In this blog post I will go through the process of configuring a conditional access policy within Azure AD.
Conditional Access policies are simply if/then statements: if a user wants to access a resource, then they must complete an action. Example: a staff member wants to access the payroll application and is required to perform multi-factor authentication to access it.
Note: Using this feature requires an Azure AD Premium P1 license
1. Log in to the Azure portal at portal.azure.com
2. Click Azure AD or locate via the search box
3. Click Security
4. Click Conditional Access
5. Click New Policy
6. For the purpose of this demo, under Users and groups I have selected:
– Select users and groups
– The Sales group
7. Next, click Cloud apps or actions
8. Select what this policy applies to. For the purpose of this demo, I have clicked Select apps.
9. Select your apps. For the purpose of this demo, I have selected Office 365 only.
10. Next, click Conditions
Up to this point I have selected the Sales group and the Office 365 application. I will now apply conditions to the Sales group. Click Conditions to continue.
11. Click Device Platforms
12. For the purpose of this demo, I want this policy to apply to Sales people using an iOS device, such as an iPhone.
13. Click Locations
14. Here you could configure a location. For example, you could prevent a Conditional Access policy from applying to your trusted locations but apply it everywhere else. Note the Exclude option below, where you can exclude locations from this policy.
15. Here you can control user access by targeting specific client applications, including those not using modern authentication.
Note: when not configured, policies now apply to all client apps, including both modern and legacy authentication.
16. Click Device state
17. Here you can control user access when the device the user is signing in from is not Hybrid Azure AD joined or marked as compliant.
18. Next, click Grant
19. Here you decide what the policy should do: block access, or grant access subject to conditions. If you grant access, you can select the controls users must satisfy when authenticating. You can also select several controls and choose either Require all the selected controls or Require one of the selected controls.
20. Finally, you have the option to enable the policy by clicking On. If you click Off, the policy will not apply. Clicking Report-only will only log events for you to analyse, without applying the policy to users.
21. Click Create
Note: if you receive the message below after clicking Create, you must disable security defaults before you can create your policy.
Security defaults must be disabled to enable conditional access policy.
Out of the box, Microsoft now provides secure default settings, managed by Microsoft on behalf of organisations, to keep customers safe until they are ready to manage their own identity security. Security defaults are now enabled by default when a new tenant is set up.
You can disable security defaults by:
- Log in to the Azure portal at portal.azure.com
- Click Azure Active Directory, or search using the search box
- Click Properties in the left pane
- Scroll to the bottom of the page and click the link Manage Security Defaults
22. And here is the policy.
Notice the What If option below. It lets you test what a Conditional Access policy would do if it were applied to a user.
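The same demo policy (Sales group, Office 365, iOS, trusted locations excluded, MFA required, report-only first) built with the Microsoft Graph PowerShell SDK instead of the portal. This is an added example, not code from the original post; it assumes the SDK is installed, the signed-in account is allowed to manage Conditional Access, and a group named Sales exists.

```powershell
# Added example: create the demo Conditional Access policy with Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph modules are installed and a group named "Sales" exists.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# Policies cannot be created while security defaults are on (the portal error shown above).
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($defaults.IsEnabled) {
    throw "Security defaults are enabled; disable them under Azure AD > Properties first."
}

# Conditional Access references groups by object id, so resolve the Sales group first.
$sales = Get-MgGroup -Filter "displayName eq 'Sales'"
if (-not $sales) { throw "Group 'Sales' not found." }

$policy = @{
    displayName = "Sales - require MFA for Office 365 on iOS"
    # Report-only: sign-ins are evaluated and logged, nothing is enforced yet.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($sales.Id) }
        applications   = @{ includeApplications = @("Office365") }   # the Office 365 app
        platforms      = @{ includePlatforms = @("iOS") }
        locations      = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")   # do not apply at trusted named locations
        }
        clientAppTypes = @("all")   # modern and legacy authentication clients
    }
    grantControls = @{
        operator        = "OR"      # "require one of the selected controls"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# After reviewing the report-only results in the sign-in logs, switch the policy on:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```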