Conditional Access Policy Creation Procedure

This admin procedure will provide a brief overview of creating a new conditional access policy that will be applied to user authentication attempts into your Microsoft environment.

This article is intended for employees of organizations that use Sittadel's security. Additionally, there are some actions that can only be accomplished by those with administrative privileges.

What are Conditional Access Policies

Conditional Access policies at their simplest are if-then statements: if a user wants to access a resource, then they must complete an action.

Administrators are faced with two primary goals:

  • Empower users to be productive wherever and whenever.
  • Protect the organization's assets.

Use Conditional Access policies to apply the right access controls when needed to keep your organization secure.


Procedure Scope: Administrators

Required Group Membership: Admin.UserSecurity


Creating a Conditional Access Policy

  1. Navigate to Azure Active Directory, open Conditional Access, and select New Policy.
  2. Provide a Name for the policy you wish to create; the name should indicate what the policy is trying to achieve.
  3. Make Assignments to the policy, starting with the users or groups that it will apply to.
  4. Always add the Organizational Break Glass account as an exclusion to any conditional access policy you create, to prevent locking yourself out of your tenant.
  5. Next, add the application, action, or authentication-based parameters that must be met to gain access to the organizational tenant.
  6. The final piece of Assignments is Conditions, which make the policy apply only to specific defined variables, such as a location or a specific OS platform.
  7. After Assignments have been made, use Access Controls to either Block Access if policy compliance isn’t achieved on a device, or Grant Access, which allows access if one or more of the defined requirements is met.
  8. Session controls can be used to limit user access to cloud applications, such as setting a sign-in frequency to prevent users from being permanently logged into the organizational tenant.
  9. The last step is to select the deployment option for your newly created policy. If you don’t want the policy to affect the organizational environment right away, leave it in Report-Only or Off until the appropriate accommodations can be made for deployment.
  10. If you implement any Access Control feature, you will receive a prompt to prevent locking yourself out. Because the Break Glass account was already included as a user exclusion, select the Proceed Anyway option.
  11. Once a policy is created, it will appear in the policies list with details such as name, status, and creation time.
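The same policy can be created from a script instead of the portal, which makes the break-glass exclusion and the Report-Only starting state easy to enforce every time. The following is an added example written for this page, not part of the original procedure or of Sittadel's own tooling; it uses the Microsoft Graph PowerShell SDK, and the two object IDs ($breakGlassId and $targetGroupId) are placeholders you must replace with your tenant's values.

```powershell
# Added example: scripted equivalent of steps 1-11 above using Microsoft Graph PowerShell.
# Assumptions (placeholders, replace with your tenant's values):
#   $breakGlassId  - object ID of the Organizational Break Glass account
#   $targetGroupId - object ID of the group the policy should apply to
# Requires: Install-Module Microsoft.Graph.Identity.SignIns

$breakGlassId  = '00000000-0000-0000-0000-000000000001'   # placeholder
$targetGroupId = '00000000-0000-0000-0000-000000000002'   # placeholder

# Step 1: sign in with a scope that permits writing Conditional Access policies
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Steps 2-9: build the policy body
$policy = @{
    displayName = 'CA-Require-MFA-Outside-Trusted-Locations'   # Step 2: name states the intent
    state       = 'enabledForReportingButNotEnforced'          # Step 9: start in Report-Only
    conditions  = @{
        users = @{
            includeGroups = @($targetGroupId)   # Step 3: who the policy applies to
            excludeUsers  = @($breakGlassId)    # Step 4: break glass exclusion
        }
        applications = @{
            includeApplications = @('All')      # Step 5: all cloud applications
        }
        locations = @{                          # Step 6: condition on location
            includeLocations = @('All')
            excludeLocations = @('AllTrusted')
        }
        clientAppTypes = @('all')
    }
    grantControls = @{                          # Step 7: Grant Access, requiring MFA
        operator        = 'OR'
        builtInControls = @('mfa')
    }
    sessionControls = @{                        # Step 8: sign-in frequency of one day
        signInFrequency = @{
            isEnabled = $true
            type      = 'days'
            value     = 1
        }
    }
}

# Pre-flight check, the scripted counterpart of the Step 10 lock-out prompt:
# refuse to create the policy if the break glass account is not excluded.
if ($policy.conditions.users.excludeUsers -notcontains $breakGlassId) {
    throw 'Refusing to create policy: the Break Glass account is not excluded.'
}

# Step 11: create the policy and show the fields the portal's policy list displays
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object DisplayName, State, CreatedDateTime, Id
```

Keep the state at enabledForReportingButNotEnforced until the sign-in logs confirm the policy matches only the sign-ins you intended; changing state to enabled is then a single property update rather than a new policy.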

You're Finished!

You should have successfully deployed a new conditional access policy that enforces your specified conditions and will be applied to the specified users' authentication attempts. For any other problems or questions, reach out to us!