Tutorial / Cram Notes

Conditional Access in Microsoft Security

Conditional Access is a capability used within the Microsoft security framework, particularly in relation to Azure Active Directory (Azure AD), to enforce access controls on cloud applications and services. It is a tool used to implement automated access-control decisions for accessing cloud apps, based on conditions.

With Conditional Access, organizations can automate access-control decisions and enforce them on their network. The system does this by assessing certain conditions and deciding whether to grant access to a user or require additional actions such as multi-factor authentication (MFA), terms of use acceptance, or even block access entirely.

Components of Conditional Access

  • Users or groups: These determine who the policy applies to. For example, you might target specific users, groups, or roles within your organization.
  • Cloud apps or actions: Specifies which applications or user actions the Conditional Access policy applies to.
  • Conditions: These are the signals that are evaluated. Examples include the user’s location, the device they are using, the network they are on, or the risk level associated with the user or sign-in.
  • Controls: If the user and their context satisfy the conditions of the policy, controls are what are enforced. These can be things like requiring MFA, requiring a compliant (or domain-joined) device, or limited access with session controls.

Structure of a Conditional Access Policy

Component Example
Users/Groups Finance Department, Global Administrators
Cloud Apps/Actions Office 365, Dynamics 365
Conditions Sign-in risk level: Medium or above
Controls Require MFA, Require compliant device

Examples of Conditional Access Policies:

  1. Secure Access for Administrators: To ensure that only trusted administrators can make significant changes to your environment, a Conditional Access policy could require MFA and a compliant device before allowing access to administrative consoles or tasks.
  2. Location-Based Policies: A common Conditional Access policy is to restrict access to your services from certain geographical locations. For example, you might allow access from within your corporate network but require MFA for sign-ins from other locations.
  3. Risk-Based Conditional Access: These policies use the risk levels associated with a user or their sign-in behavior to determine access. For example, if a sign-in is deemed high risk, access could be automatically blocked, or a password reset might be required.
  4. Device-Based Policies: If you only want company-owned devices to access certain resources, you might require that the devices be domain-joined or compliant with your organization’s device compliance policy before access is granted.

Tabular Comparison of Policies

Policy Name Users Affected Cloud Apps Affected Conditions Controls Implemented
MFA for External Access All Users All Cloud Apps Sign-in from outside corporate network Require MFA
Block High-Risk Sign-Ins All Users All Cloud Apps Sign-in risk level: High Block access
Device Compliance Check All Users Selected Company Apps Device marked ‘non-compliant’ Require device to be compliant
Geo-Blocking Specified Groups Specified Sensitive Apps Sign-in from restricted countries Block access

Conditional Access is a crucial part of modern security strategies, providing a dynamic and automated way to ensure that security requirements are met before granting users access to organizational resources. This increases security while maintaining user productivity, as only the necessary security controls are applied based on the context of the access attempt. For the SC-900 exam, understanding the principles, components, and examples of Conditional Access is vital, as it demonstrates knowledge of how to protect access to applications and data across a cloud environment.

Practice Test with Explanation

True or False: Conditional Access policies apply only after a user has been authenticated.

  • True

Conditional Access policies are enforced after the initial authentication has been completed, and they evaluate the context of user access before allowing access to resources.

True or False: Location-based policies are not an option in Conditional Access.

  • False

Location-based policies are an integral part of Conditional Access, allowing admins to configure access rules based on where the access attempt is coming from.

Which of the following can be used as a condition in Conditional Access policies? (Choose all that apply)

  • A) User risk
  • B) Device type
  • C) Weather conditions
  • D) Sign-in risk
  • E) Time of day

Answer: A, B, D

Conditional Access policies can be based on user risk, device type, and sign-in risk. Weather conditions and time of day are not used as conditions in Azure Conditional Access.

True or False: Conditional Access requires Azure AD Premium.

  • True

Azure Active Directory Premium is required to implement Conditional Access policies as it offers advanced capabilities not available in the free edition.

What purpose does Conditional Access serve in cloud security? (Single select)

  • A) Data encryption
  • B) Password policies management
  • C) Adaptive access control
  • D) Antivirus scanning

Answer: C

Conditional Access provides adaptive access control by evaluating the context of user access requests and enforcing policies that control access.

