Establishing and managing Conditional Access Policies in MS-100
Establishing and managing Conditional Access Policies is one of the significant topics one needs to master for the MS-100 Microsoft 365 Identity and Services exam. Conditional Access policies are essentially rules implemented within an organization to control access to its resources.
Now, let’s take a detailed dive into Conditional Access Policies in MS-100: Microsoft 365 Identity and Services.
1. Understanding Conditional Access Policies
Conditional Access Policies can be explained as the “IF-THEN” statements for enforcing access controls. For instance, if a user wishes to access a certain resource, then they will need to fulfill some stipulated conditions. These conditions can range from multi-factor authentication to geographical location conditions.
2. Implementing Conditional Access Policies
It’s fairly straightforward to set up Conditional Access Policies in Azure AD. Here are the steps to do this.
- Sign into the Azure portal and choose Azure Active Directory.
- Go to Security, then Conditional Access.
- Click on New Policy and set your rules.
However, keep in mind that these policies should be planned before you start to implement or change them. A wrong policy could lock out the entire user base from the resources they require.
3. Managing Conditional Access Policies
Part of understanding Conditional Access Policies is knowing how to manage and fine-tune them. During the management of these policies, important factors to consider include assessing the usability versus security needs of your organization and the ability to monitor and report on the effectiveness of the rules in place.
In the Azure AD portal, you can enable or disable, edit, duplicate or delete the policies you’ve set up. It’s also critical to have a working grasp of how policies apply in the case of overlapping or conflicting access policies. Azure AD uses a “strictest wins” approach in such scenarios.
Examples of Conditional Access Policies:
Below are two examples of Conditional Access Policies that you might implement in an organization:
- Requiring multi-factor authentication for privileged accounts: This policy could specify that IF a user with admin rights attempts to sign in, THEN multi-factor authentication must be used.
- Limiting access to specific locations: In this example, the policy might state that IF a user is signing in from a location other than the corporate office, THEN they are not allowed to access the organization’s resources.
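To make the two examples concrete, here is an added example (not code from the original article) that writes both policies in the shape of the Microsoft Graph conditionalAccessPolicy resource and adds a small evaluator modelling how Azure AD combines matching policies: exclusions beat inclusions, every enforced policy that matches contributes its controls, a block from any of them wins, and report-only policies are recorded but never enforced. The user names, the "Corporate office" named location and the break-glass account are assumptions constructed for the example.

```python
# Constructed example: two Conditional Access policies in the shape of the Microsoft Graph
# conditionalAccessPolicy resource, plus a small evaluator that models how Azure AD combines them.
POLICIES = [
    {   # Example 1: privileged roles must satisfy MFA; break-glass account excluded
        "displayName": "Require MFA for privileged roles", "state": "enabled",
        "conditions": {
            "users": {"includeRoles": ["Global Administrator"],
                      "excludeUsers": ["breakglass@contoso.example"]},  # placeholder account
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": ["All"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # Example 2: block everything outside the office, rolled out in report-only mode first
        "displayName": "Block access outside corporate office",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": ["All"], "excludeLocations": ["Corporate office"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]

def in_scope(policy, signin):
    # Does the sign-in match the policy's user/role assignment, its app and its location?
    c, users = policy["conditions"], policy["conditions"]["users"]
    if signin["user"] in users.get("excludeUsers", []):
        return False  # an exclusion always beats an inclusion
    targeted = ("All" in users.get("includeUsers", [])
                or signin["user"] in users.get("includeUsers", [])
                or bool(set(signin.get("roles", [])) & set(users.get("includeRoles", []))))
    loc = c.get("locations", {"includeLocations": ["All"]})
    in_loc = (("All" in loc["includeLocations"] or signin["location"] in loc["includeLocations"])
              and signin["location"] not in loc.get("excludeLocations", []))
    apps = c["applications"]["includeApplications"]
    return targeted and in_loc and ("All" in apps or signin["app"] in apps)

def evaluate(signin, policies=POLICIES):
    # Returns (decision, grant controls the user must satisfy, report-only policies that matched).
    controls, report_only = set(), []
    for p in policies:
        if p["state"] == "disabled" or not in_scope(p, signin):
            continue
        if p["state"] == "enabledForReportingButNotEnforced":
            report_only.append(p["displayName"])  # logged for review, never enforced
            continue
        controls |= set(p["grantControls"]["builtInControls"])
    # Every matching enforced policy applies, and a block from any one of them wins.
    decision = "block" if "block" in controls else "grant"
    return decision, sorted(controls - {"block"}), report_only
```

Flipping the second policy's state to "enabled" turns the admin's home sign-in from "grant with MFA" into "block", which is exactly the lock-out the planning step warns about and the reason to start in report-only mode.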
In conclusion, understanding and managing Conditional Access Policies can seem quite overwhelming, but once you get a grasp of the basics, it becomes a powerful tool in your Microsoft 365 arsenal. It offers a good balance between convenience and security — ensuring that the right people have the right access to the right resources, in the most convenient way possible.
As you prepare for the MS-100 Microsoft 365 Identity and Services exam, remember to have a good grasp of implementing and managing Conditional Access Policies, as this is a crucial component of the examination. Happy studying!
Practice Test
Conditional Access is only available with Azure AD Premium P1 and P2.
- A. True
- B. False
Answer: B. False
Explanation: While some features are only available in Azure AD Premium P2, the basic version of Conditional Access is included in Azure AD Premium P1.
Which of the following conditions can you specify on Conditional Access Policy in Azure AD?
- A. Sign-in risk
- B. User risk
- C. Device platform
- D. Location
Answer: A. Sign-in risk, B. User risk, C. Device platform, D. Location
Explanation: Conditional Access in Azure AD allows you to specify conditions based on sign-in risk, user risk, device platform, and location.
In Microsoft 365, which of the following are ways to implement Conditional Access Policies?
- A. User and group assignment
- B. Cloud apps or actions
- C. Conditions
- D. Grant
- E. Session
Answer: A. User and group assignment, B. Cloud apps or actions, C. Conditions, D. Grant, E. Session
Explanation: All of these methods can be used to implement Conditional Access Policies, to control who has access to what data.
Conditional Access policies will always block access to apps.
- A. True
- B. False
Answer: B. False
Explanation: Conditional Access policies don’t block access to apps; they enforce security properties that need to be met.
Conditional Access compliant devices can be included as a named location.
- A. True
- B. False
Answer: A. True
Explanation: A location can include IP address ranges, countries/regions, or Conditional Access compliant devices.
The ‘Report-only’ mode of the Azure AD Conditional Access feature, unlike production mode, works simultaneously on all policies.
- A. True
- B. False
Answer: A. True
Explanation: ‘Report-only’ mode gives insight into how Conditional Access policies might impact users without enforcing policies.
Which condition in Conditional Access checks for the presence of devices’ credentials in the on-premises Active Directory of your organization?
- A. Device State
- B. Device Platform
- C. Device Risk
- D. Hybrid Azure AD joined
Answer: D. Hybrid Azure AD joined
Explanation: The ‘Hybrid Azure AD joined’ condition checks for the presence of device credentials in the on-premises Active Directory (AD).
Conditional Access cannot enforce multi-factor authentication.
- A. True
- B. False
Answer: B. False
Explanation: One of the primary scenarios for Conditional Access is to enforce multi-factor authentication (MFA) when needed.
Who can manage Conditional Access in an organization?
- A. Global Administrator
- B. Conditional Access Administrator
- C. Security Administrator
- D. All of the above
Answer: D. All of the above
Explanation: All these roles including Global Administrator, Conditional Access Administrator, and Security Administrator can manage Conditional Access.
Conditional Access only applies to Microsoft Cloud applications.
- A. True
- B. False
Answer: B. False
Explanation: Conditional Access can be applied not only to Microsoft Cloud applications but also to various third-party applications that you use within your organization.
Interview Questions
What is Conditional Access in Microsoft 365?
Conditional Access is a capability of Microsoft 365 that enables you to implement automated access control decisions for accessing your cloud apps, based on conditions.
Which service do you need to configure Conditional Access policies?
Conditional Access policies are configured through the Azure Active Directory (Azure AD) service.
Can you implement a Conditional Access policy without an Azure AD Premium license?
No, you need to have an Azure AD Premium P1 or P2 license to implement a Conditional Access policy.
What are some of the conditions that can be used in a Conditional Access policy?
Conditions in a Conditional Access policy can include user risk, sign-in risk, device platform, location, client app, and device state.
What types of access controls can be enforced in a Conditional Access policy?
Types of access controls in a Conditional Access policy can include block access, grant access, and session controls.
What is the purpose of named locations in Conditional Access policies?
Named locations in Conditional Access policies help identify trusted IP address ranges or countries/regions, or make use of the location of your ExpressRoute, for defining access controls.
Can you apply multiple Conditional Access policies to a single user or user group?
Yes, multiple Conditional Access policies can apply to a single user or user group. Azure AD evaluates each policy and enforces all the resulting access controls.
Can you exclude certain users or user groups from a Conditional Access policy?
Yes, you can exclude certain users or groups from a Conditional Access policy. This is often done for emergency access or break-glass accounts.
What is the “Report-only mode” in Conditional Access policy?
The “Report-only mode” allows admins to evaluate the impact of Conditional Access policies before they go live. It previews the users and sign-ins that would be impacted by the policy.
Can Conditional Access policies apply to both cloud-based and on-premises applications?
Yes, Conditional Access policies can apply both to Azure AD-connected cloud apps and to your on-premises applications that are connected to Azure AD through Application Proxy or certain third-party integrated applications.
What is the role of ‘Sign-in risk policy’ in Conditional Access?
The ‘Sign-in risk policy’ is a type of Conditional Access policy that helps to protect against suspicious sign-in activities.
Can you create a Conditional Access policy with Azure AD Free edition?
No, you can’t create a Conditional Access policy with Azure AD Free edition. It requires an Azure AD Premium P1 or P2 license.
Can you simulate the impact of Conditional Access policies without affecting the users?
Yes, Microsoft offers the ‘What If’ tool to simulate Conditional Access policies without impacting the users.
Which Microsoft 365 role is required to manage Conditional Access policies?
The Global Administrator or Security Administrator role is required to manage Conditional Access policies.
Is configuring a Conditional Access policy enough to enforce it?
No, after configuring a Conditional Access policy, it must be enabled and its state set to “On” for it to actively enforce the policy. It may also need to be assigned to a user or group for it to be in effect.