Azure AD Conditional Access Policy Design Baseline with Automatic Deployment Support

My Azure AD Conditional Access Policy Design Baseline is updated at least twice every year, always containing lessons learned from the field. It is based on my recommendations of how Conditional Access should be deployed to create a strong zero trust security posture.

Note that all organisations are different and you might need to adjust the baseline to fit your specific needs. My goal is to provide inspiration and a great starting point for your own Conditional Access design.

There are two methods of deployment:

Option 1: Manual Deployment

Download the Excel version of the baseline and manually create each Conditional Access policy in the Azure portal.

Option 2: Automatic Deployment

Version 7 of this baseline was the first version with DCToolbox automation support. This means that you can now automatically deploy this baseline from the JSON template at the end of this blog post (or export or create your own JSON templates).

Please see this article for details of Conditional Access automation with DCToolbox: How to Manage Conditional Access as Code – The Ultimate Guide

To automatically install the baseline, follow the instructions in the article above, copy the JSON template at the bottom of this blog post, search and replace IDs of Azure AD groups, named locations, etc, save the file, and point Import-DCConditionalAccessPolicyDesign to your new JSON file.

Search and replace the following text in your JSON file:

REPLACE WITH EXCLUDE GROUP ID
REPLACE WITH SERVICE ACCOUNT GROUP ID
REPLACE WITH SERVICE ACCOUNT TRUSTED NAMED LOCATION
REPLACE WITH ALLOWED COUNTRIES NAMED LOCATION ID
REPLACE WITH TERMS OF USE ID
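A small pre-flight script for the search-and-replace step, added here as an example and not part of DCToolbox: it fills the placeholder tokens, refuses to continue if any are left over, and checks that every policy still excludes the break-glass group before the file is handed to Import-DCConditionalAccessPolicyDesign. The two-policy template and the GUIDs are constructed sample values; for real use, load the full JSON from the bottom of this post instead.

```python
"""Fill placeholder IDs in the baseline template and sanity-check the result
before import. Added example; the TEMPLATE is a constructed two-policy excerpt
of the baseline and the GUIDs in IDS are made-up sample values."""
import json
import re

# Matches every "REPLACE WITH ..." token the baseline uses.
PLACEHOLDER = re.compile(r"REPLACE WITH [A-Z ]+")

# Constructed excerpt: one BLOCK policy and one GRANT policy from the baseline.
TEMPLATE = """[
  {"displayName": "BLOCK - Legacy Authentication", "state": "enabled",
   "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"],
     "applications": {"includeApplications": ["All"]},
     "users": {"includeUsers": ["All"],
               "excludeGroups": ["REPLACE WITH EXCLUDE GROUP ID"]}},
   "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
  {"displayName": "GRANT - Terms of Use", "state": "enabled",
   "conditions": {"clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
     "applications": {"includeApplications": ["All"]},
     "users": {"includeUsers": ["All"],
               "excludeGroups": ["REPLACE WITH EXCLUDE GROUP ID"]}},
   "grantControls": {"operator": "OR", "builtInControls": [],
     "termsOfUse": ["REPLACE WITH TERMS OF USE ID"]}}
]"""

# Sample values only; use the object IDs from your own tenant.
IDS = {
    "REPLACE WITH EXCLUDE GROUP ID": "11111111-1111-1111-1111-111111111111",
    "REPLACE WITH TERMS OF USE ID": "22222222-2222-2222-2222-222222222222",
}


def fill_template(text, ids):
    """Plain search-and-replace of each placeholder token with its ID."""
    for token, value in ids.items():
        text = text.replace(token, value)
    return text


def leftover_placeholders(text):
    """Sorted list of placeholder tokens that were not replaced."""
    return sorted(set(PLACEHOLDER.findall(text)))


def check_baseline(policies, exclude_group):
    """Return findings; an empty list means the file is safe to import."""
    findings = []
    for p in policies:
        name = p["displayName"]
        users = p["conditions"]["users"]
        # Every policy must exclude the break-glass group, or a bad policy
        # can lock the whole tenant out.
        if exclude_group not in users.get("excludeGroups", []):
            findings.append(f"{name}: break-glass group is not excluded")
        # SESSION policies carry "grantControls": null, hence the "or {}".
        grant = p.get("grantControls") or {}
        controls = grant.get("builtInControls", [])
        if name.startswith("BLOCK") and controls != ["block"]:
            findings.append(f"{name}: BLOCK policy does not use the block control")
        if name.startswith("GRANT") and not controls and not grant.get("termsOfUse"):
            findings.append(f"{name}: GRANT policy grants nothing")
    return findings


def prepare(template, ids):
    """Fill, validate and parse the template; returns (policies, findings)."""
    filled = fill_template(template, ids)
    missing = leftover_placeholders(filled)
    if missing:
        raise ValueError("unreplaced placeholders: " + ", ".join(missing))
    policies = json.loads(filled)
    return policies, check_baseline(policies, ids["REPLACE WITH EXCLUDE GROUP ID"])


if __name__ == "__main__":
    policies, findings = prepare(TEMPLATE, IDS)
    print(f"{len(policies)} policies parsed, findings: {findings or 'none'}")
```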

Baseline Policies Explained

This is a short explanation of each policy in the baseline.

BLOCK – Legacy Authentication

This global policy blocks all connections from insecure legacy protocols like ActiveSync, IMAP, POP3, etc. Blocking legacy authentication, together with MFA, is one of the most important security improvements you can make in the cloud.

BLOCK – High-Risk Sign-Ins

This global policy blocks all high-risk authentications detected by Azure AD Identity Protection. This is called risk-based Conditional Access. Note that this policy requires Azure AD Premium P2 for all targeted users.

BLOCK – Countries not Allowed

This global policy blocks all connections from countries not in the Allowed countries whitelist. You should only allow countries where you expect your users to sign in from. This is not a real security solution since attackers will easily bypass this with a proxy service, however, this effectively blocks a lot of the automated noise in the cloud.

BLOCK – Explicitly Blocked Cloud Apps

This policy can be used to explicitly block certain cloud apps across the organisation. This is handy if you want to permanently block certain apps, or temporarily block unwanted apps, for example, if there is a known critical security flaw.

GRANT – Terms of Use

This global policy forces Terms of Use, like an acceptable use policy or NDA, on all users. Users must read and agree to this policy the first time they sign in before they’re granted access.

GRANT – Browser Access

General browser access policy that grants authentication from a browser on any device, with MFA requirement. This includes BYOD scenarios. Intune enrolment is excluded since MFA is not supported during enrolment of fully managed devices. You can change this if you have another solution for MFA registration.

SESSION – Block Unmanaged Browser File Downloads

Browsers on unmanaged devices can’t download files and attachments from SharePoint Online, OneDrive for Business, and Exchange Online. They can work with files in the Office web apps.

GRANT – Mobile Device Access

Grants access to mobile apps on managed mobile devices that are enrolled and compliant in Intune. An approved Microsoft app is required. Intune enrolment is excluded since MFA is not supported during enrolment of fully managed devices. You can change this if you have another solution for MFA registration.

GRANT – Windows Device Access

Grants access to managed Windows devices that are Hybrid Azure AD Joined (joined to on-prem AD and Azure AD) and Intune compliant. Intune enrolment is excluded since MFA is not supported during enrolment of fully managed devices. You can change this if you have another solution for MFA registration.

GRANT – Mac Device Access

Grants access to managed Mac devices that are Intune compliant. Intune enrolment is excluded since MFA is not supported during enrolment of fully managed devices. You can change this if you have another solution for MFA registration.

GRANT – Guest Access

Enforce MFA for all guests.

BLOCK – Guest Access

Block guests from using all apps, except excluded ones (default allows Office 365 only).

BLOCK – Service Accounts

Block service accounts from untrusted IP addresses. Service accounts can only connect from allowed IP addresses, but without MFA requirement. Only use service accounts as a last resort!

Summary

This baseline will work for many organisations out of the box, but it can also serve as a starting point for a modified version. Some organisations might require different policies for different departments. If that's the case, it is easy to just create multiple copies of the required policies and filter on group membership.

Please follow me here, on LinkedIn and on Twitter!

@DanielChronlund

The JSON baseline template:

[
    {
        "displayName": "BLOCK - Legacy Authentication",
        "state": "enabled",
        "sessionControls": null,
        "conditions": {
            "userRiskLevels": [],
            "signInRiskLevels": [],
            "clientAppTypes": [
                "exchangeActiveSync",
                "other"
            ],
            "platforms": null,
            "locations": null,
            "deviceStates": null,
            "devices": null,
            "clientApplications": null,
            "applications": {
                "includeApplications": [
                    "All"
                ],
                "excludeApplications": [],
                "includeUserActions": []
            },
            "users": {
                "includeUsers": [
                    "All"
                ],
                "excludeUsers": [],
                "includeGroups": [],
                "excludeGroups": [
                    "REPLACE WITH EXCLUDE GROUP ID"
                ],
                "includeRoles": [],
                "excludeRoles": []
            }
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": [
                "block"
            ],
            "customAuthenticationFactors": [],
            "termsOfUse": []
        }
    },
    {
        "displayName": "BLOCK - High-Risk Sign-Ins",
        "state": "enabled",
        "sessionControls": null,
        "conditions": {
            "userRiskLevels": [],
            "signInRiskLevels": [
                "high"
            ],
            "clientAppTypes": [
                "browser",
                "mobileAppsAndDesktopClients"
            ],
            "platforms": null,
            "locations": null,
            "deviceStates": null,
            "devices": null,
            "clientApplications": null,
            "applications": {
                "includeApplications": [
                    "All"
                ],
                "excludeApplications": [],
                "includeUserActions": []
            },
            "users": {
                "includeUsers": [
                    "All"
                ],
                "excludeUsers": [],
                "includeGroups": [],
                "excludeGroups": [
                    "REPLACE WITH EXCLUDE GROUP ID"
                ],
                "includeRoles": [],
                "excludeRoles": []
            }
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": [
                "block"
            ],
            "customAuthenticationFactors": [],
            "termsOfUse": []
        }
    },
    {
        "displayName": "BLOCK - Countries not Allowed",
        "state": "enabled",
        "sessionControls": null,
        "conditions": {
            "userRiskLevels": [],
            "signInRiskLevels": [],
            "clientAppTypes": [
                "browser",
                "mobileAppsAndDesktopClients"
            ],
            "platforms": null,
            "deviceStates": null,
            "devices": null,
            "clientApplications": null,
            "applications": {
                "includeApplications": [
                    "All"
                ],
                "excludeApplications": [],
                "includeUserActions": []
            },
            "users": {
                "includeUsers": [
                    "All"
                ],
                "excludeUsers": [],
                "includeGroups": [],
                "excludeGroups": [
                    "REPLACE WITH EXCLUDE GROUP ID"
                ],
                "includeRoles": [],
                "excludeRoles": []
            },
            "locations": {
                "includeLocations": [
                    "All"
                ],
                "excludeLocations": [
                    "REPLACE WITH ALLOWED COUNTRIES NAMED LOCATION ID"
                ]
            }
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": [
                "block"
            ],
            "customAuthenticationFactors": [],
            "termsOfUse": []
        }
    },
    {
        "displayName": "BLOCK - Explicitly Blocked Cloud Apps",
        "state": "enabled",
        "sessionControls": null,
        "conditions": {
            "userRiskLevels": [],
            "signInRiskLevels": [],
            "clientAppTypes": [
                "browser",
                "mobileAppsAndDesktopClients"
            ],
            "platforms": null,
            "locations": null,
            "deviceStates": null,
            "devices": null,
            "clientApplications": null,
            "applications": {
                "includeApplications": [
                    "None"
                ],
                "excludeApplications": [],
                "includeUserActions": []
            },
            "users": {
                "includeUsers": [
                    "All"
                ],
                "excludeUsers": [],
                "includeGroups": [],
                "excludeGroups": [
                    "REPLACE WITH EXCLUDE GROUP ID"
                ],
                "includeRoles": [],
                "excludeRoles": []
            }
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": [
                "block"
            ],
            "customAuthenticationFactors": [],
            "termsOfUse": []
        }
    },
    {
        "displayName": "GRANT - Terms of Use",
        "state": "enabled",
        "sessionControls": null,
        "conditions": {
            "userRiskLevels": [],
            "signInRiskLevels": [],
            "clientAppTypes": [
                "browser",
                "mobileAppsAndDesktopClients"
            ],
            "platforms": null,
            "locations": null,
            "deviceStates": null,
            "devices": null,
            "clientApplications": null,
            "applications": {
                "includeApplications": [
                    "All"
                ],
                "excludeApplications": [],
                "includeUserActions": []
            },
            "users": {
                "includeUsers": [
                    "All"
                ],
                "excludeUsers": [],
                "includeGroups": [],
                "excludeGroups": [
                    "REPLACE WITH EXCLUDE GROUP ID"
                ],
                "includeRoles": [],
                "excludeRoles": []
            }
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": [],
            "customAuthenticationFactors": [],
            "termsOfUse": [
                "REPLACE WITH TERMS OF USE ID"
            ]
        }
    },
    {
        "displayName": "GRANT - Browser Access",
        "state": "enabled",
        "sessionControls": null,
        "conditions": {
            "userRiskLevels": [],
            "signInRiskLevels": [],
            "clientAppTypes": [
                "browser"
            ],
            "platforms": null,
            "locations": null,
            "deviceStates": null,
            "devices": null,
            "clientApplications": null,
            "applications": {
                "includeApplications": [
                    "All"
                ],
                "excludeApplications": [
                    "0000000a-0000-0000-c000-000000000000",
                    "d4ebce55-015a-49b5-a083-c84d1797ae8c"
                ],
                "includeUserActions": []
            },
            "users": {
                "includeUsers": [
                    "All"
                ],
                "excludeUsers": [],
                "includeGroups": [],
                "excludeGroups": [
                    "REPLACE WITH EXCLUDE GROUP ID",
                    "REPLACE WITH SERVICE ACCOUNT GROUP ID"
                ],
                "includeRoles": [],
                "excludeRoles": []
            }
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": [
                "mfa"
            ],
            "customAuthenticationFactors": [],
            "termsOfUse": []
        }
    },
    {
        "displayName": "SESSION - Block Unmanaged Browser File Downloads",
        "state": "enabled",
        "grantControls": null,
        "conditions": {
            "userRiskLevels": [],
            "signInRiskLevels": [],
            "clientAppTypes": [
                "browser"
            ],
            "platforms": null,
            "locations": null,
            "deviceStates": null,
            "clientApplications": null,
            "applications": {
                "includeApplications": [
                    "00000002-0000-0ff1-ce00-000000000000",
                    "00000003-0000-0ff1-ce00-000000000000"
                ],
                "excludeApplications": [],
                "includeUserActions": []
            },
            "users": {
                "includeUsers": [
                    "All"
                ],
                "excludeUsers": [],
                "includeGroups": [],
                "excludeGroups": [
                    "REPLACE WITH EXCLUDE GROUP ID"
                ],
                "includeRoles": [],
                "excludeRoles": []
            },
            "devices": {
                "includeDeviceStates": [
                    "All"
                ],
                "excludeDeviceStates": [
                    "Compliant",
                    "DomainJoined"
                ]
            }
        },
        "sessionControls": {
            "cloudAppSecurity": null,
            "signInFrequency": null,
            "persistentBrowser": null,
            "applicationEnforcedRestrictions": {
                "isEnabled": true
            }
        }
    },
    {
        "displayName": "GRANT - Mobile Device Access",
        "state": "enabled",
        "sessionControls": null,
        "conditions": {
            "userRiskLevels": [],
            "signInRiskLevels": [],
            "clientAppTypes": [
                "mobileAppsAndDesktopClients"
            ],
            "locations": null,
            "deviceStates": null,
            "devices": null,
            "clientApplications": null,
            "applications": {
                "includeApplications": [
                    "All"
                ],
                "excludeApplications": [
                    "0000000a-0000-0000-c000-000000000000",
                    "d4ebce55-015a-49b5-a083-c84d1797ae8c"
                ],
                "includeUserActions": []
            },
            "users": {
                "includeUsers": [
                    "All"
                ],
                "excludeUsers": [],
                "includeGroups": [],
                "excludeGroups": [
                    "REPLACE WITH EXCLUDE GROUP ID",
                    "REPLACE WITH SERVICE ACCOUNT GROUP ID"
                ],
                "includeRoles": [],
                "excludeRoles": []
            },
            "platforms": {
                "includePlatforms": [
                    "android",
                    "iOS"
                ],
                "excludePlatforms": []
            }
        },
        "grantControls": {
            "operator": "AND",
            "builtInControls": [
                "mfa",
                "compliantDevice",
                "approvedApplication"
            ],
            "customAuthenticationFactors": [],
            "termsOfUse": []
        }
    },
    {
        "displayName": "GRANT - Windows Device Access",
        "state": "enabled",
        "sessionControls": null,
        "conditions": {
            "userRiskLevels": [],
            "signInRiskLevels": [],
            "clientAppTypes": [
                "mobileAppsAndDesktopClients"
            ],
            "locations": null,
            "deviceStates": null,
            "devices": null,
            "clientApplications": null,
            "applications": {
                "includeApplications": [
                    "All"
                ],
                "excludeApplications": [
                    "0000000a-0000-0000-c000-000000000000",
                    "d4ebce55-015a-49b5-a083-c84d1797ae8c"
                ],
                "includeUserActions": []
            },
            "users": {
                "includeUsers": [
                    "All"
                ],
                "excludeUsers": [],
                "includeGroups": [],
                "excludeGroups": [
                    "REPLACE WITH EXCLUDE GROUP ID",
                    "REPLACE WITH SERVICE ACCOUNT GROUP ID"
                ],
                "includeRoles": [],
                "excludeRoles": []
            },
            "platforms": {
                "includePlatforms": [
                    "windows"
                ],
                "excludePlatforms": []
            }
        },
        "grantControls": {
            "operator": "AND",
            "builtInControls": [
                "mfa",
                "compliantDevice",
                "domainJoinedDevice"
            ],
            "customAuthenticationFactors": [],
            "termsOfUse": []
        }
    },
    {
        "displayName": "GRANT - Mac Device Access",
        "state": "enabled",
        "sessionControls": null,
        "conditions": {
            "userRiskLevels": [],
            "signInRiskLevels": [],
            "clientAppTypes": [
                "mobileAppsAndDesktopClients"
            ],
            "locations": null,
            "deviceStates": null,
            "devices": null,
            "clientApplications": null,
            "applications": {
                "includeApplications": [
                    "All"
                ],
                "excludeApplications": [
                    "0000000a-0000-0000-c000-000000000000",
                    "d4ebce55-015a-49b5-a083-c84d1797ae8c"
                ],
                "includeUserActions": []
            },
            "users": {
                "includeUsers": [
                    "All"
                ],
                "excludeUsers": [],
                "includeGroups": [],
                "excludeGroups": [
                    "REPLACE WITH EXCLUDE GROUP ID",
                    "REPLACE WITH SERVICE ACCOUNT GROUP ID"
                ],
                "includeRoles": [],
                "excludeRoles": []
            },
            "platforms": {
                "includePlatforms": [
                    "macOS"
                ],
                "excludePlatforms": []
            }
        },
        "grantControls": {
            "operator": "AND",
            "builtInControls": [
                "mfa",
                "compliantDevice"
            ],
            "customAuthenticationFactors": [],
            "termsOfUse": []
        }
    },
    {
        "displayName": "GRANT - Guest Access",
        "state": "enabled",
        "sessionControls": null,
        "conditions": {
            "userRiskLevels": [],
            "signInRiskLevels": [],
            "clientAppTypes": [
                "all"
            ],
            "platforms": null,
            "locations": null,
            "deviceStates": null,
            "devices": null,
            "clientApplications": null,
            "applications": {
                "includeApplications": [
                    "All"
                ],
                "excludeApplications": [],
                "includeUserActions": []
            },
            "users": {
                "includeUsers": [
                    "GuestsOrExternalUsers"
                ],
                "excludeUsers": [],
                "includeGroups": [],
                "excludeGroups": [
                    "REPLACE WITH EXCLUDE GROUP ID"
                ],
                "includeRoles": [],
                "excludeRoles": []
            }
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": [
                "mfa"
            ],
            "customAuthenticationFactors": [],
            "termsOfUse": []
        }
    },
    {
        "displayName": "BLOCK - Guest Access",
        "state": "enabled",
        "sessionControls": null,
        "conditions": {
            "userRiskLevels": [],
            "signInRiskLevels": [],
            "clientAppTypes": [
                "all"
            ],
            "platforms": null,
            "locations": null,
            "deviceStates": null,
            "devices": null,
            "clientApplications": null,
            "applications": {
                "includeApplications": [
                    "All"
                ],
                "excludeApplications": [
                    "Office365"
                ],
                "includeUserActions": []
            },
            "users": {
                "includeUsers": [
                    "GuestsOrExternalUsers"
                ],
                "excludeUsers": [],
                "includeGroups": [],
                "excludeGroups": [
                    "REPLACE WITH EXCLUDE GROUP ID"
                ],
                "includeRoles": [],
                "excludeRoles": []
            }
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": [
                "block"
            ],
            "customAuthenticationFactors": [],
            "termsOfUse": []
        }
    },
    {
        "displayName": "BLOCK - Service Accounts",
        "state": "enabled",
        "sessionControls": null,
        "conditions": {
            "userRiskLevels": [],
            "signInRiskLevels": [],
            "clientAppTypes": [
                "browser",
                "mobileAppsAndDesktopClients"
            ],
            "platforms": null,
            "deviceStates": null,
            "devices": null,
            "clientApplications": null,
            "applications": {
                "includeApplications": [
                    "All"
                ],
                "excludeApplications": [],
                "includeUserActions": []
            },
            "users": {
                "includeUsers": [],
                "excludeUsers": [],
                "includeGroups": [
                    "REPLACE WITH SERVICE ACCOUNT GROUP ID"
                ],
                "excludeGroups": [
                    "REPLACE WITH EXCLUDE GROUP ID"
                ],
                "includeRoles": [],
                "excludeRoles": []
            },
            "locations": {
                "includeLocations": [
                    "All"
                ],
                "excludeLocations": [
                    "REPLACE WITH SERVICE ACCOUNT TRUSTED NAMED LOCATION"
                ]
            }
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": [
                "block"
            ],
            "customAuthenticationFactors": [],
            "termsOfUse": []
        }
    }
]