Understanding conditional access policies

Nowadays, modern security extends beyond the boundaries of an organization's network to include user and device identity. These identity signals can be used by organizations as part of their access control decisions.

Azure Active Directory provides conditional access to bring all of those identity signals together. These signals can then be used to make access decisions and to enforce rules and policies based on them.

In their most basic form, conditional access policies are if-then statements: if a user wants to access a certain resource, they must complete a certain action. For instance, a guest user who wants to access data stored in an Azure SQL database is required to perform multi-factor authentication before access is granted. This serves administrators' two main goals: protecting the organization's assets and empowering users to be productive wherever and whenever they work. By implementing conditional access policies, you can apply the right access controls for each combination of signals, keeping the organization's data and assets secure while letting different types of users and devices get access easily. With conditional access policies, you have the choice to block access or grant access based on those signals.

The following common signals can be taken into account when policy decisions need to be made:

  • User or group membership: Administrators can get fine-grained control over access by targeting policies for specific users and groups.
  • Device: Policies and rules can be enforced for specific devices or platforms.
  • Application: Different conditional access policies can be triggered when users are trying to access specific applications.
  • IP Location information: Administrators can specify IP ranges and addresses to block or allow traffic from.
  • Microsoft Cloud App Security (MCAS): User applications and sessions can be monitored and controlled in real time. This increases control and visibility over access and activities inside the cloud environment.
  • Real-time and calculated risk detection: The integration of signals with Azure AD Identity Protection allows conditional access policies to identify risky sign-in behavior. Administrators can then respond to these risk levels by enforcing conditional access policies that require multi-factor authentication (MFA) or a password change, which lowers the risk, or by blocking access altogether.

Implementing a conditional access policy could come up as an exam question. For a complete walkthrough on how to enable MFA for specific apps using a conditional access policy, you can refer to the following website: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/app-based-mfa.
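As an added example (not code from the book), the if-then rule described above expressed as a conditional access policy and created with the Microsoft Graph PowerShell SDK: members of a guest-user group must complete MFA to reach one specific application. The group, application and emergency-access account IDs are placeholders, and the policy is created in report-only state so its decisions can be reviewed in the sign-in logs before it is enforced.

```powershell
# Added example, not the book's own code. Requires the Microsoft.Graph PowerShell SDK.
# Placeholder object IDs: replace them with the IDs from your own tenant.
$guestGroupId = "00000000-0000-0000-0000-000000000001"   # group containing the guest users
$targetAppId  = "00000000-0000-0000-0000-000000000002"   # application (service principal) to protect
$breakGlassId = "00000000-0000-0000-0000-000000000003"   # emergency-access account, always excluded

# Sign in with a permission scope that allows managing conditional access policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# The policy is an if-then statement:
#   IF   a user in the guest group signs in to the target application (any client app type)
#   THEN require multi-factor authentication before access is granted.
$policy = @{
    displayName = "CA01 - Require MFA for guests accessing the data app"
    # Report-only: the decision is logged but not enforced, so the policy can be
    # validated against real sign-ins before its state is changed to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @($guestGroupId)
            excludeUsers  = @($breakGlassId)     # never lock out the emergency account
        }
        applications = @{
            includeApplications = @($targetAppId)
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '$($created.DisplayName)' (id $($created.Id)) in state $($created.State)"

# List the full policy set afterwards: when several policies match a sign-in, a
# "block" grant control takes precedence over any grant, so check for conflicts.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

Once the report-only results look right, update the policy's state to "enabled" to start enforcing the MFA requirement.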

In the next section, we are going to cover how we can join devices directly to Azure AD. 
