During the Microsoft Ignite conference in November 2021 Microsoft made several announcements related to Azure AD Conditional Access. You can read those announcements in the following article: “Identity at Ignite: Strengthen resilience with identity innovations in Azure AD“. This morning Thomas Naunheim tweeted that he saw the announced functionality appear in his tenant, so it is time for a quick look. It is strange, though, that even though the functionality is available and can be seen, no clear documentation can be found yet, and there is also no mention of it in the What’s new in Azure Active Directory? documentation (at time of writing).
In this post I will have a look at the following new functionality:
- Conditional Access Dashboard
- Conditional Access pre-build Templates
- Conditional Access for Workload Identities
The Filters for Devices feature, which was also announced, has already been covered on my blog before, see:
Conditional Access Dashboard
The Conditional Access dashboard has been revamped and now identifies opportunities to strengthen policies based on an analysis of your organization’s sign-in patterns.
The Overview page provides the following information:
- The number of policies and their status, which clicks through to the Conditional Access policies
- The number of users that have no policies applied, which clicks through to the Monitoring tab
- Sign-ins from devices that are either managed or unmanaged, which clicks through to the Monitoring tab
- Applications, which clicks through to the Coverage tab
- Recommendations, with severity, description and a link to the policy template mitigating the issue
The Monitoring tab gives an overview of the sign-ins by Conditional Access result.
The Coverage tab provides the following information:
- Top accessed applications
- Top accessed applications not protected by Conditional Access
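The dashboard derives its Monitoring and Coverage numbers from your sign-in logs. As an added illustration (not code from the original post or from Microsoft), the following Python reproduces three of those views from exported sign-in log entries, using the signIn resource fields conditionalAccessStatus, appDisplayName and userPrincipalName; the records are constructed sample data, and the definitions of "user without policy" and "unprotected application" (every sign-in ended as notApplied) are my own assumption about how the dashboard counts.

```python
"""Summarise Azure AD sign-in log entries the way the Conditional Access
dashboard does: sign-ins by CA result, users that no policy applied to, and
the most-used applications that no policy ever protected."""
from collections import Counter


def _entry(upn, app, status):
    """Build a minimal sign-in record with the fields the dashboard needs."""
    return {"userPrincipalName": upn, "appDisplayName": app,
            "conditionalAccessStatus": status}


# Constructed sample (not real tenant data). Valid status values are
# "success", "failure" and "notApplied".
SIGN_INS = [
    _entry("alice@contoso.example", "Office 365 Exchange Online", "success"),
    _entry("alice@contoso.example", "Azure Portal", "success"),
    _entry("bob@contoso.example", "Legacy Reporting App", "notApplied"),
    _entry("bob@contoso.example", "Legacy Reporting App", "notApplied"),
    _entry("carol@contoso.example", "Office 365 Exchange Online", "failure"),
    # Azure Portal is covered for alice but not for dave: a policy exists for
    # the app, so it is not reported as unprotected, but dave is.
    _entry("dave@contoso.example", "Azure Portal", "notApplied"),
]


def sign_ins_by_ca_result(records):
    """Monitoring-tab view: count of sign-ins per CA result."""
    return Counter(r["conditionalAccessStatus"] for r in records)


def _statuses_by(records, key):
    """Map each distinct value of `key` to the set of CA results seen for it."""
    seen = {}
    for r in records:
        seen.setdefault(r[key], set()).add(r["conditionalAccessStatus"])
    return seen


def users_without_policy(records):
    """Users for whom every sign-in ended with notApplied (no policy matched)."""
    seen = _statuses_by(records, "userPrincipalName")
    return sorted(u for u, s in seen.items() if s == {"notApplied"})


def top_unprotected_apps(records, n=5):
    """Coverage-tab view: apps where no CA policy ever applied, by sign-in count."""
    unprotected = {a for a, s in _statuses_by(records, "appDisplayName").items()
                   if s == {"notApplied"}}
    counts = Counter(r["appDisplayName"] for r in records
                     if r["appDisplayName"] in unprotected)
    return counts.most_common(n)


if __name__ == "__main__":
    print(sign_ins_by_ca_result(SIGN_INS))
    print(users_without_policy(SIGN_INS))
    print(top_unprotected_apps(SIGN_INS))
```

A real export from the Microsoft Graph sign-in log has many more fields, but these three are enough to reproduce the dashboard's coverage gaps and to alert on them from your own logs.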
Conditional Access Templates
When creating a new policy, we now have a new option called “Create new policy from templates (Preview)”.
When selecting this option you end up in a wizard that lets you choose whether the template is based on Identities or Devices. Once that choice is made, you can pick the template from a list.
The following templates (14 at time of writing) are available:
Under Identities:
- Require multi-factor authentication for admins
- Securing security info registration
- Block legacy authentication
- Require multi-factor authentication for all users
- Require multi-factor authentication for guest access
- Require multi-factor authentication for Azure management
- Require multi-factor authentication for risky sign-ins
- Require password change for high-risk users
Under Devices:
- Require compliant or hybrid Azure AD joined device for admins
- Block access for unknown or unsupported device platform
- No persistent browser session
- Require approved client apps and app protection
- Require compliant or hybrid Azure AD joined device or multi-factor authentication for all users
- Use application enforced restrictions for unmanaged devices
Each policy can also be configured with a state (Off, On or Report-only), and a default name is provided which you can modify as well. See the following article for more information about what the templates do: Conditional Access templates (Preview)
Conditional Access for Workload Identities
We now have the option to assign certain policies to service principals only. For this, a new selection item was created which allows you to switch between “Users and Groups” and “Workload identities (Preview)”. Once Workload identities is selected you can either select All owned service principals, or select individual service principals from a list.
Once a service principal is selected, many of the other configurable options in the Conditional Access policy are no longer available: you cannot select individual cloud apps, you cannot select any conditions, and the only grant control you can choose is to block access.
Conclusion
Some welcome additions to the Azure AD Conditional Access functionality have been added; in particular, the insight into which sign-ins are not covered by your CA policies is very helpful. I do also have some remarks, though:
- Adding extra options to Conditional Access makes it more complex
- The templates cover some good scenarios but lack the option to exclude your break glass accounts
Reference
If you want to know more about Conditional Access, I suggest that you read my whitepaper on the subject, the latest version of which can be found below: