Conditional Access policies are a feature of Azure Active Directory (AAD) which allow administrators to control how your users gain access to resources in a secure fashion. For example, you may decide your Azure admins should always use multi-factor authentication to secure their logins or your users are always allowed to access resources in your main office or on a corporate managed device. Conditional access is included with an Azure AD Premium P1 license and is managed via the Azure Portal.
Late last year Microsoft provided a number of OoTB Conditional access policies designed to easily secure your azure environment with a few clicks. These weren't without their issues (namely the Require MFA for admins policy made having a break glass admin account impossible) but did achieve their goal of providing a minimum level of security (mainly for your high level administrative users) without needing to spend time evaluating and developing a detailed conditional access policy for your environment.
In late December 2019, Microsoft announced that these policies were being deprecated, meaning the simple security policies admins were able to easily apply will be lost, meaning that your organisation could be left vulnerable if steps aren't taken to replace these policies before the deadline of 28th February. With organisations increasingly focusing heavily on cloud security, letting these policies expire without taking any remedial action could expose organisations to additional security risks, something highlighted during the Ignite session on Conditional Access.
With the number of additional features now being added to Conditional Access, such as Persistent Browser Sessions and customisable sign-in frequency now is a good time to review your conditional access configuration, along with reviewing other related areas, such as your current role-based access control for Azure and introduce technologies such as Azure Privileged Identity Management to further secure your admin roles.
HybrIT understand these technologies and have a wealth of experience deploying these to our customers. If this is something that we can help with then don't hesitate to contact us.
Comments