Conditional Access Policies are an essential aspect of the MS-100 Microsoft 365 Identity and Services exam. These policies allow administrators to control access to cloud apps based on specified conditions. With these policies in place, enterprises can ensure comprehensive protection of their resources.
To get started with conditional access policies, you first need to understand what they are and why they’re important.
Understanding Conditional Access Policies
It is worth noting that Conditional Access is not a simple security gate but rather a gatekeeper: based on the conditions you set, an automated decision is made at sign-in to either allow or deny access. While security is usually discussed in terms of a full block or a full allow, Conditional Access provides a third option: limited access, subject to further requirements or restrictions.
The configuration of a conditional access policy contains three major components:
- Assignments: These include users and cloud apps to apply the policy to.
- Conditions: These outline when the policy is applied. For example, device state, sign-in risk, client apps, etc.
- Access controls: These specify what to do once the policy is applied.
Next, it is important to understand the different kinds of conditions and access controls you would use.
Key Conditions and Controls
- User or Group: This condition allows policy assignment to specific users or groups. For instance, a high-privilege group might necessitate stricter policies.
- Cloud apps or Actions: The policy can be applied to certain cloud applications or user actions like registration.
- Conditions: Contextual conditions include sign-ins from specific devices, locations, IP addresses, or client apps.
- Session Control: Allows administrators to use app-enforced restrictions, customized terms of use, or persistent browser sessions.
Creating a Conditional Access Policy
To create a Conditional Access policy, follow these steps:
- Open the Azure portal and navigate to ‘Azure Active Directory’.
- Choose ‘Security’ and then ‘Conditional Access’.
- Click ‘New Policy’ and specify your ‘Assignments’, ‘Conditions’, and ‘Access controls’.
- After reviewing, click on ‘Enable policy’ and then ‘Create’.
For demonstration, let’s consider creating a policy for members of the ‘Marketing’ group accessing the ‘Salesforce’ app from any location except trusted locations. Here are the necessary configurations:
Assignments
- Users and groups: Marketing
- Cloud apps or actions: Salesforce
Conditions
- Locations: Any location (Include), Trusted locations (Exclude)
Access Controls
- Grant: Grant access, Require multi-factor authentication
This will force users in the ‘Marketing’ group to authenticate using MFA when accessing Salesforce from any location except trusted ones.
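The same policy expressed as a Microsoft Graph-style conditionalAccessPolicy body, together with a small local model of how assignments, conditions and exclusions scope a sign-in and how several policies aggregate (every enabled in-scope policy must be satisfied; report-only policies are only recorded). This is an added illustration, not Microsoft's evaluation engine or code from the original page; the group and app object IDs are constructed placeholders.

```python
# Added illustration (not Microsoft's engine): Graph-style body for the policy
# above plus a local model of CA scoping; the two IDs are constructed placeholders.
from collections import namedtuple
MARKETING_GROUP_ID = "11111111-1111-1111-1111-111111111111"  # placeholder
SALESFORCE_APP_ID = "22222222-2222-2222-2222-222222222222"   # placeholder
# Field names follow the Microsoft Graph conditionalAccessPolicy resource.
MFA_OUTSIDE_TRUSTED = {
    "displayName": "Marketing: MFA for Salesforce outside trusted locations",
    "state": "enabled",
    "conditions": {
        "users": {"includeGroups": [MARKETING_GROUP_ID], "excludeUsers": []},
        "applications": {"includeApplications": [SALESFORCE_APP_ID]},
        "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}
# Same conditions but for all users and in report-only mode: logged, never enforced.
REPORT_ONLY_BLOCK = {
    **MFA_OUTSIDE_TRUSTED,
    "displayName": "Report-only: block Salesforce outside trusted locations",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {**MFA_OUTSIDE_TRUSTED["conditions"], "users": {"includeUsers": ["All"]}},
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}
SignIn = namedtuple("SignIn", "user_id groups app_id trusted_location")

def in_scope(policy, s):
    """Assignments and conditions; an exclusion always beats an inclusion."""
    c = policy["conditions"]
    users, apps, loc = c["users"], c["applications"], c.get("locations")
    if s.user_id in users.get("excludeUsers", []):
        return False
    user_hit = "All" in users.get("includeUsers", []) or bool(set(s.groups) & set(users.get("includeGroups", [])))
    app_hit = "All" in apps["includeApplications"] or s.app_id in apps["includeApplications"]
    if loc:  # only "All"/"AllTrusted" modelled here; named-location ids are not
        if "All" not in loc["includeLocations"]:
            return False
        if s.trusted_location and "AllTrusted" in loc.get("excludeLocations", []):
            return False
    return user_hit and app_hit

def evaluate(policies, s):
    """Every enabled, in-scope policy must be satisfied; report-only ones only get recorded."""
    result = {"enforced": [], "report_only": []}
    for p in policies:
        if p["state"] == "disabled" or not in_scope(p, s):
            continue
        bucket = "enforced" if p["state"] == "enabled" else "report_only"
        result[bucket].append((p["displayName"], tuple(p["grantControls"]["builtInControls"])))
    return result
```

Running `evaluate([MFA_OUTSIDE_TRUSTED, REPORT_ONLY_BLOCK], sign_in)` for a Marketing member reaching Salesforce from an untrusted network yields an enforced MFA requirement plus a report-only block entry, while the same sign-in from a trusted location matches nothing.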
Finally, planning Conditional Access can be a complex endeavor, especially in larger organizations. Here is a recommended four-step approach:
- Define: Identify the users and apps that require protection.
- Create: Design and develop Conditional Access policies based on these identifications.
- Rollout: Gradually roll out the policies, closely monitoring for any unintended disruptions.
- Review & Improve: Regularly evaluate and refine the policies for continuous enhancement.
In summary, understanding, creating, and managing conditional access policies is an essential skill when preparing for the MS-100 Microsoft 365 Identity and Services exam. With the right approach and diligent practice, you’ll master this important aspect in no time.
Practice Test
True or False: Conditional Access policies at their simplest are if-then statements. If a user wants to access a resource, then they must complete an action.
- True
- False
Answer: True
Explanation: Yes, at a fundamental level, conditional access policies act as if-then statements, where if a user wants to access a resource, they must complete an action (like multi-factor authentication).
Conditional Access is built into the ________.
- a) Microsoft 365 Business Suite
- b) Microsoft 365 Enterprise Suite
- c) Microsoft Office Suite
- d) A and B
Answer: D
Explanation: Conditional Access is built into both the Microsoft 365 Business and Enterprise suite, securing your company’s resources and data.
True or False: Every Microsoft 365 admin can manage the Conditional Access policies.
- True
- False
Answer: False
Explanation: Not every admin can manage Conditional Access policies; only users with an Azure AD Premium P1 or P2 license can manage them.
A Conditional Access policy is in what state when first created?
- a) Set
- b) Enabled
- c) Disabled
- d) Active
Answer: C
Explanation: When you first create a Conditional Access policy, it is in a disabled state. You must enable it for it to begin working.
True or False: You can’t use groups to target Conditional Access policies.
- True
- False
Answer: False
Explanation: You can indeed use groups to target Conditional Access policies, allowing certain users to be subjected to specific conditions.
Ensuring only users with compliant devices can access resources is achieved through ________.
- a) End-user quarantine
- b) Device compliance policy
- c) Resource permission policy
- d) Safety-net policy
Answer: B
Explanation: Device compliance policy is used to ensure only users with compliant devices can access resources, enhancing the security of business data.
True or False: Azure Multi-factor Authentication is the only option for accessing resources under Conditional Access.
- True
- False
Answer: False
Explanation: Azure Multi-factor Authentication is not the only option; other options can be enforced under Conditional Access such as requiring devices to be marked as compliant.
Which of the following could NOT be considered a condition under a Conditional Access policy?
- a) User assignment
- b) IP location information
- c) Sign-in risk
- d) Employee’s favorite color
Answer: D
Explanation: Conditional Access does not consider personal preferences such as an employee’s favorite color. It looks at facts like user assignments, sign-in risks, and location information.
True or False: You can create guest users in Azure AD to exempt them from Conditional Access policies.
- True
- False
Answer: True
Explanation: Guest users can be created and groups can be made of these users, who can then be exempted from Conditional Access policies.
The ‘What If’ tool in Conditional Access __________.
- a) Lets you preview the potential impacts of a policy
- b) Is for generating random policy scenarios
- c) Lets you make imaginary policies
- d) Does not exist
Answer: A
Explanation: The ‘What If’ tool is designed to let you preview the potential effects of a policy before applying it, helping admins avoid unintentionally restrictive policies.
Conditional Access policies are processed in which order?
- a) Ascending
- b) Descending
- c) Random
- d) Alphabetically
Answer: B
Explanation: Conditional Access policies are processed in descending order based on the priority set when they are created.
True or False: You can apply multiple Conditional Access policies to a user simultaneously.
- True
- False
Answer: True
Explanation: Multiple Conditional Access policies can be applied to a user at the same time; they are not mutually exclusive.
Before deleting a Conditional Access policy, it is recommended to ________.
- a) Enable it
- b) Report it
- c) Test it
- d) None of the above
Answer: D
Explanation: Before deleting a Conditional Access policy, it’s recommended to disable it and monitor its impact. Given all these points, option D is the most appropriate answer.
Single-select: Which role is NOT necessary to configure and manage Conditional Access policies?
- a) Security Reader
- b) Conditional Access Administrator
- c) Global Administrator
- d) Security Administrator
Answer: A
Explanation: The Security Reader role doesn’t have sufficient privileges to configure and manage Conditional Access policies.
True or False: Conditional Access policies can only be enforced after the user has logged in.
- True
- False
Answer: True
Explanation: Conditional Access policies are enforced after the first-factor authentication has been completed, i.e., after the user has logged in. The policies can restrict or limit actions after this according to the policy conditions.
Interview Questions
What is the basic purpose of Conditional Access in Microsoft 365?
Conditional Access in Microsoft 365 is used to execute access controls for applications in your environment based on specific conditions.
Can you list some of the common conditions in Conditional Access policies?
Some common conditions include: User risk, Sign-in risk, Device platform, Locations, Client apps.
What are some of the responses that can be set by a conditional access policy when its conditions are met?
When conditions are met, a conditional access policy can either allow or block the request, challenge the request with multi-factor authentication, or enforce terms of use, among others.
What are named locations in Microsoft 365 and how are they used in conditional access policies?
Named locations in Microsoft 365 are either IP address ranges or Countries/Regions that you can use to specify a location condition in your conditional access policies.
Can you set multiple conditional access policies in Microsoft 365?
Yes, you can have many different conditional access policies and the final decision whether to grant access is done after evaluating all of them.
What is the role of user risk and sign-in risk conditions in conditional access policies?
The user risk condition helps detect suspicious actions by users, and the sign-in risk condition assesses the risk involved in a sign-in attempt. These conditions enhance security by allowing different responses based on the risk level.
How can you exclude specific users from a conditional access policy in Microsoft 365?
To exclude specific users, you need to add them to the “Exclude” tab in the “Users and Groups” section during the configuration of the conditional access policy.
When would you utilize the ‘Device State’ condition in a Conditional Access policy?
The ‘Device State’ condition is used when you want to include or exclude devices that are marked as compliant or hybrid Azure AD joined in your Conditional Access policy.
How would you restrict access to Microsoft 365 services based on network location?
This can be achieved by creating a conditional access policy with a location condition that specifies the required IP ranges. For the access controls, set the policy to block access.
What is the role of the ‘Client Apps’ condition in a Conditional Access policy?
The ‘Client Apps’ condition allows the Conditional Access policy to be applied only when attempts are made to access resources through specified client applications.
Can a user be subjected to more than one Conditional Access policy during a single resource access attempt?
Yes, during a single resource access attempt, multiple Conditional Access policies can be evaluated for a user’s session. The result is the aggregate of all the decisions from the evaluated policies.
How does the ‘Report-only mode’ in Conditional Access work?
‘Report-only mode’ in Conditional Access allows you to see the impact of your policy without it actually being enforced. This helps understand how the policy would affect your users before it goes live.
Can Conditional Access policies apply to all applications in your environment?
No, Conditional Access policies apply only to cloud apps. For on-premises applications, you will need to use Azure AD Application Proxy or a third-party secure web gateway.
How can Conditional Access help enforce Multi-Factor Authentication (MFA)?
You can create a conditional access policy that requires MFA as a control. Whenever the conditions of this policy are met (like access from unknown locations), MFA will be prompted.
What are some common signals that Conditional Access relies on to help protect resources?
Conditional Access uses signals like User/Group memberships, IP Locations, Device platform, Application sensitivity, Real-time and calculated risks, among other things, to help protect resources.