Conditional Access Policies

Step-by-Step Guide: How to enable MFA for Azure admins (Preview)?

Multi-factor authentication is no longer a privilege. MFA is providing an additional layer of security for identities. MFA solutions are getting cheaper and cheaper. You even can enable MFA for free on certain online services. Microsoft outlook email is a good example of that. When it comes to cloud services this is more and more important.

Azure MFA is cloud-based multi-factor service which can use to provide two-step verification for Azure AD users. Azure MFA for Azure AD users comes as part of Office 365 or Azure AD P1, P2 subscriptions. When subscriptions are in place, we can enable MFA for users using different methods.

• Enable MFA for all users – This is the most secure method. We can enable this simply by using Office 365 or Azure Portal.

• Enable MFA for selected users – If the licenses are an issue, we also can enable MFA for selected users. This can be done using the same portals as above.

• Enable MFA based on conditional access policies – Let's assume sales users are accessing certain apps from various external networks. Using conditional access policies, I can force MFA authentication for any user who is accessing application A from an untrusted network. This way MFA will only be enabled for certain users. [Read more…] about Step-by-Step Guide: How to enable MFA for Azure admins (Preview)?

Conditional Access with Azure AD B2B

In my previous post I explain how we can use Azure AD B2B to share services/resources between organization. Once these B2B users are register with Azure AD, we can apply “Conditional Access” polcies to control their access further. In this demo I am going to show how to do that.

Prerequisites

Before we start please go ahead and read my previous article about Azure AD B2B, because in this post I am going assume that you already finish the sign-up process for Azure AD B2B users.

You can access the post using https://www.rebeladmin.com/2018/11/cross-organization-collaboration-azure-ad-b2b/

In my demo environment, I have sg-Finance security group. All the users from Finance department are part of it. I do have several applications assigned to them. Company Contoso recently made partnership with another company. Some privileged users from this new company required access to the applications used by sg-Finance users. Therefore, I went ahead and made them member of this group using Azure B2B. However, I need to put extra layer of security for these external user access requests to make sure my sensitive data been protected.

1. To start the configuration, I am logging in to https://portal.azure.com as Global Administrator

2. Then Azure Active Directory | Groups | sg-Finance | Members. In here I can see B2B user dmfrancis

3. Now go back to Azure Active Directory home page and click on Conditional Access

4. Then click on New policy

Step-by-Step guide to control data access using Azure cloud app security (based on content type)

In my recent blog posts, I explained few features of azure cloud app security. In this post also, I am going to explain another feature of it. if you not read my previous posts you still can access it using,

Step-by-Step guide to manage Impossible travel activity alert using Azure cloud app security – https://www.rebeladmin.com/2018/09/step-step-guide-manage-impossible-travel-activity-alert-using-azure-cloud-app-security/

Step-by-Step guide to block data download using Azure Cloud App security – https://www.rebeladmin.com/2018/09/step-step-guide-block-data-download-using-azure-cloud-app-security/

In applications, we are using different type of data. Some of these types of data are very sensitive. Credit card numbers, social security numbers, phone numbers are some examples for that. using cloud app security, we can control access to files contains sensitive data. In my demo environment I have salesforce app. it contains some files with credit card information. I do not want anyone to download these files. Let’s see how we can do it using cloud app security.

Before we start, we need to integrate salesforce with cloud app security. I have explain it in details in my previous post https://www.rebeladmin.com/2018/09/step-step-guide-block-data-download-using-azure-cloud-app-security/ so I am not going to repeat it in here ?.

1. Once integration is done, go to https://portal.cloudappsecurity.com and login as global administrator

2. Go to Settings | Conditional Access App Control

3. Now we should be able to see salesforce under conditional access app control apps tab.

4. Click on session control to create new session control policy.

5. Then under create policy click on Session policy

Step-by-Step guide to configure risk-based azure conditional access policies

In my previous blog posts about conditional access polices I talked about location based and application based polices. In this new blog post I am going to cover risk-based conditional access policies. You can access previous blog posts about conditional access policy using following links,

Step-by-Step Guide to configure location-based Azure conditional access policies – https://www.rebeladmin.com/2018/08/step-step-guide-configure-location-based-conditional-access-policies/

Step-by-Step guide to enable MFA for applications using Azure conditional access – https://www.rebeladmin.com/2018/09/step-step-guide-enable-mfa-applications-using-azure-conditional-access/

Azure AD Identity protection can detect six types of suspicious sign-in activities.