True or False: Conditional Access can enforce MFA (Multi-Factor Authentication) requirements.

  • True

Conditional Access can be configured to require MFA under certain conditions, enhancing security by requiring additional proof of identity.

Which of the following signals can Conditional Access use to determine access? (Multiple select)

  • A) User group membership
  • B) Time since last password change
  • C) Device compliance
  • D) IP address range
  • E) Favorite color of user

Answer: A, C, D

Conditional Access policies can consider signals such as user group membership, device compliance, and IP address range while favorite color of user is not a signal that these policies use.

True or False: Conditional Access policies can automatically block access based on specified conditions.

  • True

Conditional Access policies have the capability to block access automatically when specified conditions are met, such as a login attempt from a risky IP address.

What is the result of a Conditional Access policy that requires approved client apps?

  • A) Access is granted only via web browsers
  • B) Access is granted only to legacy authentication protocols
  • C) Access is granted only through apps that are deemed secure
  • D) Access is granted only when a device is joined to a domain

Answer: C

If a Conditional Access policy requires approved client apps, access is only granted through applications that are considered secure by the organization.

True or False: Azure Conditional Access policies can enforce session controls within cloud apps.

  • True

Azure Conditional Access includes session controls that govern what a user can do within a cloud app during a session, such as prevent data download, print restrictions, or require the use of web versions of apps.

Which Azure service is primarily used to manage Conditional Access policies?

  • A) Azure Information Protection
  • B) Azure Active Directory
  • C) Microsoft Defender for Endpoint
  • D) Azure Firewall

Answer: B

Conditional Access policies are managed through Azure Active Directory, which is where the security and identity management services are located.

True or False: Conditional Access can be applied to both users and groups in Azure Active Directory.

  • True

Conditional Access can target specific users as well as groups in Azure AD, allowing for granular control over who is subjected to these access policies.

Interview Questions

What is conditional access?

Conditional Access is a policy-based access control feature in Azure Active Directory that provides an additional layer of security for your applications and data.

What is the purpose of conditional access?

The purpose of conditional access is to ensure that only the right people have access to your applications and data.

What can conditional access policies do?

Conditional access policies can enforce multi-factor authentication, block legacy authentication protocols, require device compliance, and more.

How can you create a conditional access policy for Exchange Online?

You can create a conditional access policy for Exchange Online by using the Azure portal or PowerShell.

What are some common use cases for conditional access with Intune?

Some common use cases for conditional access with Intune include requiring device compliance, blocking access from non-compliant devices, and requiring a managed app.

What is a device compliance policy?

A device compliance policy is a policy that checks whether a device is compliant with a set of security requirements, such as whether the device is encrypted or has a password.

What is a managed app?

A managed app is an app that has been enrolled in Intune and can be managed with policies and settings.

How can you use conditional access with Intune to block access from non-compliant devices?

You can use conditional access with Intune to block access from non-compliant devices by requiring device compliance.

What is the purpose of the Azure AD conditional access baseline policies?

The purpose of the Azure AD conditional access baseline policies is to provide a set of preconfigured policies that implement best practices for securing access to your applications and data.

What is an example of a preconfigured Azure AD conditional access baseline policy?

An example of a preconfigured Azure AD conditional access baseline policy is the “Require MFA for admins” policy, which requires multi-factor authentication for all users in the Azure AD administrator role.

0 0 votes
Article Rating
Subscribe
Notify of
guest
47 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
Lina Poortman
1 year ago

Conditional Access is critical for defining security policies that provide access control for apps based on various conditions.

José Quintanilla
1 year ago

In SC-900, understanding Conditional Access policies is fundamental, especially for setting up MFA.

Gökhan Balaban
1 year ago

Can Conditional Access policies target specific cloud apps?

Orhip Otkovich
1 year ago

What is conditional access in the context of Azure AD?

Vilho Lauri
1 year ago

Can someone explain the concept of risk-based conditional access?

Onni Lepisto
1 year ago

Thanks for the information!

Theo Denys
11 months ago

How does conditional access enhance security for remote workers?

Artemiza Gromnickiy
1 year ago

Is it possible to configure conditional access policies based on the risk level of a sign-in attempt?

47
0
Would love your thoughts, please comment.x
()
x