This article is primarily targeted at Czech state institutions and is based on recommendations of the Czech authority. However,...
Conditional Access for Microsoft cloud servicesLukas Beran
Conditional access is a very powerful tool for increasing security of your cloud services. However, full conditional access is only available with Azure AD Premium licenses. With Office 365 licenses, you get only the basic preconfigured settings that you can’t change.
What is Azure AD Conditional Access
Azure AD Conditional Access is a definition of conditions for accessing various cloud services or applications. For example, you can define that a user must be authenticated via Multi-Factor Authentication (MFA) to access Exchange Online, or use a company computer to access it. Or, for example, to access privileged accounts, you will always require a company device and access will be allowed only from the Czech Republic.
You can have any number of defined conditions. Conditions can be very detailed and granular, so you can have conditions for different cloud services or applications and define different conditions and conditions for different users or groups. Conditional access policies may also overlap, so there may be several conditional access policies for one condition to be evaluated. For example, the above privileged user condition, which we would probably define through two policies, one requiring a company computer and the other requiring access from the Czech Republic.
Conditional access policies can also target different protocols. For example, you can use them to disable Exchange ActiveSync. Or they can target different applications, for example, allowing access to Exchange Online via a web browser from anywhere (with MFA), but allowing access to Exchange Online from Outlook only from company computers.
Evaluation of Conditional Access policies in Azure AD
In general, if multiple conditional access policies are applied for a given situation, then all requirements must be met to allow access. So if one policy says that the user must use MFA and the other policy says that the user must use a company device, then the user must use a company device and simultaneously authenticate via MFA. In other words, there is a logical AND between all conditional access policies.
Second basic rule is that if any policy is evaluated to block access, then other policies are no longer evaluated and access is blocked regardless of other policies.
It is also important to know that conditional access policies are evaluated only after the initial user authentication (first-factor authentication), typically by entering a user name and password. Conditional access policies therefore do not serve as protection against DDoS attacks for example. In case of unsuccessful initial user authentication, policies are not evaluated at all.
How to test and evaluate Azure AD Conditional Access policies
Conditional access policy behavior can be tested by simulating a particular state. This is done by the What If button on the Conditional Access Policies main page.
As part of this testing, you can simulate different situations and see how policies actually behave.