Important! This blog post has been deprecated and replaced by this blog post.
Updated – 16th of October 2020 – I just uploaded version 6 of the baseline. It better represents how the Conditional Access GUI looks in the Azure portal after the latest changes, and new CA features are included in the template. I have also made some changes based on what I’ve learned in the field. MFA isn’t required for Intune Enrolment anymore (doesn’t work anyway with fully managed devices), there is a new policy handling legacy service accounts, and guests can now access the new Office 365 bundle of apps in Conditional Access.
Updated – 6th of April 2020 – I just uploaded version 5 of the baseline. It contains tweaks and changes that I’ve learned when implementing this in customer tenants over the last year. I’ve updated this blog post accordingly.
I’ve been sitting here at my local coffeehouse for a while now, drinking hot chocolate, looking out on the dusky city street, finishing up my latest project. I’ve been working on this for a while now and I’m excited to share the result with you. I’ve created something that I’ve been missing and I hope that this will speed up Conditional Access deployment for you as well.
I think it’s fair to say that Conditional Access in Azure AD is one of the most important security features in the Microsoft Cloud. The basic idea seems simple enough, but anyone who has tried to build a complete CA design, which covers all possible scenarios, knows that it quickly becomes very complex. Every organisation is different with its own requirements, but I think that we often overthink CA.
The Purpose of Conditional Access
The purpose of CA is to take different conditions into consideration when granting or blocking a user’s authentication to Azure AD.
The following conditions can be used:
- Which user is authenticating or which group is the user a member of?
- Which cloud app is the user trying to reach?
- Is the device managed or unmanaged (Intune/Hybrid Azure AD joined)?
- Where is the user authenticating from (IP-address)?
- What client application is the user using (mobile/desktop app, browser)?
- Sign-in risk based on Azure AD Identity Protection.
These can be combined in an endless number of ways, and if you don’t know what you’re doing, you can leave big security holes open and even lock yourself and everyone else in the organisation out of the tenant. Note: Always exclude a group containing at least one Global Admin break glass account from every CA policy so you can save yourself from disaster!!
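One way to check the break glass rule above against a tenant is to lint an export of the policies. This is an added example, not part of the original baseline: it assumes the policies were exported as JSON in the shape of Microsoft Graph `conditionalAccessPolicy` objects, and the group ID and policy entries are constructed sample data.

```python
import json

# Constructed placeholder: object ID of the "Excluded from CA" break glass group.
BREAK_GLASS_GROUP_ID = "11111111-2222-3333-4444-555555555555"

# Constructed sample export (not real tenant data).
SAMPLE_EXPORT = json.loads("""
[
  {"displayName": "GLOBAL - Block High-Risk Sign-Ins", "state": "enabled",
   "conditions": {"users": {"includeUsers": ["All"],
                  "excludeGroups": ["11111111-2222-3333-4444-555555555555"]}},
   "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
  {"displayName": "GLOBAL - Block Legacy Authentication", "state": "enabled",
   "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": []}},
   "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
  {"displayName": "SESSION - Block Unmanaged Browser File Downloads",
   "state": "enabledForReportingButNotEnforced",
   "conditions": {"users": {"includeUsers": ["All"]}},
   "grantControls": null}
]
""")


def audit_break_glass(policies, group_id):
    """Return (policy name, severity) for every policy that does not exclude
    the break glass group. Session-only policies have grantControls = null."""
    findings = []
    for policy in policies:
        users = (policy.get("conditions") or {}).get("users") or {}
        if group_id in (users.get("excludeGroups") or []):
            continue  # break glass group is excluded, nothing to report
        controls = (policy.get("grantControls") or {}).get("builtInControls") or []
        enforced = policy.get("state") == "enabled"
        blocks_everyone = "block" in controls and "All" in (users.get("includeUsers") or [])
        # An enforced block on all users without the exclusion can lock out the tenant.
        severity = "lockout-risk" if enforced and blocks_everyone else "missing-exclusion"
        findings.append((policy.get("displayName"), severity))
    return findings


if __name__ == "__main__":
    for name, severity in audit_break_glass(SAMPLE_EXPORT, BREAK_GLASS_GROUP_ID):
        print(f"{severity:18} {name}")
```

Report-only and disabled policies are still reported, since they become a lockout risk the moment they are switched to enabled.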
The Design Baseline
So, what is it that I have created?
First of all, I think I’ve created a pretty neat format for CA policy documentation, and even if you might not agree with all of my CA design, you can always use the same format for your own implementation documentation. Often it can be very difficult to look at all of the different policies you (or someone else) might have created and then try to figure out what part goes where.
I have created a Conditional Access Policy Baseline which contains 13 CA policies that I believe will meet the needs of most organisations. It can also act as a starting point for any CA implementation.
This is a screenshot of the baseline but I’ve included a PDF as well with high resolution.
PDF Format: Azure AD Conditional Access Policy Design Baseline version 6
Excel Version: Azure AD Conditional Access Policy Design Baseline version 6
Some notes regarding the baseline:
- Rows represent possible CA policy settings and columns represent actual policies you create in the Azure Portal.
- All high-risk authentication will be blocked (you need Azure AD Premium P2 for this feature).
- It has two guest policies where one lists the allowed apps for guests and one blocks the remaining ones. Guests will be required to use MFA at all times.
- There is a browser policy which will allow browser access from any device but will force MFA.
- There is an additional browser policy blocking file and attachment downloads in SharePoint Online and Exchange Online if you login from an unmanaged device (App Enforced Restrictions).
- There is a Windows policy allowing authentication from supported desktop apps on Intune compliant and Azure AD joined computers. MFA is required.
- There is a Mac policy equal to the Windows one but Mac only uses Intune compliance. MFA is required.
- There is a description of every policy in the PDF.
When all the policies are in place your Azure Portal will look like this:
This baseline will work for many organisations out of the box but it can also serve as a starting point for a modified version. Some organisations might require different policies for different departments, and if that’s the case it is easy to just create multiple copies of the required policies and filter on group membership.
I really hope that this will speed up CA deployment for you guys. I know that this will be helpful for me when I meet customers.
Please follow me on my blog, on Twitter and on LinkedIn!
44 thoughts on “Azure AD Conditional Access Policy Design Baseline”
Hi Daniel, thank you for sharing. This is great!
Hello Daniel, that’s a nice overview and baseline you created! I just wanted to add that the platform selection is based on best effort (sent by the user agent string from the app / browser) and if you do not have at least one policy which includes all platforms there’s the chance that a device (with a malformed user agent string or a Linux machine) does not catch a policy at all. I have documented this behavior on my blog: https://tech.nicolonsky.ch/bypassing-conditional-access-device-platform-policies/.
Thank you for your input Nicola.
In your example you demonstrate how access to a web site like Azure Portal can be accessed even though it has been blocked with CA.
In my baseline I handle all browser access with a separate policy, ignoring platform. Also, rich clients not supporting modern authentication will always be blocked.
Do you think it’s possible to bypass all policies anyway? I’ll have to try this.
Thanks Daniel, thanks for sharing the PDF. Is it possible to get the Excel version of your document as well?
Hi Anita! If you PM me on LinkedIn I can send an Excel version to you.
Great article Daniel! Can you also share the Excel version of this doc? Thanks
Thank you Rupen! PM me and I can send an Excel version to you.
Hi Daniel, nice write-up! I do have a single question though, regarding the requirement for MFA during Intune enrollment – I see you have macOS on there too, but as I understand it, macOS does not support MFA when enrolling with user affinity?
Thank you! The company portal app supports modern authentication (including MFA), but there might still be no support during installation of macOS.
Anyway, I’ve actually started to exclude Intune enrollment from MFA requirement since many users can’t take both Intune and MFA registration at one time. I think it’s a risk worth taking since everything else is MFA-protected and in most cases only company devices are allowed to enroll.
It might be worth considering?
I see above you have an excel version, a copy of that will be greatly appreciated 🙂
Daniel, really great effort from your side. I was trying to PM you on Linkedin to get Excel copy but we are too far apart for the message ;( Can you ping the file via the email? Thank you in advance.
So, for Guest users I would like to grant access to e.g. SharePoint using MFA, and block access to all other except SharePoint. But then users are unable to accept invite (Microsoft App Access Panel) and setup MFA. And as we cannot combine Cloud Apps include/excludes AND user actions – I don’t see how I solve this. Any ideas?
This is brilliant. Is there any possibility that you would be able to send me the PDF in an excel format? I have sent a connection request on LinkedIn..
This is fantastic. Would you be able to send the PDF in an Excel format? I have sent a connection request in LinkedIn.
Thanks in advance
Thank you Lee! I will add an Excel version to this blog post when I’m back from my summer vacation. Stay tuned 😊
Hi Henrik! There are some dependencies to Exchange Online and other apps unfortunately for guest access. I’ve noticed that things are working well with the set of apps in my Conditional Access baseline (version 5).
Thank you Sergej! Please see my latest blog post for the Excel version of the Conditional Access baseline.
Hey Daniel, very useful! Just noticed you’re missing a Yes in either Block Access or Grant Access for the ‘SESSION – Block Unmanaged Browser File Downloads’ policy.
Thank you! Well, I left it out on purpose since no Grant controls are used in this kind of session policy. Only Session > Use app enforced restrictions is checked.
Hi Daniel, really appreciate your work! I have one question regarding your Browser policy. For which reason do you exclude Intune and Intune enrollment app there as well? Is it because the Enrollment process can use a Browser in the backend?
Thank you! Yes, enrollment uses built-in browser features of the OS. For example, MFA registration doesn’t work at all on a fully managed Android Enterprise device during enrollment.
Can you explain what rows 93 and 94 “Enabling limited access” for Exchange and SharePoint mean… does that mean for it to work I have to take additional access? And how does this compare with a custom conditional access app control policy? Is this just another way to block file download?
Hi Alan! This is a feature in Conditional Access, SharePoint Online and Exchange Online called App Enforced Restrictions. You do need to configure this on the service side as well. See the following articles.
Enabling limited access with SharePoint Online
Enabling limited access with Exchange Online
It is a way to block file downloads on unmanaged devices. I’m not sure what you mean by “custom conditional access app control policy”.
Hope this info helps!
Hi what a great guide. One question, how would you allow BYOD from mobile devices?
Thank you! I would require Intune App Protection Policies for BYOD scenarios. You can enforce this with Conditional Access. This will encrypt company apps and data on BYOD devices before granting access.
In your Excluded from CA group is the only members just that one global admin so that you don’t get locked out?
Yes! But it’s recommended to have two emergency break glass accounts. See my break glass routine template for details.
Are you requiring MFA for Intune enrollment anywhere?
I was, but MFA registration is not supported on fully managed devices during Intune enrollment. You can enable it if you can handle the registration some other way.
Would you recommend a catch all rule that either enforces mfa or outright blocks? kind of like an implicit deny in a firewall?
Thank you Daniel! What a useful post!
Nice blog post