Do you use Conditional Access policies?

Last updated by Brady Stroud [SSW] about 1 month ago.

Did you know that you can stop your users from logging into any of your Azure or Office 365 resources based on the location they are in? What about restricting the types of devices they can connect from, or only allowing connections that use MFA? All of these restrictions are possible.

This seriously limits the attack surface and also helps to stop compromised devices and accounts from being used.

Figure: Bad example - No locations set up

Configure locations

First, add the locations that your office and users work from.

  1. Go to https://endpoint.microsoft.com | Endpoint security | Conditional Access | Named locations
  2. Click + Countries location and add required countries

    Figure: Add a location

  3. Add as many as you require for your users to access

    Figure: Every location that your users work from

Configure policies

Now configure some policies to implement these rules.

  1. Go to https://endpoint.microsoft.com | Endpoint security | Conditional Access | Policies
  2. Select New policy | Create new policy

    Figure: Add a conditional access policy

  3. Give it a name, then select Cloud apps or actions | Select All cloud apps

    Figure: Add all cloud apps

  4. Select Conditions | Locations, then set Configure to Yes and Include to "Any location"

    Figure: Choose any location

  5. On Exclude, choose Selected locations and then exclude your workers' countries (e.g. Australia)

    Note: It must be done this way because a user who matches a block access rule can never log in; the allowed locations have to be carved out of the block rule rather than listed in it.

    Figure: Exclude good locations

  6. Now select Block access for this rule

    Figure: Block access

Create a grant rule

  1. Similarly, create a rule that applies to all cloud apps, as above
  2. This rule is the same as the one above, except that you should not set any conditions and should set the access control to Grant access with MFA

    Figure: Add a grant with MFA

  3. You will notice that each of these rules has a 'Report only' mode and an enforcing 'On' mode. Leave it in report-only mode and monitor the audit logs.

    Check for any failures and apply the rules to only a small subset of your users before changing them to 'On'. This is very important, because a wrong rule can stop everyone, including yourself, from logging in.

    Figure: Choose report only until you are sure that your rules work
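The same three steps (named location, block rule, MFA grant rule) can be scripted with the Microsoft Graph PowerShell SDK so the policy is reviewable before it is applied. This is an added example, not code from the SSW page; it assumes the Microsoft.Graph.Identity.SignIns module is installed and that you supply the object IDs of a small pilot group and of an admin account that must never be blocked (both placeholders below).

```powershell
# Added example (not from the SSW page). Assumed inputs: object IDs of a pilot
# group and of a break-glass admin account, both placeholders to be replaced.
$PilotGroupId     = "00000000-0000-0000-0000-000000000001"  # placeholder
$BreakGlassUserId = "00000000-0000-0000-0000-000000000002"  # placeholder

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# "Configure locations": one country-based named location (Australia).
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Worker countries"
    countriesAndRegions               = @("AU")
    includeUnknownCountriesAndRegions = $false
}

# Block rule: Include "Any location", Exclude the worker countries, Block access.
# Created in report-only state, scoped to the pilot group, break-glass excluded
# so the rule can never lock out the person who has to fix it.
$blockPolicy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "Block sign-in from outside worker countries"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        applications = @{ includeApplications = @("All") }
        users        = @{ includeGroups = @($PilotGroupId); excludeUsers = @($BreakGlassUserId) }
        locations    = @{ includeLocations = @("All"); excludeLocations = @($location.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Grant rule: same apps and users, no location condition, Grant access with MFA.
$grantPolicy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "Require MFA for all cloud apps"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        applications = @{ includeApplications = @("All") }
        users        = @{ includeGroups = @($PilotGroupId); excludeUsers = @($BreakGlassUserId) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Both policies are report-only; check the sign-in logs for unexpected failures first.
$blockPolicy, $grantPolicy | Select-Object DisplayName, State

# Only after the report-only results look right, switch a policy on:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $blockPolicy.Id `
#     -BodyParameter @{ state = "enabled" }
```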

International Travel Notice - Exclude travelling users so they keep their access to work resources while on holiday or overseas

When a user goes overseas and needs access to the company resources, you should temporarily exclude them from the Block Access policy.

Travelling users should give notice and request access before their departure. A good way to do this is via Microsoft Forms:

Figure: Good example - Inform of your travel using an easy form

Otherwise they will get this message:

Figure: Bad example - You get this error message: "You cannot access this right now"

Warwick Leahy
Kaique Biancatti