Robust Conditional Access

A robust Conditional Access baseline sample

Are you preparing yourself for the implementation of a Conditional Access Baseline? Continue reading. In this article, I describe the baseline I’ve used by many organizations. Above all, I believe that using a Conditional Access Baseline is a critical item at the security action list of C-Level management. My mission is to kick start this project on the action list and encourage them to use my baseline.

Conditional Access baseline for large organizations +100.000

Forget the Microsoft security defaults. The intension of those policies is a starting point for small organizations. The tables below are overviews of my recommendations for block, report-only and enabled polices.

Blocked Conditional Access rules

PolicyDescription
Block-Unsupported-DLG This policy blocks any login attempt in case a none supported Operating System for Conditional Access is used. The exceptions are Windows 10, Windows Mobile, macOS, iOS and Android.
Block-MFA-Enrollment-DLG This policy blocks enrollment of MFA from a none-compliant device or untrusted locations.

Enabled Conditional Access rules

PolicyDescription
MFA-Admins-Portals-All This policy requires MFA during an authentication attempt at the Microsoft Azure Management Cloud application. There is an exception for manged and compliant devices. The sign-in frequency session option is set to 10 hours. Therefore the admin is enforced to type his password every day.
MFA-BreakTheGlass This policy includes only the break-the-glass account. Any cloud application is included. Access is only granted from a trusted network.
MFA-Users-DLG This policy enforces the use of MFA for all users. The exceptions are login attempts from managed and compliant devices.
MFA-Guest-All This policy requires the use of MFA for all Cloud applications and is only applicable to guests and external users. The session expires every 10 hours. The session expiration enforces that the system asks for the password and the MFA challenge every 10 hours.
DevComp-Win10AndMacOS-DLG This policy is only applicable to Windows 10 and Android. It requires that the device is marked as compliant and includes any application. As soon as the device is marked as compliant in acts as an authentication factor so the users are productive.
*ReqApp-iOSAndAndr-Exo-DLG This policy is only applicable for Exchange Online and the mobile operating systems iOS and Android. Access to Exchange online granted in case an approved client app (Microsoft Outlook) is used.
*ReqAppOrDevComp-iOSAndAndr-DLG This policy is applicable for any application except Exchange online and the mobile operating systems iOS and Android. Access is only granted in case an approved client app is used.
MFA-Admins-M365-AllThis policy enforces an MFA challenge for users with a privileged access role of Azure assigned. This is applicable for any Cloud application except if the device is marked as compliant.
SecApp-Win10AndMacOS-DLGThis policy is for applications with sensitive information where the organization enforces the use of MFA and requires that it’s only accessible via a managed and compliant device.

Report Only

PolicyDescription
Report-UnauthorizedAccess This policy is a catch-all rule for user groups who are not assigned to one of the CA rules above. The grant access rule is set to block but cannot have an impact because the policy is configured as the report only.
Report-LegacyAuth-All This policy logs all legacy authentications attempts. Although the grant access rule is set to block it can’t have an impact because this policy is in report-mode.

*Preview (protected app policy)

You can lock out yourself during the process of implementing Conditional Access rules. Because of this, I recommend to use a break-the-glass account and exclude this account from any CA policy except MFA-Admins-Portal. The break-the-glass account is a high privilege without the need for a 2nd factor. Organizations are marking this account often as a risk. You can mitigate this risk by using Microsoft Cloud Application and sent alerts to all global admins as soon as a login attempt occurs.

Break the glass account

You can lock out yourself during the process of implementing Conditional Access rules. Because of this, I recommend to use a break-the-glass account and exclude this account from any CA policy except MFA-Admins-Portal. The break-the-glass account is a high privilege without the need for a 2nd factor. Organizations are marking this account often as a risk. You can mitigate this risk by using Microsoft Cloud Application and sent alerts to all global admins as soon as a login attempt occurs.

Configuration files

My mission, “The Conditional Access configuration are free of charge.

I appreciate it if you support my mission to increase the security majority level of any organization. You can do this by sharing this blog article on your socials (Twitter, LinkedIn). Just click on the sharing button below.” After you implement this baseline you have as a result a robust Conditional Access baseline.

Tristan van Onselen

Related blogs

Leave a Reply