CTHFM: Azure

Conditions for Conditional Access

What Are Conditional Access Conditions?

Conditions in Conditional Access policies define when the policy should be enforced. They help ensure that access control decisions are based on contextual factors, such as the user’s location, device state, or sign-in risk. By configuring conditions, you can precisely tailor policies to specific situations, ensuring stronger security while minimizing disruptions for users.

Each condition allows you to control access based on factors like who is signing in, where they are signing in from, and the state of their device.

Types of Conditional Access Conditions

Azure AD Conditional Access supports several types of conditions that help define the context of access. These conditions include:

  • User or Group Membership

  • Cloud Applications

  • Sign-in Risk

  • Device Platforms

  • Location

  • Client Applications

  • Device State

User or Group Membership

This condition allows you to target specific users or groups in your Conditional Access policy.

How It Works:

  • Targeting All Users: You can apply a policy to all users in your organization. For example, you may want to require MFA for all employees accessing sensitive applications like Microsoft 365.

  • Targeting Specific Groups: You can apply policies to specific Azure AD groups, such as admins, HR, or contractors. For example, you might enforce stricter controls on high-privilege roles (e.g., Global Admins).

  • Excluding Users: You can exclude users from policies, such as break-glass or emergency access accounts, which should not be restricted by Conditional Access.

Example Use Case:

A Conditional Access policy could be applied to the Global Administrators group, requiring MFA for any admin actions.

Cloud Applications

This condition allows you to apply Conditional Access policies to specific cloud applications. Instead of applying security controls across all apps, you can target particular apps that handle sensitive data or have higher security requirements.

How It Works:

  • All Cloud Apps: You can apply a Conditional Access policy to all cloud applications within your Azure AD tenant.

  • Select Specific Apps: You can target individual applications, such as Microsoft 365, Salesforce, or a custom enterprise app, for stricter access controls.

Example Use Case:

An organization may want to apply Conditional Access policies to ensure that users must complete MFA before accessing a sensitive app like Azure Management or Microsoft 365.

Sign-in Risk

The Sign-in Risk condition is based on the evaluation of a user’s sign-in behavior. Azure AD Identity Protection analyzes sign-in patterns to detect potentially risky or unusual behavior and categorizes the risk into low, medium, and high.

Risk Categories:

  • Low Risk: Typically a normal sign-in attempt with no detected anomalies.

  • Medium Risk: Behavior that could indicate an attack, such as signing in from a new device or location.

  • High Risk: Clear signs of a compromised account, such as a known data breach associated with the user’s credentials.

How It Works:

You can configure Conditional Access to apply stricter controls based on the risk level:

  • Low Risk: No additional controls might be required.

  • Medium Risk: Require MFA to confirm the user's identity.

  • High Risk: Block access or require a password reset.

Example Use Case:

A Conditional Access policy could block access or require a password reset if the sign-in risk is determined to be high. This is often used to prevent compromised accounts from accessing sensitive resources.

Device Platforms

This condition allows you to specify which types of devices (based on operating system) can trigger the policy.

Supported Device Platforms:

  • Windows

  • macOS

  • iOS

  • Android

  • Linux

How It Works:

  • You can apply Conditional Access policies to specific device platforms. For example, you might allow access to corporate resources only from Windows and macOS devices but block access from Android and iOS devices unless they meet certain compliance requirements.

Example Use Case:

An organization may create a Conditional Access policy that blocks access to corporate resources from Linux devices, as they are not part of the company’s managed device ecosystem.

Location

Location-based conditions allow you to apply different security measures based on the geographical location or network from which users are signing in. This is commonly used to restrict access from risky or untrusted locations.

How It Works:

  • Named Locations: You can define trusted locations (e.g., your corporate office or VPN) using IP address ranges. Policies can then be applied to allow or block access based on these named locations.

  • Country/Region: You can block or allow access based on the country from which users are attempting to sign in. This is useful for blocking access from regions associated with high levels of cyberattacks.

Example Use Case:

An organization might require MFA only for users who are signing in from outside the trusted corporate network, reducing friction for users signing in from the office.

Client Applications

The Client Apps condition allows you to enforce policies based on the type of application a user is using to access resources. Azure AD recognizes several types of client applications, including:

  • Browser (e.g., users accessing apps through a web browser).

  • Mobile apps and desktop clients (e.g., Outlook mobile or the Teams desktop app).

  • Legacy Authentication (e.g., apps that use protocols such as IMAP or POP, which don’t support modern authentication).

How It Works:

You can create Conditional Access policies that require additional security measures for specific client applications:

  • For example, you might require MFA for users accessing sensitive data through browser-based apps but block access for legacy authentication protocols to prevent password spraying attacks.

Example Use Case:

A policy could block legacy authentication protocols like IMAP or POP, which are often vulnerable to brute force attacks, while allowing access from modern authentication protocols.
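Before a legacy-authentication block is enforced, practitioners usually run the policy in report-only mode and check the sign-in logs for clients that would be cut off. The script below is an added example, not code from the CTHFM page: it triages constructed sign-in records (field names follow the SigninLogs columns ClientAppUsed, ConditionalAccessStatus and ResultType) and reports which users still rely on legacy protocols, how many of those sign-ins no Conditional Access policy covered, and how many were failed password attempts against a legacy endpoint.

```python
# Added example, not from the CTHFM page: triage sign-in records for legacy
# authentication before a "block legacy auth" policy is switched from
# report-only to enforced. The records are constructed; the field names
# follow the Entra SigninLogs columns (UserPrincipalName, AppDisplayName,
# ClientAppUsed, ConditionalAccessStatus, ResultType, IPAddress).
from collections import Counter

# ClientAppUsed values that indicate legacy (basic) authentication; modern
# clients report "Browser" or "Mobile Apps and Desktop clients".
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP", "SMTP",
    "MAPI Over HTTP", "Exchange Web Services", "Outlook Anywhere (RPC over HTTP)",
    "Autodiscover", "Other clients",
}

SAMPLE_SIGNINS = [  # constructed sample records
    {"UserPrincipalName": "alice@contoso.example", "AppDisplayName": "Office 365 Exchange Online",
     "ClientAppUsed": "Browser", "ConditionalAccessStatus": "success", "ResultType": "0", "IPAddress": "203.0.113.10"},
    {"UserPrincipalName": "bob@contoso.example", "AppDisplayName": "Office 365 Exchange Online",
     "ClientAppUsed": "IMAP4", "ConditionalAccessStatus": "notApplied", "ResultType": "0", "IPAddress": "198.51.100.7"},
    {"UserPrincipalName": "bob@contoso.example", "AppDisplayName": "Office 365 Exchange Online",
     "ClientAppUsed": "IMAP4", "ConditionalAccessStatus": "notApplied", "ResultType": "0", "IPAddress": "198.51.100.7"},
    {"UserPrincipalName": "carol@contoso.example", "AppDisplayName": "Office 365 Exchange Online",
     "ClientAppUsed": "POP3", "ConditionalAccessStatus": "notApplied", "ResultType": "50126", "IPAddress": "192.0.2.44"},
    {"UserPrincipalName": "svc-scanner@contoso.example", "AppDisplayName": "Office 365 Exchange Online",
     "ClientAppUsed": "Authenticated SMTP", "ConditionalAccessStatus": "notApplied", "ResultType": "0", "IPAddress": "203.0.113.22"},
    {"UserPrincipalName": "dave@contoso.example", "AppDisplayName": "Microsoft Azure Management",
     "ClientAppUsed": "Mobile Apps and Desktop clients", "ConditionalAccessStatus": "failure", "ResultType": "53003", "IPAddress": "198.51.100.9"},
]


def is_legacy_auth(record):
    """True when the sign-in used a client that cannot satisfy MFA or device controls."""
    return record.get("ClientAppUsed") in LEGACY_CLIENT_APPS


def legacy_auth_report(records):
    """Summarise legacy-auth usage so the blocking policy's impact is known up front."""
    report = {"legacy_signins": 0, "successful_legacy_signins": 0,
              "failed_legacy_signins": 0, "legacy_not_covered_by_ca": 0,
              "by_protocol": Counter(), "users_to_migrate": set()}
    for rec in records:
        if not is_legacy_auth(rec):
            continue
        report["legacy_signins"] += 1
        report["by_protocol"][rec["ClientAppUsed"]] += 1
        # notApplied means no Conditional Access policy was in scope for this sign-in
        if rec.get("ConditionalAccessStatus") == "notApplied":
            report["legacy_not_covered_by_ca"] += 1
        # ResultType "0" is a successful sign-in; anything else is a failure code
        if rec.get("ResultType") == "0":
            report["successful_legacy_signins"] += 1
            report["users_to_migrate"].add(rec["UserPrincipalName"])
        else:
            report["failed_legacy_signins"] += 1
    return report


if __name__ == "__main__":
    for key, value in legacy_auth_report(SAMPLE_SIGNINS).items():
        print(f"{key}: {value}")
```

The `users_to_migrate` set lists accounts that succeeded over a legacy protocol and therefore need a modern client before the block goes live; failed legacy attempts (such as carol's POP3 record with an invalid-password result) are the traffic the block is meant to stop and need no migration work.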

Device State

Device state conditions allow you to require that users access resources only from trusted or compliant devices. This is often done in conjunction with Microsoft Intune or other mobile device management (MDM) solutions.

How It Works:

  • Compliant Devices: Require that devices meet certain security requirements (e.g., encryption, up-to-date security patches).

  • Hybrid Azure AD Joined: Ensure that devices accessing resources are joined to Azure AD or managed by the organization’s Active Directory.

Example Use Case:

An organization might configure a Conditional Access policy that allows access to corporate data only from compliant devices that meet internal security policies (e.g., devices managed by Intune).

Combining Conditions for Granular Control

You can combine multiple conditions to create granular and highly customized Conditional Access policies. For example, you might create a policy that applies to:

  • Users in the Global Administrators group (user condition).

  • Who are accessing Azure Management (cloud app condition).

  • From an untrusted location (location condition).

  • Using a non-compliant device (device state condition).

In this scenario, you might enforce MFA and require device compliance for admins accessing the Azure portal from outside the corporate network.
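The combination rules are easy to get wrong in practice: every configured condition must match for a policy to apply, an exclusion always wins over an inclusion, and a grant control with the AND operator fails if any required control is missing. The evaluator below is an added example, not code from the CTHFM page or a Microsoft SDK. It models the policies discussed on this page (block legacy authentication, block high-risk sign-ins, MFA for medium risk, and the admin scenario above with a break-glass exclusion) using the Microsoft Graph conditionalAccessPolicy field names, and runs a constructed sign-in context through them. The role and application ids are placeholders, and the account names are constructed.

```python
# Added example, not from the CTHFM page: evaluate Conditional-Access-style
# policies against a sign-in context to show how include/exclude sets and
# several conditions combine (all configured conditions must match; an
# exclusion always wins). Policy dicts mirror the Microsoft Graph
# conditionalAccessPolicy shape; ids and accounts below are constructed.

GLOBAL_ADMIN_ROLE = "role-template-id-PLACEHOLDER"      # constructed placeholder
AZURE_MGMT_APP = "azure-management-app-id-PLACEHOLDER"  # constructed placeholder
BREAK_GLASS = "breakglass@contoso.example"              # constructed account

POLICIES = [
    {"displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Admins: MFA and compliant device off-network", "state": "enabled",
     "conditions": {"users": {"includeRoles": [GLOBAL_ADMIN_ROLE], "excludeUsers": [BREAK_GLASS]},
                    "applications": {"includeApplications": [AZURE_MGMT_APP]},
                    "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]}},
    {"displayName": "Block high-risk sign-ins", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "signInRiskLevels": ["high"], "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Require MFA for medium-risk sign-ins", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "signInRiskLevels": ["medium"], "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]


def make_context(**overrides):
    """Build a sign-in context; defaults describe an ordinary user in a browser."""
    ctx = {"user": "alice@contoso.example", "groups": [], "roles": [], "app": AZURE_MGMT_APP,
           "sign_in_risk": "none", "platform": "windows", "trusted": False,
           "named_locations": set(), "client_app_type": "browser", "satisfied_controls": set()}
    ctx.update(overrides)
    return ctx


def _user_in_scope(cond, ctx):
    """Users condition: any exclusion (user, group, role) removes the user from scope."""
    users, groups, roles = {ctx["user"]}, set(ctx["groups"]), set(ctx["roles"])
    if (users & set(cond.get("excludeUsers", [])) or groups & set(cond.get("excludeGroups", []))
            or roles & set(cond.get("excludeRoles", []))):
        return False
    inc = cond.get("includeUsers", [])
    return bool("All" in inc or users & set(inc) or groups & set(cond.get("includeGroups", []))
                or roles & set(cond.get("includeRoles", [])))


def _app_in_scope(cond, ctx):
    if ctx["app"] in cond.get("excludeApplications", []):
        return False
    inc = cond.get("includeApplications", [])
    return "All" in inc or ctx["app"] in inc


def _loc_match(tokens, ctx):
    """'All' matches anywhere, 'AllTrusted' only trusted networks, otherwise a named-location id."""
    return any(t == "All" or (t == "AllTrusted" and ctx["trusted"]) or t in ctx["named_locations"]
               for t in tokens)


def _location_in_scope(cond, ctx):
    if cond is None:                                  # condition not configured: always in scope
        return True
    if _loc_match(cond.get("excludeLocations", []), ctx):
        return False
    return _loc_match(cond.get("includeLocations", []), ctx)


def _platform_in_scope(cond, ctx):
    if cond is None:
        return True
    if ctx["platform"] in cond.get("excludePlatforms", []):
        return False
    inc = cond.get("includePlatforms", [])
    return "all" in inc or ctx["platform"] in inc


def policy_applies(policy, ctx):
    """A policy applies only when enabled and every configured condition matches."""
    if policy.get("state") != "enabled":
        return False
    c = policy["conditions"]
    risk_levels = c.get("signInRiskLevels", [])
    client_types = c.get("clientAppTypes", ["all"])
    return (_user_in_scope(c["users"], ctx) and _app_in_scope(c["applications"], ctx)
            and _location_in_scope(c.get("locations"), ctx) and _platform_in_scope(c.get("platforms"), ctx)
            and (not risk_levels or ctx["sign_in_risk"] in risk_levels)
            and ("all" in client_types or ctx["client_app_type"] in client_types))


def _unmet_controls(policy, ctx):
    """Unmet grant controls for an applied policy: [] means satisfied, ['block'] is a hard block."""
    gc = policy.get("grantControls")
    if not gc:
        return []
    controls = gc["builtInControls"]
    if "block" in controls:
        return ["block"]
    unmet = [c for c in controls if c not in ctx["satisfied_controls"]]
    if gc.get("operator", "OR") == "OR" and len(unmet) < len(controls):
        return []                                     # one satisfied alternative is enough
    return unmet


def evaluate(policies, ctx):
    """Apply every policy in scope; a single block or unmet AND control denies access."""
    result = {"decision": "allow", "applied": [], "unmet": {}}
    for p in policies:
        if not policy_applies(p, ctx):
            continue
        result["applied"].append(p["displayName"])
        unmet = _unmet_controls(p, ctx)
        if unmet:
            result["decision"] = "block"
            result["unmet"][p["displayName"]] = unmet
    return result


if __name__ == "__main__":
    admin_offsite = make_context(user="admin@contoso.example", roles=[GLOBAL_ADMIN_ROLE],
                                 satisfied_controls={"mfa"})
    print(evaluate(POLICIES, admin_offsite))
```

Running the admin scenario from an untrusted location with MFA completed but a non-compliant device yields a block with `compliantDevice` listed as unmet, whereas the same admin on a trusted named location falls outside the policy entirely because `AllTrusted` is excluded. The break-glass account is excluded explicitly, so it is never caught by the admin policy even though it holds the same role.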
