How to Set Up Conditional Access in Azure AD (Office 365)?

In a traditional on-premises infrastructure, the system administrator has complete control over user access to corporate resources. When using cloud solutions, access to resources can be carried out both from the corporate network and outside.

What is Conditional Access in Azure AD?

Condition Access (CA) is an Azure Active Directory feature that can be used to allow or deny access to company resources based on user, device, location, 2FA, and several other factors. Conditional access allows you to dramatically increase the security of your resources without complicating user access.

How Does Conditional Access Work?

The Conditional Access mechanism validates each process of connecting to the resource based on a customized scenario and a decision determining what to do with that connection. In a Condition Access policy, you can deny access or allow without or with conditions.

Conditional Access allows you to use different conditions when granting a user access to a resource:

• Is the user a member of a specific Azure AD group?
• What cloud application is the user trying to connect to?
• Whether it is connected from a controlled device or not (Intune/Hybrid Azure AD joined)?
• From which IP address/subnet the user is trying to connect? Does the user is connecting from outside the company network?
• What type of client the user is using (an app on a computer, phone, or browser)?
• etc.

You can combine these conditions to provide the highest level of protection when accessing your corporate resources.

Note. Be careful when creating Conditional Access policies. It is advisable to exclude the Global Admin group from your Conditional Access policies to save yourself from losing access to Azure tenant.

Who Can Use Conditional Access?

• Azure Active Directory (AAD) Conditional Access policies are available with Microsoft 365 Business subscriptions (previously only available for Azure AD premium subscribers).
• Tenants with the Security Defaults disabled.

Where to Find the Conditional Access Policies?

Log in to the Microsoft Entra admin center using your administrator credentials. Navigate to Identity → Protection → Conditional Access. By default, there are no pre-installed conditional access policies.

Conditional Access Policy Templates

You can create a new policy from scratch or use templates (currently in preview mode). Templates are a collection of conditional policies designed for different profiles and categories. There are 16 conditional access policy templates available.

Conditional Policies for Identities

Allow you to make sure all identities perform strong authentication when connected:

• Require multifactor authentication for admins — the policy requires the mandatory use of MFA for some administrative roles;
• Securing security info registration — when and how users register for Azure AD multifactor authentication and self-service password;
• Block legacy authentication — the policy blocks access via legacy authentication protocols that do not support multi-factor authentication (MFA);
• Require multifactor authentication for all users;
• Require multifactor authentication for guest access;
• Require multifactor authentication for Azure management — MFA requirement for users to sign in to services based on the Azure Resource Manager API (Azure Portal, Azure CLI, PowerShell);
• Require multifactor authentication for risky sign-ins — if the sign-in risk is detected to be medium or high (requires an Azure AD Premium 2 License);
• Require password change for high-risk users.

Conditional Policies for Devices

Allow you to configure rules for checking devices connecting to your network:

• Require compliant or hybrid Azure AD joined device for admins;
• Block access for unknown or unsupported device platforms;
• No persistent browser session — allows to prevent browser sessions from remaining signed in after the browser is closed and setting a sign-in frequency to 1 hour;
• Require approved client apps and app protection — implementing modern auth client apps with Intune app protection;
• Require compliant or hybrid Azure AD joined device or multifactor authentication for all users — for Windows and macOS devices only;
• Use application-enforced restrictions for unmanaged devices.

How to Set Up Conditional Access in Azure AD

1. In the Microsoft Entra admin center, navigate to Identity → Protection → Conditional Access.
   
2. Click New policy from template.
   
3. You can choose the template that best suits your requirements. Select the “Block legacy authentication” template in this example and click the “Review + Create” button.
   
4. Choose the “Report only” policy state for now. Turning on the policy immediately could cause unnecessary and unplanned disruptions. Click Create.
   
5. Next, click the new conditional access policy to open it.
   
6. Click Users. As you can see, this conditional access policy includes all users. You can customize the included scope as needed.
   
7. Click the Exclude tab to see that the user who created the conditional access policy is excluded. This is to avoid locking out the user account in case of a configuration error. You can customize the exclusions as needed.
   

Note. Check our guide on how to resize Azure VM disk.

Testing and Confirming by Checking the Sign-In Logs

So, how do you know the conditional access policy worked? In this example, test it by deliberately using legacy authentication to trigger the policy. For example, send an SMTP email via PowerShell using basic authentication.

$credential = Get-Credential 
Send-MailMessage -SmtpServer smtp.office365.com -Port 587 -From [senderAddress] -To [recipientAddress] -Subject 'test message' -UseSsl -Credential $credential

Back in the Microsoft Entra admin center, navigate to Identity → Monitoring & health → Sign-in logs, and look for the user’s sign-in entry. In this example, the user is Alex Wilber.

Click the “Report-only” tab and look for the conditional access policy and the result. As you can see below, this sign-in attempt was captured, and the result is “Report-only: Failure” because it triggered the “Block” action.

Once you open the details, you can see which assignments and conditions matched and the resulting access control action taken.

Testing several more times while using different scenarios is recommended until you’re satisfied with the conditional policy. Once confirmed, you can change the conditional policy status from Report-only to On.

Conclusion

Implementing Conditional Access in Azure Active Directory offers a robust and flexible approach to enhance security while maintaining user accessibility to corporate resources in cloud environments. By allowing administrators to define access conditions based on factors such as user identity, device characteristics, location, and more, Conditional Access enables organizations to achieve a higher level of protection against unauthorized access and potential security breaches.

Conditional Access involves scrutinizing each connection attempt against a tailored set of criteria and determining the appropriate action to take for that connection. This dynamic approach allows administrators to deny access outright, allow access without conditions, or permit access with specific requirements met. Organizations can establish a comprehensive security posture without overcomplicating user access by leveraging different conditions and combining them as needed.

Conditional Access policies can be created from scratch or using predefined templates, each serving distinct identity and device-related scenarios. These policies cater to various security needs, such as enforcing multifactor authentication, restricting legacy authentication methods, and ensuring compliant and approved devices. Administrators can tailor policies to their specific requirements, optimizing security measures while aligning with business needs.

While implementing Conditional Access, it’s crucial to exercise caution and prudence. For example, excluding the Global Admin group from these policies can prevent the risk of accidentally locking administrators out of the Azure tenant. Furthermore, administrators should test policies in a controlled environment using the “Report-only” mode before enabling them fully. This approach allows for identifying potential disruptions and unintended consequences, ensuring a smooth transition to enhanced security measures.