Today we are going to talk about Azure AD Conditional Access. The idea behind Conditional Access is that you control access to your IT environment by defining the conditions your users must meet before they can reach company resources, for example Exchange Online, SharePoint Online or OneDrive.
Basically you create a policy that says, for example, that users who are outside your physical office (does that still exist?), who are using a company-provided device and who complete multi-factor authentication are allowed to access SharePoint. You can choose to only record what the policy would have done (Report-only mode) or to actually grant or deny access when the user does not meet the conditions you stipulated.
In the past, one of the ways to perform this kind of control was ADFS with claim rules, but many companies thought twice before implementing it because of the complexity of the environment and because it adds another point of failure: if ADFS went down, sign-in to the whole environment would be unavailable. One advantage of ADFS, depending on how much control you need, is cost. Conditional Access requires an Azure AD Premium P1 license for the users in scope, whereas the cost of ADFS is the virtual machines, a public certificate, a public IP, NAT and load balancing (in an environment with redundancy).
Anyway, let's leave theory aside and see how to configure Conditional Access.
Go to the Azure Portal, type Conditional Access in the search box and then click the Conditional Access blade.
As a first step I suggest that you add your trusted locations (Named Locations), that is, the networks you know. Click Named Locations and then select one of the options: 1 - Countries location or 2 - IP ranges location. I opted for option 2 and added the IPs/IP ranges of my trusted locations. Make sure the "Mark as trusted location" box is ticked, otherwise the "All trusted locations" exclusion used later in the policy will not match this network.
PS: The IP shown above is just an example, not a valid address.
Now that you have trusted locations, let's create a Conditional Access policy. Still on the Conditional Access blade, click Policies and then New policy.
Name your policy and choose the users and groups that will be included in or excluded from the policy. In my scenario, I just selected the Test IT user to be included in this policy.
Now, under Cloud apps or actions, you need to choose which applications are in the scope of your policy; you can opt for all cloud apps or select only the ones that contain sensitive data. In my example I used SharePoint Online only.
Now that you have defined the scope of users, applications and trusted locations, it is time to configure the conditions the user must "be in" for the policy to apply to the access attempt (it works both ways: the same conditions can be used to deny access, depending on the access control you choose in the next step).
In the scenario above: Device platforms: All; Locations: all locations, excluding trusted locations; Client apps: All; Device state: All.
Finally, under Access controls, you determine the action that will be taken when a user matching the conditions tries to access the application (SharePoint Online in this scenario). If you select more than one control, choose whether all of the selected controls or just one of them must be satisfied.
Click Select and then Create.
In my scenario, a user coming from an untrusted location can only reach SharePoint if they complete MFA and are on a device joined to the domain (the "Require Hybrid Azure AD joined device" control), with both controls required; from a trusted location the policy does not apply at all.
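The same named location and policy can be created from the command line, which is handy when you want the configuration in source control or need to reproduce it across tenants. The block below is an added example using the Microsoft Graph PowerShell SDK; it is not code from the original post. The IP range, display names, the user principal names (testit@contoso.com, breakglass@contoso.com) and the excluded break-glass account are assumptions for illustration; the SharePoint Online application ID is the first-party app ID that the portal selects when you pick "Office 365 SharePoint Online". The policy is created in report-only mode so you can check the sign-in logs before enforcing it.

```powershell
# Added example (not from the original post): build the trusted location and the
# Conditional Access policy described above with the Microsoft Graph PowerShell SDK.
# Assumes the Microsoft.Graph module is installed and the signed-in account can
# manage Conditional Access. Names, UPNs and the IP range are placeholders.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All"

# 1. Named location for the corporate network. isTrusted = $true is what makes
#    this network count for the "All trusted locations" exclusion in the policy.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Corporate office"              # assumed name
    isTrusted     = $true
    ipRanges      = @(
        @{
            "@odata.type" = "#microsoft.graph.iPv4CidrRange"
            cidrAddress   = "203.0.113.0/24"        # documentation range; replace with your own
        }
    )
}

# 2. Resolve the test user to include (the post scoped the policy to a "Test IT"
#    user) and a break-glass account to exclude, so a mistaken policy cannot lock
#    every administrator out of the tenant. Both UPNs are assumptions.
$testUser   = Get-MgUser -Filter "userPrincipalName eq 'testit@contoso.com'"
$breakGlass = Get-MgUser -Filter "userPrincipalName eq 'breakglass@contoso.com'"

# First-party application ID of Office 365 SharePoint Online.
$sharePointOnlineAppId = "00000003-0000-0ff1-ce00-000000000000"

# 3. The policy, mirroring the portal choices: SharePoint Online only, all device
#    platforms, all locations except trusted ones, all client apps, and access
#    granted only when MFA AND a hybrid Azure AD joined device are both present.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "SPO - require MFA and hybrid joined device outside trusted networks"
    # Report-only first; switch to "enabled" once the sign-in logs look right.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers = @($testUser.Id)
            excludeUsers = @($breakGlass.Id)
        }
        applications   = @{ includeApplications = @($sharePointOnlineAppId) }
        platforms      = @{ includePlatforms = @("all") }
        locations      = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "AND"                            # "Require all the selected controls"
        builtInControls = @("mfa", "domainJoinedDevice")   # domainJoinedDevice = Hybrid Azure AD joined device
    }
}

# 4. Read the policy back and check the controls before enforcing it.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id |
    Select-Object DisplayName, State,
        @{ n = "Controls"; e = { $_.GrantControls.BuiltInControls -join " $($_.GrantControls.Operator) " } }

# 5. Once report-only results are as expected, enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter @{ state = "enabled" }
```

Leaving the policy in report-only mode for a few days and reviewing the "Report-only" column in the sign-in logs is the safest way to confirm that the trusted-location exclusion and the device control behave as intended before any user is actually blocked.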
OK, now I'm going to test access from a personal device to see whether Conditional Access allows SharePoint access or not (the result should be access denied).
Here we go, access successfully denied \0/. I suggest you play with the tool to suit your needs. If you have any questions, leave them in the comments; see you in the next post.