Conditional Access – the firewall for Microsoft 365?

Screenshot from Proactive Security Monitoring

🎯I think the firewall analogy, as spoken by my CloudWay colleague and security expert Simon Skotheimsvik, is spot on.

🆘In this article, I’ll try to clarify some of the basics of Conditional Access (CA), making it easier for you to handle the complexity.

Why CA? At its best, CA gives you a flexible way to improve security without degrading the end-user experience in the common case.

💵Can I use CA? Entra ID P1 (or P2, which includes P1) licenses, or bundles that contain them such as Microsoft 365 Business Premium, give access to CA.

🧑🏻‍🏫What are the basics when creating a new policy?

  • Name: Create a naming convention and stick to it. You should see the purpose of the policy and how it operates just by glancing at the name. This is especially important since CA policies don’t have a description field.
  • Users: Which users or groups does the policy apply to – included or excluded.
  • Target resources: What resources are affected by the policy. Already here it’s starting to get complex. Target resources can be “Cloud apps” (applications like Office 365, the Windows Azure Service Management API, or admin portals like M365 admin center), User actions (e.g. register security information or register or join devices), Global Secure Access (preview), or authentication contexts.
  • Network: Which networks and locations does the policy apply for. Network will replace the Location condition option.
  • Conditions: When the policy comes into effect. Options are User risk (P2 license), Sign-in risk (P2 license), Insider risk, Device platforms, Location, Client apps, Devices, and Authentication flows.
  • Access control:
    • Grant. Block access, or Grant access with controls such as “Require MFA”. Be extra careful if selecting “Require ONE of the selected controls”: a sign-in that satisfies the weakest of the chosen controls is allowed through.
    • Session. You can block downloads, enable persistent browser sessions and more.
  • Report-only, On, or Off. Start with Report-only. Consider temporarily excluding yourself or a colleague before activating, especially if the policy has User Actions in scope, since Report-only mode does not work for those. If the policy requires devices to be compliant, exclude Mac, iOS, and Android devices while it is in Report-only mode, because that control can still prompt users on those platforms even though the policy is not enforced.
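The steps above, carried out with Microsoft Graph PowerShell instead of the portal. This is an added example, not code from the original article or from CloudWay: the group object IDs, the naming convention and the chosen controls are placeholders and assumptions, and the script needs the Microsoft.Graph.Identity.SignIns module and a tenant you can connect to.

```powershell
# Added example (not from the original article): create a Conditional Access policy
# in Report-only mode, then flip it to On once the sign-in logs look right.
# Assumptions: Microsoft.Graph.Identity.SignIns is installed, and the two group IDs
# below are placeholders you replace with real object IDs from your tenant.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

$pilotGroupId      = "00000000-0000-0000-0000-000000000001"  # placeholder: pilot users
$breakGlassGroupId = "00000000-0000-0000-0000-000000000002"  # placeholder: emergency access accounts

# Name (assumed convention: <number>-<who>-<control>-<what>), readable at a glance
# because there is no description field.
$policy = @{
    displayName = "CA001-PilotUsers-RequireMFA-AllApps"

    # Report-only first; switch to "enabled" only after reviewing the results.
    state = "enabledForReportingButNotEnforced"

    conditions = @{
        # Users: included pilot group, excluded break-glass accounts (always exclude these).
        users = @{
            includeGroups = @($pilotGroupId)
            excludeGroups = @($breakGlassGroupId)
        }
        # Target resources: all cloud apps.
        applications = @{
            includeApplications = @("All")
        }
        # Network / Location: everywhere except named locations marked as trusted.
        locations = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")
        }
        # Conditions > Client apps: all client app types.
        clientAppTypes = @("all")
        # Conditions > Device platforms: macOS, iOS and Android left out while the
        # policy is report-only and requires a compliant device (see the text above).
        platforms = @{
            includePlatforms = @("all")
            excludePlatforms = @("macOS", "iOS", "android")
        }
    }

    grantControls = @{
        # "AND" = Require ALL of the selected controls.
        # "OR"  = Require ONE of the selected controls: the weakest control lets the sign-in through.
        operator        = "AND"
        builtInControls = @("mfa", "compliantDevice")
    }

    sessionControls = @{
        # Session > Persistent browser session: never keep the browser session persistent.
        persistentBrowser = @{
            isEnabled = $true
            mode      = "never"
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Later, after checking the "Report-only" results in the sign-in logs: turn the policy on.
# Remove the platform exclusion in the same change if you added it only for the
# report-only phase.
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
    -BodyParameter @{ state = "enabled" }
```

The `operator` value is the one thing worth reading twice: the portal label “Require ONE of the selected controls” is `OR` in the API, and with two controls listed it means MFA alone is enough to pass, even on a non-compliant device.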

🪛Pro tip: Use the WhatIf tool in Entra to reduce the need for manual testing.

❕If you have Entra ID P2 licenses, use “User risk” and “Sign-in risk” to benefit from Microsoft’s automatic risk assessments, rather than relying only on location and device platform, both of which can be spoofed.

📝Note: CA policies are evaluated only after the first factor (typically the password) has been validated, so CA will not stop attacks aimed at the login endpoint itself, such as DDoS or password spraying.

🙂Want a better overview of Conditional Access? Contact me for more information on our Proactive Monitoring Service! As the image shows, you already get some useful insights in the CA overview of the Proactive Monitoring Service.
