What's a conditional access policy?
Conditional access policies help organizations improve security and compliance. They are used to fine-tune and customize the authentication of your users in Microsoft 365. Let me explain.
In the simplest terms, it’s a series of if statements. For example, you can create a conditional access policy to require all members of a particular group to use Multi-Factor Authentication to log in to Microsoft 365. “If the user is part of group X then require MFA”.
You can set a lot of different options in conditional access policies. For example, you can create a policy so that a certain set of users can only log in from specific IP addresses: “If the user is part of group X and is not logging in from IP address 188.8.131.52, then block access.”
You’re required to have an Azure AD Premium P1, Azure AD Premium P2, or Microsoft 365 Business Premium license. Conditional access policies are also included in the following licenses:
- Microsoft 365 E3 & E5
- Microsoft 365 F3
- Enterprise Mobility + Security E3 (EMS E3), and E5 (EMS E5)
Creating your first conditional access policy
Let’s create a conditional access policy that requires all our admins to use MFA to sign in to Microsoft 365.
1. Log in to Azure Active Directory admin center > All services > Azure AD Conditional Access > New Policy > Create new policy.
2. Set the name to “Require MFA for admins”.
3. Click 0 users or workload identities selected. Click Select users and groups > Directory roles. Then click each role that has administrator in its name.
4. Click No cloud apps, actions, or authentication contexts selected. Click All cloud apps.
5. Click 0 controls selected under Grant. Click Require multi-factor authentication. Click Select. Click On under Enable policy.
6. At this point you may see a warning saying “Don’t lock yourself out!”. Read the recommendation carefully and then decide whether to exclude yourself from the policy.
7. Click Create.
That’s it. You are now requiring your administrators to configure and use MFA when they log in to Office 365. Now let’s break down the parts of the conditional access policy configuration.
Understanding conditional access policies
The conditional access policy is broken into two sections: assignments and Access controls.
The assignments section contains the filters. This is where you decide which users, device operating systems, and apps the policy affects.
The Access controls section provides your allow / block controls. It’s also where you decide things like “require MFA” or block persistent browser sessions.
User or workload identities
In this section, you’re deciding which user accounts will be affected by the policy. You can set up a specific list of users, for example just yourself, to test out a policy. You can select a group, which includes everyone in that group, or you can select admin roles to affect only users that are assigned the specific admin role. Lastly, you can exclude users. For example, you can create a policy that includes All users and then exclude guest and external users.
Remember, the exclusion will take precedence. So if you select to include a user then exclude the user, the user will be excluded from the policy.
Cloud apps or actions
The cloud apps or actions section is where you can filter the conditional access policy based on the app. For example, you may need to require MFA for email access but all other access doesn’t require MFA. If you only wanted the policy to affect email then you would click Select apps > Office 365 Exchange Online.
Conditions
Conditions provide an additional layer of filtering. From here you can select whether the policy only affects users when certain other criteria are met. For example, you may want to require MFA only when there’s a high user / sign-in risk. Or you may want to block access altogether from certain countries. Or maybe there are no Android devices in your organization. You can easily select Android devices from this page.
Access Controls: Grant
From the access controls > grant section you can decide what happens when the criteria above are met. For example, you may want to block access. Or you may want to require multi-factor authentication. Or you may want to require the device to be marked compliant in Intune. It’s all possible in conditional access policies.
Access Controls: Session
Finally, the session controls. From the session tab, you can set if the user can save their browser session or if they have to sign in again after closing the browser. Or you can set how often users need to re-authenticate when using apps like Outlook or Microsoft Teams.
Review the status of conditional access policies
So, you may be wondering: if I create a policy that blocks sign-ins from non-compliant devices, how can I view who’s getting blocked? Fortunately, Microsoft has made it easy.
1. Sign in to Azure Active Directory admin center > Users > Sign-in logs > click the sign-in you want to investigate > Conditional access.
From this page you can see all the conditional access policies, whether they were applied to the sign-in, and whether the attempt passed or failed. To see more information on a conditional access policy, click on it.
Force multi-factor authentication while not in the main office
Now, let’s get a little trickier. Let’s say the MFA prompt every time a user logs on is too much for your organization. Maybe you only want to prompt for MFA when users are not in your main office. How do you do it?
1. Sign in to Azure Active Directory admin center > All services > Azure AD Conditional access > Named locations.
2. Click IP ranges location. Set the name to "Main office". Click Mark as trusted location. Click the plus (+) sign and add your office’s public IP address with its subnet prefix (for example 184.108.40.206/32). Click Add. Click Create.
3. Go back to Azure AD Conditional access > policies. Click New policy > Create new policy.
4. Enter a name of “Require MFA”.
5. Click 0 users or workload identities selected. Click All users.
6. Click No cloud apps, actions, or authentication contexts selected. Click All cloud apps.
7. Click 0 conditions selected. Click Not configured located under Locations.
8. Set Configure to Yes.
9. Click Exclude. Click Selected locations. Click None. Click Main office. Click Select.
10. Click 0 controls selected (under Grant).
11. Click Require multi-factor authentication. Click Select.
12. Click On (under Enable policy). Click Create.
Now when any user logs in from a location other than your main office they’ll be prompted for MFA. When they log in from the main office they won’t be prompted. Of course, if you set up the earlier policy where all admins had to use MFA, then admins will be required to use MFA both inside and outside the office.
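The "series of if statements" described at the top of the page, the exclusion-takes-precedence rule, and the way the two policies built above combine for admins inside the office can be checked with a small evaluator. The following is an added example, not Microsoft's evaluation engine or code from this page; the role names, user names and the sign-in records are constructed, and the named location uses the page's example prefix.

```python
import ipaddress

# Named location from the "Main office" steps; the prefix is the page's example.
NAMED_LOCATIONS = {"Main office": [ipaddress.ip_network("184.108.40.206/32")]}

# The two policies from this page, modelled as assignments plus a grant control.
# Role and user names are constructed labels, not real directory identifiers.
POLICIES = [
    {
        "name": "Require MFA for admins",
        "include_users": set(),                      # "All" or a set of user names
        "include_roles": {"Global Administrator", "Exchange Administrator"},
        "exclude_users": set(),
        "exclude_locations": set(),
        "grant": "mfa",
    },
    {
        "name": "Require MFA",
        "include_users": "All",
        "include_roles": set(),
        "exclude_users": {"guest@example.com"},      # constructed guest exclusion
        "exclude_locations": {"Main office"},        # the location exclusion from step 9
        "grant": "mfa",
    },
]

def in_named_location(ip, name):
    """True if the sign-in IP falls inside any range of the named location."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NAMED_LOCATIONS[name])

def policy_applies(policy, signin):
    """Assignments are filters: include by user or role, then exclusions win."""
    user, roles = signin["user"], signin["roles"]
    included = (policy["include_users"] == "All"
                or user in policy["include_users"]
                or bool(roles & policy["include_roles"]))
    if not included or user in policy["exclude_users"]:
        return False  # an excluded user is out even if also included
    if any(in_named_location(signin["ip"], loc) for loc in policy["exclude_locations"]):
        return False  # sign-in from an excluded named location
    return True

def evaluate(signin):
    """Return (names of policies that apply, set of grant controls required)."""
    applied = [p["name"] for p in POLICIES if policy_applies(p, signin)]
    controls = {p["grant"] for p in POLICIES if p["name"] in applied}
    return applied, controls

if __name__ == "__main__":
    for ip in ("184.108.40.206", "203.0.113.5"):  # in office, then outside (constructed)
        print(ip, evaluate({"user": "admin@example.com", "roles": {"Global Administrator"}, "ip": ip}))
```

Run as a script it shows that the admin gets the MFA control from both locations, while a regular user only gets it away from the office.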
There’s a ton more you can do with conditional access policies including preventing users from downloading, printing, and syncing files in SharePoint Online and secure on-premises VPNs. Don’t worry, we’ll cover both of these options in a later lesson.