
Conditional Access Policies in Microsoft Intune


The proliferation of cloud-based applications and mobile workforces has been felt across the business landscape like never before. Digital solutions offer increased mobility, flexibility, and enhanced productivity, but they also introduce new security challenges. Conditional Access Policies in Microsoft Intune, however, can help. 

Conditional Access is a security feature of Microsoft 365 Endpoint Manager, the suite that includes Intune, which lets organizations selectively restrict and control access to apps and resources. It enforces security policies based on several signals, such as where the user is, who they are, the health of their device, and its compliance state.

Components of Conditional Access Policies 

  • User identity: Policies apply based on user identity, role, or group membership. Higher-risk user types such as administrators can be subjected to tighter policies, for instance. 
  • Device Health and Compliance: Policies may require security checks based on the health of the device, such as having up-to-date antivirus software or meeting the corporate compliance policies set in Intune. 
  • Authentication and Authorization: Location-dependent rules can serve as an additional layer that limits access by originating IP address, for example. Access can be restricted to locations you know are secure, such as the office network. 
  • Application: Conditional Access policies are applied to specific applications. As an example, sensitive financial apps might need a higher level of security than general-purpose apps. 
  • Conditional Access risk levels: When combined with Azure AD Identity Protection, Conditional Access consumes risk levels to make dynamic security decisions based on signals from the evaluated sign-in. 

Details of Intune Conditional Access Policies 

Conditional Access Policies work by continually assessing user and device state as an access request is made. Depending on the settings that admins configure, the policy allows, blocks, or limits the user's connection. 

An example might be that an organization has a policy mandating MFA for employees connecting to Microsoft Teams from an unmanaged device. When an employee tries to log into Teams from his or her laptop, Intune confirms whether the device is managed by the company. If it is not, the employee will be challenged with an MFA before gaining entry into the application. 

Such real-time decision-making ensures that only trusted users and devices have access to resources, while also enhancing employee experience. 


Advantages of Conditional Access Policies 

  1. Enhanced Security: Conditional Access provides additional security through policies that block access by unauthorized users. Organizations can reduce security breaches and data leaks by assessing user identity, device compliance, and location. If a user’s credentials are stolen, the attacker would still need to meet the security criteria, such as using a managed device or completing MFA. 
  2. Reduced Attack Surface: Conditional Access helps reduce the attack surface by preventing requests that fail certain conditions from reaching apps and resources. An organization may block high-risk locations, or restrict access to critical applications to trusted devices with proper security configurations. This minimizes the chances of attackers exploiting weak points in the system. 
  3. Improved Compliance: Conditional Access helps meet security and data protection requirements, especially for organizations subject to industry regulations. Applying device compliance via policies means gaining peace of mind that even your dorm room business meets regulatory requirements like GDPR, HIPAA, or the latest ISO standards. 
  4. Seamless User Experience: Security is paramount, but a seamless user experience reigns supreme. Thus, if you sign in from a trusted location with a compliant device, you will not be prompted for another form of authentication. This flexibility enables workers to remain productive while preserving security. 
  5. Dynamic Control Based on Risk: Conditional Access evaluates risk before changing the required security level, using real-time risk measurements from Azure AD Identity Protection. For example, you could set up Conditional Access to automatically prompt for additional authentication or outright deny access when certain types of suspicious behavior are detected, like logging in from an unfamiliar location or repeated failed login attempts. 
  6. Granular Access Control: The broad support for Conditional Access, combined with granular options that can be created on a per-department or application level, is one of the reasons that have been cited in nearly every conversation I have had this year addressing the impact of Covid-19 and remote worker security. As an example, a finance department would have stricter access controls compared to the marketing department, since the data they work on is much more sensitive. Conditional Access allows security policies to be very granular, and matched to specific business requirements. 

How to Create Conditional Access Policies in Intune 

  1. Specify the policy target: Indicate the users or groups the policy will be enforced on. 
  2. Define the conditions: Specify the conditions under which this policy triggers (device compliance, location, app access, and more). 
  3. Specify the controls: Identify what happens when all conditions are met (grant access, block access, or require MFA). 
  4. Test and apply: All new policies should be tested in an isolated environment first to ensure they are working as anticipated before a broader rollout. 
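The four steps above, and the Teams example from the earlier section, can be made concrete with a small model. The following is an added example written for this page, not Microsoft's or eMazzanti's code: the policy dictionaries follow the shape of a Microsoft Graph conditionalAccessPolicy body (displayName, state, conditions, grantControls), and the evaluator is a simplified local model of the allow / block / require-MFA decision, not how Entra ID evaluates policies internally. The group id is a constructed placeholder, and the Teams application id is assumed to be the commonly documented first-party value; both must be checked against your own tenant before use. The first policy is created in report-only state, which is the Graph equivalent of step 4: observe what the policy would do before enforcing it.

```python
from dataclasses import dataclass

# Constructed identifiers (assumptions for this example): a placeholder group id,
# and the app id that must match the target app's service principal in a real
# tenant (the value below is the commonly documented Microsoft Teams id; verify it).
ALL_STAFF_GROUP = "11111111-1111-1111-1111-111111111111"
TEAMS_APP_ID = "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe"


def teams_mfa_policy(state="enabledForReportingButNotEnforced"):
    """Steps 1-3 as a Graph-style policy body.
    Step 1 target: the staff group.  Step 2 conditions: Teams, from any location
    except the tenant's named trusted locations.  Step 3 controls: compliant
    device OR MFA, so an unmanaged device must complete MFA.  Step 4: the state
    defaults to report-only so the effect can be observed before enforcement."""
    return {
        "displayName": "Require MFA for Teams from unmanaged devices",
        "state": state,
        "conditions": {
            "users": {"includeGroups": [ALL_STAFF_GROUP], "excludeUsers": []},
            "applications": {"includeApplications": [TEAMS_APP_ID]},
            "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
            "signInRiskLevels": [],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice", "mfa"]},
    }


# Risk-based policy: Identity Protection rates the sign-in as high risk -> block.
BLOCK_HIGH_RISK = {
    "displayName": "Block high-risk sign-ins",
    "state": "enabled",
    "conditions": {
        "users": {"includeGroups": [ALL_STAFF_GROUP], "excludeUsers": []},
        "applications": {"includeApplications": ["All"]},
        "locations": {"includeLocations": ["All"], "excludeLocations": []},
        "signInRiskLevels": ["high"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}


@dataclass
class SignIn:
    """Signals evaluated at sign-in time (a constructed subset of the real ones)."""
    user: str
    groups: frozenset
    app_id: str
    device_compliant: bool   # device managed by Intune and marked compliant
    trusted_location: bool   # request came from a named trusted location
    risk: str = "none"       # none | low | medium | high
    mfa_done: bool = False   # MFA already satisfied in this session


def policy_applies(policy, s):
    """True when every configured condition matches the sign-in."""
    c = policy["conditions"]
    if s.user in c["users"]["excludeUsers"]:
        return False
    if not set(c["users"]["includeGroups"]) & s.groups:
        return False
    apps = c["applications"]["includeApplications"]
    if "All" not in apps and s.app_id not in apps:
        return False
    if "AllTrusted" in c["locations"]["excludeLocations"] and s.trusted_location:
        return False
    risks = c["signInRiskLevels"]
    if risks and s.risk not in risks:
        return False
    return True


def decide(policy, s):
    """Outcome of one applicable policy: allow, require_mfa or block."""
    gc = policy["grantControls"]
    controls = gc["builtInControls"]
    if "block" in controls:
        return "block"
    met = {"compliantDevice": s.device_compliant, "mfa": s.mfa_done}
    results = [met.get(ctl, False) for ctl in controls]
    satisfied = any(results) if gc["operator"] == "OR" else all(results)
    if satisfied:
        return "allow"
    # Unmet: MFA can still be satisfied interactively; other controls cannot.
    return "require_mfa" if "mfa" in controls else "block"


def evaluate(policies, s):
    """Combine policies: block beats require_mfa, which beats allow.
    Returns (enforced_decision, report_only); report_only lists what each
    report-only policy would have done without affecting enforcement."""
    rank = {"allow": 0, "require_mfa": 1, "block": 2}
    enforced, report_only = "allow", []
    for p in policies:
        if p["state"] == "disabled" or not policy_applies(p, s):
            continue
        outcome = decide(p, s)
        if p["state"] == "enabledForReportingButNotEnforced":
            report_only.append((p["displayName"], outcome))
        elif rank[outcome] > rank[enforced]:
            enforced = outcome
    return enforced, report_only


if __name__ == "__main__":
    # The article's scenario: an employee opens Teams from an unmanaged laptop.
    laptop = SignIn("alice", frozenset({ALL_STAFF_GROUP}), TEAMS_APP_ID,
                    device_compliant=False, trusted_location=False)
    print(evaluate([teams_mfa_policy(), BLOCK_HIGH_RISK], laptop))
    print(evaluate([teams_mfa_policy("enabled"), BLOCK_HIGH_RISK], laptop))
```

Running the script shows the two phases of step 4: in report-only state the laptop sign-in is allowed while the report records that the Teams policy would have required MFA; switching the same policy to enabled turns that into an enforced MFA prompt. A compliant device or a trusted location satisfies or excludes the policy and passes without a prompt, and a high-risk sign-in is blocked regardless of device state, which is the layering the advantages section describes.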

Experienced professionals from eMazzanti can help you with Microsoft Intune and other apps and issues. 
