Office 365, Technology

11. Planning, Implementing and Administering Conditional Access

Understanding Security Defaults

When you first setup your M365 tenant there are number of security defaults put in place automatically. This is a set of basic identity security mechanisms recommended by Microsoft.

EG: turn on MFA for Global Administrators

 

These security defaults are in:

  1. Azure AD -> Properties
  2. At the bottom of the page there is a link that says “Manage Security Defaults”
  3. From here you can disable the Security Defaults if you wish (only if you are setting up your own security settings for the tenant)
  4. Click on the “Learn More” link to get more details on the Security Defaults. It brings you to the following website:
    https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults

Using Conditional Access Policies

The Dilemma of Modern Administration

Administrators today must allow users to be productive anywhere, at any time and from a massive selection of devices and applications.

Administrators are also expected to protect data and assets at all times.

Conditional Access Policies

Conditional Access is a tool in Azure that brings signals (how they are logging, from where, which apps etc…) together for access decision making.

Signals help in decision making on whether to allow access or enforce certain policies (block access, send an alert ,force MFA etc…).

The Conditional Access policies make sure a number of requirements are met and makes decisions on this.

Signals:

  • User or group membership
  • IP location
  • Device type(OS version etc…)
  • Microsoft Cloud App Security
  • Application (EG: using official Outlook app to check email, not an unsupported or legacy app)
  • Real time and calculated risk detection (EG: are they blocking their IP address?)

 

Decisions:

  • Block Access
  • Grant
    – require MFA
    – Compliant device
    – Require Hybrid Azure AD Joined
    – Require approved app

Implementing Conditional Access Policies

There are a few different places you can administer this:

  • Endpoint manager
  • Azure AD

The master is Azure AD and the Endpoint Manager changes are stored there.

Administering Conditional Access Policies

  1. Go to Azure AD _> Security -> Conditional Access
  2. Click New Policy
  3. Set a name for the policy
  4. Assign policy to specific users and groups or roles.
  5. Conditions that this policy will apply to:
    – User Risk: has the account been compromised (low med or high)
    -Sign in risk: entering bad passwords, logging in from different country (low, med, high)
    – Device platforms
    – Locations: you need to create locations to use this
    – Client apps: see later section on Cloud Apps
    – Filters for devices: this is based on a query like manufacturer, model number etc… This is a pretty new feature.
  6. Access Controls: this is where you choose what happens if user meets these conditions
    – block access
    – grant access
    – require MFA/Azure AD joined device/Approved Apps
    – Force Password Change
  7. Enable Policy:
    – Report only: just logs the attempted access, but doesn’t do anything

 

It can take some time before policy takes effect.

Implementing Application Controls within Conditional Access Policies

To create a policy related to Apps:

  1. Go to Azure AD _> Security -> Conditional Access
  2. Click New Policy
  3. Set a name for the policy
  4. Assign policy to specific users and groups or roles.
  5. Go to “Cloud apps or actions”:
    – User Actions: you can force users to register security information or register devices
    – Authentication Context: This is the method a user has authenticated. EG: you can only access a certain SharePoint site if you are on a certain type of device
    – Cloud Apps: Control user access based on all or specific apps. In this example we will select “Office 365”
  6. Conditions:
    – Client apps: Control user access to target specific client apps that are not using modern authentication. EG: Legacy Apps (Outlook 2010 etc…). You can select the category of apps you want to apply this policy to
  7. Access Controls: choose to grant or block access (require MFA etc…)

Implementing Session Management within Conditional Access policies

You need to be dealing with Cloud apps for these options to be available to you

  1. Go to Azure AD _> Security -> Conditional Access
  2. Click New Policy or edit a policy
  3. At the bottom of the options screen you see “Session”
  4. Options:
    – Use App enforced restrictions: this looks at restrictions that may be in place in the app itself. EG: restrictions that may be in SharePoint
    – Use Conditional Access App Control: This is probably the most powerful. If you select the check box you have 3 actions-
    — Monitor Only: log what the user is doing involving this app within the session
    — Block downloads: prevents any kind of downloads within the app
    — Use Custom Policy: this brings you to the “Cloud App Security” console. Here you can set policies to things like stopping users deleting items in the app, or copying data in the app. You need to have a licence to use Cloud App Security
  5. Sign in frequency: you can set the number of days/hours before a user is asked to sign in again and reauthenticate
  6. Persistent browser session: NOTE this options only available if you select all apps.
    – always persistent: the session token they have will always be available
    – never persistent: they have to get a new session token every time they access the app

Testing and Troubleshooting Conditional Access Policies

Microsoft has a useful What If tool that allows you to test what will happen with a Conditional Access policy as a specific user

  1. Go to Azure AD -> Security -> Conditional Access
  2. Click on the “What IF” button
  3. Select the user you want to test with.
  4. There a number of options you can select here that will simulate the users scenario and what will happen with the policy:
    – IP address
    – Country
    – Device platform
    – Client apps
    – Device state (Hybrid Ad joined, compliant device etc…)
    – Sign in risk level
  5. Click on What If
  6. It will show you the policies that will apply to the user and may affect their access. It will also show the policies that are not applied

Leave a Reply

Your email address will not be published. Required fields are marked *