Conditional Access

For Microsoft 365

Conditional Access in Microsoft 365 is a security feature that lets an organization control access to its resources based on specific conditions. Before granting access it evaluates factors such as user identity, location, device compliance, the application being accessed, and sign-in risk. With Conditional Access policies an organization can enforce multi-factor authentication (MFA), block access from untrusted locations, restrict access to compliant devices, and tailor access requirements to different user roles. This protects against unauthorized access, reduces the risk of data breaches, and ensures that only the right users get the right level of access to corporate resources.

Problem

Microsoft 365 offers some fantastic benefits over traditional on-premise infrastructure: no costly infrastructure, no advanced IT knowledge required, a 100 GB mailbox, online meetings, document collaboration, 99.9% uptime, the flexibility to give users only the services they need, and anytime, anywhere access to email, documents, contacts and calendars on any device.

This blog will explore the last benefit – anytime and anywhere access to Office 365.

The “anytime and anywhere” promise means that we can all do our jobs from anywhere (coffee shop, pub, home) on any device we want to use. In reality, most companies do not work this way and do not want to work this way. For a lot of companies, Office 365 solves the problem of not requiring infrastructure, complicated Exchange deployments and HA/DR, because the data is now in the cloud and so is no longer the IT department’s problem.

The ‘Anytime and Anywhere Access to Office 365’ does, however, highlight the following security concerns for Office 365 deployed with ‘out of the box’ settings.

  • Office 365 can be accessed from anywhere – not just in the office, anywhere there is internet access.
  • Office 365 can be accessed from any device – not just corporate owned devices, any device (Personal Windows/Mac laptop, tablet, phone, any device with a browser or Outlook client installed).
  • Office 365 can be accessed by just a username and password.

From a data loss prevention point of view, this causes the following issues:

  • Emails can be cached offline and copied elsewhere on a home PC with Outlook.
  • Mail can be downloaded to mobile devices and copied to other locations.
  • OneDrive for Business can be synced offline to a home PC and all data copied elsewhere/shared.
  • SharePoint Online can be synced offline to a home PC and all data copied elsewhere/shared.
  • Multi-factor authentication is not turned on by default for Office 365; only a username and password are required to log in.

The old solution to these issues in on-premise environments was the VPN. A VPN controls who can and cannot connect to on-premise data. However, once we start moving data and resources into the cloud, we need different solutions to control access to our data.

Solution

Microsoft introduced Conditional Access to resolve this problem. Conditional Access allows administrators to control which Office 365 apps users can access, based on whether they pass or fail certain conditions.

Policy Conditions

The following conditions can be controlled by the policy:

  • Users/Groups – Which users do you want to control? Users can be included in or excluded from the policy as required. There will always be the person who is too important for the policy and wants to access everything from their personal iPad. Exclusions also let you test a policy on a pilot group before rolling it out to the wider business, avoiding locking everyone out.
  • Cloud Apps – Which apps do you want to control? Conditional Access does not need to apply to all of Office 365; you can be more granular and control access only to specific apps, e.g. Exchange Online.
  • Client App – Control which app or software the user connects to the data from, e.g. allow browsers but block the mobile and desktop Outlook apps.
  • Device Platform – Control which device platforms users can connect from, e.g. allow Windows and iOS but block Android phones.
  • Location – Control which IP addresses can connect to Office 365, e.g. limit access to the office’s external IP.
  • Sign-in Risk – Control sign-ins that Office 365/Azure considers unlikely to come from the genuine user, e.g. someone signing in from London and then from New York 30 minutes later.

When the conditions above are met, access to Office 365 can be granted subject to the following controls:

  • Require multi-factor authentication – The user is allowed in but must complete an additional verification step to log in, e.g.:
    • Phone call
    • Text message
    • Mobile app
  • Require device to be marked as compliant – The device must be Intune compliant, i.e. it must match the Intune compliance policies to be able to connect.
  • Require domain joined (Hybrid Azure AD) – The device must be Hybrid Azure AD joined. Mobile devices are Azure AD registered, and domain-joined machines are set to register automatically in Azure AD.
  • Require approved app – Access is granted only if the connection attempt was made by an approved client app. These apps support Mobile Application Management (MAM) policies, so administrators can wrap security around them (e.g. prevent copying and pasting information out of the app).

The majority of requests for lock down of Office 365 are as follows:

  • Can we lock down access to Office 365 to our company offices?
  • Can we lock down access to Office 365 to our corporate devices?
  • Can we provide additional security during login process – i.e., MFA?

The answer to these security questions is yes: Azure offers Conditional Access to lock down Office 365. However, as with most things in life, it will cost you a bit extra. For this additional service, each user will need an Azure AD Premium license which also comes bundled in Enterprise Mobility and Security Suite – nothing comes for free.

Policy 1 : Can we enforce Multifactor Authentication for users?

In this example, we have set up a policy to ensure users can only access Microsoft 365 if they have multi-factor authentication set up for their account.

1. Sign in to the Entra admin center:
– Go to https://entra.microsoft.com/
– Sign in with an account that has administrative privileges.

2. Navigate to Protection:
– In the left-hand menu, click on “Protection”.

3. Conditional Access:
– Under the Protection menu, select “Conditional Access”.

4. New Policy:
– Select “New policy from template”.

5. Secure Foundation:
– Select “Secure foundation” from the top menu.

6. Require multifactor authentication for all users:
– Select “Require multifactor authentication for all users” from the items below.

7. Adjust the policy state and save:
– Set the policy name as per your requirements, e.g. “CA01 – Require multifactor Authentication for all users”.

– Set the policy state based on your requirements:

  • off
  • on
  • report only

– Save the policy once you are happy with the settings.
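The same CA01 policy can be created outside the portal. The block below is an added example, not code from the original post, and uses Microsoft Graph PowerShell (the Microsoft.Graph.Identity.SignIns module) to build the policy body from the conditions and grant controls described in the Policy Conditions section: all users, all cloud apps, grant control “mfa”. It assumes the module is installed and that `$breakGlassUserId` is replaced with the object ID of your emergency-access account, which is excluded so the policy can never lock the administrator out. The policy starts in report-only mode, which is the “report only” state from step 7.

```powershell
# Added example (not from the original post): create the CA01 policy through
# Microsoft Graph PowerShell instead of the portal template.
# Assumes the Microsoft.Graph.Identity.SignIns module is installed.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

# Placeholder: object ID of your break-glass / emergency-access account.
$breakGlassUserId = "00000000-0000-0000-0000-000000000000"

$ca01 = @{
    displayName   = "CA01 - Require multifactor Authentication for all users"
    # Report-only first: the sign-in logs then show what the policy WOULD have
    # done to each sign-in without anyone actually being challenged or blocked.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassUserId)   # never lock out the emergency account
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")              # "Require multifactor authentication"
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $ca01
"Created '$($policy.DisplayName)' ($($policy.Id)) in state $($policy.State)"

# Once the report-only results look right, switch the same policy to enforced:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter @{ state = "enabled" }
```

The three portal states map to the Graph `state` values `disabled`, `enabled` and `enabledForReportingButNotEnforced`; keeping the body in a script makes it easy to review the exact users, apps and controls before a change and to recreate the policy identically in another tenant.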


Policy 2 : Can we restrict access to specific countries?

In this example, we have set up additional security to ensure users can only access Microsoft 365 from their own country, and to block access from all other countries.

1. Sign in to the Entra admin center:
– Go to https://entra.microsoft.com/
– Sign in with an account that has administrative privileges.

2. Navigate to Protection:
– In the left-hand menu, click on “Protection”.

3. Conditional Access:
– Under the Protection menu, select “Conditional Access”.

4. Named Locations:
– Once in the Conditional Access main menu, select “Named locations”.

5. Navigate to Countries location:
– In the top menu, click on “Countries location”.

6. Country Selection:
– Enter the name “Approved Countries”.
– In the right-hand menu, select the countries where your offices are located.

7. Save Selection:
– Save your selection by selecting “Create”.

8. Create policy:
– Select “New policy” from the top menu.

9. Name Policy:
– Set the name of the policy, e.g. “CA02 – Block Access from Other Countries”.

10. Users to affect:
– In the “Users” menu, set the Include sub-menu to “All users”.

11. Exclude admin account:
– To ensure you are never locked out of your Microsoft 365 tenant, select the “Exclude” sub-menu and then select your administrator account.

12. Client Apps:
– Select “Client apps”.
– Set Configure to “Yes”.
– De-select “Exchange ActiveSync clients” and “Other clients”.

13. Set Filter for devices:
– Select the “Filter for devices” menu.
– Select “Yes” under Configure on the right-hand side.
– Select “Exclude filtered devices from policy” under Configure.
– Set Property to “IsCompliant”, Operator to “Equals” and Value to “True”.
– Then select Done.

14. Block Access:
– Select the “Grant” menu item on the left-hand side.
– Select “Block access” on the right-hand side.
– Set “Enable policy” to “On”.
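The following block is an added example, not code from the original post: it builds the “Approved Countries” named location and the CA02 block policy described above with Microsoft Graph PowerShell. It also attaches the named location to the policy’s Locations condition (include any location, exclude Approved Countries), which is what makes the block country-specific. It assumes `Connect-MgGraph` has already been run with the `Policy.ReadWrite.ConditionalAccess` scope; the country codes and the admin object ID are placeholders to replace with your own, and the device filter rule uses the same IsCompliant/Equals/True expression as step 13.

```powershell
# Added example (not from the original post): Policy 2 via Microsoft Graph PowerShell.
# Assumes Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess" has been run.

$adminUserId     = "00000000-0000-0000-0000-000000000000"   # placeholder: your admin account's object ID
$officeCountries = @("GB", "IE")                             # placeholder: ISO 3166-1 alpha-2 codes of your office countries

# Steps 4-7: the countries named location.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Approved Countries"
    countriesAndRegions               = $officeCountries
    # Sign-ins whose country cannot be resolved are NOT treated as approved,
    # so they fall into the blocked "other countries" set.
    includeUnknownCountriesAndRegions = $false
}

# Steps 8-14: block everything that is not in the named location, except
# Intune-compliant devices, and never the admin account.
$ca02 = @{
    displayName   = "CA02 - Block Access from Other Countries"
    state         = "enabledForReportingButNotEnforced"   # check the sign-in logs before changing to "enabled"
    conditions    = @{
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($adminUserId)                 # step 11: never lock yourself out
        }
        applications   = @{ includeApplications = @("All") }
        # Step 12: browsers and modern clients only; Exchange ActiveSync and "Other" de-selected.
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
        # Step 13: compliant devices are excluded from the block.
        devices        = @{
            deviceFilter = @{
                mode = "exclude"
                rule = 'device.isCompliant -eq True'
            }
        }
        # Any location except the approved countries.
        locations      = @{
            includeLocations = @("All")
            excludeLocations = @($location.Id)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")                          # step 14: "Block access"
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $ca02
"Created '$($policy.DisplayName)' excluding named location '$($location.DisplayName)' ($($location.Id))"
```

Note that de-selecting Exchange ActiveSync and “Other clients” means legacy-protocol sign-ins are not covered by this policy at all; the separate “Block Legacy Authentication” policy later in this page is what closes that gap.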

The same kind of country restriction can also be configured from the older Azure portal (Azure Active Directory blade). The following example allows access only from Australia.

1. Sign in to the Azure Portal

  • Navigate to the Azure Portal and sign in with your admin credentials.

2. Go to Azure Active Directory

  • In the left-hand navigation pane, click Azure Active Directory.

3. Access Security Settings

  • Under the Manage section, click on Security, and then select Conditional Access from the options listed.

4. Create a New Conditional Access Policy

  • Click the + New Policy button at the top of the page.

5. Name the Policy

  • In the Name field, give the policy a meaningful name, such as “Restrict Access to Australia.”

6. Select Users or Groups to Apply the Policy

  • Under Assignments, click on Users and groups.
  • Choose the users or groups to whom you want to apply this policy (e.g., all users or specific security groups).
    • If you want to apply it to everyone, choose All users. If you only want to apply it to specific users, select them individually or by group.

7. Configure Cloud Apps or Actions

  • Under Assignments, select Cloud apps or actions.
  • Choose the apps or services you want to restrict (e.g., all Microsoft 365 apps like Teams, SharePoint, and Exchange Online), or apply it to All cloud apps.

8. Set Conditions for Location

  • Under Assignments, click on Conditions.
  • In the Conditions section, select Locations.

9. Configure Locations

  • Set Configure to Yes.
  • Click on Include, then choose Any location.
  • Click on Exclude, then select Countries/Regions.

10. Restrict Access to Australia

  • In the Exclude section, choose Countries/Regions and then select Australia from the list.
    • This step ensures that users outside of Australia are blocked, while users inside Australia are allowed access.

11. Apply Controls (Grant Access)

  • Under Access controls, click Grant.
  • Select Grant access, but ensure you also enable Require multi-factor authentication (MFA) if necessary to add an extra layer of security.

12. Enable the Policy

  • Once you’ve configured all the options, scroll to the bottom and set the Enable policy switch to On.

13. Review and Create the Policy

  • Review your settings to make sure everything is correct, then click Create to apply the policy.

Testing and Monitoring the Policy

Once the policy is created, test it by attempting to log in from a location outside Australia (e.g., using a VPN) to ensure the restriction is functioning properly.

You can also monitor the policy’s effectiveness through the Sign-in logs within the Azure AD portal under Monitoring > Sign-ins.
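Rather than relying only on a test login, the sign-in logs can be queried directly. The block below is an added example, not code from the original post: it reads the last day of sign-ins from the Entra sign-in logs with Microsoft Graph PowerShell and summarises, per country and result, where the named policy was enforced or (in report-only mode) would have been. It assumes `Connect-MgGraph` has been run with the `AuditLog.Read.All` and `Directory.Read.All` scopes, and `$policyName` is a placeholder for the policy you want to check.

```powershell
# Added example (not from the original post): check a Conditional Access
# policy's effect from the sign-in logs via Microsoft Graph PowerShell.
# Assumes Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All".

$policyName = "Restrict Access to Australia"      # placeholder: the policy to check
$since      = (Get-Date).AddDays(-1).ToUniversalTime().ToString("o")

# Pull the last day of sign-ins (server-side filter on time only).
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# Keep the sign-ins where our policy was evaluated and either enforced a
# control ("success"/"failure") or would have in report-only mode.
$interesting = @("success", "failure", "reportOnlySuccess", "reportOnlyFailure")
$hits = foreach ($s in $signIns) {
    $applied = $s.AppliedConditionalAccessPolicies |
        Where-Object { $_.DisplayName -eq $policyName } |
        Select-Object -First 1
    if ($applied -and $applied.Result -in $interesting) {
        [pscustomobject]@{
            Time     = $s.CreatedDateTime
            User     = $s.UserPrincipalName
            App      = $s.AppDisplayName
            Country  = $s.Location.CountryOrRegion
            IP       = $s.IPAddress
            Client   = $s.ClientAppUsed
            Result   = $applied.Result
            Controls = ($applied.EnforcedGrantControls -join ",")
        }
    }
}

# Counts per country and result make an unexpected block, or an expected
# block that never fires, obvious at a glance.
$hits | Group-Object Country, Result | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Full detail of the blocked (or would-be-blocked) sign-ins.
$hits | Where-Object { $_.Result -in @("failure", "reportOnlyFailure") } | Format-Table -AutoSize
```

A `reportOnlyFailure` row for an in-country user on a corporate device is the signal to fix the policy before enabling it; the same query run after the switch to “On” confirms that only out-of-country sign-ins show `failure`.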

Policy 3: Can we restrict access to types of devices?

In this example, we have set up additional security to ensure users can only access Microsoft 365 from specific device types, and to block access from unapproved device types.

1 – Select “Policies” from the Conditional Access control panel

2 – Select “New Policy” from top menu

3 – Name policy “CA03 – Block un-approved Device types”

4 – Select “Users” Menu and then select “All users”

5 – Select “Target Resources” then select “All Cloud Apps”

6 – Select “Conditions” and the “Device Platforms”

7 – set Configure to “yes” and then tick “Windows Phone” & “Linux”

8 – Select “done”

9 – Select “Grant” from left hand menu and then set to “Block Access”, click “select” from the bottom.

10 – Set policy to “on”

11 – Select “Create”

Policy 4: Can we disable persistent browser sessions ?

In this example, we have set up additional security to ensure that when users close the browser on a non-managed PC, their Microsoft 365 session is logged out.

1 – Select “New Policy”

2 – Name the policy “CA04 – Disable Persistent Browser sessions”

3 – Select “users” from right hand menu and then select “all users”

4 – Select “Target Resources” then select “All Cloud Apps”

5 – Select “Conditions” from left hand menu

6 – Select “Client Apps” from middle menu

7 – Set configure to “yes” and then tick “Browser”, then select “done”

8 – Select “Session” from right hand side menu, then tick “Persistent Browser Session”. Then set the drop down menu to “Never Persistent”

9 – Click “Select”

10 – Set Policy to “On” and then click “Create”

Policy 5: Can we enforce the use of App Protection Policies?

In this example, we have set up an additional policy to ensure that client devices are using an App Protection Policy when accessing your corporate data.

1 – Select “New Policy”

2 – Name the policy “CA05 – Require App Protection Policy”

3 – Select “users” from right hand menu and then select “all users”

4 – Select “Target Resources” then click “Select Apps”

5 – Click “Select” from the menu items

6 – On the right-hand menu tick “Office 365”, then “Select”

7 – Select “Conditions” from the right-hand side menu, then select “Device Platform”. Then set the right-hand side menu Configure option to “yes”

8 – Tick “Android” and “iOS” from the options. Then click “Done”

9 – Select “Client Apps” from the middle menu

10 – Set Configure on the right-hand side menu to “yes”, then tick “Browser” and “Mobile Apps and Desktop Clients”, then select “done”

11 – Select “Grant Access” from the left-hand menu, then select “Require App Protection Policy” from the right-hand side. Then click “Select”

12 – Set the policy to “on” and then click “Create”

Policy 6: Can we block Legacy Authentication?

In this example, we have set up an additional policy to block older protocols from being able to access your Microsoft 365 tenant.

1 – Select “New Policy from Template”

2 – Select “Block Legacy Authentication”

3 – Name the policy “CA06 – Block Legacy Authentication”

4 – Set Policy state to “on”

5 – Click on Create

Policy 7: Can we require MFA for Entra Join?

In this example, we have set up an additional policy to enforce multi-factor authentication when users join a device to Entra.

1 – Select “New Policy”

2 – Name the policy “CA07 – Require MFA to Join to Entra”

3 – Select “users” from right hand menu and then select “all users”

4 – Select “Target Resources”, then click the drop-down menu and select the “User actions” option, then tick “Register or join devices”

5 – Select “Grant” from the left-hand menu, then select “Grant access” from the right-hand menu

6 – Tick “require multifactor Authentication” then “select”

7 – Set policy to “on” and then click “create”

Policy 8: Can we block personal computers?

In this example, we have set up an additional Conditional Access policy to block access to Microsoft 365 from personal computers.

1 – Select “New Policy”

2 – Name the policy “CA08 – Block Personal Devices”

3 – Select “users” from right hand menu and then select “all users”

4 – Select the “Exclude” menu, select “users and groups”, enter your admin account.

5 – Select “Target Resources” and select “all cloud apps”.

6 – Select the “Conditions” menu, then select “Device platforms”. Select “Yes” under the Configure option on the right-hand side. Then tick “Windows” and “macOS”. Select “Done”

7 – Select “Client apps”, set Configure to “yes”, tick “Browser”, “Mobile apps and desktop clients”, “Exchange ActiveSync clients” and “Other clients”

8 – Select “Filter for devices”. Set Configure to “yes” and set the filter expressions to:

  • deviceOwnership – Equals – Personal
  • Or – deviceOwnership – Not equals – Company

Then select “Done”

9 – Select “Grant”, select “Block Access” on right hand side. Click “select”

10 – Set Enable policy to “report only”

11 – Review and enable once settings are confirmed
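Policies 4 to 8 above differ only in their conditions and controls, so they lend themselves to being kept as data. The block below is an added example, not code from the original post: it expresses CA04 to CA08 as Microsoft Graph policy bodies and creates them in one loop, all in report-only mode as step 10 recommends. It assumes `Connect-MgGraph` has been run with the `Policy.ReadWrite.ConditionalAccess` scope and that `$adminUserId` is replaced with your admin account’s object ID. The device filter rule for CA08 is the Graph rule-syntax form of the two expressions in step 8; `Office365` is the Graph keyword for the “Office 365” app group selected in Policy 5.

```powershell
# Added example (not from the original post): policies CA04-CA08 as Graph bodies.
# Assumes Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess" has been run.

$adminUserId = "00000000-0000-0000-0000-000000000000"   # placeholder: admin / break-glass object ID
$allUsersExceptAdmin = @{ includeUsers = @("All"); excludeUsers = @($adminUserId) }
$reportOnly = "enabledForReportingButNotEnforced"

$policies = @(
    @{  # CA04: browser sessions are not persisted, so closing the browser logs out
        displayName     = "CA04 - Disable Persistent Browser sessions"
        state           = $reportOnly
        conditions      = @{
            users          = @{ includeUsers = @("All") }
            applications   = @{ includeApplications = @("All") }
            clientAppTypes = @("browser")
        }
        sessionControls = @{ persistentBrowser = @{ isEnabled = $true; mode = "never" } }
    }
    @{  # CA05: Office 365 on Android/iOS only from apps under an app protection policy
        displayName   = "CA05 - Require App Protection Policy"
        state         = $reportOnly
        conditions    = @{
            users          = @{ includeUsers = @("All") }
            applications   = @{ includeApplications = @("Office365") }
            platforms      = @{ includePlatforms = @("android", "iOS") }
            clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
        }
        grantControls = @{ operator = "OR"; builtInControls = @("compliantApplication") }
    }
    @{  # CA06: legacy protocols cannot satisfy MFA, so block them outright
        displayName   = "CA06 - Block Legacy Authentication"
        state         = $reportOnly
        conditions    = @{
            users          = $allUsersExceptAdmin
            applications   = @{ includeApplications = @("All") }
            clientAppTypes = @("exchangeActiveSync", "other")
        }
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    }
    @{  # CA07: MFA before a device may be registered or joined
        displayName   = "CA07 - Require MFA to Join to Entra"
        state         = $reportOnly
        conditions    = @{
            users          = @{ includeUsers = @("All") }
            applications   = @{ includeUserActions = @("urn:user:registerdevice") }
            clientAppTypes = @("all")
        }
        grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
    }
    @{  # CA08: block Windows/macOS devices that are personal or not company-owned
        displayName   = "CA08 - Block Personal Devices"
        state         = $reportOnly
        conditions    = @{
            users          = $allUsersExceptAdmin
            applications   = @{ includeApplications = @("All") }
            platforms      = @{ includePlatforms = @("windows", "macOS") }
            clientAppTypes = @("browser", "mobileAppsAndDesktopClients", "exchangeActiveSync", "other")
            devices        = @{ deviceFilter = @{
                mode = "include"   # the policy applies to devices matching the rule
                rule = 'device.deviceOwnership -eq "Personal" -or device.deviceOwnership -ne "Company"'
            } }
        }
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    }
)

foreach ($body in $policies) {
    $p = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
    "{0,-45} {1}  {2}" -f $p.DisplayName, $p.Id, $p.State
}
```

Because `-ne "Company"` also matches devices with no ownership value at all (unregistered machines), the CA08 filter catches devices that were never enrolled as well as those explicitly marked personal; that is why the page leaves the policy in report-only mode until the sign-in logs have been reviewed.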

Policy 9: Can we lock down access to Office 365 to our company offices?

For this example, we have restricted access so that users can only connect to Office 365 if they are coming from the corporate (external) IP range.

The following settings were configured in Azure Conditional Access:

Block access to Exchange Online based on location.

The following describes the end-user experience for a user accessing Office 365 from a device that is not on the corporate IP address.

User logs into Office 365 with credentials.

Azure Conditional Access identifies that the user is not coming from a trusted IP address and blocks access.
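The block below is an added example, not code from the original post: it sets up Policy 9 with Microsoft Graph PowerShell by defining the corporate external range as a trusted IP named location and blocking Exchange Online from any other location. It assumes `Connect-MgGraph` has been run with the `Policy.ReadWrite.ConditionalAccess` scope; the CIDR (an RFC 5737 documentation range here) and the admin object ID are placeholders, and the Exchange Online application ID is Microsoft’s well-known first-party app ID for that service.

```powershell
# Added example (not from the original post): Policy 9 via Microsoft Graph PowerShell.
# Assumes Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess" has been run.

$officeCidr          = "203.0.113.0/24"                         # placeholder: your office's external range
$adminUserId         = "00000000-0000-0000-0000-000000000000"   # placeholder: admin / break-glass object ID
$exchangeOnlineAppId = "00000002-0000-0ff1-ce00-000000000000"   # well-known app ID: Office 365 Exchange Online

# The corporate external range as a trusted named location. Marking it trusted
# also stops sign-ins from the office being scored as risky locations.
$office = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Corporate Office"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = $officeCidr }
    )
}

# Block Exchange Online from every location except the office range.
$ca09 = @{
    displayName   = "CA09 - Block Exchange Online outside the office"
    state         = "enabledForReportingButNotEnforced"   # confirm in the sign-in logs, then set "enabled"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($adminUserId) }
        applications   = @{ includeApplications = @($exchangeOnlineAppId) }
        clientAppTypes = @("all")
        locations      = @{
            includeLocations = @("All")
            excludeLocations = @($office.Id)   # or "AllTrusted" to exclude every trusted location
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $ca09
"Created '$($policy.DisplayName)'; office range $officeCidr is named location $($office.Id)"
```

Users on the office range see a normal login; from anywhere else the sign-in reaches Azure with valid credentials and is then blocked by the policy, which is exactly the experience described above, and the sign-in log records the block against CA09 with the source IP.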

Gotchas

As with most Microsoft solutions, Conditional Access is not without its flaws.

Conditional Access will not work in the following situations:

  • Client App – Not all client apps support Conditional Access; the client app needs to support Modern Authentication, e.g. Outlook 2016, or Outlook 2013 with a registry key change.
    • Outlook 2010 will not work with Conditional Access and the user will be allowed to connect; locking down Outlook 2010 based on IP ranges requires ADFS claims rules.
    • Upgrade to Outlook 2016 if your business is still using this; it is 2018! For any 3rd-party apps (e.g. Outlook plugins) that don’t support anything newer than Outlook 2010, put pressure on the vendor to fix this. Don’t let your Office 365 migration be hindered by a non-future-proof app.

If your organisation is thinking about your IT security, and how it can be improved, why not book a Security Workshop from TSIT? Our experts will assess and review your current security landscape, helping you to address and solve challenges, optimising the security of your IT and helping you comply with industry standards and regulations.

Our comprehensive overview will give you the knowledge and insight you need to create an IT security strategy that fits your business needs and helps you to be completely secure using tools like Microsoft Security and Microsoft 365 to stay agile.