• Users with leaked credentials

• Sign-ins from anonymous IP addresses

• Impossible travel to atypical locations

• Sign-ins from infected devices

• Sign-ins from IP addresses with suspicious activity

• Sign-ins from unfamiliar locations

These six-types of events are categorized in to 3 levels of risks – High, Medium & Low.

Sign-in Activity

Risk Level

Users with leaked credentials

High

Sign-ins from anonymous IP addresses

Medium

Impossible travel to atypical locations

Medium

Sign-ins from infected devices

Medium

Sign-ins from IP addresses with suspicious activity

Low

Sign-ins from unfamiliar locations

Medium

We can use these risk levels with conditional access policies to protect sensitive application access. In this demo I am going to demonstrate how to create risk-based conditional access policies.

My finance team accessing Microsoft teams’ app remotely. I like to create policy to block access to app if their sign in risk level is detected as High & Medium.

To set up the policies,

1. Log in to https://portal.azure.com

2. Click on Azure Active Directory

3. Click on Conditional access

4. In new window, click on New policy to create policy.

5. In policy window, type name for policy & then click on Users & groups. after I select sg-Finance group.

6. Then click on Cloud apps & select Microsoft teams.

7. As next step, click on Conditions | Sign-in risk, then under Configure click on Yes. That will enable sign-in risk policy. We also need to select High & Medium risk levels.

8. Under access control section select Grant, then click on block access.

9. At last, click On under enable policy. then click on Create to complete the process.

10. Now policy is in place. For testing I am going to use what if feature under conditional access policies. This feature in azure allows to create scenario and see if the policy going to apply as expected. This is the best way to test this type of policies as it is not always practical to create real scenario for testing.

11. To do that, go to Azure Active Directory | Conditional access and then click on what if

12. In new window, I have selected a demo user from finance team, also selected the Microsoft teams as cloud app. Under IP address I just define dummy ip and select the country Afghanistan. For sing-in risk, I choose medium level. once data is in, we need to click on what if button to complete the test.

13. Once job is executed, result section shows that new policy we just created is applying successfully. This confirms the policy in place is going to work as expected in real world.

This marks the end of this blog post. Hope now you have better understanding how to configure risk-based azure conditional access policies. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Step-by-Step guide to enable MFA for applications using Azure conditional access

Azure AD conditional access allows to apply MFA (multi factor authentication) rules per application based on groups, locations, sign-in risks. In this demo I am going to show how we can create conditional access policy to control MFA per application.

1) As first step, I am logging in to https://portal.azure.com as global admin.

2) Then go to Azure Active Directory

3) Then click on Conditional access

4) Click on New Policy to create new MFA policy.

5) Then give it a name first, in my demo, my target group is sales & marketing team. So, I click on users & groups and then select the sales & marketing group.

6) Then click on clouds app and select the application. In my demo I am using Microsoft teams.

7) Then click on Access control. after click on Grant Access and select Require multi-factor authentication. At last click on Select to finish the config.

8) Then click On under enable policy and after click on create to activate the policy.

9) Now it is time to test, I am going to log in to https://myapps.microsoft.com with an account belong to sales & marketing group.

10) Then I click on Microsoft Teams.

11) Then right away it gave me this new window. This is because I do not have MFA setup for this user. In order to use MFA, first it asking to set it up.

12) Now, next time when I launch the Microsoft Team, its bring me straight to MFA verification page. This confirms the policy is working as expected. cool ha?

This marks the end of this blog post. Hope now you have better understanding how to create conditional access policy to control MFA for application. This allows administrators to add additional layer of security to sensitive applications. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Conditional Access Policies

Footer

Recent Posts

Social Media

Tags