Implement conditional access policy controls

Conditional Access Policies are essentially if-then statements. For instance, if a user wants to access a resource, then they must complete an action. They constitute of two primary elements:

• 1- Assignments: Specifies who and what the policy applies to.
• 2- Access Controls: Defines the necessary actions that need to be carried out for access.

Assignments comprise of User and Groups, Cloud apps or actions, and Conditions such as sign-in risk, device platform, locations, and client apps. You may not apply multiple assignments to the same policy at once; you have to be explicit about the users or groups and the cloud apps the policy applies to.

Access Controls involve two types of actions – Grant and Session. Grant actions could include block access, require multi-factor authentication, require device to be marked as compliant, etc. Session actions control access within the user’s session after access has been granted.

Implementing Conditional Access Policies

Implementing Conditional Access policies in your organization involves the following steps:

1. Sign in to the Azure Portal

Sign in to the Azure portal as a global administrator, security administrator, or conditional access administrator.

2. Navigate to Conditional Access Page

On the left navigation pane, select Azure Active Directory, then select Security, and finally, click on Conditional Access.

3. Create a New Policy

On the top menu, select the “New Policy” button.

4. Specify Policy Assignments

Once the policy page attempts to create a new policy, you would need to name your policy and specify your policy assignments:

• “Users and Groups”: Here, you can specify which users or groups this policy will apply to.
• “Cloud Apps or Actions”: This allows you to specify which cloud applications or user actions would trigger this policy.
• “Conditions”: You can specify certain conditions under which this policy would be applicable, such as sign-in risk, device state, etc.

5. Specify Access Controls

Under the access controls, you would need to specify the type of access (Grant or Block), and the conditions under which this might happen. For instance, you could set up a policy where a user is granted access only when they use multi-factor authentication.

6. Enable and Create Policy

Once you have specified all the assignments and access controls, you can toggle the “Enable Policy” switch to “On”, and then select “Create” to implement the policy.

Overall, the implementation and management of conditional access policy controls are pivotal for an Identity and Access Administrator. It ensures that only the right users have the right access to the right resources. Therefore, mastering this topic is essential in your preparation for the SC-300 Microsoft Identity and Access Administrator exam. Study carefully and invest time in understanding the complexities involved to ensure a positive outcome on your exam and your future career as an Identity and Access Administrator. Remember, practice makes perfect!

Practice Test

True or False: Conditional Access Policy in Microsoft Azure determines if access control permissions need to be granted or denied based on the conditions specified.

• True
• False

Answer: True

Explanation: Microsoft Azure’s Conditional Access Policies work in a way that governs access control permissions based on the conditions specified. It is not a security tool, but provides enforcement on access control.

Which of the following can be specified as conditions in the Conditional Access Policies in Azure? (Multiple Select)

• A) Users
• B) Locations
• C) Devices
• D) Data types

Answer: A, B and C

Explanation: Conditions in Conditional Access Policies can include users, locations and devices, but not data types.

True or False: You can assign multiple Conditional Access Policies to a single user or group.

• True
• False

Answer: True

Explanation: You can assign more than one Conditional Access Policy to a single user or group in Microsoft Azure. The final decision is based on the aggregate of these policies.

Conditional Access Policies are always effective immediately after creation in Azure. Is this statement correct?

• True
• False

Answer: False

Explanation: After creating a Conditional Access Policy, you can choose whether to enable it immediately or to schedule it for a later time or date.

Which of the following statements regarding Conditional Access Policies is NOT true?

• A) You can configure exceptions in your policy
• B) You cannot manage guest user access with a policy
• C) You can use a policy to require multi-factor authentication
• D) You can use a policy to block access from certain locations

Answer: B

Explanation: You can manage guest user access with Conditional Access Policies in Azure. This allows you to control access to resources based on the status of the user.

True or False: With Conditional Access Policies, you can apply only Grant Controls?

• True
• False

Answer: False

Explanation: Conditional Access Policies in Microsoft Azure allow you to apply both grant controls (e.g., require password change, require multi-factor authentication) and session controls (e.g., restrict access to certain data, restrict ability to download data).

A Conditional Access Policy allows you to apply controls based on user risk, sign-in risk, device platform, and client app. True or False?

• True
• False

Answer: True

Explanation: Microsoft Azure’s Conditional Access Policies let you apply controls based on various aspects including user risk, sign-in risk, device platform and client application.

Which of these is NOT a valid condition in a Conditional Access Policy in Azure?

• A) IP address location
• B) Browser type
• C) Time of day
• D) Service bus queue depth

Answer: D

Explanation: Service bus queue depth is not a valid condition for a Conditional Access Policy. Conditions typically involve user profiles, locations, device platforms, client apps and risk levels.

