Introduction
This guide will provide you with steps to create a custom conditional access policy for your organization. Conditional access policies can be thought of as IF/THEN statements: IF the assignment conditions are met, THEN the access control (allow or deny) is applied. Conditional access policies are a great way to enforce
This process is typically used to block or grant access to specific resources based on whether or not a specific condition is met.
Requirements
- Global Administrator or Conditional Access Administrator role
- Microsoft Entra ID P1 licenses
- Risk-based policies require Entra ID P2 licenses
- A test group or user to use for testing before applying a new policy to an entire organization or group
Creating a New Policy
Please follow the steps below and use the reference article in the next section if any issues arise.
- Sign into the Microsoft Entra ID admin center: https://entra.microsoft.com/#home
- On the left-hand menu blade, navigate to Protection > Conditional Access
- Select Create New Policy
  - There are also policy templates that can be used for quick implementation
- The first section contains Assignments, which can be thought of as our IF statement (who, what, where). We have the option to Include or Exclude the following:
  - Users & Groups
  - Target Resources – cloud apps, user actions, authentication context
  - Network – predefined trusted networks or locations
  - Conditions – define when the policy will apply
- The next section contains Access Controls, which can be thought of as our THEN statement. Here we decide how the policy is enforced, with two options:
  - Grant – this allows us to grant or block access
  - Session – this allows us to limit access
Multiple conditional access policies may apply to a user at the same time, in which case every policy that applies must be satisfied. All assignments are logically ANDed.
Example – Require Multifactor Authentication for Global Admins
This policy will require all users holding administrative roles in the organization to sign in using MFA.
- Create a new conditional access policy
- Under Assignments > Users, select to include the Global Administrator directory role
  - Select more roles as needed to apply this policy to
  - It is recommended to exclude at least one account from this type of policy in case of an emergency where all accounts may be locked out. These are typically dedicated emergency access accounts: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/security-emergency-access
- Under Assignments > Target Resources, select to include all cloud apps. This means any M365 cloud application such as Exchange, SharePoint, Azure DevOps, Power BI and many more.
- Under Access Controls > Grant, select Grant access and check "Require MFA"
  - Access is granted only if MFA is completed at sign-in
- Select Enable Policy > ON and then click Create
  - You may choose to create the policy in Report-only mode to get a report of the outcome of the new policy without it taking effect
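The IF/THEN model from the overview (assignments ANDed within a policy, every applicable policy ANDed across policies) and the Require-MFA-for-admins procedure above can be checked against sample sign-ins with a small evaluator. The block below is an added example, not code from Covene or from Microsoft: it writes the two policies in the shape of the Microsoft Graph conditionalAccessPolicy resource (displayName, state, conditions, grantControls) and then applies a simplified version of the portal's evaluation rules to constructed sign-in records. The Global Administrator role template ID is the well-known Entra value; the emergency account object ID and the application IDs are placeholders, and the SignIn type and all function names are this example's own.

```python
"""Toy evaluator for Entra Conditional Access semantics (added example).

Policies are expressed in the shape of the Microsoft Graph
conditionalAccessPolicy resource. The evaluation rules are a simplification
written for this example; user IDs, app IDs and sign-ins are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

# Well-known Entra directory role template ID for Global Administrator.
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"
# Constructed placeholder for the excluded emergency access account's object ID.
EMERGENCY_ACCOUNT = "00000000-0000-0000-0000-0000000000e9"

# The policy built step by step in the article, in Graph resource shape.
REQUIRE_MFA_FOR_ADMINS = {
    "displayName": "Require MFA for Global Admins",
    "state": "enabled",  # "enabledForReportingButNotEnforced" for report-only
    "conditions": {
        "users": {
            "includeRoles": [GLOBAL_ADMIN_ROLE],
            "excludeUsers": [EMERGENCY_ACCOUNT],  # break-glass exclusion
        },
        "applications": {"includeApplications": ["All"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

# One of the "Other Examples", rolled out in report-only mode first.
REQUIRE_COMPLIANT_DEVICE = {
    "displayName": "Require compliant device for SharePoint",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["sharepoint-app-id-placeholder"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
}


@dataclass(frozen=True)
class SignIn:
    """A constructed sign-in: who, which app, and which controls were satisfied."""
    user_id: str
    roles: frozenset = frozenset()
    app: str = "exchange-app-id-placeholder"
    satisfied_controls: frozenset = frozenset()  # e.g. {"mfa", "compliantDevice"}


def user_in_scope(users: Dict[str, List[str]], s: SignIn) -> bool:
    """Exclusions always win over inclusions, as in the portal."""
    if s.user_id in users.get("excludeUsers", []):
        return False
    if s.roles & set(users.get("excludeRoles", [])):
        return False
    include_users = users.get("includeUsers", [])
    if "All" in include_users or s.user_id in include_users:
        return True
    return bool(s.roles & set(users.get("includeRoles", [])))


def app_in_scope(apps: Dict[str, List[str]], s: SignIn) -> bool:
    if s.app in apps.get("excludeApplications", []):
        return False
    included = apps.get("includeApplications", [])
    return "All" in included or s.app in included


def policy_applies(policy: dict, s: SignIn) -> bool:
    """The IF part: the assignments of one policy are ANDed."""
    cond = policy["conditions"]
    return user_in_scope(cond["users"], s) and app_in_scope(cond["applications"], s)


def grant_satisfied(policy: dict, s: SignIn) -> bool:
    """The THEN part: 'block' always denies; otherwise check the required controls."""
    grant = policy["grantControls"]
    controls = grant["builtInControls"]
    if "block" in controls:
        return False
    met = [c in s.satisfied_controls for c in controls]
    return all(met) if grant["operator"] == "AND" else any(met)


def evaluate(policies: List[dict], s: SignIn) -> dict:
    """Every enforced policy that applies must be satisfied (policies are ANDed).

    Report-only policies are evaluated and recorded but never block access.
    Outcome strings mirror the per-policy result values in Entra sign-in logs.
    """
    outcomes = {}
    allowed = True
    for p in policies:
        name = p["displayName"]
        if p["state"] == "disabled":
            outcomes[name] = "notEnabled"
            continue
        if not policy_applies(p, s):
            outcomes[name] = "notApplied"
            continue
        ok = grant_satisfied(p, s)
        if p["state"] == "enabledForReportingButNotEnforced":
            outcomes[name] = "reportOnlySuccess" if ok else "reportOnlyFailure"
        else:
            outcomes[name] = "success" if ok else "failure"
            allowed = allowed and ok
    return {"access": "granted" if allowed else "denied", "policies": outcomes}


if __name__ == "__main__":
    admin_no_mfa = SignIn("admin-object-id", frozenset({GLOBAL_ADMIN_ROLE}))
    print(evaluate([REQUIRE_MFA_FOR_ADMINS, REQUIRE_COMPLIANT_DEVICE], admin_no_mfa))
```

Running it shows the three outcomes the article cares about: a Global Administrator without MFA is denied by the enforced policy, the excluded emergency account is not touched by it at all, and a regular user hitting the report-only device policy is still granted access while the failure is recorded, which is exactly what Report-only mode is for before switching a policy to ON.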

Other Examples
Below are other common conditional access policies that can be created for your organization:
- Require MFA for all users unless they are in the office (using a trusted network location)
- Block access to SharePoint and OneDrive unless the device is marked as compliant in Intune
- Require admins to reauthenticate every hour they are signed in
- Disable persistent browser sessions
Reference
The website below provides additional instructions for this process.
https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview
Want to Learn More?
Have additional Microsoft-related questions? Contact Us today to schedule a free consultation with our certified engineers!