How to use Conditional Access in Microsoft Entra ID

Introduction

In on-premises environments you can use various controls to allow or deny access for users or devices; what is available depends on the features of the equipment you have.

In cloud environments, however, the security risk is much higher and the security controls are different.

What is Conditional Access

Conditional Access is an Azure access control feature that manages access based on identities, locations, 2FA and other signals. It is not a first line of defense against DoS attacks, but it can significantly increase the security of your environment without adding complexity.

How it works

Conditional Access works with policies. Every resource that tries to connect to your environment is evaluated against the policies you create, and each policy consists of multiple conditions. The conditions a Conditional Access policy can use are described in the next paragraphs.

Who can use Conditional Access

Conditional Access requires a Microsoft Entra ID P1 license or above.

However, specific features like risk-based policies require a Microsoft Entra ID P2 license or above.

For more details, see Microsoft Entra Plans & Pricing.

How to enable and configure Conditional Access

Let's see how to use Conditional Access to manage each resource that connects to your environment.

  • Log in to the Azure Portal and open Microsoft Entra ID.
  • Click on Security.
Microsoft Entra ID - Security

  • Expand Protect and click on Conditional Access.
Conditional Access Policy

  • Click on Create New Policy.
  • The following sections must be filled in before you can continue to the next step:
    • Users - Select the users that this policy applies to.
    • Target resources - There are 4 options to choose from; here we use Cloud apps. Select whether the policy applies to a specific cloud app or to all cloud apps.
    • Network - You can select a trusted network, or the locations and networks that you have created. This selection is optional.
    • Conditions - You can restrict access based on Device Platforms (Android, Windows ...), Locations, Client Apps (Browser, Mobile Apps ...), Filter for Devices, and so on.
    • Access controls - Grant or Block access based on controls such as Require MFA, Require authentication strength, and others.
    • Session - Session controls enable limited experiences within specific cloud applications. They only work with supported apps and are optional.
  • At the end you have the option to Enable or Disable the policy, or to keep it in Report-only mode.
  • In Report-only mode you only see the policy results in the Sign-in logs; it has no impact on connectivity.
  • When you are ready, click Create.
Conditional Access Policy - Assignments

We have explained how to use Conditional Access. Now let's see how to create a Conditional Access policy that requires MFA.

How to create a Conditional Access policy that allows login to the Admin Portal only with MFA

Log in to Microsoft Entra ID.

  • Click on Security.
  • Expand Protect and click on Conditional Access.
  • Click on Create New Policy.
Conditional Access Policy

  • Click on Users. Click on Select users or groups. Click on Users and groups.
  • Select a user that has access to the Admin Portal.
Conditional Access Policy - Select User

  • Click on Target Resources. Leave Cloud apps as it is. Click on Select apps.
Conditional Access Policy - Target Resources

  • Click on Select and check Microsoft Admin Portals. Click Select.
Conditional Access Policy - Target Resources

  • If the user you selected is the only one who has access to the Admin Portal, enable the policy in Report-only mode to avoid locking yourself out of the Admin Portal.
  • Alternatively, create a temporary user and test the Conditional Access policy with it before applying the policy to the admin user.
Conditional Access Policy - Enable Policy

  • From now on, every time the user tries to log in to the Admin Portal, they will be asked to use MFA (Multi-Factor Authentication).
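
The same policy expressed as a Microsoft Graph request body, as an added example that is not from the original post: it mirrors the steps above (selected user, Microsoft Admin Portals, require MFA, start in Report-only) and checks the lock-out conditions the post warns about before the policy is switched to enabled. The Graph value names (`enabledForReportingButNotEnforced`, `MicrosoftAdminPortals`) are assumed from the Graph conditionalAccessPolicy schema, and the user GUID is a constructed placeholder.

```python
import json

# Microsoft Graph conditionalAccessPolicy values (assumed from the Graph schema, not from the post)
REPORT_ONLY = "enabledForReportingButNotEnforced"   # the portal's "Report-only" state
ENABLED = "enabled"
ADMIN_PORTALS = "MicrosoftAdminPortals"              # the "Microsoft Admin Portals" target resource


def build_admin_portal_mfa_policy(user_ids, state=REPORT_ONLY, exclude_user_ids=()):
    """Graph request body for the post's policy: selected users -> Microsoft Admin
    Portals -> grant access only with MFA. It is the body you would POST to
    https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies."""
    return {
        "displayName": "Require MFA for Microsoft Admin Portals",
        "state": state,
        "conditions": {
            "clientAppTypes": ["all"],
            "users": {
                "includeUsers": list(user_ids),          # user object IDs, or "All"
                "excludeUsers": list(exclude_user_ids),
            },
            "applications": {"includeApplications": [ADMIN_PORTALS]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def lockout_risks(policy):
    """Return the lock-out problems the post warns about, checked before the
    policy leaves Report-only mode. An empty list means it is safe to enable."""
    risks = []
    if policy["state"] != ENABLED:
        return risks                                     # Report-only never blocks anyone
    users = policy["conditions"]["users"]
    apps = policy["conditions"]["applications"]["includeApplications"]
    if not (ADMIN_PORTALS in apps or "All" in apps):
        return risks                                     # admin portals are not targeted
    if "All" in users.get("includeUsers", []):
        risks.append("enforced on all users for the admin portals, including the account making the change")
    if not users.get("excludeUsers"):
        risks.append("no excluded emergency-access account to fall back on if MFA fails")
    return risks


def policy_json(policy):
    """Serialise the body exactly as it will be sent to Graph."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    # Constructed sample: one admin user ID (placeholder GUID), as in the post.
    draft = build_admin_portal_mfa_policy(["00000000-0000-0000-0000-000000000001"])
    print(policy_json(draft))
    print("risks if enforced as-is:", lockout_risks({**draft, "state": ENABLED}))
```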

Enabling a Conditional Access policy is not a complex task; you can do it in a few minutes.

The most important thing is to write a small plan on paper of exactly what you want to do: how and where you will use Conditional Access.

Have a nice weekend !!!