Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Azure Security Cookbook

You're reading from   Azure Security Cookbook Practical recipes for securing Azure resources and operations

Arrow left icon
Product type Paperback
Published in Mar 2023
Publisher Packt
ISBN-13 9781804617960
Length 372 pages
Edition 1st Edition
Languages
Tools
Arrow right icon
Author (1):
Arrow left icon
Steve Miles Steve Miles
Author Profile Icon Steve Miles
Steve Miles
Arrow right icon
View More author details
Toc

Table of Contents (15) Chapters Close

Preface 1. Part 1: Azure Security Features
2. Chapter 1: Securing Azure AD Identities FREE CHAPTER 3. Chapter 2: Securing Azure Networks 4. Chapter 3: Securing Remote Access 5. Chapter 4: Securing Virtual Machines 6. Chapter 5: Securing Azure SQL Databases 7. Chapter 6: Securing Azure Storage 8. Part 2: Azure Security Tools
9. Chapter 7: Using Advisor 10. Chapter 8: Using Microsoft Defender for Cloud 11. Chapter 9: Using Microsoft Sentinel 12. Chapter 10: Using Traffic Analytics 13. Index 14. Other Books You May Enjoy

Implementing Conditional Access policies

There must be a balance of protecting an organization’s resources while ensuring every user, wherever they are, is empowered to be productive whenever.

To further strengthen our Azure AD identities, we can use insights from identity-driven signal data to make informed access control decisions and then use those decisions to enforce access policies.

MFA works alongside Conditional Access to provide further granular control of access.

Conditional Access is based on an IF/THEN approach. This approach means that IF signal information collected from the sign-in process matches certain criteria, THEN decisions are made based on the information as to whether access will be allowed or blocked.

Conditional Access will also determine whether the user will be required to perform additional authentication methods or take other actions, such as resetting their password. This is represented in the following diagram:

Figure 1.29 – Conditional Access concept

Figure 1.29 – Conditional Access concept

The following are some common Conditional Access policies:

  • Require MFA for all users
  • Require MFA for Microsoft portals/services access
  • Require password reset for risky users
  • Block the use of legacy authentication protocols
  • Require hybrid-joined or compliant devices
  • Allow or deny from specific locations

This recipe will teach you how to implement Conditional Access policies in your environment’s AD tenancy. We will take you through enabling conditional access policies and configuring them to restrict user access to apps based on if a set of conditions have been met.

Getting ready

This recipe requires the following:

  • A device with a browser, such as Edge or Chrome, to access the Azure portal: https://portal.azure.com.
  • You should sign into the Azure portal with an account with the Global Administrator role.
  • You will require Azure AD Premium licenses or trial licenses.
  • If you have Security Defaults enabled, you will automatically have MFA enabled for all users and administrators using the free benefits of Azure AD. Using one of the paid Azure AD Premium licenses provides additional capabilities such as the additional authentication methods of verification codes, text messages, or phone calls, as well as the following:
    • Azure AD Premium P1: This license includes Azure Conditional Access for MFA
    • Azure AD Premium P2: This license adds risk-based Conditional access to MFA

How to do it…

This recipe consists of the following task:

  • Configuring Conditional Access

Task – configuring Conditional Access

Perform the following steps:

  1. From the Azure portal, go to Azure Active Directory, click Security in the Manage section from the side menu, and then click Conditional Access in the Protect section.
  2. Click + New Policy from the top toolbar in the Conditional Access Policies blade:
Figure 1.30 – Conditional Access | Policies

Figure 1.30 – Conditional Access | Policies

  1. Select a Name for your policy from the New conditional access policy blade.
  2. From the Assignments section, select which users and groups this policy will apply to:
Figure 1.31 – User settings

Figure 1.31 – User settings

  1. From the Cloud apps or actions section, select whether this policy will apply to Cloud apps or Actions; we will select Cloud apps:
Figure 1.32 – Apps setting

Figure 1.32 – Apps setting

  1. From the Include tab, we will click Select apps, search for Azure Management, tick the check box next to Microsoft Azure Management app in the list, and click Select. Note the warning dialog box about not locking yourself out:
Figure 1.33 – App selection

Figure 1.33 – App selection

  1. Click the Conditions settings, set any required conditions, or leave it unconfigured:
Figure 1.34 – Conditions settings

Figure 1.34 – Conditions settings

  1. From Grant, under the Access controls section, click on 0 controls selected, set it to Grant access, tick Require multifactor authentication, and then click Select:
Figure 1.35 – Access settings

Figure 1.35 – Access settings

  1. In the Enable policy section, leave it set to Report-only, then click Create.
  2. Your policy will now appear in the policies list:
Figure 1.36 – Access policies list

Figure 1.36 – Access policies list

With that, you have configured Conditional Access. This concludes the hands-on tasks for this recipe.

How it works…

In this recipe, we looked at how we can implement Conditional Access policies in addition to MFA to layer on an additional layer of defense while maintaining the users’ productivity needs.

We configured a Conditional Access policy to a set of selected users (or groups) that required MFA when they accessed the Azure portal; this was enabled by selecting the Microsoft Azure Management app.

See also

Should you require further information, you can refer to the following Microsoft Learn articles:

You have been reading a chapter from
Azure Security Cookbook
Published in: Mar 2023
Publisher: Packt
ISBN-13: 9781804617960
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image