Azure AD Conditional Access Policy Design Baseline

I’ve been sitting here at my local coffeehouse for a while now, drinking hot chocolate, looking out on the dusky city street, finishing up my latest project. I’ve been working on this for some time and I’m excited to share the result with you. I’ve created something that I’ve been missing, and I hope that it will speed up Conditional Access deployment for you as well.

I think it’s fair to say that Conditional Access in Azure AD is one of the most important security features in the Microsoft Cloud. The basic idea seems simple enough, but anyone who has tried to build a complete CA design that covers all possible scenarios knows that it quickly becomes very complex. Every organization is different, with its own requirements, but I think that we often overthink CA.

The Purpose of Conditional Access

The purpose of CA is to take different conditions into consideration when granting or blocking a user’s authentication to Azure AD.

The following conditions can be used:

  • Which user is authenticating, or which group is the user a member of?
  • Which cloud app is the user trying to reach?
  • Is the device managed or unmanaged (Intune compliant/Azure AD joined)?
  • Where is the user authenticating from (IP address)?
  • What client application is the user using (mobile/desktop app, browser)?
  • Sign-in risk, based on third-party security products.

These can be combined in an endless number of ways, and if you don’t know what you’re doing, you can leave big security holes open and even lock yourself and everyone else in the organization out of the tenant. Note: Always exclude a group containing one Global Admin account from every CA policy so you can save yourself from disaster!
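The break-glass exclusion above is easy to forget on the one policy that ends up locking everyone out, so it is worth checking mechanically rather than by eye. The following script is an added example (not code from the original post) that lists every Conditional Access policy in the tenant and flags any non-disabled policy that does not exclude the break-glass group. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Groups and Microsoft.Graph.Identity.SignIns) and a group whose display name, CA-BreakGlass-Exclude, is a hypothetical name you would replace with your own.

```powershell
# Added example, not from the original post: audit that every CA policy
# excludes the break-glass group. Assumes the Microsoft Graph PowerShell SDK.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Group.Read.All'

$breakGlassGroupName = 'CA-BreakGlass-Exclude'   # hypothetical group name, replace with yours
$breakGlassGroup = Get-MgGroup -Filter "displayName eq '$breakGlassGroupName'"
if (-not $breakGlassGroup) { throw "Group '$breakGlassGroupName' not found in this tenant" }

function Test-CaBreakGlassExclusion {
    param([Parameter(Mandatory)] [string]$GroupId)

    # One row per policy: name, state and whether the break-glass group is in excludeGroups.
    Get-MgIdentityConditionalAccessPolicy -All | ForEach-Object {
        [pscustomobject]@{
            Policy             = $_.DisplayName
            State              = $_.State   # enabled / disabled / enabledForReportingButNotEnforced
            ExcludesBreakGlass = [bool]($_.Conditions.Users.ExcludeGroups -contains $GroupId)
        }
    }
}

$report = Test-CaBreakGlassExclusion -GroupId $breakGlassGroup.Id
$report | Format-Table -AutoSize

# Disabled policies cannot lock anyone out, so only live and report-only policies are flagged.
$missing = $report | Where-Object { -not $_.ExcludesBreakGlass -and $_.State -ne 'disabled' }
if ($missing) {
    Write-Warning "Policies without the break-glass exclusion: $($missing.Policy -join ', ')"
}
```

Run it before and after every change to the policy set; a warning means a policy was created or edited without the exclusion and should be fixed before it is switched from report-only to enabled.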

The Design Baseline

So, what is it that I have created?

First of all, I think I’ve created a pretty neat format for CA policy documentation, and even if you might not agree with all of my CA design, you can always use the format I’ve documented it in for your own implementation documentation. Often it can be very difficult to look at all of the different policies you (or someone else) might have created and then try to figure out what part goes where.

I have created a Conditional Access Policy Baseline which contains 13 CA policies that I believe will meet the needs of most organisations. It can also act as a starting point for any CA implementation.

This is a screenshot of the baseline, but I’ve included a high-resolution PDF as well.

[Screenshot: the Conditional Access Policy Design Baseline matrix (image CA2)]

PDF Format: Azure AD Conditional Access Policy Design Baseline version 3

Some notes regarding the baseline:

  • Rows represent possible CA policy settings and columns represent the actual policies you create in the Azure Portal.
  • It has two global policies that will force Terms of Use and block unsupported clients for all authentications. Clients are the same as protocols in Conditional Access language, so we’re actually blocking unwanted protocols. I know that the Skype/Exchange integration on Windows 7 clients has issues when Other clients are blocked by this policy.
  • It has two guest policies, where one lists the allowed apps for guests and one blocks the remaining ones. Guests will be required to use MFA at all times.
  • There is a browser policy which will allow browser access from any device but will force MFA outside the corporate network (Trusted Locations).
  • There is an additional browser policy blocking file and attachment downloads in SharePoint Online and Exchange Online if you log in from an unmanaged device (App Enforced Restrictions).
  • There is an Intune Enrollment policy which always allows mobile devices and Mac computers to authenticate with the Intune Company Portal app.
  • There are two Windows desktop policies allowing authentication from supported desktop apps on Azure AD joined computers. If the location is an untrusted network, MFA is required.
  • There are two Mac desktop policies equivalent to the Windows ones, but Mac uses Intune compliance instead of Azure AD join.
  • The last policy is an empty Explicitly Blocked policy where cloud apps can be blocked company wide.
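The matrix in the PDF maps directly onto the Graph conditional access policy schema: rows are fields under conditions and grantControls, columns are policies. As an added example (not the baseline’s own code or a Microsoft script), the function below creates the browser policy from the list above, "allow browser access from any device but force MFA outside Trusted Locations", as code. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns), creates the policy in report-only state so that the sign-in logs can be reviewed before enforcement, always excludes the break-glass group, and takes an optional list of group IDs so that the same policy can be copied per department as suggested later in the post. The group object IDs are placeholders.

```powershell
# Added example, not from the original post: the baseline's browser/MFA policy as code.
# Assumes the Microsoft Graph PowerShell SDK; group IDs below are placeholders.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

function New-CaBrowserMfaPolicy {
    param(
        [Parameter(Mandatory)] [string]$BreakGlassGroupId,   # group excluded from every policy
        [string[]]$IncludeGroupIds,                          # omit for All users; set for a per-department copy
        [string]$DisplayName = 'CA - Browser - MFA outside Trusted Locations'
    )

    # Users row of the matrix: either everyone or a specific set of groups, always minus break-glass.
    $users = @{ excludeGroups = @($BreakGlassGroupId) }
    if ($IncludeGroupIds) { $users.includeGroups = $IncludeGroupIds }
    else                  { $users.includeUsers  = @('All') }

    $body = @{
        displayName = $DisplayName
        # Report-only first: sign-ins are evaluated and logged but nothing is enforced.
        state       = 'enabledForReportingButNotEnforced'
        conditions  = @{
            users          = $users
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('browser')                                  # browser sessions only
            locations      = @{ includeLocations = @('All'); excludeLocations = @('AllTrusted') }
        }
        # Grant access, but require MFA (the only control, so the operator does not matter).
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    }

    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Company-wide version:
New-CaBrowserMfaPolicy -BreakGlassGroupId '<break-glass-group-object-id>'

# Per-department copy, as in the "filter on group membership" pattern:
New-CaBrowserMfaPolicy -BreakGlassGroupId '<break-glass-group-object-id>' `
    -IncludeGroupIds @('<finance-group-object-id>') `
    -DisplayName 'CA - Browser - MFA outside Trusted Locations (Finance)'
```

Because the policy applies to the browser client type only, it does not affect the desktop and Mac app policies in the baseline; those use the same users and locations rows but a different clientAppTypes value and a device-state row. Switch state to 'enabled' only after the report-only sign-in log shows the expected users being prompted and nobody unexpected being blocked.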

When all the policys are in place your Azure Portal will look like this:

[Screenshot: the Conditional Access policy list in the Azure Portal with all baseline policies in place (image CA1)]

This baseline will work for many organizations out of the box, but it can also serve as a starting point for a modified version. Some organizations might require different policies for different departments, and if that’s the case it is easy to just create multiple copies of the required policies and filter on group membership.

I really hope that this will speed up CA deployment for you guys. I know that this will be helpful for me when I meet customers.

Please follow me on my blog, on Twitter and on LinkedIn!

@DanielChronlund

Update – 13th of December 2019 – I just uploaded version 2 of the baseline. It contains tweaks and minor changes based on what I’ve learned when implementing this in customer tenants.
