Entra ID Conditional Access: How to get started?

Conditional access is a security feature that allows organizations to control access to business resources based on certain conditions. Common reasons for using this technology include applying multi-factor authentication (MFA), requiring stronger authentication measures during login, and more. It's also one of the core features of Microsoft Entra ID, focused on controlling access for applications and identities in Microsoft 365 cloud services. In this article, we'll take a closer look at what Conditional Access in Entra ID is and how it works, and we'll try to understand its role in your company's security posture.

What you'll find in this article

  • Introducing Microsoft Entra ID
  • Entra ID Conditional Access and the issue of secure authentication
  • What is conditional access in Entra ID
  • Entra ID Conditional Access: the elements that constitute it
  • Entra ID Conditional Access: testing and troubleshooting

Introducing Microsoft Entra ID

Microsoft Entra ID (formerly known as Azure Active Directory) is Microsoft's cloud-based identity and access management service. It helps manage and protect user identities, allows legacy or local identities to be synchronized with the cloud, and offers Single Sign-On (SSO) access to Infrastructure as a Service (IaaS) and Software as a Service (SaaS) applications.

Entra ID plays a crucial role in Microsoft's cloud architecture. It is the only identity provider that provides direct access to the most popular Microsoft applications, such as Microsoft 365 and Azure Cloud Services, which is why it is essential to correctly configure your Entra ID tenant.

Otherwise, the consequences can be serious. Over the past year, malicious actors have exploited Entra ID misconfigurations in high-profile attacks, including the latest breach against Microsoft itself, in which the threat group Midnight Blizzard gained access to one of Microsoft's Entra ID tenants through a password spraying attack aimed at accounts without MFA.

After the initial breach, the group abused the permissions of OAuth applications to access executive mailboxes and steal sensitive information. Breaches of this type are preventable with adequate security controls on Entra ID.

Implementing a secure authentication system is a necessity for any organization. However, too many restrictions can make logging in not only secure, but also frustrating for users. To balance security and efficiency, Microsoft Entra ID uses Conditional Access policies to apply different levels of authentication, adapted to various conditions.

But what is conditional access, what is it for and how can it be implemented? Let's find out in the next sections.

Entra ID Conditional Access and the issue of secure authentication

Let's take a hypothetical scenario as an example: we are responsible for managing identities and access in a company based in a European country. The company has a hundred employees distributed across various departments and has a hybrid infrastructure that includes:

  • Local Active Directory
  • Legacy on-premises applications
  • An Entra ID tenant synchronized with the local AD
  • Workloads on a major IaaS provider
  • Cloud services and SaaS applications:
    • Microsoft 365 (Email, SharePoint, and Office)
    • Salesforce
    • GitHub
    • A SaaS accounting and finance application

Based on this information, our task will be to implement a secure authentication strategy that takes into account the following aspects:

  • The approach must be as permissive as possible, adopting strict security measures only when strictly necessary.
  • Every department must be able to operate remotely, if necessary.
  • On-premises users must be able to access any service in the hybrid environment through Single Sign-On.
  • Separation of roles: employees must have access only to services that are relevant to their work.
  • The principle of least privilege must be applied when assigning permissions to applications.

In short, a long list of requirements that demand the perfect balance between strictness and simplicity. Not a particularly simple task.

Although it may seem complex, this is the reality of many companies today. Employees work remotely around the world, with different roles and levels of access, which demands stricter authentication strategies and methods than ever.

If, for example, an administrator logs in while on vacation on the other side of the world, their authentication process must necessarily be stricter than when working in the office.

To give employees this flexibility while addressing different security needs, it is essential to adopt a conditional access strategy.

This allows you to customize security measures based on roles, geographical locations and applications, creating a robust and adaptable security framework.

But what exactly is it? Let's find out below.

What is Conditional Access in Entra ID

Conditional Access is a security feature offered by Entra ID. It is provided to Entra ID Premium P1 and P2 tenants, and is also included in the Microsoft 365 Business Premium, M365 E3 + Security, and M365 E5 plans.

The feature allows organizations to control access to specific applications and resources based on defined criteria for login attempts. IT administrators can create multiple policies to manage the complexities and unique needs of their infrastructure.

The mechanism works by evaluating certain conditions at the time of access (known as access conditions), such as the location, time, or device used to make the request, and then applying security policies to ensure that access is granted only if it meets the predefined conditions.

Overview of conditional access in Microsoft Entra ID

It can be imagined as a security policy analysis engine that processes signals and attributes of incoming authentication and authorization requests, applying company policies to grant or deny access to resources based on these parameters.

The range of settings, conditions, and policies available allows you to create policies tailored to meet your organization's security and compliance needs.

Conditional access aligns with the fundamental principles of Microsoft's Zero Trust security model, according to which trust is never presumed and every attempt to log in is scrupulously verified.

When configured, conditional access acts as a security guardian, ensuring that authentication and access to resources comply with established authentication conditions and requirements.

A typical conditional access flow follows these steps:

  1. The authentication process begins when the user enters their primary credentials, usually a username and password. If correct, we proceed to the next phase.
  2. The conditional access policy evaluates whether the conditions defined in the policy are met. If they are, the expected actions are applied.
  3. If the policy requires additional verification, the user must provide a second authentication factor among those available. After a successful verification, the access policy is re-evaluated to determine if an additional MFA is needed.
  4. If all the requirements of the conditional access policy are met, access to the resource is granted. Otherwise, access is denied.

Zero Trust policy with Entra ID Conditional Access

The criteria behind conditional access help prevent unauthorized access to sensitive resources, improving the organization's security posture.

They are extremely versatile tools and apply to different scenarios, but they can be complex to configure.

Here are a few ways you can use conditional access controls to achieve your security and compliance objectives:

  • Blocking unauthorized access: allows access only with passwordless or phishing-resistant authentication methods, reducing the risk of compromising user accounts.
  • Location-based access: grants or blocks access based on the origin of the authentication request. You can define trusted and untrusted zones, applying different rules. For example, you might require MFA for users who log in from home, but relax the rule for those who log in from headquarters.
  • Compliance-based access: adjusts access based on the device used for authentication. Different conditions may apply depending on the device's compliance status. For example, if the device is marked as compliant in Entra ID and joined to the domain, it is possible to adopt less restrictive controls than a stricter Zero Trust policy.
  • Session controls: limits the duration of the session based on the user's role in the directory. By default, Entra ID's re-authentication period is 90 days, but you can create customized policies for different business roles based on their sensitivity, for example, requiring administrators to authenticate more frequently than unprivileged users.
  • Identity and application granularity: creates specific policies for certain applications or particular users. For example, it would be possible to define a policy that grants access to an emergency administrator (break-glass) only under specific conditions, or to apply stricter authentication controls for sensitive applications (such as Entra's administration portals) than other cloud applications.

Did you know that we help our customers manage their Azure tenants?

We have created the Infrastructure & Security team, focused on the Azure cloud, to better respond to the needs of our customers who involve us in technical and strategic decisions. In addition to configuring and managing the tenant, we also take care of:

  • optimization of resource costs
  • implementation of scaling and high availability procedures
  • creation of application deployments through DevOps pipelines
  • monitoring
  • and, above all, security!

With Dev4Side, you have a reliable partner that supports you across the entire Microsoft application ecosystem.

Entra ID Conditional Access: the latest news

Recently, a series of major announcements and releases have affected Microsoft Entra ID and its Conditional Access features. Let's take a look at the main ones below.

Integration with Security Copilot

We know how much Microsoft is increasingly integrating its Copilot into all its tools, and its security suites are no exception.

The integration of Security Copilot into the Microsoft Entra Admin Center will allow administrators to access the most advanced features of Redmond's AI assistant for managing identity security.

Key features include:

  • AI assistance for identity risk analysis: Security Copilot provides natural language summaries of identity-related contexts and information, allowing for a quick response to threats.
  • Tips for configuring policies: integrated artificial intelligence offers recommendations to optimize security policies, improving the organization's overall posture.
  • Support in troubleshooting sign-ins: administrators can use Security Copilot to quickly diagnose and resolve login issues, reducing downtime and improving operational efficiency.
  • Protecting access to generative AI services such as Microsoft 365 Copilot: the integration ensures that access to advanced services such as Microsoft 365 Copilot is secure, monitoring and managing the associated risks.

Structural changes

Microsoft announced the introduction of mandatory multi-factor authentication (MFA) for accessing the Microsoft Entra Admin Center, the Microsoft Azure Portal and the Microsoft Intune Admin Center.

In addition, other changes are planned, including the unification of 'Cloud apps' and 'Global Secure Access' under a single 'Resources' item, the automatic updating of the existing policy scheme and new options for managing MFA notifications, including integration with WhatsApp for some countries.

However, there is currently no official information available about these changes and we therefore recommend that you monitor Microsoft's announcements to confirm future updates.

Entra ID Conditional Access: the elements that constitute it

Conditional access is determined by policies. Administrators can design and create policies for different usage scenarios, controlling who can access what and when. Based on established controls, policies determine whether or not a user can access a specific application or service.

At their core, they operate as 'if-then' statements. For example, if a user tries to log in to an application from an unknown or untrusted location, they will need to use multi-factor authentication (MFA) to gain access.

If, on the other hand, the user is logging in from one of the company locations, the MFA prompt may not be necessary.

Conditional access policies are comprised of two main sections:

  • Assignments
    • Users — Who is affected by the policy?
    • Target resources — Which resources are protected by the policy?
    • Conditions — Under what conditions does the policy grant or deny access?
  • Access controls
    • Grant — Block or allow access. If access is allowed, you can specify additional security measures.
    • Session — Manage the duration of sessions in Entra ID.

To create a new policy in the Entra ID portal, log in as administrator and go to Security > Conditional Access > Create new policy.

Conditional Access in the Microsoft Entra Admin Center

Users

Configure who is affected by the policy.

It is possible to include and exclude entities within the same policy. For example, a policy may include a specific group (such as privileged users) and exclude specific roles (such as Global Administrators) to ensure the highest possible level of granular access.

Target resources

Four types of target resources can be protected by Conditional Access policies:

  1. Cloud applications — Any application that Entra ID provides access to. The policy is evaluated when a user accesses one of the applications defined as a target.
  2. User actions — The policy is evaluated when the user tries to register security information (MFA, password, etc.) or to connect a new device to the tenant.
  3. Global Secure Access — A network security solution that protects and controls access to corporate resources, applying conditional access policies at the network level. For more information, please consult the Microsoft documentation.
  4. Authentication context — A tag applicable to Protected Actions (tenant-level actions), Entra ID Groups and SharePoint data. When configuring a policy based on the authentication context, you must select at least one authentication context. The policy is evaluated in the following cases:
    • The user performs a secure action associated with the authentication context.
    • The user is a member of a group associated with the authentication context.
    • The user attempts to access a file associated with the authentication context.

Conditions

Six conditions may apply to a Conditional Access policy:

  1. User risk — This security feature of Entra ID marks users as at risk if suspicious activity is detected.
  2. Sign-in risk — If Entra ID identifies an authentication attempt as risky, the policy is evaluated at the time of login. You can control user access based on the level of risk detected by Entra ID during authentication.
  3. Device platforms — Approve or deny authentication requests based on the operating system of the device used for logging in.
  4. Locations — Named locations are configurable objects that group lists of IP addresses and CIDR (Classless Inter-Domain Routing) ranges, or countries and regions. You can approve or deny access based on the origin of the authentication request.
  5. Client applications — There are two main types of client applications: those that use modern authentication and those that rely on legacy authentication protocols. An authentication request can be approved or denied based on the client application used for login, which is especially useful, since legacy applications can expose the tenant to risks such as user enumeration and brute-force attacks.
  6. Device filter — Custom conditions can be applied to devices to decide which devices are allowed to access your tenant.

Grant

This allows or denies access to the tenant based on the configured assignments.

If the policy allows access, you can apply one or more security controls as additional access requirements.

These may include:

  • Require multi-factor authentication (MFA) — Any type of MFA is required to log in.
  • Require a specific level of authentication — Choose which types of MFA (passwordless, phishing-resistant, or any type) are required for access.
  • Require the device to be marked as compliant — Determined by the Intune compliance policy.
  • Require a Microsoft Entra hybrid joined device — Allows access only from devices that are joined to the on-premises domain and registered in Entra ID.
  • Require an approved client app — Allows access only if the user authenticates through applications listed in the Microsoft documentation.
  • Require an app protection policy — The application used for access must be protected by an Intune app protection policy. For more details, see the Microsoft documentation.
  • Require password change — Allows login and forces a password change after successful authentication.

Session

These controls manage session properties, such as duration, persistence, continuous access and more, after successful authentication, and let administrators apply controls such as:

  • Use app enforced restrictions — Defines a limited or full session based on the source device. When you use this control, Entra ID passes device information to the target application, and each application can be configured to establish sessions with different capabilities based on the data received. Microsoft cloud services such as Microsoft 365, Exchange Online and SharePoint Online support this control. For example, you can configure Microsoft 365 to allow unrestricted sessions only when signing in from a hybrid joined device, even for administrator users.
  • Use Conditional Access App Control — Tenants licensed for Microsoft Defender for Cloud Apps and Entra ID P1 can route traffic to their cloud applications through Defender for Cloud Apps, which acts as a proxy between the user and the target app and monitors the user's activity to detect suspicious actions.
  • Sign-in frequency — Determines the maximum time before a user must re-authenticate.
  • Persistent browser session — Allows the session to remain active even after the browser is closed. This option is not recommended because it exposes the session to unnecessary risk.
  • Customize continuous access evaluation — Revokes access tokens in real time based on critical events. For example, the session's IP address can be monitored continuously and the session revoked if it changes (a possible sign of session theft), forcing the user to re-authenticate.
  • Disable resilience defaults — Controls what happens if policies cannot be evaluated, for example during a service outage. By default, Entra ID extends active sessions if it cannot process policies; if you enable this control, the session is not extended.
  • Require token protection for sign-in sessions (preview) — Binds user sessions to the device on which they were created. This feature is available for supported devices and currently applies only to Exchange Online and SharePoint. See the Microsoft documentation for more details.
  • Use the Global Secure Access security profile — Relevant only if the policy's target resource is set to Global Secure Access.

Once you have finished configuring the relevant controls, you can apply one of the following operating modes:

  • On — The policy is active and allows or denies access based on configured controls.
  • Off — The policy is not active.
  • Report-only — The policy is not active, but it records the results of the policy evaluation. This option is ideal for debugging policies.
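As an added example (not Dev4Side's or Microsoft's code), here is a small Python model of the structure just described: each policy carries assignments (users, target resources, conditions) and a grant control, its operating mode decides whether it is enforced or only reported, and the evaluator walks the steps listed earlier and returns the kind of verdict the What If tool shows. Names, groups, applications and IP ranges are constructed, and real Entra ID policies carry more conditions than are modelled here.

```python
from dataclasses import dataclass, field
import ipaddress

# Named locations: constructed ranges standing in for the trusted office networks
NAMED_LOCATIONS = {"HQ": ["203.0.113.0/24"], "Branch": ["198.51.100.0/25"]}

def location_of(ip):
    """Return the named location containing ip, or None if it is untrusted."""
    addr = ipaddress.ip_address(ip)
    for name, ranges in NAMED_LOCATIONS.items():
        if any(addr in ipaddress.ip_network(r) for r in ranges):
            return name
    return None

@dataclass
class SignIn:                        # the signals one request carries
    user: str
    groups: set
    roles: set
    app: str
    ip: str
    client_app: str                  # "modern" or "legacy"
    sign_in_risk: str = "none"       # none | low | medium | high
    mfa_satisfied: bool = False
    device_compliant: bool = False

@dataclass
class Policy:                        # assignments + grant control
    name: str
    state: str                                            # on | off | report-only
    include_groups: set = field(default_factory=lambda: {"All"})
    exclude_roles: set = field(default_factory=set)
    apps: set = field(default_factory=lambda: {"All"})
    location_exclude: set = field(default_factory=set)    # names, or "AllTrusted"
    client_apps: set = field(default_factory=lambda: {"modern", "legacy"})
    risk_levels: "set | None" = None                      # None = any risk level
    grant: set = field(default_factory=set)               # {"block"} or required controls

def applies(p, s):
    """Step 2: is the request in scope? Every configured condition must match."""
    if p.state == "off" or p.exclude_roles & s.roles:
        return False
    if "All" not in p.include_groups and not p.include_groups & s.groups:
        return False
    if "All" not in p.apps and s.app not in p.apps:
        return False
    loc = location_of(s.ip)           # trusted named location, or None
    if loc and ("AllTrusted" in p.location_exclude or loc in p.location_exclude):
        return False
    return s.client_app in p.client_apps and (
        p.risk_levels is None or s.sign_in_risk in p.risk_levels)

def evaluate(policies, s):
    """Steps 2-4: collect applying policies and decide, like the What If report."""
    out = {"applies": [], "not_applied": [], "report_only": [], "required": set()}
    for p in policies:
        if not applies(p, s):
            out["not_applied"].append(p.name)
        elif p.state == "report-only":
            out["report_only"].append(p.name)   # evaluated and logged, never enforced
        else:
            out["applies"].append(p.name)
            out["required"] |= p.grant
    if "block" in out["required"]:
        out["decision"] = "blocked"             # a block always wins over a grant
    elif "mfa" in out["required"] and not s.mfa_satisfied:
        out["decision"] = "mfa_required"        # step 3: prompt for a second factor
    elif "compliant_device" in out["required"] and not s.device_compliant:
        out["decision"] = "blocked"             # cannot be satisfied interactively
    else:
        out["decision"] = "granted"
    return out

# Constructed policy set modelled on the scenario in this article
POLICIES = [
    Policy("Block legacy authentication", "on", client_apps={"legacy"}, grant={"block"}),
    Policy("Require MFA outside trusted locations", "on", exclude_roles={"Break-glass"},
           location_exclude={"AllTrusted"}, grant={"mfa"}),
    Policy("Admins: MFA everywhere", "on", include_groups={"Privileged users"},
           exclude_roles={"Break-glass"}, grant={"mfa"}),
    Policy("High-risk sign-ins are blocked", "on", risk_levels={"high"}, grant={"block"}),
    Policy("Finance app requires compliant device", "report-only",
           apps={"Finance SaaS"}, grant={"compliant_device"}),
]
```

Calling evaluate(POLICIES, SignIn(...)) with a constructed request returns which policies apply, which would apply in report-only mode, and the resulting decision.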

Entra ID Conditional Access: testing and troubleshooting

As organizations grow, so do their access use cases, and each may require a dedicated policy; on top of that, all the policies that apply to a request must be satisfied at the same time.

At this point, you might find yourself managing dozens of policies and wondering: Are there duplicate policies? Are they evaluated correctly? Is there a logical error in configuring the policy that denies a crucial service? Are there any users blocked by mistake?

These are all valid concerns, so here are two simple methods for resolving any policy issues.

Sign-in logs

The Entra ID sign-in logs provide details on which policies were evaluated during the login process and what their result was. To view the logs, open Entra ID and go to Monitoring > Sign-in logs. Clicking a log entry and opening the Conditional Access tab shows which policies were evaluated and their results.

Sign-in logs in Entra ID

We can use search filters to answer specific questions such as: “What policies have been evaluated for user X?” or “What policy is preventing user Y from logging in?”.

On the sign-in logs page, click Add filters, choose Conditional Access and apply the filter.

By default, the new filter value is set to None selected. Click the new filter and select Failure.

Click a specific failed sign-in entry and open the Conditional Access tab. Select a policy row, then the three dots on the right and finally Show details. The page that opens explains why the result is Failure.
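As an added example (not part of the original article), the same questions can be answered programmatically over the sign-in records that Microsoft Graph returns under /auditLogs/signIns, using the conditionalAccessStatus and appliedConditionalAccessPolicies properties; the records below are constructed sample data with placeholder users, IP addresses and policy ids.

```python
from collections import Counter, defaultdict

# Constructed sample records in the shape of Microsoft Graph /auditLogs/signIns
# entries (only the properties used here). UPNs, IPs and policy ids are placeholders.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "a.rossi@example.com", "appDisplayName": "Salesforce",
     "ipAddress": "192.0.2.7", "conditionalAccessStatus": "failure",
     "appliedConditionalAccessPolicies": [
         {"id": "policy-id-1", "displayName": "Require MFA outside trusted locations",
          "enforcedGrantControls": ["Mfa"], "result": "failure"},
         {"id": "policy-id-2", "displayName": "Block legacy authentication",
          "enforcedGrantControls": ["Block"], "result": "notApplied"}]},
    {"userPrincipalName": "a.rossi@example.com", "appDisplayName": "Salesforce",
     "ipAddress": "192.0.2.7", "conditionalAccessStatus": "success",
     "appliedConditionalAccessPolicies": [
         {"id": "policy-id-1", "displayName": "Require MFA outside trusted locations",
          "enforcedGrantControls": ["Mfa"], "result": "success"},
         {"id": "policy-id-2", "displayName": "Block legacy authentication",
          "enforcedGrantControls": ["Block"], "result": "notApplied"}]},
    {"userPrincipalName": "m.bianchi@example.com", "appDisplayName": "Exchange Online",
     "ipAddress": "203.0.113.20", "conditionalAccessStatus": "failure",
     "appliedConditionalAccessPolicies": [
         {"id": "policy-id-1", "displayName": "Require MFA outside trusted locations",
          "enforcedGrantControls": ["Mfa"], "result": "notApplied"},
         {"id": "policy-id-2", "displayName": "Block legacy authentication",
          "enforcedGrantControls": ["Block"], "result": "failure"}]},
    {"userPrincipalName": "l.verdi@example.com", "appDisplayName": "Finance SaaS",
     "ipAddress": "198.51.100.9", "conditionalAccessStatus": "success",
     "appliedConditionalAccessPolicies": [
         {"id": "policy-id-1", "displayName": "Require MFA outside trusted locations",
          "enforcedGrantControls": ["Mfa"], "result": "notApplied"},
         {"id": "policy-id-3", "displayName": "Finance app requires compliant device",
          "enforcedGrantControls": ["CompliantDevice"], "result": "reportOnlyFailure"}]},
]

def failed_sign_ins(records):
    """The portal view you get with the filter Conditional Access = Failure."""
    return [r for r in records if r["conditionalAccessStatus"] == "failure"]

def evaluated_policies(records, upn):
    """Which policies were actually evaluated for user X (any result but notApplied)."""
    names = set()
    for r in records:
        if r["userPrincipalName"] == upn:
            for p in r["appliedConditionalAccessPolicies"]:
                if not p["result"].lower().endswith("notapplied"):
                    names.add(p["displayName"])
    return names

def blocking_policies(records, upn):
    """What Show details tells you: policies whose grant controls user Y failed."""
    hits = Counter()
    for r in records:
        if r["userPrincipalName"] == upn:
            for p in r["appliedConditionalAccessPolicies"]:
                if p["result"] == "failure":
                    hits[(p["displayName"], "+".join(p["enforcedGrantControls"]))] += 1
    return hits

def report_only_impact(records):
    """Report-only policies that would have blocked real sign-ins if switched on."""
    impact = defaultdict(set)
    for r in records:
        for p in r["appliedConditionalAccessPolicies"]:
            if p["result"] == "reportOnlyFailure":
                impact[p["displayName"]].add(r["userPrincipalName"])
    return {name: sorted(users) for name, users in impact.items()}

def never_succeeding_users(records):
    """Users whose every sign-in ended in a Conditional Access failure: blocked by mistake?"""
    outcomes = defaultdict(set)
    for r in records:
        outcomes[r["userPrincipalName"]].add(r["conditionalAccessStatus"])
    return sorted(u for u, s in outcomes.items() if s == {"failure"})
```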

What if

We don't necessarily have to wait for a scenario to occur to find out whether our policies work. We can trigger it ourselves.

Before anyone pulls out a laptop with Kali, though, let's point out a very useful Entra ID feature: the What If tool, which simulates a sign-in event so you can verify the soundness of the policies you have implemented.

To use it, from the Entra ID console go to Security > Conditional Access > Policies, then select What If.

In the new window, we can give the tool hypothetical sign-in details. After filling them in, select What If: a new section appears with two tabs, Policies that will apply and Policies that will not apply.

Simulating a sign-in event with What If in Microsoft Entra ID

Conclusions

With the spread of remote work and the sharp increase in digital security threats in recent years, having access policies that are flexible and strict at the same time is essential for all your business users.

Entra ID, with its Conditional Access features, offers exactly this apparently paradoxical combination and allows fine-grained access control that takes into account every risk factor that could make an access attempt suspicious.

Getting to know this functionality thoroughly is essential for every Entra ID user. For those who are still undecided or know nothing about the subject, we can only invite them to learn more about Entra ID and to secure their corporate identities and digital assets as soon as possible.

FAQ about conditional access in Entra ID

What is Conditional Access in Entra ID?

Conditional Access is an Entra ID security feature that allows you to control access to business resources based on predefined conditions. It is based on policies that evaluate factors such as geographical location, the device used and the level of access risk to determine whether to grant or deny authentication.

What are the main benefits of Conditional Access?

Conditional Access offers protection against unauthorized access and allows multi-factor authentication to be applied only when necessary, avoiding unnecessary complications for users. It also allows you to customize access policies based on different parameters, such as the role, location and device used. Following Zero Trust principles, it guarantees strict control over every access attempt, helping to strengthen the organization's security.

What licenses are needed to use Conditional Access?

To use Conditional Access, you must have an Entra ID Premium P1 or P2 license. It's also included in the Microsoft 365 Business Premium, M365 E3 + Security, and M365 E5 plans.

How does Conditional Access work in practice?

When a user attempts to access a business resource, Entra ID evaluates a series of conditions defined by policies. These may include the device used, the geographical location, the time of access and the level of risk associated with the user. If the established conditions are met, access is granted. Otherwise, an additional authentication step may be required or access may be denied.

Can Conditional Access be used to block access from certain locations?

Yes, you can configure policies that restrict access based on geographic location and IP addresses. For example, unrestricted access may be allowed to users who connect from corporate offices, while those accessing from a home network may be required to use multi-factor authentication. Access from countries considered to be at high risk can be completely blocked.

Can Conditional Access protect access to cloud applications?

Yes, Conditional Access supports SaaS applications such as Microsoft 365, Salesforce and GitHub, in addition to workloads hosted on IaaS providers such as Azure. Administrators can create policies to ensure that only compliant users and devices can access these applications, thus improving the overall security of the business infrastructure.

What happens if a user doesn't meet the requirements of a Conditional Access policy?

If a user does not meet the conditions established by the policies, access to the resource may be denied or additional authentication, such as the use of MFA, may be required. In some cases, restrictions may apply to the session, such as the need to re-authenticate after a certain period of time.

How can Conditional Access policies be tested before applying them?

Entra ID offers two tools for verifying the functioning of policies before making them operational. The sign-in logs provide details on which policies were evaluated during the login process and what their impact was. The What If function, on the other hand, allows you to simulate access scenarios to predict how policies would react to specific conditions, allowing you to correct any errors before implementing them.

Is Conditional Access compatible with passwordless authentication?

Yes, you can configure policies that require passwordless authentication methods, such as Windows Hello, FIDO2, and Microsoft Authenticator. This reduces the risk of attacks based on compromised credentials, increasing the level of security for access to corporate resources.

What are the main mistakes to avoid when configuring Conditional Access?

One of the most common mistakes is configuring policies that are too restrictive, which could prevent legitimate users from accessing resources. It's critical to ensure that critical roles, such as administrators, are always protected by multi-factor authentication. Another mistake is not regularly monitoring sign-in logs, because they could reveal suspicious login attempts or misconfigurations. It is also important to avoid duplicate or contradictory policies, which could cause problems enforcing access rules.

How can I start configuring Conditional Access in Entra ID?

To create a new Conditional Access policy, you must log in to the Entra ID portal and navigate to the Security > Conditional Access > Create new policy section. After selecting the target users and resources, you must define the access conditions and security controls to apply, such as MFA or session restrictions. Before activating the policy, it is advisable to test it in Report-only mode to verify its operation without affecting user access.
