This article is part 4 of a series, for which the following articles are available:
Conditional Access demystified, part 1: Introduction
Conditional Access demystified, part 2: What is Conditional Access?
Conditional Access demystified, part 3: How does Conditional Access work?
Conditional Access demystified, part 5: Implementing Conditional Access
Conditional Access demystified, part 6: Troubleshooting Conditional Access
Conditional Access demystified, part 7: Modifying Conditional Access to suit your special needs
Conditional Access demystified, part 8: Resources and further references
When designing a Conditional Access strategy for a customer we first need to start with an inventory of the environment, in the most ideal situation you would design and implement conditional access in a green field scenario, but I for sure never had that luxury before so it’s better to assume that the customer is already using cloud apps and wants to implement conditional access as an security measure.
The points to be inventoried are (but not limited to):
- What kind of devices does the customer use to access cloud apps?
- What kind of applications are used to access cloud apps?
- Is this a green field implementation, or are the cloud apps already in use without any conditional access policies in action?
the customer use Intune and which scenario’s are build into Intune
- Mobile Device Management
- Mobile Application Management
- Is every user treated equally when it comes to access to the cloud apps, or can we distinct persona’s with different requirements when it comes to Conditional Access
- Which licensing is the customer using? My personal opinion is that you need E5 functionality for administrators at least nowadays.
- How are licenses being assigned to users (groups, directly)
- Are there any service accounts used that interact with the cloud apps?
- Is Modern Authentication already enabled for Exchange Online and Skype for Business online?
- Is the company storing password hashes in Azure Active Directory?
- Are there cloud apps depending on each other?
Microsoft has a document available helping in planning setting up Conditional Access, called the “Azure Active Directory Conditional Access Deployment Plan”. The document in word format can be downloaded from the following location: https://aka.ms/CADPDownload. Microsoft also provides planning documentation online at: How To: Plan your Conditional Access deployment in Azure Active Directory – https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/plan-conditional-access
When designing a Conditional Access strategy in my experience it’s important to really think on a high level on what you want to accomplish. It’s very easy to start creating Conditional Access all kinds of individual Conditional Access policy and get lost concerning what you wanted to accomplish along the way.
Based on my experience the main goal of implementing Conditional Access is that you want to prevent access to your company data in situations where you don’t have control over the data. That means that ideally cloud apps can only be accessed by:
- Devices which are under company control and are compliant
- Applications which are under company control and are compliant
- Browser sessions on managed devices where data can be stored locally
- Browser sessions on non-managed devices where data can only be opened in the browser session and no data is left behind on the device
All the other scenario’s possible are either to fullfill requirements in order to successfully use Conditional Access or are additional security measures like always enforcing MFA when Azure AD administrators log in. It might also be that you need some “temporary” conditional access policies while migrating to the designed situation.
Below are some example scenario’s which can be the outcome of your design
• Scenario 1: Allow devices managed by Intune access all the cloud apps using Apps and Desktop Clients and Modern Authentication Clients if compliant
Access to “All Cloud Apps” by “Users with EMS License” using “Any” device platform” coming from “any location” using “Mobile Apps and Desktop Clients” or “Modern authentication clients” is allowed, but device must be compliant.
• Scenario 2: Only allow Apps we can manage to access cloud apps when device is not managed.
Allow users with EMS License using devices not managed by intune to access (portion of, t.b.d.) cloud apps, using clients which we can manage using MAM policies (approved clients list)
• Scenario 3: Allow browser access to all the cloud apps from a trusted location
When users access the cloud apps from a trusted location they can login without using any additional form of authentication
• Scenario 4: Allow browser access to all the cloud apps from an untrusted location but use MFA and restrict the browser session (when possible)
When users access the cloud apps from a non trusted location they can login but have to use MFA and when possible the browser session is restricted.
• Scenario 5: Block browser access to all the cloud apps from some geographic areas
Users cannot access cloud apps from regions where the company doesn’t operate. Once you know your scenario’s try to model the conditional access policy in a spreadsheet, by doing this you can determine if policies can be combined, or if more than one policy needs to be created to meet the requirements of the scenario. Keep in mind that the less is more.
Many cloud apps have dependencies to other cloud apps, Microsoft Teams is a good example since it also provides access to SharePoint Online, and Planner for example. When this situation occurs you have to know how the application will behave, since policies may be applied either early-bound or late-bound. See the following article with more information about this: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/service-dependencies
I’ve created a spreadsheet which can hopefully help, the spreadsheet is available for download from the following location: https://gallery.technet.microsoft.com/Conditional-Access-dc903421
In the next article (part 5) I’m going to explain how to implement Conditional Access.