Azure AD Conditional Access Policies Best Practices

Every organisation is different and has different requirements. I have been working with conditional access for quite some time and have settled on the following policies for every organisation.

Create a security group that contains users that are permitted to access the organisations cloud services when outside of trusted locations.

Blocked Countries Conditional Access Policy

  • All Users
  • Exclude Break Glass Admin account
  • All Cloud Apps
  • Location : Blocked Countries that have been setup in the named locations section of Azure Conditional Access.
  • Access Control : Block Access

Blocked External Access

  • All users , except Break Glass Admin account and security group that contains users that are permitted access.
  • All Cloud Apps
  • Locations : Any location except trusted locations
  • Access Control : Block Access

Permit External Access 

  • Users : security group that contains users that are permitted access.
  • All Cloud Apps
  • Locations : Any location except trusted locations
  • Client Apps
    Browser
    Mobile apps and desktop clients
    Modern authentication clients
  • Grant Access : Require all of these controls
    Require Multi factor Authentication
    Require Hybrid Azure AD joined device
    Require approved client app
    Terms of Use

Mobile Device Access

  • Users : security group that contains users that are permitted access.
  • Exchange Online
  • Locations : Any location except trusted locations
  • Device Platforms : Android & IOS
  • Client Apps
    Browser
    Mobile apps and desktop clients
    Modern authentication clients
  • Grant Access : Require all of these controls
    Require Multi factor Authentication
    Require device to be marked as compliant (Enrolled in Intune)
    Require approved client app

Why still enable MFA for the mobile device access policy. When the Microsoft Authenticator application is installed on an Android or IOS device. It acts like an SSO broker and can communicate with the modern authentication Microsoft Outlook client.

Block Legacy Protocols

Simply replicate the legacy : Baseline policy: Block legacy authentication (Preview)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s