Tutorial / Cram Notes

Conditional Access in Microsoft Security

Conditional Access is the Azure Active Directory (Azure AD) capability in the Microsoft security framework that enforces access controls on cloud applications and services. It makes automated access-control decisions for sign-ins to cloud apps based on a set of conditions evaluated at the time of the access attempt.

With Conditional Access, organizations can automate access-control decisions and enforce them on their network. The system does this by assessing certain conditions and deciding whether to grant access to a user or require additional actions such as multi-factor authentication (MFA), terms of use acceptance, or even block access entirely.

Components of Conditional Access

  • Users or groups: These determine who the policy applies to. For example, you might target specific users, groups, or roles within your organization.
  • Cloud apps or actions: Specifies which applications or user actions the Conditional Access policy applies to.
  • Conditions: These are the signals that are evaluated. Examples include the user’s location, the device they are using, the network they are on, or the risk level associated with the user or sign-in.
  • Controls: What the policy enforces when a sign-in matches its users, apps, and conditions. Controls can grant access subject to requirements such as MFA or a compliant (or domain-joined) device, block access outright, or limit what the session can do through session controls.

Structure of a Conditional Access Policy

Component            | Example
Users/Groups         | Finance Department, Global Administrators
Cloud Apps/Actions   | Office 365, Dynamics 365
Conditions           | Sign-in risk level: Medium or above
Controls             | Require MFA, Require compliant device

Examples of Conditional Access Policies:

  1. Secure Access for Administrators: To ensure that only trusted administrators can make significant changes to your environment, a Conditional Access policy could require MFA and a compliant device before allowing access to administrative consoles or tasks.
  2. Location-Based Policies: A common Conditional Access policy is to restrict access to your services from certain geographical locations. For example, you might allow access from within your corporate network but require MFA for sign-ins from other locations.
  3. Risk-Based Conditional Access: These policies use the risk levels associated with a user or their sign-in behavior to determine access. For example, if a sign-in is deemed high risk, access could be automatically blocked, or a password reset might be required.
  4. Device-Based Policies: If you only want company-owned devices to access certain resources, you might require that the devices be domain-joined or compliant with your organization’s device compliance policy before access is granted.

Tabular Comparison of Policies

Policy Name              | Users Affected   | Cloud Apps Affected      | Conditions                              | Controls Implemented
MFA for External Access  | All Users        | All Cloud Apps           | Sign-in from outside corporate network  | Require MFA
Block High-Risk Sign-Ins | All Users        | All Cloud Apps           | Sign-in risk level: High                | Block access
Device Compliance Check  | All Users        | Selected Company Apps    | Device marked 'non-compliant'           | Require device to be compliant
Geo-Blocking             | Specified Groups | Specified Sensitive Apps | Sign-in from restricted countries       | Block access
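As an added illustration (not part of these notes and not Microsoft's own code), the Python model below shows how the four policies in the table above combine for a single sign-in: every policy whose conditions match is applied, a block control wins over any grant, and otherwise the user must satisfy the union of the grant controls. The matching rules, the app and country sets, and the group name are simplified assumptions; control names follow the Microsoft Graph builtInControls vocabulary (mfa, block, compliantDevice).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SignIn:
    """Signals available after first-factor authentication (constructed input)."""
    groups: frozenset
    app: str
    from_corp_network: bool
    sign_in_risk: str          # "none" | "low" | "medium" | "high"
    device_compliant: bool
    country: str

# Assumed scoping values; a real tenant uses named locations and app IDs.
COMPANY_APPS = {"Office 365", "Dynamics 365"}
SENSITIVE_APPS = {"Dynamics 365"}
RESTRICTED_COUNTRIES = {"XX"}  # placeholder country code, not a real restriction

# The four policies from the comparison table: (name, condition, grant controls).
POLICIES = [
    ("MFA for External Access", lambda s: not s.from_corp_network, ["mfa"]),
    ("Block High-Risk Sign-Ins", lambda s: s.sign_in_risk == "high", ["block"]),
    ("Device Compliance Check", lambda s: s.app in COMPANY_APPS, ["compliantDevice"]),
    ("Geo-Blocking",
     lambda s: "Finance" in s.groups and s.app in SENSITIVE_APPS
               and s.country in RESTRICTED_COUNTRIES,
     ["block"]),
]

def evaluate(s: SignIn) -> dict:
    """Apply all matching policies: block overrides everything; otherwise the
    outstanding grant controls must all be satisfied before access is granted."""
    matched = [name for name, applies, _ in POLICIES if applies(s)]
    controls = {c for _, applies, cs in POLICIES if applies(s) for c in cs}
    if "block" in controls:
        return {"decision": "block", "matched": matched, "required": []}
    # A compliantDevice control is already met when the device signal says so.
    outstanding = sorted(c for c in controls
                         if not (c == "compliantDevice" and s.device_compliant))
    return {"decision": "challenge" if outstanding else "grant",
            "matched": matched, "required": outstanding}

if __name__ == "__main__":
    # Constructed sample: external, medium-risk sign-in from a compliant device.
    print(evaluate(SignIn(frozenset({"Finance"}), "Office 365", False,
                          "medium", True, "US")))
```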

Conditional Access is a crucial part of modern security strategies, providing a dynamic and automated way to ensure that security requirements are met before granting users access to organizational resources. This increases security while maintaining user productivity, as only the necessary security controls are applied based on the context of the access attempt. For the SC-900 exam, understanding the principles, components, and examples of Conditional Access is vital, as it demonstrates knowledge of how to protect access to applications and data across a cloud environment.

Practice Test with Explanation

True or False: Conditional Access policies apply only after a user has been authenticated.

  • True

Conditional Access policies are enforced after the initial authentication has been completed, and they evaluate the context of user access before allowing access to resources.

True or False: Location-based policies are not an option in Conditional Access.

  • False

Location-based policies are an integral part of Conditional Access, allowing admins to configure access rules based on where the access attempt is coming from.

Which of the following can be used as a condition in Conditional Access policies? (Choose all that apply)

  • A) User risk
  • B) Device type
  • C) Weather conditions
  • D) Sign-in risk
  • E) Time of day

Answer: A, B, D

Conditional Access policies can be based on user risk, device type, and sign-in risk. Weather conditions and time of day are not used as conditions in Azure Conditional Access.

True or False: Conditional Access requires Azure AD Premium.

  • True

Azure Active Directory Premium is required to implement Conditional Access policies as it offers advanced capabilities not available in the free edition.

What purpose does Conditional Access serve in cloud security? (Single select)

  • A) Data encryption
  • B) Password policies management
  • C) Adaptive access control
  • D) Antivirus scanning

Answer: C

Conditional Access provides adaptive access control by evaluating the context of user access requests and enforcing policies that control access.

True or False: Conditional Access can enforce MFA (Multi-Factor Authentication) requirements.

  • True

Conditional Access can be configured to require MFA under certain conditions, enhancing security by requiring additional proof of identity.

Which of the following signals can Conditional Access use to determine access? (Multiple select)

  • A) User group membership
  • B) Time since last password change
  • C) Device compliance
  • D) IP address range
  • E) Favorite color of user

Answer: A, C, D

Conditional Access policies can consider signals such as user group membership, device compliance, and IP address range; a user's favorite color is not a signal these policies use.

True or False: Conditional Access policies can automatically block access based on specified conditions.

  • True

Conditional Access policies have the capability to block access automatically when specified conditions are met, such as a login attempt from a risky IP address.

What is the result of a Conditional Access policy that requires approved client apps?

  • A) Access is granted only via web browsers
  • B) Access is granted only to legacy authentication protocols
  • C) Access is granted only through apps that are deemed secure
  • D) Access is granted only when a device is joined to a domain

Answer: C

If a Conditional Access policy requires approved client apps, access is only granted through applications that are considered secure by the organization.

True or False: Azure Conditional Access policies can enforce session controls within cloud apps.

  • True

Azure Conditional Access includes session controls that govern what a user can do within a cloud app during a session, such as preventing downloads, restricting printing, or requiring the web version of an app.

Which Azure service is primarily used to manage Conditional Access policies?

  • A) Azure Information Protection
  • B) Azure Active Directory
  • C) Microsoft Defender for Endpoint
  • D) Azure Firewall

Answer: B

Conditional Access policies are managed through Azure Active Directory, which is where the security and identity management services are located.

True or False: Conditional Access can be applied to both users and groups in Azure Active Directory.

  • True

Conditional Access can target specific users as well as groups in Azure AD, allowing for granular control over who is subjected to these access policies.

Interview Questions

What is conditional access?

Conditional Access is a policy-based access control feature in Azure Active Directory that provides an additional layer of security for your applications and data.

What is the purpose of conditional access?

The purpose of conditional access is to ensure that only the right people have access to your applications and data.

What can conditional access policies do?

Conditional access policies can enforce multi-factor authentication, block legacy authentication protocols, require device compliance, and more.

How can you create a conditional access policy for Exchange Online?

You can create a conditional access policy for Exchange Online by using the Azure portal or PowerShell.

What are some common use cases for conditional access with Intune?

Some common use cases for conditional access with Intune include requiring device compliance, blocking access from non-compliant devices, and requiring a managed app.

What is a device compliance policy?

A device compliance policy is a policy that checks whether a device is compliant with a set of security requirements, such as whether the device is encrypted or has a password.

What is a managed app?

A managed app is an app that has been enrolled in Intune and can be managed with policies and settings.

How can you use conditional access with Intune to block access from non-compliant devices?

You can use conditional access with Intune to block access from non-compliant devices by requiring device compliance.

What is the purpose of the Azure AD conditional access baseline policies?

The purpose of the Azure AD conditional access baseline policies is to provide a set of preconfigured policies that implement best practices for securing access to your applications and data.

What is an example of a preconfigured Azure AD conditional access baseline policy?

An example of a preconfigured Azure AD conditional access baseline policy is the “Require MFA for admins” policy, which requires multi-factor authentication for all users in the Azure AD administrator role.

Lina Poortman
1 year ago

Conditional Access is critical for defining security policies that provide access control for apps based on various conditions.

José Quintanilla
1 year ago

In SC-900, understanding Conditional Access policies is fundamental, especially for setting up MFA.

Gökhan Balaban
1 year ago

Can Conditional Access policies target specific cloud apps?

Orhip Otkovich
1 year ago

What is conditional access in the context of Azure AD?

Vilho Lauri
1 year ago

Can someone explain the concept of risk-based conditional access?

Onni Lepisto
1 year ago

Thanks for the information!

Theo Denys
1 year ago

How does conditional access enhance security for remote workers?

Artemiza Gromnickiy
1 year ago

Is it possible to configure conditional access policies based on the risk level of a sign-in attempt?
