Menu
Modern Workplace Blog
  • Home
  • About: Kenneth van Surksum
  • Cookie Policy
Modern Workplace Blog
November 23, 2022November 25, 2022

Conditional Access public preview functionality reviewed (22H2) – Part 2: Conditional Access filters for Apps and Workload Identities

In the last couple of months, Microsoft released new functionality for Azure AD Conditional Access. All of this functionality is still in public preview, so please read the following article on what to expect from Preview functionality: Preview Terms Of Use | Microsoft Azure

In these series of articles I will go through the following new functionality:

  • Part 1: Authentication Strength
  • Part 2: Conditional Access filters for Apps and Workload Identities (this article)
  • Part 3: Granular control for external user types

On October 26th, Alex Weinert the Director of Identity Security at Microsoft announced the public preview of Conditional Access filters for apps. With filters for apps, we can use custom security attributes to “tag” Enterprise Applications and Service Principals and use that tagging when targeting your workload identities and Apps in Conditional Access.

Filters for Workload identities (1) and filters for cloud apps (2)

Conditional Access filters for Apps and Workload Identities use cases

I think the best feature of the filtering for apps and workload identities is that it allows you to configure your Conditional Access policy once, and adapt it based on the filtering being used. By doing this you prevent mistakes that could happen when modifying the Conditional Access policy. Another advantage is that you can delegate the “tagging” to another group of administrative users, without the need for those users to be able to create of modify Conditional Access policies.

Please note that Microsoft makes the following comment about scoping Conditional Access policies to service principals:  In public preview, you can scope Conditional Access policies to service principals in Azure AD with an Azure Active Directory Premium P2 edition active in your tenant. After general availability, additional licenses might be required.

Using this filter functionality we can implement some new use cases like:

  • Create a specific Conditional Access policy for all Apps which are tagged with a tag UsedByDepartment and value Finance
  • Create a specific Conditional Access policy only allowing “tagged” workload identities to be used from trusted locations
  • Create a specific Conditional Access policy, which blocks medium and high “Service Principal risk” for “tagged” workload identities
Service principal risk usage

Rights needed for the Custom Security Attributes

Before you can define, or assign Security Attributes, you must be authorized via an Azure AD role. For this the following Azure AD roles are available:

  • Attribute Definition Administrator
  • Attribute Definition Reader
  • Attribute Assignment Administrator
  • Attribute Assignment Reader
Attribute Assignment and Definition Azure AD administrative roles

What’s interesting here is that the rights of these roles are not available to the Global Administrator role.

The Attribute Definition Administrator can create definitions of the attributes, which can then be used by an Attribute Assignment Administrator and put them on Apps, Workload Identities, but also to use these definitions in an Conditional Access policy. If you have the rights to create/modify Conditional Access policy but are not a Attribute Assignment Administrator you cannot assign the filtering. I also did some further testing, and could assign security attributes in a Conditional Access policy using the Attribute Definition Reader role, but for example not assign any attributes to an account in Azure AD. If the Attribute Definition role is not available for your account, you won’t be able to assign at all.

Additional rights are needed, even if you are a Global Administrator

Creating custom Security Attributes

You can create custom security attributes, by going to the “Custom security attributes (Preview)” section in the Azure AD Admin portal. Creating custom security attributes consists of the following steps:

  1. Create attribute set
  2. Specify attribute

Create Attribute set

The first thing you must do, is create an Attribute Set. An attribute set is a collection of related attributes. You can create a new attribute set, by clicking on the “+ Add attribute set”, after which you must define an Attribute set name, optionally provide a description and specify the maximum number of attributes.

Create new attribute set

Specify Attribute

Within an Attribute Set you can specify custom security attributes, which is a key-value pair. You are required to specify the name of the Attribute, it’s data type (String, Boolean or Integer), whether multiple values can be assigned, and whether you only allow predefined values to be assigned. Last but not least, you can create predefined values, so that only those values can be used while assigning the attributes.

Define a new attribute within an attribute set

Eventually you can create multiple attributes, with predefined values within an Attribute set

Multiple attributes within an attribute set

Assigning Security Attributes

Assigning the security attributes must be performed on the resource (the App or the workload identity) and you should reference the security attribute in a filter in your Conditional Access policy.

  • Assigning security attributes to an Enterprise Application
  • Specify security attributes in a filter for Apps in your Conditional Access policy
  • Specify security attributes in a filter for workload identities in your Conditional Access policy

Assigning security attributes to an Enterprise Application

An Attribute Assignment Administrator can assign the predefined security attributes as part of an attribute set to Enterprise Applications. In the example below, we tag the “Keeper Password Manager & Digital Vault” Enterprise Application with the following attributes:

UsedBydepartment: IT

UsageOnNonCompliantDevices: Not allowed

Assigning security attributes to the Keeper Password Manager & Digital Vault Enterprise Application

Keep in mind that only a Conditional Access policy can only be applied to single tenant service principals that have been registered in your tenant. Third party SaaS, multi-tenanted apps and Managed Identities are out of scope but can be provisioned with security attributes.

A single-tenant application has only one service principal (in its home tenant), created and consented for use during application registration. A multi-tenant application also has a service principal created in each tenant where a user from that tenant has consented to its use.

Specify security attributes in a filter for Apps in your Conditional Access policy

Use filter for Cloud Apps in your Conditional Access policy

Using this filter, we can create a Conditional Access policy which only allows Compliant devices to access the app.

Specify security attributes in a filter for workload identities in your Conditional Access policy

Policy can be applied to single tenant service principals that have been registered in your tenant. Third party SaaS and multi-tenanted apps are out of scope. Managed identities are not covered by policy.

Use filter for service principals in your Conditional Access policy

Using this filter will allow us to create a Condition which will block access to the Service Principal, except from a trusted location.

