Conditional Access Policies

Step-by-Step Guide: How to configure user risk-based Azure conditional access policies?

In my previous blog post, I explained how to set up sign-in risk-based Azure conditional access policy. This article can be accessed using this link. As I explained in the article, sign-in risk is calculating based on user access behavior. If the user access behavior is flagged as risky, most probably the user account is also compromised. Most of the time, these compromised accounts are sold or shared on the dark web. Now with help of Microsoft, we can check if the corporate accounts are appearing in risky places. Microsoft uses various sources to identify risky user accounts. Such as,

Public paste sites
Dark web research groups
Law enforcement agencies

We can use Azure conditional access policies to verify if the sign-in request is coming from a known compromised account. User account risks are calculated offline, which means it can take 2- 24 hours to appear in reports.
Let’s go ahead and see how we can create a user risk-based Azure conditional access policy.

Configure Azure conditional access policy

1. Log in to Azure Portal (https://portal.azure.com/) as Global / Security / Conditional Access Administrator
2. Then go to Azure Active Directory

3. On the Azure Active Directory page click on Security

4. On the Security Home page, click on Conditional Access

5. Then click on + New Policy

Step-by-Step Guide: How to configure Sign-in risk-based Azure conditional access policies ?

Some time ago I wrote an article about sign-in risk-based conditional access policies. But things have been changed over time and I thought it is time to update it with new content.

Let’s assume we have a web application that is published via the internet. To access the services, the user has to provide a user name and password. If one of the users’ accounts compromised, how the system can differentiate legitimate access and illegal access? From the system’s point of view, as long as someone provides a valid user name and password system will allow access. But if we can analyze user access behaviour and detect anomalies, potentially we will be able to detect illegal access attempts. As an example, let’s assume the user is always log in from Canada. The user logged in to the system at 10 am successful. By 11 am the system detects another authentication attempt from UK for the same user. As we can see this behaviour is suspicious and if the system can detect this automatically, we can prevent a possible illegal access attempt.

Sign-in risk-based Azure conditional access policies help organizations to review user sign-in behaviours and detect risks. Then, based on risk levels, organizations can either block the user or enforce actions such as multi-factor authentication to prove their identity.
Azure categorizes sign-in risks into four levels.

High
Medium
Low
No risk

We can use one or more sign-in risk levels with a conditional access policy.

Due to security reasons, Microsoft does not provide exact details about how the risk levels are calculated. However, Microsoft says the following events contribute on risk level calculation.

Risk Detection Type	Description	Detection Type
Anonymous IP address	This risk detection type indicates sign-ins from an anonymous IP address (for example, Tor browser or anonymous VPN)	Realtime
Atypical travel	This risk detection type identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behaviour.	Offline
Malware linked IP address	This risk detection type indicates sign-ins from IP addresses infected with malware that is known to actively communicate with a bot server.	Offline
Unfamiliar sign-in properties	This risk detection type considers past sign-in history (IP, Latitude / Longitude and ASN) to look for anomalous sign-ins.	Realtime
Password spray	A password spray attack is where multiple usernames are attacked using common passwords in a unified brute force manner to gain unauthorized access. This risk detection is triggered when a password spray attack has been performed.	Offline
Admin confirmed user compromised	This detection indicates an admin has selected ‘Confirm user compromised’ in the Risky users UI or using risky Users API.	Offline
Malicious IP address	This detection indicates sign-in from a malicious IP address.	Offline
Suspicious inbox manipulation rules	This detection is discovered by Microsoft Cloud App Security (MCAS). This detection profiles your environment and triggers alerts when suspicious rules that delete or move messages or folders are set on a user’s inbox.	Offline
Impossible travel	This detection is discovered by Microsoft Cloud App Security (MCAS). This detection identifies two user activities (is a single or multiple sessions) originating from geographically distant locations within a time period shorter than the time it would have taken the user to travel from the first location to the second, indicating that a different user is using the same credentials.	Offline

Source : https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#user-risk

As we can see above, there are two detection types. Realtime detection will take 5-10 minutes to show the results. Offline detection can take up to 24 hours to show the results.
Let’s go ahead and see how we can create a conditional access policy.

