This guide gives a brief overview of creating a new Conditional Access policy that is applied to an end user's authentication attempts against your Microsoft environment.
What are Conditional Access Policies?
Conditional Access policies at their simplest are if-then statements: if a user wants to access a resource, then they must complete an action.
Administrators are faced with two primary goals:
- Empower users to be productive wherever and whenever.
- Protect the organization's assets.
Use Conditional Access policies to apply the right access controls when needed to keep your organization secure.
Role Requirements
Procedure Scope: Administrators
Required Group Membership: Admin.Security
Handbook Reference
Package: TBD
Domain: TBD
Modifies: TBD
Creating a Conditional Access Policy
- Navigate to the Conditional Access – Azure Active Directory portal, then locate and select New Policy.
- Provide a Name for the policy you wish to create; it should hint at what the policy is trying to achieve.
- Make Assignments to the policy, starting with the users or groups it will apply to.
- Always add the organizational Break Glass account as an exclusion to any Conditional Access policy you create, to prevent locking yourself out of your tenant.
- Next, add the Application, Action, or Authentication-based parameter that must be met to gain access to the organizational tenant.
- The final piece of Assignments is Conditions, which restrict the policy to specific defined variables, such as location or a specific OS platform.
- After Assignments have been made, use Access Control to either Block Access if policy compliance isn't achieved on a device, or Grant Access, which allows access when one or more of the defined requirements is met.
- Sessions can be used to limit user access to cloud applications, such as setting a sign-in frequency to prevent users from being permanently logged into the organizational tenant.
- The last step is to select the deployment option for your newly created policy. If you don't want the policy to affect the organizational environment right away, leave it in Report-Only or Off until the appropriate accommodations can be made for deployment.
- If you implement any Access Control feature you will receive a prompt warning you about locking yourself out; since the Break Glass account has already been added as a user exclusion, select the Proceed Anyway option.
- Once the policy is created it will appear in the policies list, which includes details such as name, status, and creation time.
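The same policy expressed with the Microsoft Graph PowerShell SDK, as an added example that is not part of this handbook procedure. It assumes the Microsoft.Graph.Identity.SignIns module is installed; the group and user object IDs are placeholders, and the policy name, sign-in frequency and platform list are illustrative choices.

```powershell
# Added example (not from the handbook): build the policy described in the steps above
# with the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns module).
# The object IDs below are placeholders; replace them with IDs from your own tenant.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All"

$breakGlassUserId = "00000000-0000-0000-0000-000000000001"   # placeholder: Break Glass account
$pilotGroupId     = "00000000-0000-0000-0000-000000000002"   # placeholder: pilot users group

$policy = @{
    displayName = "CA001 - Require MFA for pilot users (report-only)"
    # Report-only: evaluated and logged in the sign-in logs, but not enforced.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @($pilotGroupId)
            excludeUsers  = @($breakGlassUserId)   # the exclusion the procedure insists on
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        platforms      = @{ includePlatforms = @("windows","macOS","iOS","android") }
        locations      = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")     # named trusted locations are exempt
        }
    }
    # Grant access only if MFA is satisfied (OR = one of the listed controls is enough).
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
    # Session control: force re-authentication every 7 days.
    sessionControls = @{
        signInFrequency = @{ isEnabled = $true; type = "days"; value = 7 }
    }
}

# Pre-flight guard matching the portal's lockout warning: refuse to create a
# policy that does not exclude the Break Glass account.
if ($policy.conditions.users.excludeUsers -notcontains $breakGlassUserId) {
    throw "Refusing to create policy: Break Glass account is not excluded."
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Mirrors the final step: the new policy appears with its name, state and creation time.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State, CreatedDateTime
```

Switch `state` to `enabled` only after reviewing the report-only results in the sign-in logs.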
Need Assistance?
Reach out to your Customer Success Manager to discuss how a Sittadel cybersecurity analyst can assist in managing these tasks for you. New to our services? Inquire about arranging a consultation to explore optimizing your Azure environment for painless management.