What's a conditional access policy?

Conditional access policies help organizations improve security and compliance. Conditional Access is the policy engine in Azure AD (now Microsoft Entra ID) that decides, after a user has passed first-factor authentication, whether a sign-in to Microsoft 365 is allowed, blocked, or allowed only with extra requirements such as MFA. Let me explain.

In the simplest terms, it’s a series of if statements. For example, you can create a conditional access policy to require all members of a particular group to use Multi-Factor Authentication to log in to Microsoft 365. “If the user is part of group X then require MFA”.

You can set a lot of different options in conditional access policies. For example, you can create a policy so a certain set of users can only sign in from specific IP addresses (defined as a named location, which we'll set up later). “If the user is part of group X and is not signing in from the office range 203.0.113.0/24 then block access”

License Requirements

You’re required to have an Azure AD Premium P1 license, an Azure AD Premium P2 license, or a Microsoft 365 Business Premium license. Conditional access policies are also included in the Microsoft 365 E3, Microsoft 365 E5 and Microsoft 365 F3 plans, as well as Enterprise Mobility + Security E3 (EMS E3) and Enterprise Mobility + Security E5 (EMS E5). One caveat: the risk-based conditions (user risk and sign-in risk, covered below) come from Identity Protection and need Azure AD Premium P2; every other condition and control in this lesson works with P1.

Creating your first conditional access policy

Let’s create a conditional access policy that requires all our admins to use MFA to sign in to Microsoft 365.

1. Sign in to the Azure Active Directory admin center > All services > Azure AD Conditional Access > New Policy > Create new policy.

Create a conditional access policy

2. Set the name to “Require MFA for admins”.

Name your conditional access policy

3. Click 0 users or workload identities selected. Click Select users and groups > Directory roles. Then tick each role that has Administrator in its name. While you're here, open the Exclude tab and add your emergency-access (break-glass) account; step 6 explains why.

set conditional access policy to apply to admins

4. Click No cloud apps, actions, or authentication contexts selected. Click All cloud apps.

Conditional access policy set all cloud apps

5. Click 0 controls selected under Grant. Click Require multi-factor authentication. Click Select. Under Enable policy click On, or click Report-only if you want the policy evaluated and written to the sign-in logs without actually being enforced yet.

conditional access policy require mfa

6. At this point you may see a warning saying “Don’t lock yourself out!”. Read the recommendation carefully. Because this policy targets every administrator role, a mistake (or an MFA outage) can lock all of your admins out at once. The usual safeguards are to exclude at least one emergency-access (break-glass) account from every policy, keep that account's credentials offline and its sign-ins monitored, and roll the policy out in Report-only mode or to a small pilot group before enabling it for everyone.

Conditional access warning: Don't lock yourself out! We recommend applying a policy to a small set of users first to verify it behaves as expected.

7. Click Create.

That’s it. From their next sign-in, your administrators will be required to use MFA when they sign in to Microsoft 365; an admin who hasn't registered an MFA method yet will be walked through registration at that point. Now let’s break down the parts of the conditional access policy configuration.
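The same policy can be created with the Microsoft Graph PowerShell SDK. The script below is an added example, not code from the original page, and it goes slightly beyond the portal steps: it creates the policy in Report-only mode and excludes a break-glass account. It assumes the Microsoft.Graph modules are installed, that the signed-in account can manage Conditional Access, and that a break-glass user named breakglass@contoso.onmicrosoft.com exists (that UPN and tenant name are placeholders).

```powershell
# Added example: create "Require MFA for admins" with the Microsoft Graph PowerShell SDK.
# Assumes Install-Module Microsoft.Graph has been run and the signed-in account can
# manage Conditional Access. The break-glass UPN below is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "RoleManagement.Read.Directory", "User.Read.All"

# Mirror the portal step "tick each role that has Administrator in its name".
# includeRoles takes directory role *template* IDs, so resolve them by display name.
$adminRoleIds = @(
    Get-MgDirectoryRoleTemplate |
        Where-Object { $_.DisplayName -like '*Administrator*' } |
        Select-Object -ExpandProperty Id
)

# Exclude the emergency-access account so one broken policy cannot lock every admin out.
$breakGlass = Get-MgUser -UserId "breakglass@contoso.onmicrosoft.com"   # placeholder UPN

$policy = @{
    displayName = "Require MFA for admins"
    # Start in report-only; change to "enabled" once the sign-in logs show no surprises.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeRoles = $adminRoleIds
            excludeUsers = @($breakGlass.Id)
        }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '$($created.DisplayName)' ($($created.Id)) in state $($created.State)"
```

The hashtable passed to -BodyParameter is the same JSON the Graph API accepts at POST /identity/conditionalAccess/policies, so the same structure works from any language that can call the REST API.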

Understanding conditional access policies

A conditional access policy is broken into two sections: Assignments and Access controls.

The Assignments section holds the filters. This is where you decide which users, cloud apps, device platforms, locations and other conditions the policy applies to.

The Access controls section holds the decision: grant or block. It's also where you set requirements such as “require MFA” or “require a compliant device”, and session behaviour such as blocking persistent browser sessions.

User or workload identities

conditional access policy users or workload identities

In this section, you’re deciding which user accounts will be affected by the policy. You can set up a specific list of users, for example, yourself to test out a policy. You can select a group that would include everyone in the group or you can select admin roles to affect only users that are assigned the specific admin role. Lastly, you can exclude users. So you can create a policy to include All users, then you can exclude guest and external users.

Remember, the exclusion will take precedence. So if you select to include a user then exclude the user, the user will be excluded from the policy.

Cloud apps or actions

Conditional access policy cloud apps or actions

The cloud apps or actions section is where you filter the conditional access policy based on the app. For example, you may need to require MFA for email access while all other access doesn't require MFA. If you only wanted the policy to affect email you would click Select apps > Office 365 Exchange Online. Be aware that Microsoft recommends targeting the grouped “Office 365” app rather than individual services, because the services depend on each other and mailbox data is also reachable through apps other than Exchange Online; a policy scoped to a single app is easy to sidestep.

Conditions

conditional access policy conditions

Conditions provide an additional layer of filtering. From here you can make the policy apply only when certain other criteria are met. For example, you may want to require MFA only when there's a high user risk or sign-in risk (this needs Identity Protection, i.e. Azure AD Premium P2). Or you may want to block access altogether from certain countries. Or maybe there are no Android devices in your organization, and you can select Android under Device platforms and block it. Keep in mind that the device platform is derived from the user agent, which the client controls, so Microsoft does not treat it as a security boundary on its own; combine it with device compliance or use it in a block policy.

Access Controls: Grant

Conditional access policy grant

From the Access controls > Grant section you decide what happens when the criteria above are met. For example, you may want to block access. Or you may want to require multi-factor authentication. Or you may want to require the device to be marked compliant in Intune. It's all possible in conditional access policies.

Access Controls: Session

conditional access policy session

Finally, the session controls. From the Session tab, you can use Persistent browser session to decide whether users stay signed in after closing the browser or have to sign in again, and Sign-in frequency to set how often users must re-authenticate when using apps like Outlook or Microsoft Teams.

Review the status of conditional access policies

So, you may be wondering, if I create a policy that blocks sign-ins from non-compliant devices how can I view who’s getting blocked? Fortunately, Microsoft has made it easy.

1. Sign in to the Azure Active Directory admin center > Users > Sign-in logs > click the sign-in you want to investigate > Conditional Access. Policies in Report-only mode show up on the separate Report-only tab of the same sign-in.

conditional access policy logs

From this page you can see every conditional access policy, whether it applied to the sign-in, and whether the attempt passed or failed it (Success, Failure or Not applied). To see more information on a policy, click on it.
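Clicking through sign-ins one at a time doesn't scale, so here is an added example (not from the original page) that pulls the same data with the Microsoft Graph PowerShell SDK and lists every sign-in in the last day that a policy blocked or interrupted, including what Report-only policies would have done. It assumes the Microsoft.Graph modules are installed and the signed-in account can read the audit logs.

```powershell
# Added example: find sign-ins that a Conditional Access policy failed or would have failed.
# Needs the Microsoft.Graph modules; AuditLog.Read.All and Directory.Read.All are the
# permissions Microsoft documents for reading sign-in logs.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

# Look at the last 24 hours (widen or narrow the window for a real tenant).
$since   = (Get-Date).AddDays(-1).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

$signIns | ForEach-Object {
    $s = $_
    # Each sign-in carries one entry per policy with that policy's evaluation result.
    foreach ($p in $s.AppliedConditionalAccessPolicies) {
        # 'failure' = enforced policy not satisfied (blocked, or MFA never completed);
        # the reportOnly* results show what a Report-only policy would have done.
        if ($p.Result -in 'failure', 'reportOnlyFailure', 'reportOnlyInterrupted') {
            [pscustomobject]@{
                When     = $s.CreatedDateTime
                User     = $s.UserPrincipalName
                App      = $s.AppDisplayName
                IP       = $s.IPAddress
                Policy   = $p.DisplayName
                Result   = $p.Result
                Controls = ($p.EnforcedGrantControls -join ', ')
            }
        }
    }
} | Sort-Object Policy, When | Format-Table -AutoSize
```

Run this daily while a policy sits in Report-only mode: if the only hits are the ones you expect (for example admins who haven't registered MFA yet), the policy is safe to enable.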

Force multi-factor authentication while not in the main office

Now, let’s get a little trickier. Let’s say the MFA prompt every time a user logs on is too much for your organization. Maybe you only want to prompt for MFA when users are not in your main office. How do you do it?

1. Sign in to Azure Active Directory admin center > All services > Azure AD Conditional access > Named locations.

conditional access policy new named location

2. Click IP ranges location. Set the name to "Main office". Click Mark as trusted location. Click the plus (+) sign and add your office's public IP address with a subnet mask (for example 203.0.113.10/32). Click Add. Click Create. This must be the address your office traffic leaves the network with (the public egress IP), not an internal 10.x or 192.168.x range, and it should be as narrow as possible, because anything that can send traffic through that address will be treated as “in the office”. Note that marking a location as trusted also lowers the risk Identity Protection assigns to sign-ins from it.

conditional access policy named location by ip address

3. Go back to Azure AD Conditional access > policies. Click New policy > Create new policy.

4. Enter a name of “Require MFA”.

5. Click 0 users or workload identities selected. Click All users.

6. Click No cloud apps, actions, or authentication contexts selected. Click All cloud apps.

7. Click 0 conditions selected. Click Not configured located under Locations.

8. Set Configure to Yes.

9. Click Exclude. Click Selected locations. Click None. Click Main Office. Click Select.

conditional access policy exclude location

10. Click 0 controls selected (under Grant).

11. Click Require multi-factor authentication. Click Select.

12. Click On (under Enable policy). Click Create.

Now when any user signs in from a location other than your main office they'll be prompted for MFA. When they sign in from the main office they won't be. Of course, if you set up the earlier policy where all admins had to use MFA then admins will be required to use MFA inside and outside the office, because each policy is evaluated independently and a sign-in has to satisfy all of the policies that apply to it. Remember that the office exclusion is a deliberate gap in your MFA coverage: a compromised laptop on the office LAN, or anyone on the guest Wi-Fi if it shares the same egress address, gets the same pass, so keep the trusted range tight and watch the sign-in logs for it.
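Here is the named location and the location-aware policy as code, an added example that is not part of the original lesson. It uses the Microsoft Graph PowerShell SDK and assumes the same things as the earlier script: the Microsoft.Graph modules, an account that can manage Conditional Access, and a placeholder break-glass user breakglass@contoso.onmicrosoft.com. The office IP is an RFC 5737 documentation address, and the policy is named “Require MFA outside the office” here for clarity. It also goes beyond the portal steps by adding the two session controls from the Session tab, so that off-network sessions expire daily and the browser cannot keep the user signed in.

```powershell
# Added example: the "MFA outside the office" policy as code. The office IP range is a
# documentation address (RFC 5737) and the break-glass UPN is a placeholder; replace both.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "User.Read.All"

# 1. Named location for the office's public egress address, marked as trusted.
$office = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Main office"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.10/32" }
    )
}

$breakGlass = Get-MgUser -UserId "breakglass@contoso.onmicrosoft.com"   # placeholder UPN

# 2. Policy: all users, all cloud apps, every location except the office.
$policy = @{
    displayName = "Require MFA outside the office"
    state       = "enabledForReportingButNotEnforced"   # change to "enabled" after review
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlass.Id) }
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($office.Id)   # "AllTrusted" would exclude every trusted location
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
    # Session controls (beyond the portal steps above): re-authenticate daily and
    # never keep the browser session alive after the browser is closed.
    sessionControls = @{
        signInFrequency   = @{ value = 1; type = "days"; isEnabled = $true }
        persistentBrowser = @{ mode = "never"; isEnabled = $true }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created '$($created.DisplayName)' ($($created.Id)) excluding location '$($office.DisplayName)' ($($office.Id))"
```

Because the policy only excludes the one named location, adding a second office later means either adding its range to the same named location or adding the new location to excludeLocations; the earlier admin-MFA policy is untouched and keeps requiring MFA everywhere.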

There’s a ton more you can do with conditional access policies, including preventing users from downloading, printing and syncing files in SharePoint Online, and securing on-premises VPNs. Don’t worry, we’ll cover both of these options in a later lesson.