Organizations today prefer cloud-based models over traditional, maintenance-heavy on-premises infrastructure. With cloud computing, it has become harder to control who can reach the corporate documents and data that a business depends on. Formerly, IT teams kept all corporate data and documents behind a corporate firewall and granted access only to authorized users and devices on the network. Now that organizations are embracing Bring Your Own Device (BYOD) policies, conditional access is the most practical way to decide whether a user's device should be granted access.
What is conditional access?
Conditional access is a set of IT admin policies that control which devices have access to corporate data, business email, and other resources. It is a feature of Microsoft Azure AD that grants access only to users and devices that satisfy the configured policies. It works with the Office 365 suite of applications and with SaaS products, such as mobile device management (MDM) solutions, that integrate with Azure Active Directory (AD).
A conditional access system makes it possible to define the conditions under which security controls apply, which makes it a good fit for BYOD deployments. In a BYOD setup, corporate data sits on employees’ personal devices and can be compromised if those devices are not enrolled in an MDM. An MDM solution integrated with Azure AD lets IT admins define conditional access policies that safeguard corporate data and use identity protection to prevent unauthorized access to business email. Blocking email access for Exchange Online in turn blocks access to corporate drives, files, and folders.
Need and benefits of conditional access
At present, devices used for corporate work are either company-owned (COPE) or employee-owned (BYOD). Controlling devices one by one to safeguard corporate data is cumbersome and labor-intensive for IT admins. An MDM integrated with Office 365 for conditional access makes the task easier by requiring users to enroll their devices in the organization's MDM software. Devices that are not enrolled do not qualify under conditional access, and their users are restricted from accessing business email and data.
Passwords alone are no longer sufficient protection against unauthorized access and the attack techniques that pose the greatest risk to digital data. According to research, about 81% of cyberattacks happen because of weak or stolen passwords. Devices protected only by a password lack an additional layer of security; conditional access provides that layer and raises the security posture of the entire organization.
Conditional access is the best way for organizations to manage their security controls, simply by enforcing policies through an MDM. It simplifies the work of the IT team by automating access decisions and thus strengthens the organization's security mechanisms. Following are some of its benefits:
A. Conditional access enhances system security by incorporating factors like tracking the login location or checking device identity.
B. It protects data on devices by restricting access when certain conditions are not met. For example, a user's access would be blocked if the device tries to reach information from outside the geographical area the IT admin has predefined as a security parameter.
C. IT admins can set a line of defense to access certain data. For instance, data pertaining to a particular role can be accessed by only role-specific employees. IT admins can also set restrictions on the download of apps and documents to only authorized sources.
D. Protection policies like two-factor authentication (2FA) or multi-factor authentication (MFA) can be set to give a higher level of visibility and control over access.
E. Notifications on conditional access policy can help in observing unusual patterns of activities and contribute to risk reduction.
F. Control over access also improves device compliance with the set security policies of the organization.
G. It adds an extra buffer of safety to corporate information and ensures that only authorized devices can access data and apps.
Key must-haves in conditional access policies
Three critical elements go into activating conditional access: assignments, access controls, and policy enablement.
Assignments define what must be true for the policy settings to kick in. They break down into the three areas below:
- Users and groups: specifies who the policy includes or excludes. The policy may apply to all users, to individual users, or to groups of users.
- Cloud apps or actions: specifies which apps within your cloud environment, or which user actions, the policy includes or excludes. For example, different policies can apply to users accessing Office 365 and to users accessing other apps.
- Conditions: the signals that must be present for access to be granted. These may include device location, network, device OS, and identity authentication, giving increased visibility and control.
Access controls decide what happens once the assignments are met. One option is simply to block access, for example when highly sensitive apps and data are requested from suspicious locations. At other times you will want to identify risky sign-in behavior and grant access only after multi-factor authentication (MFA), which reduces the number of non-compliant devices that get through.
Policy enablement is the final element. It is important to be clear on the desired outcome before putting policies into operation. Policies can be complex and fine-grained, and their effect on a single device can differ from what you expect. Testing a policy before deploying it shows whether it delivers the results you expect. Policy enablement lets you test a policy and collect access-related insights and reports to gauge the impact of new policies. Once it passes the test, the administrator manually enables the policy to make it active, or otherwise switches it off.
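The three elements above (assignments, one access control, and an enablement state) can be modeled as a small policy evaluator. This is an added example written for this article, not Scalefusion's or Azure AD's code: the field names are a simplified, hypothetical model rather than the real Azure AD policy schema, and the sample policies at the bottom are constructed to mirror the scenarios in the text, including a report-only policy that records what it would have done without enforcing it.

```python
from dataclasses import dataclass, field
from typing import List, Set
@dataclass
class SignIn:               # the sign-in "signals": who, which app, from where, on what
    user: str
    groups: Set[str]
    app: str
    location: str
    device_enrolled: bool   # enrolled in the MDM, i.e. a compliant device
    mfa_done: bool
@dataclass
class Policy:               # hypothetical simplified model, not the Azure AD schema
    name: str
    include_groups: Set[str] = field(default_factory=set)   # empty = all users
    exclude_users: Set[str] = field(default_factory=set)
    apps: Set[str] = field(default_factory=set)             # empty = all apps
    locations: Set[str] = field(default_factory=set)        # empty = any location
    control: str = "block"  # "block" | "require_mfa" | "require_enrolled"
    state: str = "enabled"  # "enabled" | "report_only" | "disabled"

    def applies(self, s: SignIn) -> bool:
        """Assignments: is this sign-in inside the policy's scope?"""
        return (s.user not in self.exclude_users
                and (not self.include_groups or bool(s.groups & self.include_groups))
                and (not self.apps or s.app in self.apps)
                and (not self.locations or s.location in self.locations))

    def satisfied(self, s: SignIn) -> bool:
        """Access control: 'block' never passes; the others check one signal."""
        return {"block": False, "require_mfa": s.mfa_done,
                "require_enrolled": s.device_enrolled}[self.control]

def evaluate(policies: List[Policy], s: SignIn) -> dict:
    """Deny when any enabled policy applies and is not satisfied; report-only
    policies (the article's test stage) only record what they would have done."""
    out = {"decision": "allow", "enforced_by": [], "would_deny": []}
    for p in policies:
        if p.state == "disabled" or not p.applies(s) or p.satisfied(s):
            continue
        if p.state == "report_only":
            out["would_deny"].append(p.name)
        else:
            out["decision"] = "deny"
            out["enforced_by"].append(p.name)
    return out

# Constructed sample policies: mail only from an enrolled device, MFA from untrusted
# locations (with a break-glass exclusion), and a report-only block for finance data.
POLICIES = [
    Policy("Mail needs enrolled device", apps={"Exchange Online"}, control="require_enrolled"),
    Policy("MFA off-network", locations={"untrusted"}, control="require_mfa", exclude_users={"break-glass"}),
    Policy("Finance data only on-network", include_groups={"finance"}, apps={"FinanceApp"}, locations={"untrusted"}, state="report_only"),
]
```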
Deploying conditional access for Azure AD on Scalefusion
Scalefusion offers the following configurations to set up conditional access for Azure AD (Office 365):
Step 1: Default Global Access Policy
IT admins can quarantine all new users by default and restrict access to email via Office 365 unless the user enrolls the device in Scalefusion. Once the user enrolls the device with Scalefusion, the conditions set by the IT admin must be met before the device is granted access.
Step 2: Grace Period
Scalefusion provides a grace period of 15 to 30 days for all existing and new users to enroll their devices, qualify for access management, and be released from quarantine mode.
Step 3: Target Users
IT admins can import the entire employee list from Azure AD as the target of the conditional access policy; these users get access to corporate email and data only once they enroll with Scalefusion.
Step 4: Reminder Email Templates
IT admins can customize email content and set the frequency of sending reminders for enrollment of devices from the Scalefusion dashboard.
Step 5: Review and Send policies
Policies can be complicated, and one cannot be sure of a policy's effect until it has been tested and a report is available. Scalefusion provides a consolidated summary of the configured policies that IT admins can review before sending them to the devices that qualify for conditional access.
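The rollout described in Steps 1 to 5 (default quarantine, a 15 to 30 day grace period, a target user list, reminder emails, and a review report) can be simulated to check what each user would experience on a given day before the policy is sent out. This is an added example, not Scalefusion's product code or API: the function names, the 7-day reminder cadence, and the user list are assumptions constructed for illustration.

```python
from datetime import date, timedelta
from typing import Dict, List, Optional

def grace_days_valid(days: int) -> int:
    """The article states a 15 to 30 day grace window; reject anything else."""
    if not 15 <= days <= 30:
        raise ValueError("grace period must be between 15 and 30 days")
    return days

def mail_access(enrolled: bool, policy_start: date, today: date, grace_days: int) -> str:
    """Default global access policy: 'allowed' once the device is enrolled,
    'grace' while unenrolled inside the window, 'quarantined' after it ends."""
    grace_days_valid(grace_days)
    if enrolled:
        return "allowed"
    quarantine_from = policy_start + timedelta(days=grace_days)
    return "grace" if today < quarantine_from else "quarantined"

def reminder_dates(policy_start: date, grace_days: int, every_days: int = 7) -> List[date]:
    """Reminder email schedule for an unenrolled user: one email every
    `every_days` days (assumed cadence) until the day quarantine begins."""
    end = policy_start + timedelta(days=grace_days_valid(grace_days))
    out, d = [], policy_start
    while d < end:
        out.append(d)
        d += timedelta(days=every_days)
    return out

def rollout_report(users: Dict[str, Optional[date]], policy_start: date,
                   today: date, grace_days: int) -> Dict[str, str]:
    """Review step: `users` maps each imported Azure AD user to the date the
    device was enrolled (None if never). Enrollment after `today` does not count."""
    return {u: mail_access(d is not None and d <= today, policy_start, today, grace_days)
            for u, d in users.items()}

# Constructed sample rollout: policy starts 1 Jan 2024 with a 30-day grace period.
POLICY_START = date(2024, 1, 1)
TARGET_USERS: Dict[str, Optional[date]] = {
    "alice": date(2024, 1, 5),   # enrolled inside the grace window
    "bob": None,                 # never enrolled
    "carol": date(2024, 2, 10),  # enrolls only after quarantine has begun
}
```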
Scalefusion conditional access with Azure AD is valuable to organizations because it enforces an extra layer of security through strict limits on access. Every organization needs to deploy the right policies so that business data stays safe at all times, on an automated basis and without much manual handling. When effective security practices are adopted, an organization's risk from cyberattacks falls and its systems run smoothly.
You can implement the Scalefusion Azure AD conditional access policy today and ensure authorized access to your business email and data. Try the Scalefusion 14-day trial to learn more.