Define locations for usage of your Service Principals

Conditional Access filters for Apps and Workload Identities Conclusion

The filters for Apps and Workload Identities functionality can really help to further mature your Conditional Access implementation. By delegating control to the Cloud Application administrators to use the predefined Security Attributes to tag their Enterprise Applications and Service Principals, we have the option to define generic Conditional Access policies for the different use cases. (For example, only allow Finance applications on Compliant devices)

With options comes more complexity though, be very careful with that. Make sure that you have a solid and stable Conditional Policy framework in place before starting with this kind of scenarios.

Tweet
Follow me
Tweet #WPNinjasNL

2 thoughts on “Conditional Access public preview functionality reviewed (22H2) – Part 2: Conditional Access filters for Apps and Workload Identities”

  1. Pingback: Conditional Access public preview functionality reviewed (22H2) – Part 1: Authentication Strength | Modern Workplace Blog
  2. Pingback: Azure MFA, SSPR, Authn methods – Jacques Dalbera's IT world

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Founding member of:

Recent Posts

  • Azure AD Conditional Access authentication context now also available for Azure AD Privileged Identity Management
  • December 2022 update of the conditional access demystified whitepaper and workflow cheat sheet.
  • Conditional Access public preview functionality reviewed (22H2) – Part 3: Granular control for external user types
  • Conditional Access public preview functionality reviewed (22H2) – Part 2: Conditional Access filters for Apps and Workload Identities
  • Conditional Access public preview functionality reviewed (22H2) – Part 1: Authentication Strength

Books

System Center 2012 Service Manager Unleashed
Amazon
System Center 2012 R2 Configuration Manager Unleashed: Supplement to System Center 2012 Configuration Manager
Amazon
System Center Configuration Manager Current Branch Unleashed
Amazon
Mastering Windows 7 Deployment
Amazon
System Center 2012 Configuration Manager (SCCM) Unleashed
Amazon

Archives

  • February 2023
  • December 2022
  • November 2022
  • October 2022
  • September 2022
  • August 2022
  • May 2022
  • February 2022
  • January 2022
  • December 2021
  • November 2021
  • October 2021
  • September 2021
  • July 2021
  • June 2021
  • May 2021
  • April 2021
  • March 2021
  • February 2021
  • January 2021
  • December 2020
  • November 2020
  • October 2020
  • September 2020
  • August 2020
  • July 2020
  • June 2020
  • May 2020
  • April 2020
  • March 2020
  • February 2020
  • January 2020
  • December 2019
  • November 2019
  • October 2019
  • August 2019
  • July 2019
  • November 2016
  • November 2015
  • June 2015
  • May 2015
  • November 2014
  • July 2014
  • April 2014
  • March 2014
  • February 2014
  • January 2014
  • November 2013
  • August 2013
  • April 2013
  • March 2013
  • January 2013
  • December 2012
  • November 2012
  • August 2012
  • July 2012
  • June 2012

Meta

  • Log in
  • Entries feed
  • Comments feed
  • WordPress.org

Categories

  • ABM (3)
  • Advanced Threat Protection (4)
  • Announcement (42)
  • Azure (3)
  • AzureAD (65)
  • Certification (2)
  • Cloud App Security (3)
  • Conditional Access (50)
  • Configuration Manager (24)
  • Events (11)
  • Exchange Online (7)
  • Identity Protection (3)
  • Intune (17)
  • Licensing (2)
  • Microsoft Endpoint Manager (35)
  • Mobile Application Management (1)
  • Modern Workplace (65)
  • Office 365 (10)
  • Overview (10)
  • Power Platform (1)
  • PowerShell (2)
  • Presentations (7)
  • Privileged Identity Management (5)
  • Role Based Access Control (2)
  • Security (50)
  • Service Manager (4)
  • Speaking (22)
  • Troubleshooting (4)
  • Uncategorized (11)
  • Windows 10 (14)
  • Windows 11 (4)
  • Windows Update for Business (3)
  • WMUG.nl (16)
  • WPNinjasNL (30)

Tags

#AzureAD #community #conditionalaccess #ConfigMgr #IAM #Intune #m365 #MEM #MEMCM #microsoft365 #modernworkplace #office365 #security #webinar #wmug_nl ATP AzureAD Branding Community Conditional Access ConfigMgr ConfigMgr 2012 Configuration Manager Email EXO Identity Intune Licensing M365 MCAS Modern Workplace Office 365 OSD PIM Policy Sets Presentation RBAC roles Security Service Manager SSP System Center troubleshooting webinar Windows 10

Recent Comments

  • Kenneth on December 2022 update of the conditional access demystified whitepaper and workflow cheat sheet.
  • John Barnes on December 2022 update of the conditional access demystified whitepaper and workflow cheat sheet.
  • Intune Newsletter - 24th February 2023 - Andrew Taylor on Azure AD Conditional Access authentication context now also available for Azure AD Privileged Identity Management
  • Azure AD Conditional Access authentication context now also available for Azure AD Privileged Identity Management | Modern Workplace Blog on A first look at Azure AD Conditional Access authentication context
  • Kenneth on Intune: Choosing whether to assign to User or Device Groups

This information is provided “AS IS” with no warranties, confers no rights and is not supported by the author.

Copyright © 2021 by Kenneth van Surksum. All rights reserved. No part of the information on this web site may be reproduced or posted in any form or by any means without the prior written permission of the publisher.

Shorthand: Don’t pass off my work as yours, it’s not nice.

©2023 Modern Workplace Blog | Powered by WordPress and Superb Themes!
This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Cookie settingsACCEPT
Privacy & Cookies Policy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Non-necessary
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
SAVE & ACCEPT