Azure AD Conditional Access Policy Design Baseline with Automatic Deployment Support

My Azure AD Conditional Access Policy Design Baseline is updated at least twice every year, always containing lessons learned from the field. It is based on my recommendations of how Conditional Access should be deployed to create a strong zero trust security posture.

Note that all organisations are different and you might need to adjust the baseline to fit your specific needs. My goal is to provide inspiration and a great starting point for your own Conditional Access design.

Current baseline version: 8
Release date: 2020-11-30

There are two methods of deployment:

Option 1: Manual Deployment

Download the Excel version of the baseline and manually create each Conditional Access policy in the Azure portal.

Option 2: Automatic Deployment

Version 7 of this baseline was the first version with DCToolbox automation support. This means that you can now automatically deploy this baseline from the JSON template at the end of this blog post (or export or create your own JSON templates).

Please see this article for details of Conditional Access automation with DCToolbox: How to Manage Conditional Access as Code – The Ultimate Guide

To automatically install the baseline, follow the instructions in the article above, copy the JSON template at the bottom of this blog post, search and replace IDs of Azure AD groups, named locations, etc, save the file, and point Import-DCConditionalAccessPolicyDesign to your new JSON file.

Search and replace the following text in your JSON file:

REPLACE WITH EXCLUDE GROUP ID
REPLACE WITH SERVICE ACCOUNT GROUP ID
REPLACE WITH SERVICE ACCOUNT TRUSTED NAMED LOCATION
REPLACE WITH ALLOWED COUNTRIES NAMED LOCATION ID
REPLACE WITH TERMS OF USE ID
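The search-and-replace step above is easy to get half-right by hand (one placeholder missed, or a policy that no longer excludes your break-glass group). The script below is an added example, not part of DCToolbox or the original post: it fills in the five placeholders from a hashtable, refuses to write the file if any placeholder survived, and checks that every policy still excludes the exclude group before you hand the file to Import-DCConditionalAccessPolicyDesign. The file paths and the GUID values are constructed stand-ins for your own tenant's IDs, and the cmdlet's parameter name in the final comment is an assumption (check the DCToolbox guide linked above).

```powershell
# Added example: prepare the baseline JSON for Import-DCConditionalAccessPolicyDesign.
# Paths are assumptions; point them at the template you saved from this post.
$templatePath = '.\CA-Baseline-v8-Template.json'
$outputPath   = '.\CA-Baseline-v8-MyTenant.json'

# Map each placeholder in the template to an object ID from your own tenant.
# The GUIDs below are constructed stand-ins, not real IDs.
$replacements = @{
    'REPLACE WITH EXCLUDE GROUP ID'                        = '11111111-1111-1111-1111-111111111111'
    'REPLACE WITH SERVICE ACCOUNT GROUP ID'                = '22222222-2222-2222-2222-222222222222'
    'REPLACE WITH SERVICE ACCOUNT TRUSTED NAMED LOCATION'  = '33333333-3333-3333-3333-333333333333'
    'REPLACE WITH ALLOWED COUNTRIES NAMED LOCATION ID'     = '44444444-4444-4444-4444-444444444444'
    'REPLACE WITH TERMS OF USE ID'                         = '55555555-5555-5555-5555-555555555555'
}

$json = Get-Content -Path $templatePath -Raw
foreach ($placeholder in $replacements.Keys) {
    $json = $json.Replace($placeholder, $replacements[$placeholder])
}

# Stop if any placeholder is still present: an unreplaced string would be
# imported as a literal (and invalid) group or location ID.
$leftover = [regex]::Matches($json, 'REPLACE WITH [A-Z ]+') |
    Select-Object -ExpandProperty Value -Unique
if ($leftover) {
    throw "Unreplaced placeholders in template: $($leftover -join ', ')"
}

# Parse the result to prove it is still valid JSON, then verify that every
# policy excludes the break-glass group, so a policy can never lock out the
# emergency access accounts.
$policies = $json | ConvertFrom-Json
$excludeGroupId = $replacements['REPLACE WITH EXCLUDE GROUP ID']
foreach ($policy in $policies) {
    $excluded = @($policy.conditions.users.excludeGroups)
    if ($excluded -notcontains $excludeGroupId) {
        Write-Warning "'$($policy.displayName)' does not exclude the break-glass group"
    }
}

Set-Content -Path $outputPath -Value $json -Encoding UTF8
Write-Host "Wrote $outputPath with $($policies.Count) policies"

# Deploy with DCToolbox as described in the linked guide. The parameter name
# below is an assumption, not taken from this post:
# Import-DCConditionalAccessPolicyDesign -FilePath $outputPath
```

Deploying in report-only mode first, as the linked guide describes, lets you confirm the sign-in log impact before the block policies are enforced.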

Baseline Policies Explained

This is a short explanation of each policy in the baseline.

BLOCK – Legacy Authentication

This global policy blocks all connections from insecure legacy protocols like ActiveSync, IMAP, POP3, etc. Blocking legacy authentication, together with MFA, is one of the most important security improvements you can make in the cloud.

BLOCK – Unsupported Device Platforms

Block unsupported platforms like Windows Phone, Linux, and other OS variants. Note: Device platform detection is a best-effort security signal based on the user agent string and can be spoofed. Always combine this with additional signals like MFA and/or device authentication.

BLOCK – High-Risk Sign-Ins

This global policy blocks all high-risk authentications detected by Azure AD Identity Protection. This is called risk-based Conditional Access. Note that this policy requires Azure AD Premium P2 for all targeted users.

BLOCK – Countries not Allowed

This global policy blocks all connections from countries not in the Allowed countries whitelist. You should only allow countries where you expect your users to sign in from. This is not a real security solution, since attackers will easily bypass it with a proxy service; however, it effectively blocks a lot of the automated noise in the cloud.

BLOCK – Service Accounts (Trusted Locations Excluded)

Block service accounts from untrusted IP addresses. Service accounts can only connect from allowed IP addresses, but without MFA requirement. Only use service accounts as a last resort!

BLOCK – Explicitly Blocked Cloud Apps

This policy can be used to explicitly block certain cloud apps across the organisation. This is handy if you want to permanently block certain apps, or temporarily block unwanted apps, for example, if there is a known critical security flaw.

BLOCK – Guest Access (Allowed Apps Excluded)

Block guests from using all apps, except excluded ones (default policy allows Office 365 only).

GRANT – Terms of Use

This global policy forces Terms of Use, like an acceptable use policy or NDA, on all users. Users must read and agree to this policy the first time they sign in before they’re granted access.

GRANT – MFA for All Users

Protects all user authentications with MFA. This policy applies to both internal users and guest users, on managed devices and unmanaged devices. Intune enrolment is excluded since MFA is not supported during enrolment of fully managed devices. You can change this if you have another solution for MFA registration.

GRANT – Mobile Apps and Desktop Clients

Requires mobile apps and desktop clients to be Intune compliant or Hybrid Azure AD Joined. BYOD is blocked and must use a browser instead.

GRANT – Mobile Device Access Requirements

Requires an approved Microsoft app on iOS and Android. This blocks third-party app store apps.

SESSION – Block Unmanaged File Downloads

Browsers on unmanaged devices can’t download files and attachments from SharePoint Online, OneDrive for Business, and Exchange Online. They can work with files in the Office web apps.

Summary

This baseline will work for many organisations out of the box, but it can also serve as a starting point for a modified version. Some organisations might require different policies for different departments, and if that's the case it is easy to just create multiple copies of the required policies and filter on group membership.

Please follow me here, on LinkedIn and on Twitter!

@DanielChronlund

The JSON baseline template:

[
    {
        "displayName": "BLOCK - Legacy Authentication",
        "state": "enabled",
        "sessionControls": null,
        "conditions": {
            "userRiskLevels": [],
            "signInRiskLevels": [],
            "clientAppTypes": [
                "exchangeActiveSync",
                "other"
            ],
            "platforms": null,
            "locations": null,
            "deviceStates": null,
            "devices": null,
            "clientApplications": null,
            "applications": {
                "includeApplications": [
                    "All"
                ],
                "excludeApplications": [],
                "includeUserActions": []
            },
            "users": {
                "includeUsers": [
                    "All"
                ],
                "excludeUsers": [],
                "includeGroups": [],
                "excludeGroups": [
                    "REPLACE WITH EXCLUDE GROUP ID"
                ],
                "includeRoles": [],
                "excludeRoles": []
            }
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": [
                "block"
            ],
            "customAuthenticationFactors": [],
            "termsOfUse": []
        }
    },
    {
        "displayName": "BLOCK - Unsupported Device Platforms",
        "state": "enabled",
        "sessionControls": null,
        "conditions": {
            "userRiskLevels": [],
            "signInRiskLevels": [],
            "clientAppTypes": [
                "all"
            ],
            "locations": null,
            "deviceStates": null,
            "devices": null,
            "clientApplications": null,
            "applications": {
                "includeApplications": [
                    "All"
                ],
                "excludeApplications": [],
                "includeUserActions": []
            },
            "users": {
                "includeUsers": [
                    "All"
                ],
                "excludeUsers": [],
                "includeGroups": [],
                "excludeGroups": [
                    "REPLACE WITH EXCLUDE GROUP ID"
                ],
                "includeRoles": [],
                "excludeRoles": []
            },
            "platforms": {
                "includePlatforms": [
                    "all"
                ],
                "excludePlatforms": [
                    "android",
                    "iOS",
                    "windows",
                    "macOS"
                ]
            }
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": [
                "block"
            ],
            "customAuthenticationFactors": [],
            "termsOfUse": []
        }
    },
    {
        "displayName": "BLOCK - High-Risk Sign-Ins",
        "state": "enabled",
        "sessionControls": null,
        "conditions": {
            "userRiskLevels": [],
            "signInRiskLevels": [
                "high"
            ],
            "clientAppTypes": [
                "all"
            ],
            "platforms": null,
            "locations": null,
            "deviceStates": null,
            "devices": null,
            "clientApplications": null,
            "applications": {
                "includeApplications": [
                    "All"
                ],
                "excludeApplications": [],
                "includeUserActions": []
            },
            "users": {
                "includeUsers": [
                    "All"
                ],
                "excludeUsers": [],
                "includeGroups": [],
                "excludeGroups": [
                    "REPLACE WITH EXCLUDE GROUP ID"
                ],
                "includeRoles": [],
                "excludeRoles": []
            }
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": [
                "block"
            ],
            "customAuthenticationFactors": [],
            "termsOfUse": []
        }
    },
    {
        "displayName": "BLOCK - Countries not Allowed",
        "state": "enabled",
        "sessionControls": null,
        "conditions": {
            "userRiskLevels": [],
            "signInRiskLevels": [],
            "clientAppTypes": [
                "all"
            ],
            "platforms": null,
            "deviceStates": null,
            "devices": null,
            "clientApplications": null,
            "applications": {
                "includeApplications": [
                    "All"
                ],
                "excludeApplications": [],
                "includeUserActions": []
            },
            "users": {
                "includeUsers": [
                    "All"
                ],
                "excludeUsers": [],
                "includeGroups": [],
                "excludeGroups": [
                    "REPLACE WITH EXCLUDE GROUP ID"
                ],
                "includeRoles": [],
                "excludeRoles": []
            },
            "locations": {
                "includeLocations": [
                    "All"
                ],
                "excludeLocations": [
                    "REPLACE WITH ALLOWED COUNTRIES NAMED LOCATION ID"
                ]
            }
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": [
                "block"
            ],
            "customAuthenticationFactors": [],
            "termsOfUse": []
        }
    },
    {
        "displayName": "BLOCK - Service Accounts (Trusted Locations Excluded)",
        "state": "enabled",
        "sessionControls": null,
        "conditions": {
            "userRiskLevels": [],
            "signInRiskLevels": [],
            "clientAppTypes": [
                "all"
            ],
            "platforms": null,
            "deviceStates": null,
            "devices": null,
            "clientApplications": null,
            "applications": {
                "includeApplications": [
                    "All"
                ],
                "excludeApplications": [],
                "includeUserActions": []
            },
            "users": {
                "includeUsers": [],
                "excludeUsers": [],
                "includeGroups": [
                    "REPLACE WITH SERVICE ACCOUNT GROUP ID"
                ],
                "excludeGroups": [
                    "REPLACE WITH EXCLUDE GROUP ID"
                ],
                "includeRoles": [],
                "excludeRoles": []
            },
            "locations": {
                "includeLocations": [
                    "AllTrusted"
                ],
                "excludeLocations": [
                    "REPLACE WITH SERVICE ACCOUNT TRUSTED NAMED LOCATION"
                ]
            }
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": [
                "block"
            ],
            "customAuthenticationFactors": [],
            "termsOfUse": []
        }
    },
    {
        "displayName": "BLOCK - Explicitly Blocked Cloud Apps",
        "state": "enabled",
        "sessionControls": null,
        "conditions": {
            "userRiskLevels": [],
            "signInRiskLevels": [],
            "clientAppTypes": [
                "all"
            ],
            "platforms": null,
            "locations": null,
            "deviceStates": null,
            "devices": null,
            "clientApplications": null,
            "applications": {
                "includeApplications": [
                    "None"
                ],
                "excludeApplications": [],
                "includeUserActions": []
            },
            "users": {
                "includeUsers": [
                    "All"
                ],
                "excludeUsers": [],
                "includeGroups": [],
                "excludeGroups": [
                    "REPLACE WITH EXCLUDE GROUP ID"
                ],
                "includeRoles": [],
                "excludeRoles": []
            }
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": [
                "block"
            ],
            "customAuthenticationFactors": [],
            "termsOfUse": []
        }
    },
    {
        "displayName": "BLOCK - Guest Access (Allowed Apps Excluded)",
        "state": "enabled",
        "sessionControls": null,
        "conditions": {
            "userRiskLevels": [],
            "signInRiskLevels": [],
            "clientAppTypes": [
                "all"
            ],
            "platforms": null,
            "locations": null,
            "deviceStates": null,
            "devices": null,
            "clientApplications": null,
            "applications": {
                "includeApplications": [
                    "All"
                ],
                "excludeApplications": [
                    "Office365"
                ],
                "includeUserActions": []
            },
            "users": {
                "includeUsers": [
                    "GuestsOrExternalUsers"
                ],
                "excludeUsers": [],
                "includeGroups": [],
                "excludeGroups": [
                    "REPLACE WITH EXCLUDE GROUP ID"
                ],
                "includeRoles": [],
                "excludeRoles": []
            }
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": [
                "block"
            ],
            "customAuthenticationFactors": [],
            "termsOfUse": []
        }
    },
    {
        "displayName": "GRANT - Terms of Use",
        "state": "enabled",
        "sessionControls": null,
        "conditions": {
            "userRiskLevels": [],
            "signInRiskLevels": [],
            "clientAppTypes": [
                "all"
            ],
            "platforms": null,
            "locations": null,
            "deviceStates": null,
            "devices": null,
            "clientApplications": null,
            "applications": {
                "includeApplications": [
                    "All"
                ],
                "excludeApplications": [],
                "includeUserActions": []
            },
            "users": {
                "includeUsers": [
                    "All"
                ],
                "excludeUsers": [],
                "includeGroups": [],
                "excludeGroups": [
                    "REPLACE WITH EXCLUDE GROUP ID",
                    "REPLACE WITH SERVICE ACCOUNT GROUP ID"
                ],
                "includeRoles": [],
                "excludeRoles": []
            }
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": [],
            "customAuthenticationFactors": [],
            "termsOfUse": [
                "REPLACE WITH TERMS OF USE ID"
            ]
        }
    },
    {
        "displayName": "GRANT - MFA for All Users",
        "state": "enabled",
        "sessionControls": null,
        "conditions": {
            "userRiskLevels": [],
            "signInRiskLevels": [],
            "clientAppTypes": [
                "all"
            ],
            "platforms": null,
            "locations": null,
            "deviceStates": null,
            "devices": null,
            "clientApplications": null,
            "applications": {
                "includeApplications": [
                    "All"
                ],
                "excludeApplications": [
                    "d4ebce55-015a-49b5-a083-c84d1797ae8c",
                    "0000000a-0000-0000-c000-000000000000"
                ],
                "includeUserActions": []
            },
            "users": {
                "includeUsers": [
                    "All"
                ],
                "excludeUsers": [],
                "includeGroups": [],
                "excludeGroups": [
                    "REPLACE WITH EXCLUDE GROUP ID",
                    "REPLACE WITH SERVICE ACCOUNT GROUP ID"
                ],
                "includeRoles": [],
                "excludeRoles": []
            }
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": [
                "mfa"
            ],
            "customAuthenticationFactors": [],
            "termsOfUse": []
        }
    },
    {
        "displayName": "GRANT - Mobile Apps and Desktop Clients",
        "state": "enabled",
        "sessionControls": null,
        "conditions": {
            "userRiskLevels": [],
            "signInRiskLevels": [],
            "clientAppTypes": [
                "mobileAppsAndDesktopClients"
            ],
            "platforms": null,
            "locations": null,
            "deviceStates": null,
            "devices": null,
            "clientApplications": null,
            "applications": {
                "includeApplications": [
                    "All"
                ],
                "excludeApplications": [],
                "includeUserActions": []
            },
            "users": {
                "includeUsers": [
                    "All"
                ],
                "excludeUsers": [],
                "includeGroups": [],
                "excludeGroups": [
                    "REPLACE WITH EXCLUDE GROUP ID",
                    "REPLACE WITH SERVICE ACCOUNT GROUP ID"
                ],
                "includeRoles": [],
                "excludeRoles": []
            }
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": [
                "compliantDevice",
                "domainJoinedDevice"
            ],
            "customAuthenticationFactors": [],
            "termsOfUse": []
        }
    },
    {
        "displayName": "GRANT - Mobile Device Access Requirements",
        "state": "enabled",
        "sessionControls": null,
        "conditions": {
            "userRiskLevels": [],
            "signInRiskLevels": [],
            "clientAppTypes": [
                "mobileAppsAndDesktopClients"
            ],
            "locations": null,
            "deviceStates": null,
            "devices": null,
            "clientApplications": null,
            "applications": {
                "includeApplications": [
                    "All"
                ],
                "excludeApplications": [
                    "0000000a-0000-0000-c000-000000000000",
                    "d4ebce55-015a-49b5-a083-c84d1797ae8c"
                ],
                "includeUserActions": []
            },
            "users": {
                "includeUsers": [
                    "All"
                ],
                "excludeUsers": [],
                "includeGroups": [],
                "excludeGroups": [
                    "REPLACE WITH EXCLUDE GROUP ID",
                    "REPLACE WITH SERVICE ACCOUNT GROUP ID"
                ],
                "includeRoles": [],
                "excludeRoles": []
            },
            "platforms": {
                "includePlatforms": [
                    "android",
                    "iOS"
                ],
                "excludePlatforms": []
            }
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": [
                "approvedApplication"
            ],
            "customAuthenticationFactors": [],
            "termsOfUse": []
        }
    },
    {
        "displayName": "SESSION - Block Unmanaged File Downloads",
        "state": "enabled",
        "grantControls": null,
        "conditions": {
            "userRiskLevels": [],
            "signInRiskLevels": [],
            "clientAppTypes": [
                "browser"
            ],
            "platforms": null,
            "locations": null,
            "deviceStates": null,
            "clientApplications": null,
            "applications": {
                "includeApplications": [
                    "00000002-0000-0ff1-ce00-000000000000",
                    "00000003-0000-0ff1-ce00-000000000000"
                ],
                "excludeApplications": [],
                "includeUserActions": []
            },
            "users": {
                "includeUsers": [
                    "All"
                ],
                "excludeUsers": [],
                "includeGroups": [],
                "excludeGroups": [
                    "REPLACE WITH EXCLUDE GROUP ID"
                ],
                "includeRoles": [],
                "excludeRoles": []
            },
            "devices": {
                "includeDeviceStates": [
                    "All"
                ],
                "excludeDeviceStates": [
                    "Compliant",
                    "DomainJoined"
                ]
            }
        },
        "sessionControls": {
            "cloudAppSecurity": null,
            "signInFrequency": null,
            "persistentBrowser": null,
            "applicationEnforcedRestrictions": {
                "isEnabled": true
            }
        }
    }
]

11 thoughts on “Azure AD Conditional Access Policy Design Baseline with Automatic Deployment Support”

  1. For your service account policy why are you including trusted locations and not just all locations? Also for the service accounts that we are including should that be all service accounts or just ones that are accessing things in Azure?

  2. I’m using “Trusted locations” because “All locations” might include “Untrusted locations” that I might use to block certain scenarios. I believe this is a flexible and clear design.

    The service accounts should only be the ones that authenticate with Azure AD. The service might be in the cloud or on-prem but the authentication happens in Azure AD and Conditional Access is used.

  3. On Service Accounts (Trusted Locations Excluded) shouldn’t be Include Any location and Exclude Selected locations (or maybe All trusted locations)?
    GRANT – MFA for All Users forces even all guest and external users to install the Microsoft Authenticator app, which is not an issue, but you should mention it.

  4. When testing the policy “Block – Service Accounts..” using the What If tool, a user in the service accounts group is:
    – Granted access if the account uses Modern Auth and is in an untrusted location.
    – Blocked access if the account is in the “office” location and uses legacy authentication (via the policy Block – Legacy Auth…)

    Can you confirm the above statements are correct when using this policy?

    Service accounts will typically use basic authentication, so the policy to block legacy auth will invalidate the use of this policy in this scenario – Unless this policy is not designed for this purpose?

    This is an excellent resource that we are starting to implement in our organisation, we just need a little clarification on this policy.
    We are attempting to secure accounts for scanners and other devices located in an office.
    These accounts can only use basic auth and are only allowed to authenticate from specific locations.
    Can this policy achieve the goal of the above scenario?

  5. Thank you! The BLOCK – Service Accounts policy blocks all authentications for the group with included service accounts that come from an IP address not listed in the allowed service accounts trusted locations. The idea is that service accounts are bad and should not be able to sign in, but we need a couple of them and they are only allowed to sign in from a predefined set of IP addresses. They should also be carefully monitored since they are excluded from MFA enforcement.
