Updated – 16th of October 2020 – I just uploaded version 6 of the baseline. It better represents how the Conditional Access GUI looks in the Azure portal after the latest changes and new CA features are included in the template. I have also made some changes from what I’ve learned from the field. MFA isn’t required for Intune Enrolment anymore (doesn’t work anyway with fully managed devices), there is a new policy handling legacy service accounts, and guests can now access the new Office 365 bundle of apps in Conditional Access.
Updated – 6th of April 2020 – I just uploaded version 5 of the baseline. It contains tweaks and changes that I’ve learned when implementing this in customer tenants over the last year. I’ve updated this blog post accordingly.
I’ve been sitting here at my local coffeehouse for a while now, drinking hot chocolate, looking out on the dusky city street, finishing up my latest project. I’ve been working on this for a while now and I’m excited to share the result with you. I’ve created something that I’ve been missing and I hope that this will speed up Conditional Access deployment for you as well.
I think it’s fair to say that Conditional Access in Azure AD is one of the most important security features in the Microsoft Cloud. The basic idea seems simple enough, but anyone who has tried to build a complete CA design that covers all possible scenarios knows that it quickly becomes very complex. Every organisation is different, with its own requirements, but I think that we often overthink CA.
The Purpose of Conditional Access
The purpose of CA is to take different conditions into consideration when granting or blocking a user’s authentication to Azure AD.
The following conditions can be used:
- Which user is authenticating or which group is the user a member of?
- Which cloud app is the user trying to reach?
- Is the device managed or unmanaged (Intune/Hybrid Azure AD joined)?
- Where is the user authenticating from (IP-address)?
- What client application is the user using (mobile/desktop app, browser)?
- Sign-in risk based on Azure AD Identity Protection.
These can be combined in endless ways, and if you don’t know what you’re doing, you can leave big security holes open and even lock yourself and everyone else in the organisation out of the tenant. Note: Always exclude a group containing at least one Global Admin break account from every CA policy so you can save yourself from disaster!!
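The break account rule in the note above can be checked mechanically. The following Python script is an added example, not part of the original baseline: it scans an export of CA policies and lists those that do not exclude the break account group. The JSON shape follows the Microsoft Graph conditionalAccessPolicy resource; the group id, policy names and severity labels are constructed assumptions.

```python
import json

BREAK_GROUP = "aaaaaaaa-0000-0000-0000-000000000001"  # constructed group id (assumption)

# Constructed export in the shape of Microsoft Graph conditionalAccessPolicy objects.
SAMPLE_EXPORT = json.loads("""
{"value": [
  {"displayName": "Sample: block high-risk sign-ins", "state": "enabled",
   "conditions": {"users": {"includeUsers": ["All"],
     "excludeGroups": ["aaaaaaaa-0000-0000-0000-000000000001"]}}},
  {"displayName": "Sample: browser access with MFA", "state": "enabled",
   "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": []}}},
  {"displayName": "Sample: Mac desktop apps", "state": "enabled",
   "conditions": {"users": {"includeGroups": ["bbbbbbbb-0000-0000-0000-000000000002"],
     "excludeGroups": null}}},
  {"displayName": "Sample: guest app block", "state": "enabledForReportingButNotEnforced",
   "conditions": {"users": {"includeUsers": ["GuestsOrExternalUsers"]}}}
]}
""")


def missing_break_exclusion(policies, group_id):
    """Return (displayName, severity) for every policy that does not exclude group_id."""
    findings = []
    for policy in policies:
        users = (policy.get("conditions") or {}).get("users") or {}
        excluded = [g.lower() for g in (users.get("excludeGroups") or [])]
        if group_id.lower() in excluded:
            continue  # break account group is exempt from this policy
        if policy.get("state") != "enabled":
            severity = "low"       # disabled or report-only: a risk once switched on
        elif "All" in (users.get("includeUsers") or []):
            severity = "critical"  # enforced for every user, break account included
        else:
            severity = "high"      # enforced for a scoped set; membership can change
        findings.append((policy.get("displayName", "<unnamed>"), severity))
    return findings


if __name__ == "__main__":
    for name, severity in missing_break_exclusion(SAMPLE_EXPORT["value"], BREAK_GROUP):
        print(f"[{severity}] {name}: break account group not excluded")
```

Running the same check after every policy change catches a new or copied policy that was created without the exclusion.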
The Design Baseline
So, what is it that I have created?
First of all, I think I’ve created a pretty neat format for CA policy documentation, and even if you might not agree with all of my CA design, you can always use the format for your own implementation documentation. Often it can be very difficult to look at all of the different policies you (or someone else) might have created and then try to figure out what part goes where.
I have created a Conditional Access Policy Baseline which contains 13 CA policies that I believe will meet the needs of most organisations. It can also act as a starting point for any CA implementation.
This is a screenshot of the baseline but I’ve included a PDF as well with high resolution.
Excel Version: Azure AD Conditional Access Policy Design Baseline version 6
Some notes regarding the baseline:
- Rows represent possible CA policy settings and columns represent actual policies you create in the Azure Portal.
- All high-risk authentication will be blocked (you need Azure AD Premium P2 for this feature).
- It has two guest policies where one lists the allowed apps for guests and one blocks the remaining ones. Guests will be required to use MFA at all times.
- There is a browser policy which will allow browser access from any device but will force MFA.
- There is an additional browser policy blocking file and attachment downloads in SharePoint Online and Exchange Online if you log in from an unmanaged device (App Enforced Restrictions).
- There is a Windows policy allowing authentication from supported desktop apps on Intune compliant and Azure AD joined computers. MFA is required.
- There is a Mac policy equal to the Windows one but Mac only uses Intune compliance. MFA is required.
- There is a description of every policy in the PDF.
When all the policies are in place your Azure Portal will look like this:
This baseline will work for many organisations out of the box but it can also serve as a starting point for a modified version. Some organisations might require different policies for different departments, and if that’s the case it is easy to just create multiple copies of the required policies and filter on group membership.
I really hope that this will speed up CA deployment for you guys. I know that this will be helpful for me when I meet customers.
Please follow me on my blog, on Twitter and on LinkedIn!