Configure conditional access policy

1. Log in to Azure Portal (https://portal.azure.com/) as Global / Security / Conditional Access Administrator
2. Then go to Azure Active Directory

3. On the Azure Active Directory page click on Security

Step-by-Step Guide: How to enable MFA for Azure admins (Preview)?

Multi-factor authentication is no longer a privilege. MFA is providing an additional layer of security for identities. MFA solutions are getting cheaper and cheaper. You even can enable MFA for free on certain online services. Microsoft outlook email is a good example of that. When it comes to cloud services this is more and more important.

Azure MFA is cloud-based multi-factor service which can use to provide two-step verification for Azure AD users. Azure MFA for Azure AD users comes as part of Office 365 or Azure AD P1, P2 subscriptions. When subscriptions are in place, we can enable MFA for users using different methods.

• Enable MFA for all users – This is the most secure method. We can enable this simply by using Office 365 or Azure Portal.

• Enable MFA for selected users – If the licenses are an issue, we also can enable MFA for selected users. This can be done using the same portals as above.

• Enable MFA based on conditional access policies – Let's assume sales users are accessing certain apps from various external networks. Using conditional access policies, I can force MFA authentication for any user who is accessing application A from an untrusted network. This way MFA will only be enabled for certain users. [Read more…] about Step-by-Step Guide: How to enable MFA for Azure admins (Preview)?

Conditional Access with Azure AD B2B

In my previous post I explain how we can use Azure AD B2B to share services/resources between organization. Once these B2B users are register with Azure AD, we can apply “Conditional Access” polcies to control their access further. In this demo I am going to show how to do that.

Prerequisites

Before we start please go ahead and read my previous article about Azure AD B2B, because in this post I am going assume that you already finish the sign-up process for Azure AD B2B users.

You can access the post using https://www.rebeladmin.com/2018/11/cross-organization-collaboration-azure-ad-b2b/

In my demo environment, I have sg-Finance security group. All the users from Finance department are part of it. I do have several applications assigned to them. Company Contoso recently made partnership with another company. Some privileged users from this new company required access to the applications used by sg-Finance users. Therefore, I went ahead and made them member of this group using Azure B2B. However, I need to put extra layer of security for these external user access requests to make sure my sensitive data been protected.

1. To start the configuration, I am logging in to https://portal.azure.com as Global Administrator

2. Then Azure Active Directory | Groups | sg-Finance | Members. In here I can see B2B user dmfrancis

3. Now go back to Azure Active Directory home page and click on Conditional Access

4. Then click on New policy

Step-by-Step guide to control data access using Azure cloud app security (based on content type)

In my recent blog posts, I explained few features of azure cloud app security. In this post also, I am going to explain another feature of it. if you not read my previous posts you still can access it using,

Step-by-Step guide to manage Impossible travel activity alert using Azure cloud app security – https://www.rebeladmin.com/2018/09/step-step-guide-manage-impossible-travel-activity-alert-using-azure-cloud-app-security/

Step-by-Step guide to block data download using Azure Cloud App security – https://www.rebeladmin.com/2018/09/step-step-guide-block-data-download-using-azure-cloud-app-security/

In applications, we are using different type of data. Some of these types of data are very sensitive. Credit card numbers, social security numbers, phone numbers are some examples for that. using cloud app security, we can control access to files contains sensitive data. In my demo environment I have salesforce app. it contains some files with credit card information. I do not want anyone to download these files. Let’s see how we can do it using cloud app security.

Before we start, we need to integrate salesforce with cloud app security. I have explain it in details in my previous post https://www.rebeladmin.com/2018/09/step-step-guide-block-data-download-using-azure-cloud-app-security/ so I am not going to repeat it in here ?.

1. Once integration is done, go to https://portal.cloudappsecurity.com and login as global administrator

2. Go to Settings | Conditional Access App Control

3. Now we should be able to see salesforce under conditional access app control apps tab.

4. Click on session control to create new session control policy.

5. Then under create policy click on Session policy

Conditional Access Policies

Step-by-Step Guide: How to enable MFA for Azure admins (Preview)?

Conditional Access with Azure AD B2B

Recent Posts

About Rebeladmin.com

Conditional Access Policies

Configure Azure conditional access policy

Configure conditional access policy

Footer

Recent Posts

About Rebeladmin.com

Social Media

Tags