Creating a Conditional Access Policy in Azure AD

Azure Conditional Access policies are a good way to better protect your organization’s data and activities. They give you the flexibility to decide what level of risk is acceptable for different sets of people, and they let you handle issues on an ongoing basis without having to re-evaluate risks constantly. In this blog post, we will talk about Conditional Access policies in depth and walk through how to create one. Let’s get started!

What is Azure Conditional Access Policy?

Azure Conditional Access is a feature that gives IT teams an additional layer of security and control. It lets them configure policies that require multifactor authentication, block devices from accessing data, or block applications or users from accessing data for specific periods of time.

You can combine multiple conditions to create more granular and specific Conditional Access policies.
For example, when protecting access to a sensitive application, an administrator may consider both sign-in risk information from Identity Protection and the user’s location.

Sign-in risk

Conditional Access policies can evaluate sign-in risk for customers who have access to Identity Protection. Sign-in risk is the probability that a given authentication request was not authorized by the identity owner.

User risk

Conditional Access policies can also evaluate the risk associated with a user’s identity or account. User risk represents the likelihood that an individual’s identity has been compromised.

Device platforms

Microsoft Active Directory identifies the device platform based on information provided by the device itself, such as user-agent strings. 

Azure AD Conditional Access supports the following device platforms:

  • Android
  • iOS
  • Windows Phone
  • Windows
  • macOS

Locations

When configuring the location condition, organizations can choose which locations to include or exclude. Besides named locations, location information can be based on public IPv4 address ranges, countries or regions, and even areas that don’t correspond to a specific country or region. Only named locations defined by IP ranges can be marked as trusted locations.

Client apps

Whenever a Conditional Access policy is created, it will automatically apply to all client app types without any additional configuration.

A Conditional Access policy is evaluated and enforced in two phases:

  • The first phase collects session details. To evaluate a policy, Azure AD needs to know things such as the network location and device identity of the session. First-phase evaluation happens both for policies in report-only mode and for enabled policies.
  • The second phase is policy enforcement. Using the session details gathered in phase 1, Azure AD identifies any requirements that have not been met. If an applicable policy is configured with the Block grant control, enforcement stops here and the user is blocked.
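To make the two phases concrete, here is an added example (not code from the original post or from Microsoft) that models the evaluation described above in plain Python. It assumes a simplified policy shape with only two grant controls, a user/app "include" scope and the three policy states Azure AD exposes; the session values and policy names are constructed for the demo. Report-only policies are evaluated in phase 1 but never enforced in phase 2, a Block control stops enforcement, and an unmet device requirement produces the denial that the test at the end of this post expects.

```python
from dataclasses import dataclass


@dataclass
class Session:
    """Details collected in phase 1 (constructed sample values, not real data)."""
    user: str
    app: str
    hybrid_joined: bool


@dataclass
class Policy:
    name: str
    state: str               # "enabled", "enabledForReportingButNotEnforced" or "disabled"
    include_users: frozenset  # {"All"} or specific user principal names
    include_apps: frozenset   # {"All"} or specific app names
    grant: str                # "block" or "domainJoinedDevice" (Require Hybrid Azure AD joined device)


def applies_to(policy: Policy, session: Session) -> bool:
    """Assignment check: does the policy target this user and this app?"""
    user_hit = "All" in policy.include_users or session.user in policy.include_users
    app_hit = "All" in policy.include_apps or session.app in policy.include_apps
    return user_hit and app_hit


def grant_met(policy: Policy, session: Session) -> bool:
    """Is the policy's grant control satisfied by the collected session details?"""
    if policy.grant == "block":
        return False                     # Block can never be satisfied
    if policy.grant == "domainJoinedDevice":
        return session.hybrid_joined
    raise ValueError(f"unsupported grant control: {policy.grant}")


def evaluate(policies, session: Session):
    """Return (decision, per-policy results) mirroring the two-phase model."""
    # Phase 1: evaluate every enabled or report-only policy against the session.
    results = {}
    for p in policies:
        if p.state == "disabled":
            continue                      # disabled policies are skipped entirely
        if not applies_to(p, session):
            results[p.name] = "notApplied"
        elif grant_met(p, session):
            results[p.name] = "success"
        elif p.state == "enabled":
            results[p.name] = "failure"
        else:
            results[p.name] = "reportOnlyFailure"   # logged, never enforced

    # Phase 2: enforce only enabled policies whose requirements were not met.
    decision = "allowed"
    for p in policies:
        if p.state == "enabled" and results.get(p.name) == "failure":
            if p.grant == "block":
                return "blocked", results          # Block stops enforcement here
            decision = "requirementNotMet"         # e.g. "You can't get there from here"
    return decision, results


# Constructed demo: the tutorial's policy plus a report-only block policy.
DEMO_POLICIES = [
    Policy("Require hybrid join", "enabled",
           frozenset({"test@contoso.example"}), frozenset({"All"}), "domainJoinedDevice"),
    Policy("Block everything (report-only)", "enabledForReportingButNotEnforced",
           frozenset({"All"}), frozenset({"All"}), "block"),
]

if __name__ == "__main__":
    print(evaluate(DEMO_POLICIES, Session("test@contoso.example", "Office 365", hybrid_joined=False)))
    print(evaluate(DEMO_POLICIES, Session("test@contoso.example", "Office 365", hybrid_joined=True)))
```

The per-policy results use the same outcome names you will see in the Azure AD sign-in logs (success, failure, notApplied, reportOnlyFailure), which is what you should review before switching a report-only policy to enabled.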

Prerequisites:

  1. Access to the Azure portal.
  2. An Azure AD Premium P1 license is required to create a Conditional Access policy. You can start a trial license from the portal.
  3. At least one test user who does not hold the Global Administrator role. To create a user, check our lab (Create user).

Let’s create a Conditional Access policy

  • Sign in to the Azure portal at https://portal.azure.com
  • From the All services blade, search for and open Azure Active Directory.
  • On the Azure Active Directory blade, under Manage, click Security and then Conditional Access.


  • On the Conditional Access blade, click + New policy.
  • On the New policy blade, give your policy a name.
  • Scroll down to Assignments and click 0 users and groups selected to choose the users and groups the policy will apply to.


  • A pane opens on the right-hand side. Under Include, choose Select users and groups; in the next pane, select the TEST user (do not select a Global Administrator user), then click Select.


  • Now select the applications the policy will apply to: click Cloud apps and, in the next pane, under Include, select All cloud apps.


  • Leave the Conditions tab at its defaults.
  • Now click Grant, select Require Hybrid Azure AD joined device, and click Select.


  • Under Enable policy, click On and then click Create.
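The same policy can be defined as code rather than clicked together in the portal. The following is an added example, not code from the original post, that builds the policy body in the Microsoft Graph conditionalAccessPolicy format (selected users, All cloud apps, grant control domainJoinedDevice, which is what the portal labels "Require Hybrid Azure AD joined device") and runs a small lockout-risk check before it is sent. The user object IDs are constructed placeholders, the lockout checks are the author's own rules rather than anything Azure AD enforces, and the create_policy function assumes you already hold a Graph access token with Policy.ReadWrite.ConditionalAccess (it is not called offline).

```python
import json
import urllib.request

GRAPH_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Constructed placeholder object IDs; replace with real user IDs from your tenant.
TEST_USER_ID = "00000000-0000-0000-0000-000000000001"
BREAK_GLASS_ID = "00000000-0000-0000-0000-000000000002"


def build_policy(name, include_user_ids, exclude_user_ids,
                 state="enabledForReportingButNotEnforced"):
    """Graph body for: selected users -> All cloud apps -> require Hybrid Azure AD joined device.

    The default state is report-only so the effect can be reviewed in the
    sign-in logs before anyone is actually denied access.
    """
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {
                "includeUsers": list(include_user_ids),
                "excludeUsers": list(exclude_user_ids),
            },
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": ["domainJoinedDevice"],
        },
    }


def lockout_findings(policy):
    """Hypothetical pre-flight checks (this example's own rules) that catch the
    mistakes which lock administrators out of the portal."""
    findings = []
    users = policy["conditions"]["users"]
    controls = policy["grantControls"]["builtInControls"]
    if policy["state"] == "enabled":
        findings.append("state is 'enabled'; create in report-only mode first and review sign-in logs")
    if not users.get("excludeUsers"):
        findings.append("no excluded users; exclude at least one emergency-access (break-glass) account")
    if "All" in users.get("includeUsers", []) and ("block" in controls or "domainJoinedDevice" in controls):
        findings.append("targets all users with a block or device requirement; admins on unjoined devices lock themselves out")
    return findings


def create_policy(policy, access_token):
    """POST the body to Microsoft Graph. Needs a real token; never run this unattended."""
    req = urllib.request.Request(
        GRAPH_URL,
        data=json.dumps(policy).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    policy = build_policy("Require hybrid join for TEST user", [TEST_USER_ID], [BREAK_GLASS_ID])
    print(json.dumps(policy, indent=2))
    print("findings:", lockout_findings(policy))
    # Only after findings is empty and the report-only results look right:
    # create_policy(policy, "<access token>")
```

Switching the state from "enabledForReportingButNotEnforced" to "enabled" is a second, deliberate change once the report-only results confirm that only the intended users are affected.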

Now let’s test that the policy works

  1. Open a browser and go to https://www.office.com/
  2. Sign in to Office with the TEST user you selected in the Conditional Access policy.
  3. Once you have entered the user ID and password and authentication succeeds, you will get the error You can’t get there from here. This means the policy is working: because your device is not hybrid joined, you cannot access the Office app.


Congratulations!! You have successfully created a CA policy and tested it.

Check our other blog on blocking legacy authentication using conditional access policy.

NOTE: Delete the policy after testing.

  • Be very careful when creating policies: if the wrong user is selected you may block yourself from the Azure portal itself, which leads to an account lockout.
  • Leave a comment if you get blocked or face any issues; the Thinkcloudly team will provide direction to solve your issue.

Conclusion:

If you are looking for a way to protect data on your network, Azure Conditional Access Policy is one of the most important features. It helps prevent unauthorized access by requiring that devices be enrolled in order to connect with resources or services that require authentication. The best part? You can use it without changing any of your existing security measures! To learn more about how this feature works and what benefits it offers, read our blog post here. We also have courses available if you want to learn more about cloud computing so contact us today!
