Conditional Access announcements from Ignite November 2021 reviewed

During the Microsoft Ignite conference in November 2021 Microsoft made several announcements related to Azure AD conditional access. You can read those announcements in the following article: “Identity at Ignite: Strengthen resilience with identity innovations in Azure AD“. And this morning Thomas Naunheim, tweeted that he saw the announced functionality appear within his tenant. Time for a quick look. It’s strange though to notice that even though the functionality is available and can be seen, no clear documentation can be found yet, and also no mention of the functionality in the What’s new in Azure Active Directory? documentation. (at time of writing)

In this post I will have a look at the following new functionality:

  • Conditional Access Dashboard
  • Conditional Access pre-build Templates
  • Conditional Access for Workload Identities

The also announced Filters for Devices have already been covered on my blog before, see:

A first look at using Filters for devices as conditions in Azure AD Conditional Access policies

Conditional Access Dashboard

The conditional access dashboard has been revamped and now identifies opportunities to strengthen policies based on analysis of your organization’s sign in patterns.

New Conditional Access overview page

The Overview page provides the following information:

  • The amount of policies and their status, which click through to the Conditional Access policies
  • The amount of users which have no policies applied, which click trough to the Monitoring tab
  • Sign-ins from devices which are either managed or unmanaged, which clicks through the Monitoring tab
  • Applications, which clicks through the Coverage tab
  • Recommendations, with severity, description and link to Policy template mitigating the issue.

The Monitoring tab gives an overview of the Sign-ins by Conditional Access result

Monitoring tab

The Coverage tab provides the following information:

  • Top accessed applications
  • Top accessed applications not protected by Conditional Access
Coverage tab

Conditional Access Templates

When creating a new policy, we now have a new option called “Create new policy from templates (Preview)

Create new policy from templates (Preview) option

When selecting the option you’ll end up in a wizard which allows you to choose whether the template is based on Identities or Devices. Once selected you can select the template from a list of templates.

  • Select policy type
  • Identities based templates
  • Devices based templates

 

The following templates (at time of writing 14) are available

Under Identities:

  • Require multi-factor authentication for admins
  • Securing security info registration
  • Block legacy authentication
  • Require multi-factor authentication for all users
  • Require multi-factor authentication for guest access
  • Require multi-factor authentication for Azure management
  • Require multi-factor authentication for risky sign-ins
  • Require password change for high-risk users

Under devices:

  • Require compliant or hybrid Azure AD joined device for admins
  • Block access for unknown or unsupported device platform
  • No persistent browser session
  • Require approved client apps and app protection
  • Require compliant or hybrid Azure AD joined device or multi-factor authentication for all users
  • Use application enforced restrictions for unmanaged devices

Each policy can also be configured with a state (Off, On or Report Only) and a default naming is provided which you can modify as well. See the following article for more information about what the templates do: Conditional Access templates (Preview)

Conditional Access for Workload Identities

We now have the option to assign certain policies to service principals only, for this a new selection item was created which allows you to switch between “Users and Groups” or “Workload identities (Preview)”. Once Workload Identities is selected you can either select All owned service principals, or select service principals from a list.

Conditional Access policy with Workload identities selected

Once a service principal is selected, a lot of the other configurable options in the Conditional Access policy are not available anymore, you cannot select individual cloud apps, you cannot select any conditions and the only option you have is to block access as a grant control.

Conclusion

Some welcome additions to the Azure AD Conditional Access functionality has been added, especially giving insight on which sign-ins are not covered by your CA policies is very helpful. I do also have some remarks though:

  • Adding extra options to Conditional Access makes it more complex
  • The templates cover some good scenario’s but lack the option to exclude your break glass accounts

Reference

If you want to know more about conditional access, I want to suggest that you read my Whitepaper on the subject, for which the latest version can be found below:

October 2021 update of the conditional access demystified whitepaper and workflow cheat sheet

https://docs.microsoft.com/en-gb/azure/active-directory/conditional-access/concept-conditional-access-policy-common

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.