Implementing ConditionalAccess MFA

Uploaded by

frndzdrive

Plan to implement Conditional Access MFA

Options to enable MFA:

• Security defaults
• Conditional Access policies (regular policies, or integration with Azure AD Identity Protection)

Key things we need to think about when making the correct choice for our organization:
• Do you want to enable it for all user accounts, per individual account, or based on group membership?
• Which kind of additional verification method do you need? A mobile app, text message, or phone call?
• Should MFA always be required, or only when accessing certain apps or under some other criteria? For instance, when a user attempts to sign in from outside the company network?
• Do you need advanced risk detection such as atypical travel, anonymous IP address, malware-linked IP address, etc.?
• Which Microsoft 365 license plan do you have? Some methods require Azure AD Premium P1 or Azure AD Premium P2 licenses.

The table below helps us decide which option is best for us based on our requirements.

Conditional Access Policies:

Prerequisites
• A working Azure AD tenant with an Azure AD Premium license.
• An account with Conditional Access administrator privileges.
• A test user and group (non-administrator) that allow you to verify policies work as expected before you impact real users.

Prepare a checklist answering the questions below, as per requirements.

Users or workload identities
• Which users, groups, directory roles and workload identities will be included in or excluded from the policy?
• What emergency access accounts or groups should be excluded from the policy?

Cloud apps or actions
Will this policy apply to any application, user action, or authentication context? If yes:
• What application(s) will the policy apply to?
• What user actions will be subject to this policy?
• What authentication contexts will this policy apply to?

Conditions
• Which device platforms will be included in or excluded from the policy?
• What are the organization's trusted locations?
• What locations will be included in or excluded from the policy?
• What client app types will be included in or excluded from the policy?
• Do you have policies that would drive excluding Azure AD joined devices or Hybrid Azure AD joined devices from policies?
• If using Identity Protection, do you want to incorporate sign-in risk protection?

Grant or Block
Do you want to grant access to resources by requiring one or more of the following?
• Require MFA
• Require device to be marked as compliant
• Require hybrid Azure AD joined device
• Require approved client app
• Require app protection policy
• Require password change
• Use Terms of Use

Session control
Do you want to enforce any of the following access controls on cloud apps?
• Use app enforced restrictions
• Use Conditional Access App Control
• Enforce sign-in frequency
• Use persistent browser sessions
• Customize continuous access evaluation

Policy 1: MFA for all users

1. Sign in to the Azure portal as a global administrator, security administrator, or Conditional Access administrator.
2. Browse to Azure Active Directory > Security > Conditional Access.
3. Select New policy.
4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
5. Under Assignments, select Users and groups:
a) Under Include, select All users.
b) Under Exclude, select Users and Groups and choose your organization's emergency access or break-glass accounts.
It is a recommended practice to have one emergency access or break-glass account without MFA, so that admins are not locked out of the tenant if the MFA service becomes unavailable due to an outage.
c) Select Done.
6. Under Cloud apps or actions > Include, select All cloud apps.
a) Under Exclude, select any applications that do not require multi-factor authentication.
7. Under Conditions > Client apps, leave all default selections to apply this policy to all client apps, and select Done.
Or, if you have an Azure AD Premium P2 license, you are eligible to use more advanced versions of Conditional Access policies. A few examples of how a sign-in can be classified as high risk: impossible travel, malicious IP address, password spray, etc.
To enable sign-in risk based Conditional Access, under Conditions > Sign-in risk, set Configure to Yes. Under "Select the sign-in risk level this policy will apply to":
a) Select High and Medium.
b) Select Done.
8. Under Access controls > Grant, select Grant access, Require multi-factor authentication, and select Select.
9. Confirm your settings and set Enable policy to Report-only.
10. Select Create to enable your policy.

Initially, we put this policy into Report-only mode so administrators can determine its impact on existing users. When administrators are comfortable that the policy applies as they intend, they can switch it to On, or stage the deployment by adding specific groups and excluding others.

Policy 2: Block Legacy Authentication

Remember, without blocking legacy authentication, an attacker could use these older protocols (which do not support MFA) to bypass MFA. You do not want to leave a backdoor for your attackers.
Follow these steps to create a Conditional Access policy that will block legacy authentication:
1. Sign in to the Azure portal as a global administrator, security administrator, or Conditional Access administrator.
2. Browse to Azure Active Directory > Security > Conditional Access.
3. Select New policy.
4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
5. Under Assignments, select Users and groups.
a) Under Include, select All users.
6. Under Cloud apps or actions, select All cloud apps.
a) Select Done.
7. Under Conditions > Client apps, set Configure to Yes.
a) Check only the boxes Exchange ActiveSync clients and Other clients.
b) Select Done.
8. Under Access controls > Grant, select Block access.
a) Select Select.
b) Select Done.
9. Confirm your settings and set Enable policy to Report-only.
10. Select Create to enable your policy.
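As an added example that is not part of the original document, Policy 1 and Policy 2 above expressed as Microsoft Graph conditionalAccessPolicy payloads, with a small pre-submission check for the two points the text stresses: exclude the break-glass accounts from the MFA policy, and start every policy in Report-only. Submitting them via `POST /identity/conditionalAccess/policies` (or `New-MgIdentityConditionalAccessPolicy`) is assumed, and any object ids passed in are constructed placeholders.

```python
# Added example, not from the original document: build the Microsoft Graph
# conditionalAccessPolicy payloads for Policy 1 and Policy 2 above and lint them
# before they are submitted (assumed: POST /identity/conditionalAccess/policies).
# Any object ids passed to these functions are constructed placeholders.

REPORT_ONLY = "enabledForReportingButNotEnforced"  # Graph 'state' for Report-only

def mfa_for_all_users_policy(break_glass_ids, sign_in_risk=None):
    """Policy 1: MFA for all users on all cloud apps, excluding break-glass
    accounts. sign_in_risk is the optional P2 variant, e.g. ["high", "medium"]."""
    conditions = {
        "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["all"],  # step 7: leave client app defaults
    }
    if sign_in_risk:
        conditions["signInRiskLevels"] = list(sign_in_risk)
    return {
        "displayName": "CA001 - All users - Require MFA",
        "state": REPORT_ONLY,  # step 9: start in Report-only
        "conditions": conditions,
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }

def block_legacy_auth_policy():
    """Policy 2: block Exchange ActiveSync and 'Other clients', the legacy
    protocols that cannot perform MFA."""
    return {
        "displayName": "CA002 - All users - Block legacy authentication",
        "state": REPORT_ONLY,
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],  # step 7a
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

def lint_policy(policy):
    """Return the findings for one policy; an empty list means it passes."""
    findings = []
    cond, users = policy["conditions"], policy["conditions"]["users"]
    controls = policy["grantControls"]["builtInControls"]
    if "mfa" in controls and users["includeUsers"] == ["All"] and not users.get("excludeUsers"):
        findings.append("MFA required for All users with no break-glass exclusion")
    if policy["state"] != REPORT_ONLY:
        findings.append("not starting in Report-only; impact on existing users unknown")
    if "block" in controls and "all" in cond.get("clientAppTypes", []):
        findings.append("block applies to all client app types; this locks everyone out")
    return findings
```

Run `lint_policy` on each payload before submitting it; a non-empty list means the policy would repeat one of the lockout mistakes the steps above are designed to avoid.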

Ref. Link: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/plan-conditional-access#follow-best-practices