True or False: To edit a Conditional Access Policy, you must first disable it.

• True
• False

Answer: True

Explanation: Yes, to modify a Conditional Access Policy, you first have to disable it to ensure that no users are impacted by changes during the editing process.

Does Microsoft recommend implementing a “one-size-fits-all” approach to Conditional Access Policies?

• True
• False

Answer: False

Explanation: Microsoft recommends tailoring Conditional Access Policies to specific needs, as a “one-size-fits-all” approach may not provide the necessary level of security and could unnecessarily restrict access.

Conditional Access Policy does not support multi-factor authentication. True or False?

• True
• False

Answer: False

Explanation: Conditional Access Policy supports multi-factor authentication. This allows for increased security by requiring users to present two or more pieces of identity information.

True or False: Conditional Access Policy controls cannot be bypassed for emergency access.

• True
• False

Answer: False

Explanation: Conditional Access Policies have a feature that allows certain users to bypass them in case of emergency. This ensures that essential tasks can still be done, even if strict policies are in place.

Conditional Access Policies should always be used in isolation for maximum security. True or False?

• True
• False

Answer: False

Explanation: Conditional Access policies aren’t meant to be used in isolation. For the best protection, they should be used alongside other security features such as threat protection and data loss prevention.

Which of these is NOT a type of session control in Conditional Access Policies in Azure?

• A) Use app-enforced restrictions
• B) Use Azure Information Protection for download restrictions
• C) Limit access to specific data types
• D) Sign out inactive sessions

Answer: C

Explanation: Conditional Access Policies allow you to set session controls like app-enforced restrictions, download restrictions and sign out inactive sessions, but it does not support limiting access to specific data types.

True or False: You need Global administrator or Security administrator permissions to create and manage Conditional Access Policies.

• True
• False

Answer: True

Explanation: To create and manage Conditional Access Policies, you need to be a Global administrator or Security administrator. Other roles do not have the necessary permissions to manage these policies.

Interview Questions

What is conditional access in Microsoft Identity and Access Management solutions?

Conditional access is a capability of Azure Active Directory that enables you to implement automated access control decisions for accessing cloud apps based on certain conditions.

What are the main components of a conditional access policy?

A conditional access policy consists of users or groups, cloud apps, conditions, and access controls.

What kind of conditions can Conditional Access Policies assess?

The conditions that Conditional Access Policies can assess include the sign-in risk, device platform, locations (named or IP address locations), client apps, and device state.

How does a session conditional access policy work?

It controls access after the user has logged in and regulates the sessions to enforce restrictions like limiting certain activities or making them read-only.

What happens when multiple conditional access policies apply to a user?

The assignments and conditions are evaluated together, and if any policy requires multi-factor authentication, the user will need to complete it.

Can you exempt certain users from a conditional access policy?

Yes, there are options while setting up the policy where you can exclude certain users or groups.

How to implement Multi-Factor Authentication through Conditional Access?

You can implement Multi-Factor Authentication within a Conditional Access policy by using the “Grant” control. You configure it to require multi-factor authentication from the users/groups that the policy applies to.

What is the significance of ‘device compliance’ in conditional access policies?

Device compliance allows for checking if a device meets the standards set by the organization. If a device is not compliant, the conditional access policy can apply further controls, such as blocking access or requiring remedial actions.

How do you monitor and troubleshoot a conditional access policy?

You can monitor and troubleshoot a conditional access policy using the Sign-ins activity report in the Azure portal. The report shows the activity status, user details, conditional access policy names, and other information which can be helpful for troubleshooting.

Can conditional access policy “OR” and “AND” conditions be used together in one policy?

No, you cannot use both “OR” and “AND” together in the same policy. A policy can have multiple “AND” statements but having an “OR” in the mix is not supported.

What is a common use case for conditional access policies?

A common use case for conditional access policies is to require multi-factor authentication for users when they access a specific application from outside the corporate network.

Which cloud applications can you protect with a conditional access policy?

You protect any cloud application that is integrated with Azure Active Directory, including SaaS apps, custom apps you’ve built, and on-premises apps published via the Azure AD Application Proxy.

Can conditional access policies apply to all users?

Yes, conditional access policies can apply to all users, but an administrator can also specify a subset of users or exclude some users from a certain policy.

What are the report-only policies in Conditional Access?

Report-only policies are a tool in Conditional Access that allows administrators to evaluate the impact of new or updated Conditional Access policies before they are applied to their environment in production.

How does conditional access aid in achieving Zero Trust model?

Conditional Access aids in achieving the Zero Trust model by verifying every request as if it originates from an open network. It proves explicitly the users’ or systems’ identities, assesses devices and applications, and protects data irrespective of location.