7 do's when deploying Conditional Access:
Security: Meet the 7 do's for Conditional Access
19 Nov, 2023
A framework for IT security provides the necessary guidance for organizations seeking to take a proactive stance in security. Securing identities is one of the six layers that make up Microsoft's Zero Trust Framework. To protect identities and data in the cloud, Azure applies 'Conditional Access'. Vincent Villerius, Managing Consultant and Azure Cloud Solution Architect explains how to use Conditional Access most effectively.
Conditional Access is an Azure AD service that decides whether and how someone can gain access based on various sensors. Conditional access policies can be used to enforce, for example, that administrators must always log in with Multi-Factor Authentication (MFA), or that HR employees can only access personnel files on a managed laptop. Conditional Access is part of the Azure AD Premium P1 subscription. So chances are you can already use it within your current work environment.
- 1
Deploy Conditional Access
It seems like an open door, but we still see organizations using Microsoft 365 and/or Azure, but not yet using Conditional Access. Configuring MFA with Conditional Access can repel as many as 99.9% of attacks on Azure AD accounts, according to Microsoft.
- 2
Configure Break-the-Glass accounts
Break-the-Glass accounts can be deployed the moment you are locked out due to a failure or configuration error with MFA. It is important to provide Break-the-Glass accounts with strong passwords - keeping these in a safe place - and to monitor the use of these accounts.
- 3
Require MFA for all administrators.
Administrators have more rights to the IT environment than other employees. That makes administrators an attractive target for hackers. To take this into account, it is important to start with administrator accounts as soon as Conditional Access is set up.
- 4
Put MFA to work for all users
We still often see user groups being excluded from MFA, for example, because people are expected to find it difficult to log in with MFA. We also see groups being unwittingly excluded as organizations lose track of groups and policies. Therefore, deploy MFA for all users so that these accounts are also less likely to be a target for hackers.
- 5
Enforce the rule that only compliant devices gain access
If data ends up on an unsecured computer, that device forms a new risk for a data breach. Therefore, set up Conditional Access to allow access only from managed, secure devices.
- 6
Require MFA for all applications
It often happens that Conditional Access is set up on a per-application basis. This makes it possible to configure separate policies for each application. Usually this is not necessary and you run the risk of forgetting about new applications. Therefore, configure Conditional Access for all applications and create exceptions as needed.
- 7
Use 'Locations' in Conditional Access Policies
Conditional Access allows measures to be implemented based on location. In practice, we see that this is still not being used much, while it can prevent logging in from unlikely places (do you have colleagues in Azerbaijan?). On the other hand, it can be configured that in familiar locations, MFA is not requested or is requested less frequently.
Learn more
On Security and Microsoft's Zero Trust Framework
Get in touch!
Want to learn more about how your organization is taking an active stance on IT security? Our experts are ready to help!