The configuration options available in Azure Active Directory Conditional Access Policies have grown rapidly over the last few years, and not implementing them at this point would not only be a waste of available features, but more importantly not provide optimal security configuration for cloud resources.
Over the last few years of implementing these policies for different clients, there are several scenarios which come up often and would generally be recommended to all. The most obvious example of this would be requiring MFA for all users for cloud apps, with perhaps some differences between organisations around supplementary access controls, scope and general applicability, for example not requiring it from within explicitly defined IP ranges (gateway addresses) of corporate network boundaries.
Since the number of configuration options has grown, so too has the policy configuration area in the portal. This can be confusing for users who are new to Conditional Access Policies, those who are just looking to initially pilot policies, or those who know what they want from a logical perspective, but wouldn’t know which settings to choose to achieve that requirement.
Policy Templates are currently in Preview, and offer a set of 8 identity driven templates –
- Require multi-factor authentication for admins
- Securing security info registration
- Block legacy authentication
- Require multi-factor authentication for all users
- Require multi-factor authentication for guest access
- Require multi-factor authentication for Azure management
- Require multi-factor authentication for risky sign-ins
- require password change for high-risk users
and 6 device driven templates –
- Require compliant or hybrid Azure AD joined devices for admins
- Block access for unknown or unsupported device platform
- No persistent browser session
- Require approved client apps and app protection
- Require compliant or hybrid Azure AD joined device or multi-factor authentication for all users
- Use application enforced restrictions for unmanaged devices
The templates themselves include a summary for what the policy would do and helpful tips for each template providing a notification of the possible implications and recommendations for each. For example, the following tip is shown when selecting the ‘Require multi-factor authentication for admins’ template
The template takes some automated precautions by excluding the current administrative user from the scope of the policy, which by default when configuring the same policy manually would not happen automatically (but would be suggested in a warning box). As indicated in the warning, there are instances where configuring policies with too broad a scope could have a negative impact and potentially lock out users, including administrative users, so caution is required.
Configuration
From the Azure Active Directory portal, select ‘Security’ from the left hand pane –
Select ‘Conditional Access’ from the left hand pane, under the ‘Protect’ sub-heading –
Select the ‘New Policy’ drop down and ‘Create new policy from templates (preview)’ –
Select either ‘Identities’ or ‘Devices’ as the template category as required –
Select the required policy template via the radio button –
Accept or modify the specified name of the policy and configure a Policy state of either ‘On’, ‘Off’, or ‘Report-Only’
Select ‘Next’ to proceed to the read-only summary, and ‘Create Policy’ to confirm and create the policy –
Once created, the policy shows in the list of Conditional Access Policies, and can be edited if required if any of the templated settings need adjustment. At this point it can be edited and is shown as if it were a manually created policy.
Whilst Conditional Access Policies are certainly not a one size fits all solution for every organisation, the templates available here provide a collection of recommended settings per policy which can be implemented as appropriate, without having to go through each configuration item and includes a clear description of what each template will achieve.
Once some knowledge and confidence has been gained from seeing the results of implementing the templated policies, policies can be created from scratch, in line with organisational requirements, taking into consideration all of the granular options available within Conditional Access Policies, or simply amending 1 of the templates above to suit.
365Pete.com 