Consider how authentication has traditionally worked: organizations require users to supply a user ID and password, and from then on the user can access every application, data set and other resource they have been granted permissions for. But what if an attacker has stolen a user's credentials? How can we reduce that risk? This is where Conditional Access comes in 🙂
But the question is, do I really need it? It depends on your case or scenario 😛 but let's dig in, depending on what you're using:
- Security Defaults: To help organizations establish a baseline level of security, Microsoft makes security defaults available to every tenant at no extra cost. The feature is a single on/off switch that automatically enforces the following policies:
  - All users must register for Azure AD MFA
  - Users must complete an MFA challenge when necessary, for example when they sign in from a new device or application
  - Administrators must complete MFA every time they sign in. This applies to nine key Azure AD roles, including Global Administrator, SharePoint Administrator, Exchange Administrator, Conditional Access Administrator and Security Administrator
  - Anyone accessing the Azure portal, Azure PowerShell or the Azure CLI must complete additional authentication
  - All authentication requests made with legacy protocols, which cannot enforce MFA, are blocked
- Azure AD Conditional Access: As you can imagine, for some organizations security defaults are not enough; they want finer-grained control, and that is what Conditional Access provides. With it you can:
  - create a policy that requires administrators, but not regular business users, to complete an MFA step
  - use the user's location and the protocol being used to restrict access
  - deny every request that comes from a particular country, and require MFA for the rest
  - combine multiple policies so that together they put guardrails exactly where you need them
  Note that Conditional Access requires an Azure AD Premium P1 licence and cannot run alongside security defaults: you turn defaults off once your own policies are in place.
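The policies described above, written out with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original post. It assumes the Microsoft.Graph module is installed, that you sign in with an account holding the Conditional Access Administrator role (plus permission to read users and role definitions), that the tenant is licensed for Azure AD Premium P1, that a break-glass account named `breakglass@contoso.com` exists (hypothetical name), and that the country code `XX` is a placeholder you replace. Every policy is created in report-only mode so you can review its effect in the sign-in logs before enforcing it.

```powershell
# Added example (not from the original post). Assumptions: Microsoft.Graph module installed,
# caller holds Conditional Access Administrator, tenant has Azure AD Premium P1,
# "breakglass@contoso.com" is a hypothetical emergency-access account, "XX" is a placeholder country code.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess",
                        "RoleManagement.Read.Directory", "User.Read.All"

# Security defaults and Conditional Access are mutually exclusive. Check the current state;
# only turn defaults off after the policies below exist and have been reviewed in report-only mode.
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($defaults.IsEnabled) {
    Write-Warning "Security defaults are ON. Disable them after reviewing the report-only policies:"
    Write-Warning "  Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:`$false"
}

# Resolve the privileged roles by name instead of hard-coding GUIDs. The built-in role definition
# Id is the role template Id that Conditional Access expects in includeRoles.
$adminRoleNames = @("Global Administrator", "Security Administrator", "Conditional Access Administrator",
                    "Exchange Administrator", "SharePoint Administrator")
$adminRoleIds = foreach ($name in $adminRoleNames) {
    (Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$name'").Id
}

# The break-glass account is excluded from every policy so a misconfigured policy cannot lock the tenant.
$breakGlassId = (Get-MgUser -UserId "breakglass@contoso.com").Id

function New-ReportOnlyPolicy {
    param(
        [string]    $Name,
        [hashtable] $Users,                      # includeUsers / includeRoles assignment
        [string]    $Control,                    # "mfa" or "block"
        [hashtable] $Locations  = $null,         # optional includeLocations / excludeLocations
        [string[]]  $ClientApps = @("all")       # "all", or legacy types such as "other"
    )
    $Users.excludeUsers = @($breakGlassId)
    $conditions = @{
        users          = $Users
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = $ClientApps
    }
    if ($Locations) { $conditions.locations = $Locations }

    New-MgIdentityConditionalAccessPolicy -BodyParameter @{
        displayName   = $Name
        state         = "enabledForReportingButNotEnforced"   # flip to "enabled" after review
        conditions    = $conditions
        grantControls = @{ operator = "OR"; builtInControls = @($Control) }
    }
}

# 1. MFA for administrators only (regular business users are not targeted by this policy).
New-ReportOnlyPolicy -Name "CA01 - Require MFA for administrators" `
    -Users @{ includeRoles = $adminRoleIds } -Control "mfa"

# 2. Block legacy authentication: Exchange ActiveSync and "other" clients cannot complete MFA.
New-ReportOnlyPolicy -Name "CA02 - Block legacy authentication" `
    -Users @{ includeUsers = @("All") } -Control "block" `
    -ClientApps @("exchangeActiveSync", "other")

# 3. Deny every request from a given country. A country named location is created first,
#    then referenced by the policy. includeUnknownCountriesAndRegions decides whether sign-ins
#    whose IP cannot be geolocated are treated as coming from the blocked set.
$blockedCountries = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Blocked countries"
    countriesAndRegions               = @("XX")
    includeUnknownCountriesAndRegions = $false
}
New-ReportOnlyPolicy -Name "CA03 - Block sign-ins from blocked countries" `
    -Users @{ includeUsers = @("All") } -Control "block" `
    -Locations @{ includeLocations = @($blockedCountries.Id) }

# 4. ...and require MFA for everything else. Policies are evaluated together: if CA03 blocks
#    a sign-in, CA04 never grants it; any "block" result wins over a satisfied "mfa" grant.
New-ReportOnlyPolicy -Name "CA04 - Require MFA for all users" `
    -Users @{ includeUsers = @("All") } -Control "mfa"
```

After the policies have run in report-only mode for a while, check the "Report-only" result on entries in the Azure AD sign-in logs (or the What If tool in the portal) before changing `state` to `enabled`, and only then disable security defaults.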
Azure AD Conditional Access is an extremely valuable tool for implementing a Zero Trust model, because it supports all three core principles of that strategy:
- Least privilege — Grants the right access at the right time to only those who need it: trusted locations and IP ranges, stronger controls for privileged users, and controlled access to sensitive applications and content.
- Verify explicitly — Continually verifies identities as users move around the environment, for example by requiring MFA when a user appears on a new device or from a new location.
- Assume breach — Weak passwords, password spraying and phishing all but guarantee that malicious actors will get hold of valid credentials. Conditional Access lets you block legacy authentication and put stronger access controls in front of your most valuable resources.
As you can see, Azure AD Conditional Access is a powerful tool for strengthening security and for meeting regulatory compliance requirements.