Conditional Access in Action with Azure Active Directory

In this blog post, I will show you how to enable Conditional Access in Azure Active Directory and block access to an Office 365 application based on a condition.

Conditional Access

Azure Active Directory Conditional Access is a key identity and access control feature: it allows or blocks access to applications based on conditions such as sign-in location, device platform, user or group membership and others, evaluated every time a user authenticates to an application.

Conditional Access can also require multi-factor authentication (MFA) only when a condition is met, instead of prompting for it on every sign-in.

Cost

Azure AD Conditional Access is not free and is not part of the basic Azure AD license.

To use it you need at least an Azure AD Premium P1 license. In my case, I have Enterprise Mobility + Security E3, which bundles it in.

Get Started

In the example below, I will create a Conditional Access policy that:

  1. Applies to a single user called Tim Hyper
  2. Blocks access to the Microsoft Planner app from any Windows device
  3. Leaves every other device platform untouched, so they can still access Planner

Create Policy

To create a Conditional Access policy, I will click on the Azure Active Directory icon from the Azure portal

From Azure AD I will click on Conditional Access

I will name my policy Planner.

You will also notice that the policy has two parts:

  • Assignments – who and what the policy applies to (users and groups, cloud apps) and the conditions under which it applies (device platform, location, etc.)
  • Access controls – what happens when the assignments match: block access, or grant it with requirements such as MFA

In the Users and groups section, I will select my user Tim

In the Cloud apps section, I will select the Microsoft Planner App

In the Device platforms condition, I will select Windows as the platform the policy targets. Keep in mind that Azure AD determines the platform from what the client reports (for example the browser user agent string), which the client can change; this condition is a usability and policy-scoping control, not a hard guarantee that a Windows device can never reach Planner.

In Access controls section I will select Block Access to block access to Microsoft Planner from any Windows platform

And in the last section, Enable policy, I will select On to enforce the policy. The same control also offers Report-only, which evaluates the policy and records the result in the sign-in logs without enforcing it; that is the safer first step in a production tenant before switching to On.
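The same policy can be created without the portal, which makes it reviewable and repeatable. The script below is an added example written for this post, not code from the original, and uses the Microsoft Graph PowerShell SDK. It assumes the caller has consented to the listed Graph scopes, that the service principal for Planner is named exactly "Microsoft Planner" in the tenant, and that Tim's sign-in name is tim.hyper@contoso.com; the user principal name is hypothetical.

```powershell
# Added example: build the "Planner" Conditional Access policy through Microsoft Graph.
# Assumptions (not from the original post): Graph PowerShell SDK installed, caller can
# consent to the scopes below, and the target user's UPN is the hypothetical value here.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All', 'User.Read.All'

# Resolve the user and the app up front so the policy references object IDs, not names.
$user = Get-MgUser -UserId 'tim.hyper@contoso.com'   # hypothetical UPN for Tim Hyper
$planner = @(Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Planner'")
if ($planner.Count -ne 1) {
    throw "Expected exactly one 'Microsoft Planner' service principal, found $($planner.Count)"
}

$policy = @{
    displayName = 'Planner'
    # Start in report-only: evaluated and logged in the sign-in logs, but not enforced.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{ includeUsers        = @($user.Id) }
        applications = @{ includeApplications = @($planner[0].AppId) }   # CA wants the app (client) ID
        platforms    = @{ includePlatforms    = @('windows') }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')   # same as choosing "Block access" in the portal
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Once the sign-in logs show it only matches Tim's Windows sign-ins to Planner, enforce it.
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = 'enabled' }
```

The `state` value is the only difference between the portal's Report-only and On; keeping the first run in report-only lets you confirm the match before anyone is locked out, and the final `Update-` call flips it to enforcement.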

Policy in action

To test the policy, I will sign in as Tim from a Windows machine and try to open Microsoft Planner from the Office 365 portal

And below you can see how Azure AD blocks access to Microsoft Planner only; the rest of Office 365 still opens normally for the same session.
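The portal screenshot shows one attempt; the sign-in logs show every attempt the policy touched, including the platform the device reported. The query below is an added example, not part of the original post. It assumes consent to the AuditLog.Read.All and Directory.Read.All scopes and reuses the hypothetical UPN tim.hyper@contoso.com.

```powershell
# Added example: list the sign-ins the "Planner" policy blocked (or would have blocked in
# report-only mode). The UPN is hypothetical; scopes below are an assumption about consent.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

$upn = 'tim.hyper@contoso.com'
$signIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn'" -Top 100

foreach ($s in $signIns) {
    # Every evaluated CA policy is listed per sign-in with its own result.
    # 'failure' = enforced block; 'reportOnlyFailure' = would have blocked in report-only.
    $hit = $s.AppliedConditionalAccessPolicies |
        Where-Object { $_.DisplayName -eq 'Planner' -and $_.Result -in @('failure', 'reportOnlyFailure') }
    if ($hit) {
        [pscustomobject]@{
            Time     = $s.CreatedDateTime
            App      = $s.AppDisplayName
            Platform = $s.DeviceDetail.OperatingSystem   # as reported by the client
            Browser  = $s.DeviceDetail.Browser
            Result   = $hit.Result
        }
    }
}
```

Two things to check in the output: the App column should only ever read Microsoft Planner, and the Platform column should only ever show a Windows version. A Planner sign-in from Tim on Windows that is missing from the list means the client reported a different platform, which is the spoofing caveat from the Device platforms step showing up in practice.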

Conclusion

In a world where cloud applications are everywhere and access comes from any location and any device, Conditional Access is one of the few controls that lets you base the access decision on the identity and its context rather than on the network perimeter.

