In August last year, I published eight articles in a series on Conditional Access, and later when finished I decided to bundle those articles in a paper which I made available on the TechNet Gallery. In March this year, Microsoft decided to retire the TechNet Gallery, so I had to find another solution to host this paper and some of the additional workflows and spreadsheets I posted as well. For now I’ve decided to host these on GitHub since that is an easy accessible location as well.

The articles I wrote at that time, will remains as is, and I’ve decided to update the paper once in a while to reflect the current status of Conditional Access. Even though some of the information in the articles is outdated, I still think that they can be of value.

Below I’ve summarized the articles I published last year:

So what’s new?

The following updates have been made:

Workflow Cheatsheet

The goal of the cheatsheet was to have an A4 sized flowchart which can help you while you are either trying to understand your current policies, troubleshooting or just want to make sense of how Conditional Access policies work.

Machine generated alternative text:
user and 
location 
Application 
Signals 
User connects to a cloud 
app on itsdevice 
Verify every access 
attempt 
Allow access 
Require MFA 
Block access 
ot effective, b 
applicability 
logged 
Apps and data 
101010 
010101 
101010 
Rules: 
All policies are enforced in two phases: 
In the first phase, all policies are evaluated and all access 
controls that arent satisfied are collected. 
In the second phase, you are prompted to satisfy the 
requirements you havent met. 
If one of the policies blocks access, you are blocked and not 
prompted to satisfy other policy controls. If none of the 
policies blocks you, you are prompted to satisfy either one or 
all selected policy controls. (see picture on the right) 
External MFA providers and terms of use come next. All 
assignments are logically ANDed. If you have more than one 
assignment configured, all assignments must be satisfied to 
trigger a policy. 
Block access thrumps all other configuration settings 
RequiR a 
Require to 
re AD joined 
Requi re app @ 
Requi re app protection policy 
*hey "feted a "S 
Real-time 
-Reporting-only------------ 
NO 
. No 
Policy 
enabled 
Policy 
assigned to 
user, role or 
group user 
is mem ber 
Of? 
Policy 
assigned to 
cloud app? 
Yes 
Is the sign- 
in risk 
condition 
ena bled ? 
Does the 
user meet 
the sign-in 
risk 
requireme 
Yes 
No 
No 
Policy 
No 
assigned 
to user 
actions? 
No 
No 
The policy i 
t applicabl 
All/One selected: 
Require Multi Factor 
Authentication 
Require device to be marked as 
compliant 
Require Hybrid AD joined device 
Require approved client app 
Require app protection policy 
Terms of use (Custom) 
he user is allowed acce 
to the cloud a 
e user is allowed acce 
to the cloud app (Lim ited 
Is the client 
app con dition 
enabled? 
Yes 
Does th e 
No 
policy in clu de 
the client 
app? 
Y es 
Is the device 
state con dition 
enabled? 
Yes 
Does the 
No 
policy in clu de 
the d evice 
state? 
Yes 
Does th e 
policy grant 
access? 
Does the d evice 
and/or app 
meet the 
requirements? 
Are any 
session 
controls 
ena bled ? 
Yes 
Use app 
enforcement 
restrictions 
enabled? 
No 
Use 
Conditional 
Access App 
Control 
ena bled ? 
No 
No 
No 
No 
Is the d evice 
platform 
con dition 
enabled? 
Does th e 
No 
policy in clu de 
the d evice 
platform? 
Is the location 
con dition 
enabled? 
Yes 
Does th e 
No 
policy in clu de 
the location ? 
Yes 
Access is 
blocked 
Persistent 
browser 
session 
defined? 
No 
Is sign-in 
Frequency 
defined? 
ssion isactive a 
—Yes> either always or neve 
ersistent 
ssion is active withi 
—Yes> 
specified frequency 
esson Is reverse proxi 
through MCAS 
Date: 
May 2020 | Version 1.1 | Author: Kenneth van Surksum I www.vansurksum.com

Download: Conditional Access Workflow – v4.pdf

Implementation workflow

The goal of the implementation workflow is to help you get started when you want to implement Conditional Access, based on the information in the paper the workflow can be really helpful to make the necessary steps visible. I’ve updated the workflow by removing the Baseline policies, for which Microsoft decided not to continue with them in favor of Security Defaults, see:  Microsoft deprecates Conditional Access baseline policies in favour of Security Defaults, here is what you need to know and do. Instead I create references to the Microsoft recommended Conditional Access policies which have the same functionality as the Baseline policies.

Download: Conditional Access Implementation Workflow – V1.2.pdf

Documentation spreadsheet

The documentation spreadsheet (in Microsoft Excel format), can help you to document your current Conditional Access policies, or document the policies you want to create. I found out myself that If you document all your conditional access policies, you automatically see if some policies can be simplified or combined. In the end, it’s better to keep your policies simple and easy to understand.

To give you a start, I also integrated the described policies from the workflow in the documentation spreadsheet to give you a starting point.

Download: Conditional Access Policy Description-v1.1.xlsx

Conditional Access Demystified Whitepaper

The paper has been updated with the latest information to my knowledge, between august last year and May 2020 some things have changes, and I’m sure some things will change again in the next coming months.

In the paper I created some references to articles or implemented information from them which I wrote in the meantime, like:

Download: Conditional Access demystified-v1.1.pdf

Conclusion

Updating the conditional access material requires a lot of work and validation, but I hope it was worth it. If it can at least help some people, I’ve reached my goal.

If you have any comments, or find some things which are wrong, please let me know in the comments or by reaching out to me on social media.