November 2, 2022
|
10
min read
Josh Wittman
Josh Wittman, co-founder of Simeon Cloud, excels in Microsoft 365 through governance, security, and automation. An expert in SaaS, DevOps, and cybersecurity, he innovates in the digital workplace.
A man signing a digital signature on an online contract

Do you remember the last time you accessed something on the internet by answering a CAPTCHA Test? It’s an annoying but necessary measure to keep malicious bots from accessing a website. 

CAPTCHA Tests are a very basic form of if-then conditional access, where if you want to access a resource, you have to complete a test. In a more complicated security setting, you may be required to complete multi-factor authentication or use a compliant device to access a specific resource within an organization. 

Conditional access policies in Azure AD help you use similar if-then arguments to secure resources belonging to your M365 tenant. They enable you to set up specific requirements that a user must meet in order to access a company resource.

Recently, Microsoft announced that it has made a set of pre-built templates available for users to quickly set up conditional access policies in Azure AD. Here, we’ll take a look at what these templates are and how they can help you enforce better security within your organization.

This article covers:

What Is a Conditional Access Policy?

In Microsoft 365, Conditional Access Policies are a series of if-then statements that control access to specific resources and applications using user and device identity signals. 

This can have a variety of applications for organizations, such as blocking risky sign-in behaviors, granting access only to specific locations, and requiring multi-factor authentication for administrative accounts.

Signals can be used to identify risky behaviors and determine the decision of a conditional access policy. Here’s a list of common signals that can be used by Azure AD to decide whether or not to grant access to a specific request:

  • User or group membership
  • IP location information
  • Specific devices and workstations
  • Specific applications
  • Real-time and calculated risk detection
  • Monitoring with Microsoft Defender

The signal will trigger the conditional access policy, either blocking the request outright or requiring the user to meet one of the following conditions to be granted access:

  • Require multi-factor authentication
  • Require device to be marked as compliant
  • Require Hybrid Azure AD joined device
  • Require approved client app
  • Require app protection policy (preview)

It’s also possible to combine multiple conditional access policies to trigger at the same time and grant access only when every single condition is met.

Signal, Decision, Enforcement Access Policies

The New Azure AD Conditional Access Templates

Recently, Microsoft has announced 14 new templates that organizations can use to make the process of setting up a conditional access policy much easier. These templates can be found under Azure portal > Azure Active Directory > Security > Conditional Access > Create new policy from template.

Here’s a complete list of the new templates that have been made available:

Identities:

  • Require multi-factor authentication for admins*
  • Securing security info registration
  • Block legacy authentication*
  • Require multi-factor authentication for all users*
  • Require multi-factor authentication for guest access
  • Require multi-factor authentication for Azure management*
  • Require multi-factor authentication for risky sign-in Requires Azure AD Premium P2
  • Require password change for high-risk users Requires Azure AD Premium P2

Devices:

  • Require compliant or Hybrid Azure AD joined device for admins
  • Block access for unknown or unsupported device platform
  • No persistent browser session
  • Require approved client apps or app protection
  • Require compliant or Hybrid Azure AD joined device or multi-factor authentication for all users
  • Use application enforced restrictions for unmanaged devices

Use CoreView to Implement Conditional Access with Azure AD

CoreView Configuration Manager for Microsoft 365 makes it easier to set up and manage multiple tenants in Microsoft 365. It provides a reliable way to implement conditional access policy templates and roll them out to all your tenants at the same time without fuss.

With CoreView, MSPs and enterprises can roll out conditional access policies across all their tenants as well as roll back new policies should they prove problematic. Everything can be accessed simply by visiting the Reconcile tab in the CoreView dashboard.  

CoreView Configuration Manager for Microsoft 365 helps you create and adhere to baseline configurations with automated drift detection and implement configuration changes at scale across all your tenants. Interested? Sign up for a free demo to see how it all works!

Get a personalized demo today

Created by M365 experts, for M365 experts.