Azure AD Conditional Access Policy Design Baseline

Updated – 7th of November 2019 – I just uploaded version 4 of the baseline. It contains tweaks and changes that I’ve learned when implementing this in customer tenants over the last year. I’ve updated this blog post accordingly.

I’ve been sitting here at my local coffeehouse for a while now, drinking hot chocolate, looking out on the dusky city street, finishing up my latest project. I’ve been working on this for a while now and I’m excited to share the result with you. I’ve created something that I’ve been missing and I hope that this will speed up Conditional Access deployment for you as well.

I think it’s fair to say that Conditional Access in Azure AD is one of the most important security features in the Microsoft Cloud. The basic idea seems simple enough, but anyone who has tried to build a complete CA design that covers all possible scenarios knows that it quickly becomes very complex. Every organization is different, with its own requirements, but I think that we often overthink CA.

The Purpose of Conditional Access

The purpose of CA is to take different conditions into consideration when granting or blocking a user’s authentication to Azure AD.

The following conditions can be used:

  • Which user is authenticating, or which group is the user a member of?
  • Which cloud app is the user trying to reach?
  • Is the device managed or unmanaged (Intune compliant or Hybrid Azure AD joined)?
  • Where is the user authenticating from (IP address)?
  • Which client application is the user using (mobile/desktop app, browser, legacy client)?
  • Sign-in risk based on Azure AD Identity Protection.

These can be combined in an endless number of ways, and if you don’t know what you’re doing you can leave big security holes open, or even lock yourself and everyone else in the organization out of the tenant. Note: Always exclude a group containing at least one break-glass Global Admin account from every CA policy, so that a misconfigured policy can never lock you out of the tenant.

The Design Baseline

So, what is it that I have created?

First of all, I think I’ve created a pretty neat format for CA policy documentation, and even if you don’t agree with all of my CA design you can always use the format I’ve documented it in for your own implementation documentation. It is often very difficult to look at all of the different policies you (or someone else) have created and then try to figure out which part goes where.

I have created a Conditional Access Policy Baseline which contains 13 CA policies that I believe will meet the needs of most organizations. It can also act as a starting point for any CA implementation.

This is a screenshot of the baseline; I’ve included a high-resolution PDF as well.

[Image: ConditionalAccessBaseline4]

PDF Format: Azure AD Conditional Access Policy Design Baseline version 4

Some notes regarding the baseline:

  • Rows represent possible CA policy settings and columns represent the actual policies you create in the Azure Portal.
  • It has a couple of global policies that will force Terms of Use and block legacy authentication clients for all authentications.
  • All high-risk sign-ins will be blocked (you need Azure AD Premium P2 for this feature, since it relies on Identity Protection sign-in risk).
  • It has two guest policies, where one lists the allowed apps for guests and one blocks the remaining ones. Guests will be required to use MFA at all times.
  • There is a browser policy which will allow browser access from any device but will force MFA.
  • There is an additional browser policy blocking file and attachment downloads in SharePoint Online and Exchange Online if you log in from an unmanaged device (App Enforced Restrictions).
  • There is an Intune Enrollment policy which always allows devices to authenticate to the Intune Company Portal app, so that enrollment itself is never blocked.
  • There is a Windows policy allowing authentication from supported desktop apps on Intune compliant and Azure AD joined computers. MFA is required.
  • There is a Mac policy equal to the Windows one, but Mac can only use Intune compliance. MFA is required.
  • There is a description of every policy in the PDF.
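To make the conditions above and the baseline notes concrete, here is an added example (my own code, not the author’s PDF and not anything from Microsoft) that builds a handful of the baseline’s policies as Microsoft Graph Conditional Access payloads and lints them before they are submitted. The group object ID and the guest app ID are made-up placeholders; the JSON shape follows the Graph `identity/conditionalAccess/policies` resource, and the lint enforces the one rule from the post that must never be skipped: every policy excludes the break-glass group.

```python
"""Build a few baseline Conditional Access policies as Graph payloads and lint them.

Added example, not code from the post. Identifiers are placeholders (assumptions).
Payload shape: POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
"""
import json

# Assumption: object ID of the group that holds the break-glass Global Admin account(s).
BREAK_GLASS_GROUP = "00000000-0000-0000-0000-000000000001"
# Assumption: placeholder app ID for an application guests are allowed to use.
PLACEHOLDER_GUEST_APP = "00000000-0000-0000-0000-0000000000aa"

# Graph state values. New policies start in report-only so the sign-in log can
# be reviewed before anything is enforced.
REPORT_ONLY = "enabledForReportingButNotEnforced"


def base_policy(name, state=REPORT_ONLY):
    """Skeleton carrying the exclusion every policy in the baseline must have."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [BREAK_GLASS_GROUP]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": []},
    }


def block_legacy_auth():
    """Global policy: block clients that cannot do modern authentication."""
    p = base_policy("GLOBAL - Block legacy authentication")
    # "exchangeActiveSync" and "other" are the legacy client app types in Graph.
    p["conditions"]["clientAppTypes"] = ["exchangeActiveSync", "other"]
    p["grantControls"]["builtInControls"] = ["block"]
    return p


def block_high_risk():
    """Global policy: block high-risk sign-ins (needs Azure AD Premium P2)."""
    p = base_policy("GLOBAL - Block high-risk sign-ins")
    p["conditions"]["signInRiskLevels"] = ["high"]
    p["grantControls"]["builtInControls"] = ["block"]
    return p


def guest_mfa(allowed_app_ids):
    """Guests may use only the listed apps, and always with MFA."""
    p = base_policy("GUEST - Require MFA for allowed apps")
    p["conditions"]["users"]["includeUsers"] = ["GuestsOrExternalUsers"]
    p["conditions"]["applications"]["includeApplications"] = list(allowed_app_ids)
    p["grantControls"]["builtInControls"] = ["mfa"]
    return p


def browser_mfa():
    """Browser access from any device and platform, but MFA is required."""
    p = base_policy("BROWSER - Require MFA")
    p["conditions"]["clientAppTypes"] = ["browser"]
    p["grantControls"]["builtInControls"] = ["mfa"]
    return p


def lint(policies):
    """Return a list of problems; an empty list means the set is safe to submit."""
    problems = []
    for p in policies:
        name = p["displayName"]
        cond = p["conditions"]
        if BREAK_GLASS_GROUP not in cond["users"].get("excludeGroups", []):
            problems.append(f"{name}: break-glass group is not excluded")
        if p["state"] == "enabled":
            problems.append(f"{name}: enforced immediately instead of report-only first")
        controls = p["grantControls"]["builtInControls"]
        blocks_everyone = (
            "block" in controls
            and cond["users"].get("includeUsers") == ["All"]
            and cond["applications"].get("includeApplications") == ["All"]
            and cond["clientAppTypes"] == ["all"]
            and "signInRiskLevels" not in cond
        )
        if blocks_everyone:
            problems.append(f"{name}: blocks every sign-in for every user")
    return problems


def baseline():
    return [block_legacy_auth(), block_high_risk(),
            guest_mfa([PLACEHOLDER_GUEST_APP]), browser_mfa()]


if __name__ == "__main__":
    pols = baseline()
    print(json.dumps(pols[0], indent=2))
    print("lint:", lint(pols) or "clean")
```

Run the lint over the whole policy set before every bulk import; a single policy missing the break-glass exclusion is exactly the kind of mistake that looks fine in a screenshot and is only noticed when the tenant is already locked.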

When all the policies are in place, the Conditional Access blade in your Azure Portal will look like this:

[Image: ConditionalAccessPortal]

This baseline will work for many organizations out of the box, but it can also serve as a starting point for a modified version. Some organizations might require different policies for different departments, and if that’s the case it is easy to just create multiple copies of the required policies and filter on group membership.

I really hope that this will speed up CA deployment for you guys. I know that this will be helpful for me when I meet customers.

Please follow me on my blog, on Twitter and on LinkedIn!

@DanielChronlund

7 thoughts on “Azure AD Conditional Access Policy Design Baseline”

  1. Hello Daniel, that’s a nice overview and baseline you created! I just wanted to add that the platform selection is based on best effort (sent by the user agent string from the app / browser), and if you do not have at least one policy which includes all platforms there’s the chance that a device (with a malformed user agent string, or a Linux machine) does not catch a policy at all. I have documented this behavior on my blog: https://tech.nicolonsky.ch/bypassing-conditional-access-device-platform-policies/.

  2. Thank you for your input Nicola.

    In your example you demonstrate how a web site like the Azure Portal can be accessed even though it has been blocked with CA.

    In my baseline I handle all browser access with a separate policy, ignoring platform. Also, rich clients not supporting modern authentication will always be blocked.

    Do you think it’s possible to bypass all policies anyway? I’ll have to try this.
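The exchange above is easier to reason about with a small model of how Conditional Access picks policies. The following is an added example (my own simplified model, not Azure AD’s evaluation engine and not code from the post or the comments); the policies and sign-ins are constructed for the demonstration. A policy is in scope only when all of its conditions match, so a sign-in whose platform cannot be classified falls through every platform-scoped policy. The browser policy in the baseline has no platform condition and still catches it, but a modern-auth rich client from an unclassified platform matches nothing unless one policy includes all platforms.

```python
"""Simplified model of Conditional Access policy selection and enforcement.

Added example, not Azure AD's real engine. Policies and sign-ins are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    name: str
    client_apps: FrozenSet[str]            # subset of {"browser", "desktop", "legacy"}
    # None means no device-platform condition: the policy matches regardless of
    # how (or how badly) the user agent string was classified.
    platforms: Optional[FrozenSet[str]]
    controls: FrozenSet[str]               # subset of {"mfa", "compliant", "block"}


@dataclass(frozen=True)
class SignIn:
    client_app: str                        # "browser", "desktop" (modern auth) or "legacy"
    platform: str                          # "windows", "macOS", "iOS", ... or "unknown"
    compliant: bool = False
    did_mfa: bool = False


def applies(policy: Policy, s: SignIn) -> bool:
    """A policy is in scope only when every one of its conditions matches."""
    if s.client_app not in policy.client_apps:
        return False
    if policy.platforms is not None and s.platform not in policy.platforms:
        return False
    return True


def evaluate(policies: List[Policy], s: SignIn) -> Tuple[str, List[str]]:
    """Return (outcome, names of policies in scope).

    outcome is "block", "challenge" (a required grant control is not yet
    satisfied) or "grant". A sign-in that no policy covers is granted with
    nothing enforced, which is the gap a policy including all platforms closes.
    """
    in_scope = [p for p in policies if applies(p, s)]
    names = [p.name for p in in_scope]
    if any("block" in p.controls for p in in_scope):
        return "block", names
    required = set().union(*(p.controls for p in in_scope))
    unmet = [c for c in required
             if (c == "mfa" and not s.did_mfa) or (c == "compliant" and not s.compliant)]
    return ("challenge" if unmet else "grant"), names


# Constructed subset of the baseline: the browser policy ignores platform,
# the rich-client policies are scoped to one platform each.
BASELINE = [
    Policy("GLOBAL - Block legacy authentication", frozenset({"legacy"}), None, frozenset({"block"})),
    Policy("BROWSER - Require MFA", frozenset({"browser"}), None, frozenset({"mfa"})),
    Policy("WINDOWS - Compliant device + MFA", frozenset({"desktop"}), frozenset({"windows"}),
           frozenset({"compliant", "mfa"})),
    Policy("MAC - Compliant device + MFA", frozenset({"desktop"}), frozenset({"macOS"}),
           frozenset({"compliant", "mfa"})),
]

# A constructed catch-all with no platform condition, the kind of policy the
# comment says must exist so that an unclassified platform is still covered.
CATCH_ALL = Policy("OTHER - Require MFA for rich clients on any platform",
                   frozenset({"desktop"}), None, frozenset({"mfa"}))


if __name__ == "__main__":
    for s in (SignIn("browser", "unknown"), SignIn("legacy", "unknown"),
              SignIn("desktop", "windows"), SignIn("desktop", "unknown")):
        print(f"{s.client_app:8}{s.platform:8}-> {evaluate(BASELINE, s)}")
    print("with catch-all      ->", evaluate(BASELINE + [CATCH_ALL], SignIn("desktop", "unknown")))
```

The fourth case is the one to watch: a modern-auth rich client reporting an unrecognised platform hits neither the Windows nor the Mac policy, and because the legacy-auth block only applies to clients that cannot do modern authentication, the sign-in is granted with no control at all. Adding one rich-client policy that includes all platforms (or a block policy for all platforms with Windows and macOS excluded) turns that outcome into a challenge.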
