Using Azure Active Directory Conditional Access to enforce access control

Conditional Access is the tool Azure Active Directory uses to bring signals together, make decisions, and enforce organizational policies. Conditional Access is at the heart of the new identity-driven control plane.

Conditional Access allows an organization to enforce policies that match its needs, including but not limited to allowing access to resources only from its own network.

It works by collecting different signals and, based on the policies that are set, permitting or denying access.

(Figure: Conditional Access, taken from the docs)

Different parts of a Conditional Access policy

When creating a new Conditional Access policy there are five sections, as below.

(Screenshot: New Policy)
  1. Users and groups: In this section you choose to include (and also exclude) all users/groups, or limit them by roles, user types or group names.
  2. Cloud apps or actions: You can also check the application used to make the connection; it can be any Microsoft-provided application or any Azure AD-integrated application. Here too you have the option to Include/Exclude based on the application.
  3. Conditions: This is the heart of a Conditional Access policy, as here we decide the checks on which the policy will apply to the users and groups selected in the first part.
    • User risk: Based on the user's usage, it is estimated whether the account is compromised or not. Requires Identity Protection.
    • Sign-in risk: Likewise based on probability, it is estimated whether the current sign-in was authorized by the identity owner or not.
    • Device platforms: Based on the device being used to connect, you can set the condition so that affected users are able to connect using the allowed devices only. Options available are Android, iOS, Windows Phone, Windows and macOS.
    • Locations: Based on the trusted locations set under the Named locations section of the Security blade of Azure AD. You can restrict access by including or excluding a specific trusted location.
    • Client apps: To control access from a specific client app type. Refer to this link for more details.
    • Device state: The device state condition can be used to exclude devices that are hybrid Azure AD joined and/or devices marked as compliant with a Microsoft Intune compliance policy from an organization's Conditional Access policies.
  4. Grant: Based on the conditions met for the selected users and groups, you can either block them or grant them access, and when granting access you can even mandate MFA.
  5. Session: To make use of session controls to enable a limited experience within specific cloud applications.

Bringing everything together

How a Conditional Access policy is created is better explained using an example.

Let us say that you want to mandate MFA for every user, except the Global Administrators, when connecting from outside the trusted network using an Android phone.

Step 1

Conditional Access is inside your Azure AD tenant's Security section. Once there, select “New Policy” and choose a name for your policy.

(Screenshot: New Policy)
Step 2

Now in the “Users and groups” section select “All users” under Include, and under Exclude select the Global Administrator directory role.

(Screenshots: Including users, Include All users; Excluding users, Exclude Global administrators)
Step 3

We don't need to restrict any cloud apps, so select Include None in “Cloud apps or actions”.

(Screenshot: Cloud apps)
Step 4

When choosing conditions we don't need to check the risk, so leave the top two as Not configured.

For Device platforms select “Android”.

(Screenshot: Condition for devices)

Then for Locations include “Any location” and exclude the Office trusted location.

(Screenshots: Condition for location; Condition for allowing the office location)

The next two sections are also not required.

Step 5

Now, based on the above conditions, we need to mandate multi-factor authentication.

(Screenshot: Granting access, requiring MFA)

We also don't need any session control.

Now set Enable policy to “On” and click Create, and it is done.
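The five sections above map one-to-one onto the fields of a Conditional Access policy object in Microsoft Graph, and seeing the walkthrough's policy in that form makes the include/exclude logic of each section explicit. The following is an added example and not code from the original post: it builds the policy as the body Graph accepts for POST /identity/conditionalAccess/policies, lints it for the mistakes that most often leave a policy silently ineffective, and runs a small simulator over constructed sign-ins to confirm who ends up being prompted for MFA. Assumptions: the office named location id is a placeholder you would look up in your tenant; the Global Administrator role template id is the well-known Microsoft value; the example scopes Cloud apps to “All” because a policy with no app or action selected has nothing to apply to; and the simulator is a simplified model of how the portal combines the sections, not the real evaluation engine.

```python
"""Added example (not from the original post): the walkthrough's policy as a
Microsoft Graph request body, a lint pass, and a simplified evaluator applied to
constructed sign-ins. The evaluator models include/exclude semantics only."""
import json

# Well-known role template id of the Global Administrator directory role.
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"
# Placeholder: id of the Office named location (from /identity/conditionalAccess/namedLocations).
OFFICE_LOCATION_ID = "<office-named-location-id>"


def build_policy(office_location_id: str) -> dict:
    """Sections 1-5 of the walkthrough as Graph conditionalAccessPolicy fields."""
    return {
        "displayName": "Require MFA on Android outside the office",
        "state": "enabled",  # Enable policy: On
        "conditions": {
            # 1. Users and groups: include All users, exclude the Global Administrator role
            "users": {"includeUsers": ["All"], "excludeRoles": [GLOBAL_ADMIN_ROLE_ID]},
            # 2. Cloud apps: "All" (assumption) so the policy applies to every app;
            #    an empty include list leaves the policy with nothing to apply to
            "applications": {"includeApplications": ["All"]},
            # 3. Conditions: Android only, any location except the trusted office location
            "platforms": {"includePlatforms": ["android"]},
            "locations": {"includeLocations": ["All"], "excludeLocations": [office_location_id]},
        },
        # 4. Grant: grant access but require MFA.  5. Session: none.
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def lint_policy(policy: dict) -> list:
    """Findings a reviewer would raise before setting the policy to enabled."""
    findings = []
    c = policy["conditions"]
    if not c.get("applications", {}).get("includeApplications"):
        findings.append("no cloud apps or user actions targeted: the policy will never apply")
    u = c["users"]
    if "All" in u.get("includeUsers", []) and not u.get("excludeRoles") and not u.get("excludeUsers"):
        findings.append("targets All users with no excluded break-glass account or role")
    if not policy.get("grantControls"):
        findings.append("no grant control selected: nothing is enforced")
    return findings


def _in_scope(include, exclude, value, wildcard):
    """Exclude wins over include; the wildcard entry matches any value."""
    if value in exclude:
        return False
    return wildcard in include or value in include


def evaluate(policy: dict, signin: dict) -> str:
    """Simplified model: the grant controls (joined by '+') when every section matches
    the sign-in, otherwise 'not-applicable'. signin fields: user, roles (set of role
    ids), app, platform, location (named-location id, or None if unrecognised)."""
    c = policy["conditions"]
    u = c["users"]
    user_ok = (
        _in_scope(u.get("includeUsers", []), u.get("excludeUsers", []), signin["user"], "All")
        and not (set(signin["roles"]) & set(u.get("excludeRoles", [])))
    )
    apps = c["applications"]
    app_ok = _in_scope(apps.get("includeApplications", []), apps.get("excludeApplications", []),
                       signin["app"], "All")
    plat = c.get("platforms", {"includePlatforms": ["all"]})
    platform_ok = _in_scope(plat.get("includePlatforms", []), plat.get("excludePlatforms", []),
                            signin["platform"], "all")
    loc = c.get("locations", {"includeLocations": ["All"]})
    location_ok = _in_scope(loc.get("includeLocations", []), loc.get("excludeLocations", []),
                            signin["location"], "All")
    if user_ok and app_ok and platform_ok and location_ok:
        return "+".join(policy["grantControls"]["builtInControls"])
    return "not-applicable"


# Constructed sign-ins covering the cases the walkthrough cares about.
SAMPLE_SIGNINS = {
    "employee, Android, coffee shop": {"user": "alice", "roles": set(), "app": "Office 365",
                                       "platform": "android", "location": None},
    "employee, Android, office": {"user": "alice", "roles": set(), "app": "Office 365",
                                  "platform": "android", "location": OFFICE_LOCATION_ID},
    "global admin, Android, coffee shop": {"user": "breakglass", "roles": {GLOBAL_ADMIN_ROLE_ID},
                                           "app": "Office 365", "platform": "android", "location": None},
    "employee, iOS, coffee shop": {"user": "alice", "roles": set(), "app": "Office 365",
                                   "platform": "iOS", "location": None},
}

if __name__ == "__main__":
    policy = build_policy(OFFICE_LOCATION_ID)
    print(json.dumps(policy, indent=2))
    print("lint:", lint_policy(policy) or "clean")
    for label, signin in SAMPLE_SIGNINS.items():
        print(f"{label:38} -> {evaluate(policy, signin)}")
```

Running the script prints the request body and shows that only the employee on Android away from the office is prompted for MFA; the same employee in the office, the excluded Global Administrator, and an iOS sign-in all fall outside the policy. The lint pass is the part worth keeping around: change the applications include list to empty (the equivalent of leaving Cloud apps at None) and it reports that the policy will never apply.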


Conditional Access is a very strong access control system built into Azure AD, but it requires an Azure AD Premium P1 license.
