Section 2 – Secure access by using Azure AD – Implement Conditional Access policies, including multifactor authentication

First, a look at the solutions at hand.

What is Conditional access?

Conditional Access collects signals about each sign-in (who the user is, where they are signing in from, which device and application they are using, and any risk Identity Protection has detected) and makes a decision based on the policies that match: allow the sign-in, require controls such as MFA or a compliant device, or block it.

Here is an excellent picture from Microsoft which explains the flow.

Conceptual Conditional Access process flow

Licensing

You need at least Azure AD Premium P1 to enable Conditional Access.

What could be enabled?

Microsoft currently has a Preview feature for CA templates. These show many examples of what you can enable.

Identity templates

Device templates

Remember that Preview features aren’t covered by certification exams. Once this feature is Generally Available it will be a beautiful addition.

What is Multi-factor Authentication?

Azure AD Multi-Factor Authentication (MFA) supplies added security for your identities by requiring two or more elements for full authentication.

These elements fall into three categories:

  • Something you know – which might be a password or the answer to a security question.
  • Something you possess – which might be a mobile app that receives a notification or a token-generating device.
  • Something you are – which typically is a biometric property, such as a fingerprint or face scan used on many mobile devices.
Conceptual art showing the pieces of MFA.

Licensing

  • Azure Active Directory Premium or Microsoft 365 Business – Both of these offerings support Azure AD Multi-Factor Authentication using Conditional Access policies to require multi-factor authentication.
  • Azure AD Free or standalone Microsoft 365 licenses – Use security defaults that require multi-factor authentication for your users and administrators.
  • Azure Active Directory Global Administrators – A subset of Azure AD Multi-Factor Authentication capabilities are available as a means to protect global administrator accounts.
MFA feature availability by license (the columns are Azure AD Free – security defaults enabled for all users, Azure AD Free – Global Administrators only, Office 365, Azure AD Premium P1 and Azure AD Premium P2):

  • Every tier, including Azure AD Free: protecting Azure AD tenant admin accounts with MFA (in the Free tier without security defaults this covers Azure AD Global Administrator accounts only) and the mobile app as a second factor.
  • Office 365 and above: phone call as a second factor, SMS as a second factor, admin control over verification methods, and remembering MFA on trusted devices.
  • Azure AD Premium P1 and above: fraud alert, MFA reports, custom greetings and custom caller ID for phone calls, trusted IPs, MFA for on-premises applications, and Conditional Access.
  • Azure AD Premium P2 only: risk-based Conditional Access, Identity Protection (risky sign-ins, risky users), Access Reviews, Entitlement Management, and Privileged Identity Management (PIM) with just-in-time access.
The three ways to require MFA compared (security defaults, Conditional Access, per-user MFA):

Management
  • Security defaults: a standard set of security rules to keep your company safe, one-click on/off, included in Office 365 licensing (see license considerations).
  • Pre-configured templates in the Microsoft 365 Admin Center wizard: security defaults and Conditional Access.
  • Configuration flexibility: Conditional Access only.
  • Per-user MFA is also included in Office 365 licensing.

Functionality
  • Exempt users from the policy: Conditional Access and per-user MFA.
  • Authenticate by phone call or SMS: Conditional Access and per-user MFA.
  • Authenticate by Microsoft Authenticator and software tokens: all three.
  • Authenticate by FIDO2, Windows Hello for Business and hardware tokens: Conditional Access and per-user MFA.
  • Blocks legacy authentication protocols: security defaults and Conditional Access.
  • New employees are automatically protected: security defaults and Conditional Access.
  • Conditional Access only: dynamic MFA triggers based on risk events, authentication and authorization policies, configuration based on location and device state, support for “report only” mode, and the ability to completely block users or services.

MFA – How to enable MFA per user?

MFA can be enabled per user. Search for MFA in the Azure portal and open the per-user multi-factor authentication settings.

And then configure.

Here you configure the tenant-wide MFA service settings: whether app passwords are allowed (mostly they shouldn’t be), trusted IPs, which verification options users can choose from, and whether an MFA approval can be remembered on a device for a period of time.

When you browse to the Users section you will find the users.

You can see that all the users are currently in a Disabled state.

If you choose a user you can select Enable or Manage user settings.

If you choose Enable, you will be welcomed with the following.

And this is what you see once MFA is enabled for the user.

If you choose Manage user settings instead, you will be welcomed with the following.

When a user is Enabled, Enforce appears in the menu. Enabled means the user is asked to register MFA at their next sign-in; Enforced means MFA is required from then on.

You will be shown the following warning.

The warning says users need an app password for non-browser applications. That only applies to clients that don’t support modern authentication; current Outlook and Teams clients handle MFA natively, but older Office clients were a real problem.

Microsoft has a nice article on App passwords.

You can also do a bulk update of users from a CSV file, but the bulk update can only set Enabled or Disabled, not Enforced.
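The same per-user states can be read and changed from PowerShell, which is the practical way to audit who is still Disabled and, unlike the CSV bulk update, to set Enforced for many users at once. This is an added example, not from the original post; it uses the MSOnline module (which Microsoft has since retired, but which is how per-user MFA state was scripted), and the user principal name is a placeholder.

```powershell
# Added example (not from the original post): audit and set per-user MFA state.
# Assumes the MSOnline module is installed and you hold a role that can manage MFA.
Import-Module MSOnline
Connect-MsolService

# Report every user as Disabled / Enabled / Enforced, the same three states the portal shows.
function Get-PerUserMfaState {
    Get-MsolUser -All | ForEach-Object {
        $state = $_.StrongAuthenticationRequirements.State
        if (-not $state) { $state = 'Disabled' }   # no requirement object means Disabled
        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            MfaState          = $state
            # Registered methods; empty means the user has never completed MFA registration.
            Methods           = ($_.StrongAuthenticationMethods.MethodType) -join ','
        }
    }
}

# Set one user to Enabled or Enforced; 'Disabled' clears the requirement entirely.
function Set-PerUserMfaState {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [ValidateSet('Disabled', 'Enabled', 'Enforced')] [string] $State
    )
    if ($State -eq 'Disabled') {
        Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @()
        return
    }
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'        # applies to all relying parties
    $req.State        = $State
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
}

# Usage: list everyone still Disabled, then move one placeholder test account to Enabled.
Get-PerUserMfaState | Where-Object MfaState -eq 'Disabled' | Format-Table -AutoSize
Set-PerUserMfaState -UserPrincipalName 'testuser@contoso.onmicrosoft.com' -State 'Enabled'
```

Run the report first: a user whose Methods column is empty will be forced through registration on next sign-in once you set Enforced, so stage Enabled before Enforced for groups of users.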

How to Enable MFA with Conditional Access?

Conditional Access with MFA is much more convenient than per-user MFA by itself. Users get the controls of whichever policies they fall within the scope of, so you describe the conditions once instead of touching every user.

CA policies

Search for Conditional Access inside Azure portal.

Once there, create a new policy.

You will see the policy editor; give the policy a name and choose Users or workload identities.

Here you can include or exclude users, roles or groups. A nice option is to scope a policy only to guest and external users who are, or will be, invited to your tenant.

I will keep it simple in my example and choose only one user. But you really could fiddle around with these and make your own kind of policy. Whatever you build, exclude at least one emergency access (break-glass) account from every policy so that a misconfiguration cannot lock the administrators out.

Next, choose Cloud apps or actions. In my example I will choose Office 365, which covers all Office 365 services.

For the user actions You could choose the following.

Microsoft has an excellent article on User actions.

Then choose Conditions; here you define the conditions under which the policy applies.

For example, if the sign-in risk is Medium, the user would be subject to the policy (the user risk and sign-in risk conditions require Azure AD Premium P2).

In the Grant section you define whether a user matching the policy is blocked or granted access with controls.

To keep it simple I will choose only Require multi-factor authentication.

In Session you have the following. Here you can control app-enforced restrictions, persistent browser sessions and Continuous Access Evaluation (CAE); you can disable persistent sessions and CAE, but you really shouldn’t. These are excellent and relatively new features inside Conditional Access policies.

If you want to learn more about both, here are my previous posts.

And finally there is the option to set the policy to On, Off or Report-only. With Report-only you get information about how the policy would affect users without enforcing it.

But remember this: depending on your setup, users can still get prompts even in Report-only mode (for example, a policy with a device-based condition can prompt iOS and macOS users to share device information).

If you want to see the reporting data, it is in the sign-in logs: each sign-in has a Report-only tab listing the policies that would have applied and their result.

You also have a What If tool to see which policies would apply to a given user, app and set of conditions before you enable the policy.
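The policy built in the portal above, created through Microsoft Graph PowerShell instead, with the prerequisite checks from this post (Premium P1 licensing, security defaults off) and a helper that reads the Report-only outcome back from the sign-in logs. This is an added example, not code from the original post; it assumes the Microsoft.Graph modules are installed, the caller holds Conditional Access Administrator, and the two object IDs are placeholders for the pilot user and a break-glass account.

```powershell
# Added example (not from the original post): create the pilot MFA policy in
# report-only mode and summarise what it would have done to recent sign-ins.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
                        'Organization.Read.All', 'AuditLog.Read.All'

# Prerequisite 1: Conditional Access needs at least Azure AD Premium P1.
$hasPremium = Get-MgSubscribedSku | Where-Object {
    $_.ServicePlans.ServicePlanName -contains 'AAD_PREMIUM' -or
    $_.ServicePlans.ServicePlanName -contains 'AAD_PREMIUM_P2'
}
if (-not $hasPremium) { throw 'No Azure AD Premium P1/P2 plan in this tenant.' }

# Prerequisite 2: security defaults must be off before Conditional Access policies can be used.
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($sd.IsEnabled) { throw 'Security defaults are enabled; disable them first.' }

$pilotUserId      = '00000000-0000-0000-0000-000000000001'   # placeholder: the one user in scope
$breakGlassUserId = '00000000-0000-0000-0000-000000000002'   # placeholder: emergency access account

$policy = @{
    displayName = 'CA001 - Require MFA for Office 365 (pilot)'
    # Report-only first; change to 'enabled' once the sign-in logs look right.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{
            includeUsers = @($pilotUserId)
            excludeUsers = @($breakGlassUserId)   # never lock the break-glass account out
        }
        # 'Office365' is the built-in app group covering all Office 365 services.
        applications   = @{ includeApplications = @('Office365') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
    # No sessionControls: persistent browser sessions and CAE stay at their defaults.
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# What the report-only policy would have done to the most recent sign-ins.
function Get-ReportOnlyOutcome {
    param([Parameter(Mandatory)] [string] $PolicyId, [int] $Top = 1000)
    Get-MgAuditLogSignIn -Top $Top | ForEach-Object {
        $hit = $_.AppliedConditionalAccessPolicies | Where-Object Id -eq $PolicyId
        if ($hit) {
            [pscustomobject]@{
                When   = $_.CreatedDateTime
                User   = $_.UserPrincipalName
                App    = $_.AppDisplayName
                # reportOnlySuccess / reportOnlyFailure / reportOnlyNotApplied / reportOnlyInterrupted
                Result = $hit.Result
            }
        }
    }
}

Get-ReportOnlyOutcome -PolicyId $created.Id | Group-Object Result | Select-Object Name, Count
```

A high count of reportOnlyFailure means users who have not registered MFA yet would be blocked the moment you flip the state to enabled; reportOnlyInterrupted marks sign-ins that would have been challenged. Security defaults can be switched off from the same session with Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$false, but only once the replacement policies are in place.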

But now that we have the MFA policy enabled, let’s look at the user experience.

End-user experience

The end user goes to https://portal.office.com and is greeted with an MFA request.

If you selected the available authentication methods earlier in the MFA service settings, for example notification through the mobile app,

they will see this page instead of SMS verification.

Things to remember

Licensing

MFA is available in the following licensing options:

  • Azure AD Free – Security defaults (enabled for all users)
  • Azure AD Free – Global Administrators only
  • Any Office 365 license
  • Azure AD Premium P1
  • Azure AD Premium P2

Conditional Access is available in the following licensing options:

  • Azure AD Premium P1
  • Azure AD Premium P2

Options

Security defaults are enabled by default on new tenants and must be disabled before you can enable Conditional Access policies.

Conditional Access has user risk and sign-in risk conditions for risk-based policies; these require Azure AD Premium P2.

And done. On to the next one.

Link to the main post.

Author: Harri Jaakkonen
