Conditional Access (CA) policies everyone could use in Azure AD!

If you reached this blog I assume you already know what Conditional Access is and what it is used for. Therefore we can skip the introduction and go straight into the technical details.

Keep in mind that every organization is different, so there is no universally good or bad policy set. I cannot promise the CA policies below will work for you, but they should give you a good starting point and show where you can improve.

Require MFA for users

With this Conditional Access policy, users are required to use Multi-Factor Authentication (MFA). It's up to you who is included in and excluded from the policy. If you assign licenses (Office 365 for example) based on group membership, the same groups can be used for this policy; as a result every user who is able to use Office 365 is required to use MFA. Specific accounts (e.g. service accounts, scanners, printers) can be excluded from the policy. Whatever else you exclude, exclude at least one emergency access (break-glass) account: otherwise an outage of the MFA service or a broken MFA registration locks everyone, administrators included, out of the tenant. I also require MFA for all locations. In my opinion trusted locations don't exist!

Require MFA for Admin roles

This Conditional Access policy requires Multi-Factor Authentication (MFA) for most administrator roles. I did not include all available Azure AD administrator roles; the selection can be modified to your needs, as long as the highly privileged roles (Global Administrator, Privileged Role Administrator, Conditional Access Administrator, Security Administrator and the workload administrators such as Exchange and SharePoint Administrator) stay in. Roles are targeted by their built-in role template, so the policy automatically follows role membership instead of a group you have to maintain. Excluding administrator roles from MFA is not a good idea.

Block legacy authentication

Probably the most important one for security reasons: legacy authentication protocols (basic authentication over IMAP, POP3, SMTP AUTH, Exchange ActiveSync, Exchange Web Services and the like) cannot enforce MFA, so they are the channel that password spray and credential stuffing attacks rely on, and the MFA policies above do not protect an account that can still sign in over them. Not all environments are ready for this one, therefore it is important to monitor all authentications first. Go to Azure AD -> Sign-in Logs -> select Client app -> select all Legacy Authentication Clients.

If the filter shows "no sign-ins found" you're good to go. If not, investigate those sign-ins and try to get rid of them ASAP! Keep in mind that the sign-in log only covers the last 30 days (7 days without an Azure AD Premium license), so a scanner or batch job that authenticates once a month may not show up; check with the application owners as well. It's possible to create this CA policy in Report-only mode, or to enable it and exclude the identities that are still using legacy authentication. I would recommend enabling the policy and excluding the identities that are still using legacy authentication. You then limit legacy authentication, which is better than allowing it in Report-only mode.
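The triage described above, as an added example that is not part of the original post: the sign-in records are constructed here in the shape of Microsoft Graph signIn objects (in a real tenant you would feed the function the last 30 days of the sign-in log), and the function separates accounts that actually still depend on legacy authentication from accounts that only see failed legacy attempts. The policy body at the end is the Graph representation of the block policy, with the remaining dependencies in its exclusion list; the user IDs and names are placeholders.

```python
"""Triage of legacy authentication sign-ins before the block policy is enabled.

Added example, not from the original post. The records below are constructed in the
shape of Microsoft Graph signIn objects (GET /auditLogs/signIns, AuditLog.Read.All);
in a real tenant feed this function the last 30 days of the sign-in log instead.
"""
import json
from collections import defaultdict

# clientAppUsed values that are modern authentication. Every other value in the
# sign-in log (IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync, Exchange Web
# Services, MAPI Over HTTP, Autodiscover, Other clients, ...) is legacy authentication.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}

# Constructed sample records. errorCode 0 = success, 50126 = invalid username or password.
SAMPLE_SIGNINS = [
    {"userId": "u-scanner", "userPrincipalName": "scanner@contoso.example",
     "clientAppUsed": "Authenticated SMTP", "status": {"errorCode": 0}},
    {"userId": "u-alice", "userPrincipalName": "alice@contoso.example",
     "clientAppUsed": "Browser", "status": {"errorCode": 0}},
    {"userId": "u-bob", "userPrincipalName": "bob@contoso.example",
     "clientAppUsed": "IMAP4", "status": {"errorCode": 50126}},
    {"userId": "u-bob", "userPrincipalName": "bob@contoso.example",
     "clientAppUsed": "POP3", "status": {"errorCode": 50126}},
    {"userId": "u-alice", "userPrincipalName": "alice@contoso.example",
     "clientAppUsed": "Mobile Apps and Desktop clients", "status": {"errorCode": 0}},
    {"userId": "u-crm", "userPrincipalName": "crm-sync@contoso.example",
     "clientAppUsed": "Exchange Web Services", "status": {"errorCode": 0}},
]


def legacy_auth_report(signins):
    """Split legacy sign-ins into real dependencies (succeeded) and noise (failed).

    Returns (succeeded, failed); each maps userPrincipalName -> set of legacy client apps.
    Only accounts in `succeeded` are candidates for a temporary exclusion. Failed legacy
    attempts against an account are usually password spraying, which is a reason to
    block sooner, not to exclude the account.
    """
    succeeded, failed = defaultdict(set), defaultdict(set)
    for s in signins:
        if s["clientAppUsed"] in MODERN_CLIENTS:
            continue
        bucket = succeeded if s["status"]["errorCode"] == 0 else failed
        bucket[s["userPrincipalName"]].add(s["clientAppUsed"])
    return dict(succeeded), dict(failed)


def temporary_exclusions(signins):
    """Object IDs of the accounts with successful legacy sign-ins, for excludeUsers."""
    return sorted({s["userId"] for s in signins
                   if s["clientAppUsed"] not in MODERN_CLIENTS
                   and s["status"]["errorCode"] == 0})


def block_legacy_auth_policy(exclude_user_ids, state="enabled"):
    """Graph conditionalAccessPolicy body that blocks legacy authentication for everyone
    except the listed accounts; remove them from excludeUsers one by one as they are migrated."""
    return {
        "displayName": "CA - Block legacy authentication",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_user_ids)},
            "applications": {"includeApplications": ["All"]},
            # Conditional Access lists Exchange ActiveSync separately; "other" covers the
            # remaining legacy protocols (IMAP, POP, SMTP AUTH, EWS, MAPI, Autodiscover, ...).
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    in_use, attacks = legacy_auth_report(SAMPLE_SIGNINS)
    print("legacy auth still in use:", in_use)
    print("failed legacy attempts:", attacks)
    # POST to https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
    # (Policy.ReadWrite.ConditionalAccess) with this body to create the policy.
    print(json.dumps(block_legacy_auth_policy(temporary_exclusions(SAMPLE_SIGNINS)), indent=2))
```

The split between succeeded and failed matters: in the sample, bob only appears with failed IMAP4 and POP3 attempts, which is what a password spray looks like, so he is not a reason to delay the block; the scanner and the CRM sync account are the real dependencies that go into the temporary exclusion list.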

MFA – Web Based Office 365 Access

Users and Groups Include: Choose the Azure AD group that is used to manage Intune users and/or to assign them a license (e.g. Microsoft 365, Office 365).

Users and Groups Exclude: Check whether service accounts and/or user accounts in the assigned groups should be excluded.

Session: Use app enforced restrictions. This session control is only honoured by Exchange Online and SharePoint Online, and it only does something once those services are configured to apply their own restrictions (for example limited, web-only access for unmanaged devices in SharePoint); those actions are configured separately. See the official documentation: Session controls in Conditional Access policy – Azure Active Directory | Microsoft Docs
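The three MFA policies described so far (MFA for users, MFA for admin roles, MFA for web-based Office 365 access) as Microsoft Graph conditionalAccessPolicy bodies, plus a small lockout check. This is an added example, not the post's own configuration: the group and break-glass account IDs are placeholders to replace with your own, the policy names are mine, and the role IDs are the built-in Azure AD role template IDs, which are the same in every tenant.

```python
"""MFA policies as Microsoft Graph conditionalAccessPolicy bodies, with a lockout check.

Added example, not the post's own configuration. Group and account IDs are placeholders
to replace with object IDs from your tenant; the role IDs are built-in role template IDs
(tenant independent; verify with GET /directoryRoleTemplates).
"""
import json

# Placeholders (constructed).
LICENSED_USERS_GROUP = "11111111-1111-1111-1111-111111111111"    # group that also assigns the Office 365 licenses
SERVICE_ACCOUNTS_GROUP = "22222222-2222-2222-2222-222222222222"  # scanners, printers, service accounts
BREAK_GLASS_ACCOUNTS = ["33333333-3333-3333-3333-333333333333"]  # emergency access account(s)

# Built-in Azure AD role template IDs.
ROLE_GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"
ROLE_PRIVILEGED_ROLE_ADMIN = "e8611ab8-c189-46e8-94e1-60213ab1f814"
ROLE_CONDITIONAL_ACCESS_ADMIN = "b1be1c3e-b65d-4f19-8427-f6fa0d97feb9"
ROLE_SECURITY_ADMIN = "194ae4cb-b126-40b2-bd5b-6091b380977d"
ROLE_EXCHANGE_ADMIN = "29232cdf-9323-42fd-ade2-1d097af3e4de"
ROLE_SHAREPOINT_ADMIN = "f28a1f50-f6e7-4571-818b-6a12f2af6b6c"
ROLE_USER_ADMIN = "fe930be7-5e62-47db-91af-98c3a49a38b1"


def mfa_policy(display_name, users, applications=("All",), client_app_types=("all",),
               session_controls=None, state="enabledForReportingButNotEnforced"):
    """Policy body with grant control = MFA and all locations (no trusted-location exemption)."""
    body = {
        "displayName": display_name,
        "state": state,  # start in Report-only, switch to "enabled" after checking the sign-in log
        "conditions": {
            "users": users,
            "applications": {"includeApplications": list(applications)},
            "clientAppTypes": list(client_app_types),
            "locations": {"includeLocations": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }
    if session_controls:
        body["sessionControls"] = session_controls
    return body


def require_mfa_for_users():
    return mfa_policy("CA001 - Require MFA for users", {
        "includeGroups": [LICENSED_USERS_GROUP],
        "excludeGroups": [SERVICE_ACCOUNTS_GROUP],
        "excludeUsers": list(BREAK_GLASS_ACCOUNTS),
    })


def require_mfa_for_admins():
    return mfa_policy("CA002 - Require MFA for admin roles", {
        "includeRoles": [ROLE_GLOBAL_ADMIN, ROLE_PRIVILEGED_ROLE_ADMIN, ROLE_CONDITIONAL_ACCESS_ADMIN,
                         ROLE_SECURITY_ADMIN, ROLE_EXCHANGE_ADMIN, ROLE_SHAREPOINT_ADMIN, ROLE_USER_ADMIN],
        "excludeUsers": list(BREAK_GLASS_ACCOUNTS),
    })


def mfa_web_based_office365():
    # Browser access to Office 365 only. The session control hands further restrictions to
    # Exchange Online / SharePoint Online, which must be configured for that separately.
    return mfa_policy("CA003 - MFA - Web based Office 365 access", {
        "includeGroups": [LICENSED_USERS_GROUP],
        "excludeGroups": [SERVICE_ACCOUNTS_GROUP],
        "excludeUsers": list(BREAK_GLASS_ACCOUNTS),
    }, applications=["Office365"], client_app_types=["browser"],
       session_controls={"applicationEnforcedRestrictions": {"isEnabled": True}})


def lockout_findings(policy):
    """Mistakes that lock admins out or quietly weaken an MFA policy. Empty list = fine."""
    users = policy["conditions"]["users"]
    findings = []
    if not set(users.get("excludeUsers", [])) & set(BREAK_GLASS_ACCOUNTS):
        findings.append("no emergency access account excluded")
    if users.get("excludeRoles"):
        findings.append("administrator roles excluded from MFA")
    if policy["conditions"].get("locations", {}).get("excludeLocations"):
        findings.append("trusted locations exempted from MFA")
    if "mfa" not in policy["grantControls"]["builtInControls"]:
        findings.append("grant control is not MFA")
    return findings


if __name__ == "__main__":
    for build in (require_mfa_for_users, require_mfa_for_admins, mfa_web_based_office365):
        policy = build()
        print(policy["displayName"], "->", lockout_findings(policy) or "ok")
        # Create it with POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
        # (Policy.ReadWrite.ConditionalAccess), body = json.dumps(policy).
        print(json.dumps(policy, indent=2))
```

Run lockout_findings over every policy before switching it from Report-only to enabled; the checks encode the three mistakes from the sections above (no break-glass exclusion, admin roles excluded, trusted locations exempted) so they are caught before the policy can lock you out.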

Windows – Require compliant device

This policy would also apply to the devices of external users. We cannot control external devices and we are not responsible for them, so this CA policy focuses on our own (managed) devices; excluding guests and external users is required in this case. A device can only be marked compliant by Intune (or a partner MDM), so the policy effectively blocks every Windows device that is not enrolled and compliant, which is why it needs a Report-only run before it is enabled.

Note: For testing purposes I mostly use a VMware virtual machine platform. Because of TPM issues with the endpoint I've excluded devices by their device.manufacturer attribute (a filter for devices) in this policy. When VMware is used in production (e.g. for VDI or RDS) this exception should be removed and/or modified for your operation.

Note: There are no Cloud Apps selected as I can't predict these for you.

MFA – Guest accounts

One of the most forgotten Conditional Access policies: guests! As humans we focus on our own employees and environment, but when you use Azure AD, Office 365, Teams, SharePoint or any other application within the Microsoft 365 suite, chances are that your tenant has guest users.

These guests connect to your tenant from everywhere, and we have to protect the data guest users are allowed to access! Therefore it's good to have a separate policy specifically for guest and external users in which we require MFA, at least. By default a guest registers an MFA method in your tenant (the cross-tenant access settings can be used to trust the MFA claim of the guest's home tenant instead), so expect a registration prompt on the guest's first sign-in after the policy is enabled.

Office 365 – Idle session timeout (unmanaged devices)

Update 07-04-2022: Idle session timeout has been available for a few weeks. For managed devices it is enough to enable the idle session timeout in the Microsoft 365 admin center. For unmanaged devices an additional CA policy is required.
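The device-scoped policies from the last three sections (Windows compliant device with the VMware exception, MFA for guests, idle session timeout for unmanaged devices) as Graph conditionalAccessPolicy bodies, together with a small evaluator for filter-for-devices rules so that a rule can be tried against a device inventory before the policy is enabled. This is an added example, not the post's own configuration. Assumptions: the VMware manufacturer string, "All" as a placeholder cloud-app scope for the Windows policy, the break-glass account ID, and the use of the app-enforced-restrictions session control to scope the idle session timeout to unmanaged devices. The evaluator only handles the subset device.<property> -eq/-ne <value> joined by -and/-or, evaluated left to right without parentheses; the real rule language is richer.

```python
"""Device-scoped Conditional Access policies as Graph bodies, plus a filter-rule evaluator.

Added example, not the post's own configuration. Assumed: the VMware manufacturer string,
"All" as placeholder app scope for the Windows policy, the break-glass account ID, and the
app-enforced-restrictions session control for the idle session timeout. The evaluator only
supports 'device.<property> -eq|-ne <value>' clauses joined by -and/-or, left to right.
"""
import re

BREAK_GLASS_ACCOUNTS = ["33333333-3333-3333-3333-333333333333"]  # placeholder object ID
REPORT_ONLY = "enabledForReportingButNotEnforced"

VMWARE_RULE = 'device.manufacturer -eq "VMware, Inc."'
# trustType "ServerAD" = hybrid Azure AD joined, "AzureAD" = Azure AD joined, "Workplace" = registered.
UNMANAGED_RULE = 'device.isCompliant -eq True -or device.trustType -eq "ServerAD"'

_CLAUSE = re.compile(r'device\.(\w+)\s+-(eq|ne)\s+("[^"]*"|True|False)$')


def _clause(device, text):
    m = _CLAUSE.match(text.strip())
    if not m:
        raise ValueError("unsupported clause: " + text)
    prop, op, raw = m.groups()
    want = raw.strip('"') if raw.startswith('"') else raw == "True"
    same = device.get(prop) == want
    return same if op == "eq" else not same


def rule_matches(rule, device):
    """True if the registered device record matches the filter rule."""
    parts = re.split(r"\s+-(or|and)\s+", rule)
    result = _clause(device, parts[0])
    for i in range(1, len(parts), 2):
        rhs = _clause(device, parts[i + 1])
        result = (result or rhs) if parts[i] == "or" else (result and rhs)
    return result


def device_in_scope(device_filter, device):
    """Mode 'exclude' drops matching devices but keeps unregistered ones (device is None),
    which cannot match anything; mode 'include' keeps only matching, registered devices."""
    if device is None:
        return device_filter["mode"] == "exclude"
    matched = rule_matches(device_filter["rule"], device)
    return not matched if device_filter["mode"] == "exclude" else matched


def windows_require_compliant_device(applications=("All",)):
    return {
        "displayName": "CA - Windows - Require compliant device",
        "state": REPORT_ONLY,
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeUsers": ["GuestsOrExternalUsers"] + BREAK_GLASS_ACCOUNTS},
            "applications": {"includeApplications": list(applications)},  # narrow this down
            "clientAppTypes": ["all"],
            "platforms": {"includePlatforms": ["windows"]},
            "devices": {"deviceFilter": {"mode": "exclude", "rule": VMWARE_RULE}},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    }


def mfa_for_guests():
    return {
        "displayName": "CA - MFA - Guest accounts",
        "state": REPORT_ONLY,
        "conditions": {
            "users": {"includeUsers": ["GuestsOrExternalUsers"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def idle_timeout_unmanaged_devices():
    # Browser sessions to Office 365 from devices that are neither compliant nor hybrid joined.
    return {
        "displayName": "CA - Office 365 - Idle session timeout (unmanaged devices)",
        "state": REPORT_ONLY,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(BREAK_GLASS_ACCOUNTS)},
            "applications": {"includeApplications": ["Office365"]},
            "clientAppTypes": ["browser"],
            "devices": {"deviceFilter": {"mode": "exclude", "rule": UNMANAGED_RULE}},
        },
        "sessionControls": {"applicationEnforcedRestrictions": {"isEnabled": True}},
    }


# Constructed device records, shaped like the properties a filter rule can see.
DEVICES = {
    "corp-laptop": {"manufacturer": "Dell Inc.", "isCompliant": True, "trustType": "ServerAD"},
    "vmware-test-vm": {"manufacturer": "VMware, Inc.", "isCompliant": False, "trustType": "AzureAD"},
    "byod-pc": {"manufacturer": "Dell Inc.", "isCompliant": False, "trustType": "Workplace"},
}

if __name__ == "__main__":
    flt = windows_require_compliant_device()["conditions"]["devices"]["deviceFilter"]
    for name, record in list(DEVICES.items()) + [("unregistered", None)]:
        print(f"compliant-device policy applies to {name}: {device_in_scope(flt, record)}")
```

The unregistered case is the one people get wrong: a VMware VM that has never registered with Azure AD has no manufacturer property for the exclusion to match, so the compliant-device policy still applies to it and blocks it. The exception only helps once the VM is registered.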


I hope you have found these policies useful as a starting point. I recommend activating the policies in Report-only mode first and checking the Azure AD sign-in logs (the Report-only tab of each sign-in shows which policies would have applied) to monitor their impact. If you're good to go you can switch them to Enabled.

Keep in mind that modifications to CA policies can take up to 10 minutes before they are active.
