Unit 4: Plan Conditional Access Policies
Why Planning Matters
In modern environments:
- Users work remotely.
- Devices are diverse.
- Applications are cloud-based.
Access decisions must consider context, not just identity.
What Conditional Access Does
Conditional Access:
- Analyzes signals like user, device, location, and risk.
- Makes automated decisions.
- Enforces controls like MFA, blocking, or device compliance.
Benefits of Conditional Access
- Increase productivity by prompting MFA only when needed.
- Reduce risk through automated policy enforcement.
- Support compliance and governance requirements.
- Reduce cost by replacing custom access solutions.
- Support Zero Trust principles.
Conditional Access Policy Logic
Conditional Access policies are IF–THEN statements.
IF assignments are met,
THEN access controls are applied.
Policy Components
Assignments
- Users and groups.
- Cloud apps or actions.
- Conditions such as location or device platform.
Access Controls
- Grant access with requirements like MFA or compliant device.
- Block access.
Session Controls
- Control how long sessions last.
- Apply app-enforced restrictions.
Access Token Issuance Concept
If no Conditional Access policy applies to a sign-in, the access token is issued by default; policies can only add requirements or block, never grant more than the default.
Example:
- IF user is in Group A → Require MFA.
- Users not in Group A are not affected unless another policy blocks them.
Blocking everyone else requires a separate block policy.
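The IF-THEN logic and the default-issuance rule above, modelled in Python as an added example that is not part of the course material; the policy dictionaries only loosely follow the Microsoft Graph shape, and "Group A", the user names and the emergency account are constructed.

```python
# Added example, not part of the course material: a simplified model of how
# Conditional Access combines policies. Policy dictionaries loosely follow the
# Microsoft Graph shape; "Group A" and the break-glass account are constructed.
ENABLED = "enabled"
REPORT_ONLY = "enabledForReportingButNotEnforced"   # report-only mode
BREAK_GLASS = "breakglass@contoso.example"          # constructed emergency account

# Policy 1: IF user is in Group A THEN require MFA (emergency account excluded).
MFA_FOR_GROUP_A = {"state": ENABLED, "grantControls": ["mfa"],
                   "users": {"includeGroups": ["Group A"], "excludeUsers": [BREAK_GLASS]}}
# Policy 2: the separate block policy needed to cover everyone else.
BLOCK_EVERYONE_ELSE = {"state": ENABLED, "grantControls": ["block"],
                       "users": {"includeUsers": ["All"], "excludeGroups": ["Group A"],
                                 "excludeUsers": [BREAK_GLASS]}}


def policy_applies(policy, signin):
    """The IF part: do the assignments match this sign-in? Exclusions win."""
    users = policy["users"]
    if signin["user"] in users.get("excludeUsers", []):
        return False
    if set(signin["groups"]) & set(users.get("excludeGroups", [])):
        return False
    in_scope = users.get("includeUsers") == ["All"] or bool(
        set(signin["groups"]) & set(users.get("includeGroups", [])))
    apps = policy.get("applications", ["All"])
    return in_scope and (apps == ["All"] or signin["app"] in apps)


def evaluate(policies, signin):
    """The THEN part: merge the controls of every applicable *enforced* policy.

    Returns ("block", []), ("grant", [controls]) or, when no enforced policy
    applies, ("allow", []) because the token is issued by default.
    """
    required, blocked, matched = set(), False, False
    for policy in policies:
        if not policy_applies(policy, signin) or policy["state"] == REPORT_ONLY:
            continue            # report-only: would apply, logged but not enforced
        matched = True
        blocked = blocked or "block" in policy["grantControls"]
        required.update(c for c in policy["grantControls"] if c != "block")
    if blocked:
        return ("block", [])
    return ("grant", sorted(required)) if matched else ("allow", [])


if __name__ == "__main__":
    bob = {"user": "bob@contoso.example", "groups": [], "app": "Office 365"}
    print(evaluate([MFA_FOR_GROUP_A], bob))                       # ('allow', [])
    print(evaluate([MFA_FOR_GROUP_A, BLOCK_EVERYONE_ELSE], bob))  # ('block', [])
```

Run it to see that a user outside Group A is untouched until the explicit block policy exists, and that the break-glass account is never caught by either policy.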
Best Practices
- Always create emergency access accounts.
- Use report-only mode before enforcing policies.
- Exclude administrators carefully.
- Use named locations to block high-risk countries.
Common Conditional Access Policies
- Require MFA for admins or risky sign-ins.
- Block legacy authentication.
- Require managed or compliant devices.
- Require approved client applications.
- Block access during migrations.
Testing and Deployment
Best practice deployment approach:
- Communicate changes to users.
- Start with small pilot groups.
- Exclude administrators initially.
- Expand gradually after validation.