of organization account compromises could be stopped simply by using MFA. The problem is that MFA alone can sometimes be insufficient, for example when a privileged administrator is accessing highly sensitive resources. In such a case, additional evidence that the authentication request is legitimate is recommended.

The Conditional Access feature helps organizations strengthen the authentication process. For instance, you can create a policy that requires administrators, but not regular users, to complete the MFA step.

You can use signals such as the user's location and the type of authentication protocol being used. For instance, you can block all requests that come from certain countries, allow all requests from your headquarters location, and require MFA for all the rest.

Conditional Access Policies

When creating Conditional Access policies there are several basic actions you should take, such as:

  • Verify the user's identity during sign-in.
  • Verify the security of the device used for the connection.
  • Require MFA for users, including all administrators.
  • Implement geo-blocking.
  • Disable legacy protocols that don't support MFA (POP, IMAP, SMTP, ActiveSync).

Improving MFA

While multi-factor authentication contributes to a more secure account, burdening users with MFA challenges is not always the best approach. If users are required to go through MFA requests each time they open their accounts, they can fall into the trap of approving challenges without verifying the legitimacy of each request. Unfortunately, this could mean that someone accidentally accepts a sign-in request generated by a hacker. Therefore, user experience is extremely important when implementing Conditional Access policies.

So, instead of challenging a user with MFA at each login, create a strategy that combines signals to verify the user's identity, for instance the user's known location. Evaluating multiple signals before requesting MFA drastically reduces the number of prompts the user receives.
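To make the actions listed above and the combined-signal idea concrete, here is an added example (not code from the original article or from Microsoft): a small offline evaluator for policies written in the shape of the Microsoft Graph conditionalAccessPolicy resource. The policy set, the location ids (loc-hq, loc-blocked-countries), the role name used in place of a role template GUID, and the break-glass exclusion are all constructed assumptions.

```python
# Added illustration, not Microsoft's evaluation engine: policies follow the Graph
# conditionalAccessPolicy shape, but ids and names below are constructed examples.
POLICIES = [  # "loc-hq" etc. stand in for named-location GUIDs; role name for a role GUID
    {"displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Geo-block disallowed countries", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "locations": {"includeLocations": ["loc-blocked-countries"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Admins: MFA and compliant device", "state": "enabled",
     "conditions": {"users": {"includeRoles": ["Global Administrator"]}},
     "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]}},
    {"displayName": "Users: MFA outside headquarters", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["breakglass@example.com"]},
                    "locations": {"includeLocations": ["All"], "excludeLocations": ["loc-hq"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]

def applies(policy, signin):
    """True if the policy's user, location and client-app conditions all match the sign-in."""
    c, users = policy["conditions"], policy["conditions"].get("users", {})
    if signin["user"] in users.get("excludeUsers", []):
        return False  # documented exclusion, e.g. a break-glass account
    if not ("All" in users.get("includeUsers", [])
            or signin["user"] in users.get("includeUsers", [])
            or any(r in users.get("includeRoles", []) for r in signin["roles"])):
        return False
    loc = c.get("locations")
    if loc and (signin["location"] in loc.get("excludeLocations", [])
                or ("All" not in loc["includeLocations"]
                    and signin["location"] not in loc["includeLocations"])):
        return False
    apps = c.get("clientAppTypes")
    return not apps or signin["clientAppType"] in apps

def evaluate(policies, signin):
    """Return ("block", []) or ("grant", sorted controls the sign-in must satisfy)."""
    controls = set()
    for p in policies:
        if p["state"] != "enabled" or not applies(p, signin):
            continue
        builtin = p["grantControls"]["builtInControls"]
        if "block" in builtin:
            return "block", []  # a block from any matching policy wins
        controls.update(builtin)  # otherwise every matching policy's controls accumulate
    return "grant", sorted(controls)
```

A regular user signing in from the headquarters location gets no prompt, the same user from an unknown location gets MFA, an administrator always gets MFA plus a compliant device, and legacy clients are blocked outright.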

Business Data Protection

Conditional Access supports many features besides multi-factor authentication. Some organizations overlook the fact that anybody can install Outlook or OneDrive on a personal device and then copy mailbox contents and files to that device. So, when an employee leaves, the company has no control over any data copied to these personal devices. Ensuring that users can copy business data only to company devices is crucial for compliance and security purposes.

Less is More

When the organization wants to change a policy, or the responsible team needs to investigate a sign-in, a large number of Conditional Access policies makes the task very challenging. Therefore, think about the bigger picture from the beginning of this process and combine as many conditions as possible into one policy.

Try to group policies by signal, such as the type of data, the type of user, and the ownership of the device.

When it comes to the type of data, access to SharePoint should be stricter than access to Microsoft To-Do, which does not hold as much sensitive data.

Based on the type of user, administrator accounts need stricter policies than regular users.

The ownership of the device is very important because there is a big difference between the management of personal and corporate devices. Personal devices should not be trusted with as much data as corporate devices. The latter category usually has adequate security controls in place.

Documentation is Necessary

As the number of active policies increases, documentation becomes important. It should include details of the configuration and a description of each policy. This will help you revert the policy to the original state and remind you why it was implemented in the first place. While this might not be necessary for smaller organizations, it is mandatory for enterprises.

Besides documenting policies, be sure to document exclusions: not just which ones are active, but more importantly who added them and why. This way you can review the exclusions periodically and decide whether they are still needed.

In addition to implementing multi-factor authentication in an intuitive way, Conditional Access policies can limit which files users can access or download in certain scenarios, improving the security of your organization.