Azure AD Conditional Access Policy Design Baseline with Automatic Deployment Support

My Azure AD Conditional Access Policy Design Baseline is updated at least twice every year, always containing lessons learned from the field. It is based on my recommendations of how Conditional Access should be deployed to create a strong zero trust security posture.

Note that all organisations are different and you might need to adjust the baseline to fit your specific needs. My goal is to provide inspiration and a great starting point for your own Conditional Access design.

Current baseline version: 8
Release date: 2020-11-30

There are two methods of deployment:

Option 1: Manual Deployment

Download the Excel version of the baseline and manually create each Conditional Access policy in the Azure portal.

Option 2: Automatic Deployment

Version 7 of this baseline was the first version with DCToolbox automation support. This means that you can now automatically deploy this baseline from the JSON template at the end of this blog post (or export or create your own JSON templates).

Please see this article for details of Conditional Access automation with DCToolbox: How to Manage Conditional Access as Code – The Ultimate Guide

To automatically install the baseline, follow the instructions in the article above, copy the JSON template at the bottom of this blog post, search and replace the IDs of your Azure AD groups, named locations, etc., save the file, and point Import-DCConditionalAccessPolicyDesign to your new JSON file.

Search and replace the following text in your JSON file:

REPLACE WITH EXCLUDE GROUP ID
REPLACE WITH SERVICE ACCOUNT GROUP ID
REPLACE WITH SERVICE ACCOUNT TRUSTED NAMED LOCATION
REPLACE WITH ALLOWED COUNTRIES NAMED LOCATION ID
REPLACE WITH TERMS OF USE ID
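The search-and-replace step above, as an added Python helper that is not part of DCToolbox or of this post: it fills the five placeholders, refuses values that are not GUID-shaped object IDs, and lints the result so that no policy reaches the import step with a leftover placeholder or without the exclude (break-glass) group. The two-policy template and the 1111/2222-style IDs are constructed for illustration; point it at the real template and hand the output file to Import-DCConditionalAccessPolicyDesign.

```python
import json
import re

# Placeholder tokens exactly as they appear in the baseline template.
PLACEHOLDERS = (
    "REPLACE WITH EXCLUDE GROUP ID",
    "REPLACE WITH SERVICE ACCOUNT GROUP ID",
    "REPLACE WITH SERVICE ACCOUNT TRUSTED NAMED LOCATION",
    "REPLACE WITH ALLOWED COUNTRIES NAMED LOCATION ID",
    "REPLACE WITH TERMS OF USE ID",
)
# Azure AD object IDs (groups, named locations, terms of use) are GUIDs.
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def fill_template(template_text, values):
    """Replace every placeholder with the tenant's own object ID; refuse a half-filled file."""
    missing = [p for p in PLACEHOLDERS if p not in values]
    if missing:
        raise ValueError("no value supplied for: " + ", ".join(missing))
    filled = template_text
    for token, value in values.items():
        if not GUID_RE.match(value):
            raise ValueError(f"{token}: {value!r} is not an object ID")
        filled = filled.replace(token, value)
    return filled


def lint_baseline(policies, exclude_group_id):
    """Return findings to clear before pointing the import cmdlet at the file."""
    findings = []
    for policy in policies:
        name = policy["displayName"]
        users = policy["conditions"]["users"]
        if "REPLACE WITH" in json.dumps(policy):
            findings.append(f"{name}: unreplaced placeholder")
        # Every baseline policy excludes the break-glass group; a policy
        # that drops it can lock every admin out after an honest mistake.
        if exclude_group_id not in users.get("excludeGroups", []):
            findings.append(f"{name}: exclude group is not excluded")
    return findings


# Constructed two-policy template, cut down to the baseline's user/location shape.
# The second policy deliberately lacks the exclude group so the lint has something to find.
SAMPLE_TEMPLATE = json.dumps([
    {"displayName": "BLOCK - Legacy Authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeGroups": ["REPLACE WITH EXCLUDE GROUP ID"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "BLOCK - Countries not Allowed", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": []},
                    "locations": {"includeLocations": ["All"], "excludeLocations":
                                  ["REPLACE WITH ALLOWED COUNTRIES NAMED LOCATION ID"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
])
# Constructed GUID-shaped IDs: 11111111-1111-... for the first token, 2222 for the second, etc.
SAMPLE_IDS = {tok: str(i) * 8 + ("-" + str(i) * 4) * 3 + "-" + str(i) * 12
              for i, tok in enumerate(PLACEHOLDERS, 1)}


def check_sample():
    """Fill the constructed template and lint it; returns the list of findings."""
    filled = fill_template(SAMPLE_TEMPLATE, SAMPLE_IDS)
    return lint_baseline(json.loads(filled), SAMPLE_IDS[PLACEHOLDERS[0]])


if __name__ == "__main__":
    print("\n".join(check_sample()) or "no findings, ready for Import-DCConditionalAccessPolicyDesign")
```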

Baseline Policies Explained

This is a short explanation of each policy in the baseline.

BLOCK – Legacy Authentication

This global policy blocks all connections from insecure legacy protocols like ActiveSync, IMAP, POP3, etc. Blocking legacy authentication, together with MFA, is one of the most important security improvements you can make in the cloud.

BLOCK – Unsupported Device Platforms

Block unsupported platforms like Windows Phone, Linux, and other OS variants. Note: Device platform detection is a best effort security signal based on the user agent string and can be spoofed. Always combine this with additional signals like MFA and/or device authentication.

BLOCK – High-Risk Sign-Ins

This global policy blocks all high-risk authentications detected by Azure AD Identity Protection. This is called risk-based Conditional Access. Note that this policy requires Azure AD Premium P2 for all targeted users.

BLOCK – Countries not Allowed

This global policy blocks all connections from countries not in the Allowed countries whitelist. You should only allow countries where you expect your users to sign in from. This is not a real security boundary, since attackers can easily bypass it with a proxy service; however, it effectively blocks a lot of the automated noise in the cloud.

BLOCK – Service Accounts (Trusted Locations Excluded)

Block service accounts from untrusted IP addresses. Service accounts can only connect from allowed IP addresses, but without MFA requirement. Only use service accounts as a last resort!

BLOCK – Explicitly Blocked Cloud Apps

This policy can be used to explicitly block certain cloud apps across the organisation. This is handy if you want to permanently block certain apps, or temporarily block unwanted apps, for example, if there is a known critical security flaw.

BLOCK – Guest Access (Allowed Apps Excluded)

Block guests from using all apps, except excluded ones (default policy allows Office 365 only).

GRANT – Terms of Use

This global policy forces Terms of Use, like an acceptable use policy or NDA, on all users. Users must read and agree to this policy the first time they sign in before they’re granted access.

GRANT – MFA for All Users

Protects all user authentications with MFA. This policy applies to both internal users and guest users, on managed devices and unmanaged devices. Intune enrolment is excluded since MFA is not supported during enrolment of fully managed devices. You can change this if you have another solution for MFA registration.

GRANT – Mobile Apps and Desktop Clients

Requires mobile apps and desktop clients to be Intune compliant or Hybrid Azure AD Joined. BYOD is blocked and must use a browser instead.

GRANT – Mobile Device Access Requirements

Requires an approved Microsoft app on iOS and Android. This blocks third-party app store apps.

SESSION – Block Unmanaged File Downloads

Browsers on unmanaged devices can’t download files and attachments from SharePoint Online, OneDrive for Business, and Exchange Online. They can work with files in the Office web apps.

Summary

This baseline will work for many organisations out of the box, but it can also serve as a starting point for a modified version. Some organisations might require different policies for different departments; if that’s the case, it is easy to just create multiple copies of the required policies and filter on group membership.

Please follow me here, on LinkedIn and on Twitter!

@DanielChronlund

The JSON baseline template:

[
    {
        "displayName": "BLOCK - Legacy Authentication",
        "state": "enabled",
        "sessionControls": null,
        "conditions": {
            "userRiskLevels": [],
            "signInRiskLevels": [],
            "clientAppTypes": [
                "exchangeActiveSync",
                "other"
            ],
            "platforms": null,
            "locations": null,
            "deviceStates": null,
            "devices": null,
            "clientApplications": null,
            "applications": {
                "includeApplications": [
                    "All"
                ],
                "excludeApplications": [],
                "includeUserActions": []
            },
            "users": {
                "includeUsers": [
                    "All"
                ],
                "excludeUsers": [],
                "includeGroups": [],
                "excludeGroups": [
                    "REPLACE WITH EXCLUDE GROUP ID"
                ],
                "includeRoles": [],
                "excludeRoles": []
            }
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": [
                "block"
            ],
            "customAuthenticationFactors": [],
            "termsOfUse": []
        }
    },
    {
        "displayName": "BLOCK - Unsupported Device Platforms",
        "state": "enabled",
        "sessionControls": null,
        "conditions": {
            "userRiskLevels": [],
            "signInRiskLevels": [],
            "clientAppTypes": [
                "all"
            ],
            "locations": null,
            "deviceStates": null,
            "devices": null,
            "clientApplications": null,
            "applications": {
                "includeApplications": [
                    "All"
                ],
                "excludeApplications": [],
                "includeUserActions": []
            },
            "users": {
                "includeUsers": [
                    "All"
                ],
                "excludeUsers": [],
                "includeGroups": [],
                "excludeGroups": [
                    "REPLACE WITH EXCLUDE GROUP ID"
                ],
                "includeRoles": [],
                "excludeRoles": []
            },
            "platforms": {
                "includePlatforms": [
                    "all"
                ],
                "excludePlatforms": [
                    "android",
                    "iOS",
                    "windows",
                    "macOS"
                ]
            }
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": [
                "block"
            ],
            "customAuthenticationFactors": [],
            "termsOfUse": []
        }
    },
    {
        "displayName": "BLOCK - High-Risk Sign-Ins",
        "state": "enabled",
        "sessionControls": null,
        "conditions": {
            "userRiskLevels": [],
            "signInRiskLevels": [
                "high"
            ],
            "clientAppTypes": [
                "all"
            ],
            "platforms": null,
            "locations": null,
            "deviceStates": null,
            "devices": null,
            "clientApplications": null,
            "applications": {
                "includeApplications": [
                    "All"
                ],
                "excludeApplications": [],
                "includeUserActions": []
            },
            "users": {
                "includeUsers": [
                    "All"
                ],
                "excludeUsers": [],
                "includeGroups": [],
                "excludeGroups": [
                    "REPLACE WITH EXCLUDE GROUP ID"
                ],
                "includeRoles": [],
                "excludeRoles": []
            }
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": [
                "block"
            ],
            "customAuthenticationFactors": [],
            "termsOfUse": []
        }
    },
    {
        "displayName": "BLOCK - Countries not Allowed",
        "state": "enabled",
        "sessionControls": null,
        "conditions": {
            "userRiskLevels": [],
            "signInRiskLevels": [],
            "clientAppTypes": [
                "all"
            ],
            "platforms": null,
            "deviceStates": null,
            "devices": null,
            "clientApplications": null,
            "applications": {
                "includeApplications": [
                    "All"
                ],
                "excludeApplications": [],
                "includeUserActions": []
            },
            "users": {
                "includeUsers": [
                    "All"
                ],
                "excludeUsers": [],
                "includeGroups": [],
                "excludeGroups": [
                    "REPLACE WITH EXCLUDE GROUP ID"
                ],
                "includeRoles": [],
                "excludeRoles": []
            },
            "locations": {
                "includeLocations": [
                    "All"
                ],
                "excludeLocations": [
                    "REPLACE WITH ALLOWED COUNTRIES NAMED LOCATION ID"
                ]
            }
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": [
                "block"
            ],
            "customAuthenticationFactors": [],
            "termsOfUse": []
        }
    },
    {
        "displayName": "BLOCK - Service Accounts (Trusted Locations Excluded)",
        "state": "enabled",
        "sessionControls": null,
        "conditions": {
            "userRiskLevels": [],
            "signInRiskLevels": [],
            "clientAppTypes": [
                "all"
            ],
            "platforms": null,
            "deviceStates": null,
            "devices": null,
            "clientApplications": null,
            "applications": {
                "includeApplications": [
                    "All"
                ],
                "excludeApplications": [],
                "includeUserActions": []
            },
            "users": {
                "includeUsers": [],
                "excludeUsers": [],
                "includeGroups": [
                    "REPLACE WITH SERVICE ACCOUNT GROUP ID"
                ],
                "excludeGroups": [
                    "REPLACE WITH EXCLUDE GROUP ID"
                ],
                "includeRoles": [],
                "excludeRoles": []
            },
            "locations": {
                "includeLocations": [
                    "AllTrusted"
                ],
                "excludeLocations": [
                    "REPLACE WITH SERVICE ACCOUNT TRUSTED NAMED LOCATION"
                ]
            }
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": [
                "block"
            ],
            "customAuthenticationFactors": [],
            "termsOfUse": []
        }
    },
    {
        "displayName": "BLOCK - Explicitly Blocked Cloud Apps",
        "state": "enabled",
        "sessionControls": null,
        "conditions": {
            "userRiskLevels": [],
            "signInRiskLevels": [],
            "clientAppTypes": [
                "all"
            ],
            "platforms": null,
            "locations": null,
            "deviceStates": null,
            "devices": null,
            "clientApplications": null,
            "applications": {
                "includeApplications": [
                    "None"
                ],
                "excludeApplications": [],
                "includeUserActions": []
            },
            "users": {
                "includeUsers": [
                    "All"
                ],
                "excludeUsers": [],
                "includeGroups": [],
                "excludeGroups": [
                    "REPLACE WITH EXCLUDE GROUP ID"
                ],
                "includeRoles": [],
                "excludeRoles": []
            }
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": [
                "block"
            ],
            "customAuthenticationFactors": [],
            "termsOfUse": []
        }
    },
    {
        "displayName": "BLOCK - Guest Access (Allowed Apps Excluded)",
        "state": "enabled",
        "sessionControls": null,
        "conditions": {
            "userRiskLevels": [],
            "signInRiskLevels": [],
            "clientAppTypes": [
                "all"
            ],
            "platforms": null,
            "locations": null,
            "deviceStates": null,
            "devices": null,
            "clientApplications": null,
            "applications": {
                "includeApplications": [
                    "All"
                ],
                "excludeApplications": [
                    "Office365"
                ],
                "includeUserActions": []
            },
            "users": {
                "includeUsers": [
                    "GuestsOrExternalUsers"
                ],
                "excludeUsers": [],
                "includeGroups": [],
                "excludeGroups": [
                    "REPLACE WITH EXCLUDE GROUP ID"
                ],
                "includeRoles": [],
                "excludeRoles": []
            }
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": [
                "block"
            ],
            "customAuthenticationFactors": [],
            "termsOfUse": []
        }
    },
    {
        "displayName": "GRANT - Terms of Use",
        "state": "enabled",
        "sessionControls": null,
        "conditions": {
            "userRiskLevels": [],
            "signInRiskLevels": [],
            "clientAppTypes": [
                "all"
            ],
            "platforms": null,
            "locations": null,
            "deviceStates": null,
            "devices": null,
            "clientApplications": null,
            "applications": {
                "includeApplications": [
                    "All"
                ],
                "excludeApplications": [],
                "includeUserActions": []
            },
            "users": {
                "includeUsers": [
                    "All"
                ],
                "excludeUsers": [],
                "includeGroups": [],
                "excludeGroups": [
                    "REPLACE WITH EXCLUDE GROUP ID",
                    "REPLACE WITH SERVICE ACCOUNT GROUP ID"
                ],
                "includeRoles": [],
                "excludeRoles": []
            }
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": [],
            "customAuthenticationFactors": [],
            "termsOfUse": [
                "REPLACE WITH TERMS OF USE ID"
            ]
        }
    },
    {
        "displayName": "GRANT - MFA for All Users",
        "state": "enabled",
        "sessionControls": null,
        "conditions": {
            "userRiskLevels": [],
            "signInRiskLevels": [],
            "clientAppTypes": [
                "all"
            ],
            "platforms": null,
            "locations": null,
            "deviceStates": null,
            "devices": null,
            "clientApplications": null,
            "applications": {
                "includeApplications": [
                    "All"
                ],
                "excludeApplications": [
                    "d4ebce55-015a-49b5-a083-c84d1797ae8c",
                    "0000000a-0000-0000-c000-000000000000"
                ],
                "includeUserActions": []
            },
            "users": {
                "includeUsers": [
                    "All"
                ],
                "excludeUsers": [],
                "includeGroups": [],
                "excludeGroups": [
                    "REPLACE WITH EXCLUDE GROUP ID",
                    "REPLACE WITH SERVICE ACCOUNT GROUP ID"
                ],
                "includeRoles": [],
                "excludeRoles": []
            }
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": [
                "mfa"
            ],
            "customAuthenticationFactors": [],
            "termsOfUse": []
        }
    },
    {
        "displayName": "GRANT - Mobile Apps and Desktop Clients",
        "state": "enabled",
        "sessionControls": null,
        "conditions": {
            "userRiskLevels": [],
            "signInRiskLevels": [],
            "clientAppTypes": [
                "mobileAppsAndDesktopClients"
            ],
            "platforms": null,
            "locations": null,
            "deviceStates": null,
            "devices": null,
            "clientApplications": null,
            "applications": {
                "includeApplications": [
                    "All"
                ],
                "excludeApplications": [],
                "includeUserActions": []
            },
            "users": {
                "includeUsers": [
                    "All"
                ],
                "excludeUsers": [],
                "includeGroups": [],
                "excludeGroups": [
                    "REPLACE WITH EXCLUDE GROUP ID",
                    "REPLACE WITH SERVICE ACCOUNT GROUP ID"
                ],
                "includeRoles": [],
                "excludeRoles": []
            }
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": [
                "compliantDevice",
                "domainJoinedDevice"
            ],
            "customAuthenticationFactors": [],
            "termsOfUse": []
        }
    },
    {
        "displayName": "GRANT - Mobile Device Access Requirements",
        "state": "enabled",
        "sessionControls": null,
        "conditions": {
            "userRiskLevels": [],
            "signInRiskLevels": [],
            "clientAppTypes": [
                "mobileAppsAndDesktopClients"
            ],
            "locations": null,
            "deviceStates": null,
            "devices": null,
            "clientApplications": null,
            "applications": {
                "includeApplications": [
                    "All"
                ],
                "excludeApplications": [
                    "0000000a-0000-0000-c000-000000000000",
                    "d4ebce55-015a-49b5-a083-c84d1797ae8c"
                ],
                "includeUserActions": []
            },
            "users": {
                "includeUsers": [
                    "All"
                ],
                "excludeUsers": [],
                "includeGroups": [],
                "excludeGroups": [
                    "REPLACE WITH EXCLUDE GROUP ID",
                    "REPLACE WITH SERVICE ACCOUNT GROUP ID"
                ],
                "includeRoles": [],
                "excludeRoles": []
            },
            "platforms": {
                "includePlatforms": [
                    "android",
                    "iOS"
                ],
                "excludePlatforms": []
            }
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": [
                "approvedApplication"
            ],
            "customAuthenticationFactors": [],
            "termsOfUse": []
        }
    },
    {
        "displayName": "SESSION - Block Unmanaged File Downloads",
        "state": "enabled",
        "grantControls": null,
        "conditions": {
            "userRiskLevels": [],
            "signInRiskLevels": [],
            "clientAppTypes": [
                "browser"
            ],
            "platforms": null,
            "locations": null,
            "deviceStates": null,
            "clientApplications": null,
            "applications": {
                "includeApplications": [
                    "00000002-0000-0ff1-ce00-000000000000",
                    "00000003-0000-0ff1-ce00-000000000000"
                ],
                "excludeApplications": [],
                "includeUserActions": []
            },
            "users": {
                "includeUsers": [
                    "All"
                ],
                "excludeUsers": [],
                "includeGroups": [],
                "excludeGroups": [
                    "REPLACE WITH EXCLUDE GROUP ID"
                ],
                "includeRoles": [],
                "excludeRoles": []
            },
            "devices": {
                "includeDeviceStates": [
                    "All"
                ],
                "excludeDeviceStates": [
                    "Compliant",
                    "DomainJoined"
                ]
            }
        },
        "sessionControls": {
            "cloudAppSecurity": null,
            "signInFrequency": null,
            "persistentBrowser": null,
            "applicationEnforcedRestrictions": {
                "isEnabled": true
            }
        }
    }
]