A few months ago I decided to redesign my Conditional Access Framework. While reading some docs and blogs for recent changes I found Claus Jespersen's Conditional Access Framework documentation, which can be found here. This framework was way too much for what I needed as a new starting point.

I decided to build a new Conditional Access Framework based on Claus Jespersen's and Microsoft's frameworks. This one is slightly minimized and less difficult to understand, but still protects almost everything you could wish for. Use this baseline to start off with and expand or modify it where needed.

Note: The complete framework, with downloadable policies and instructions on how to import them, can be found on my GitHub.

Personas

Global

Global is a persona/placeholder for policies that are general in nature or do not apply to only one persona. It is used to define policies that apply to all personas, or that do not apply to one specific persona. The reason for having this persona is to have a model in which all relevant scenarios can be protected: it holds policies that apply to all users, or policies that enforce protection in scenarios not covered by the policies of the other personas.

Admins

We define admins in this context as any non-guest identity (cloud or synced) that holds any Azure AD or other Microsoft 365 admin role (for example in MDCA, Exchange, Defender for Endpoint or Compliance). Guests who hold such roles are covered by a separate persona, so guests are excluded from this persona.

Internals

Internals covers all users who have an AD account synced to Azure AD, are employees of the company and work in a standard end-user role.

Guests

Guests holds all users who have an Azure AD guest account that has been invited into the customer tenant.

Conditional Access policies

CA000-Global-IdentityProtection-AnyApp-AnyPlatform-MFA

This policy requires MFA for all cloud apps, from every platform. It captures all authentications in scope not captured by other MFA policies.

CA001-Global-AttackSurfaceReduction-AnyApp-AnyPlatform-BLOCK-CountryWhitelist

This policy blocks access to all cloud apps, from every platform, from all countries except those configured in the named location ALLOWED COUNTRIES. That named location is excluded from this policy.

Important: Modify the named location with your approved countries. By default only Belgium, Luxembourg and the Netherlands are allowed.

CA002-Global-IdentityProtection-AnyApp-AnyPlatform-Block-LegacyAuthentication

This policy blocks legacy authentication for all users, to all cloud apps, from any platform.

CA003-Global-BaseProtection-RegisterOrJoin-AnyPlatform-MFA

This policy requires MFA for all users, to register or join a device to your tenant/environment.

Tip: Make sure to disable Require Multifactor Authentication to register or join devices with Microsoft Entra. This can be found under https://portal.azure.com -> Entra ID -> Devices -> Device settings.

CA004-Global-IdentityProtection-AnyApp-AnyPlatform-AuthenticationFlows

This policy prevents all users from transferring authentication flows, for example from PC to mobile. This feature is currently in preview.

CA005-Global-DataProtection-Office365-AnyPlatform-Unmanaged-AppEnforcedRestrictions-BlockDownload

This policy prevents all users from downloading, printing or syncing Office 365 data from an unmanaged device. It requires App Enforced Restrictions.

CA100-Admins-IdentityProtection-AdminPortals-AnyPlatform-MFA

This policy requires MFA for certain admin roles when they access the Admin Portals.

CA101-Admins-IdentityProtection-AnyApp-AnyPlatform-MFA

This policy requires MFA for certain admin roles when they access any cloud app.

CA102-Admins-IdentityProtection-AllApps-AnyPlatform-SigninFrequency

This policy sets a sign-in frequency of at most 12 hours for certain admin roles. Admins must re-authenticate or log on again after 12 hours.

CA200-Internals-IdentityProtection-AnyApp-AnyPlatform-MFA

This policy requires MFA for all internal identities, for all cloud applications, from any platform.

Important: Verify the included group(s) and/or add your custom groups which have all internals in it. APP_Microsoft365_E5_DEV is added as an example.

CA201-Internals-IdentityProtection-AnyApp-AnyPlatform-BLOCK-HighRisk

This policy blocks all internal users who have a high-risk status (sign-in risk and user risk), to all cloud apps, from all platforms.

Important: Verify the included group(s) and/or add your custom groups which have all internals in it. APP_Microsoft365_E5_DEV is added as an example.

CA202-Internals-IdentityProtection-AllApps-WindowsMacOS-SigninFrequency-UnmanagedDevices

This policy sets a sign-in frequency of at most 12 hours for internals, to all cloud apps, when using unmanaged Windows or macOS devices.

Important: Verify the included group(s) and/or add your custom groups which have all internals in it. APP_Microsoft365_E5_DEV is added as an example.

CA203-Internals-AppProtection-MicrosoftIntuneEnrollment-AnyPlatform-MFA

This policy requires MFA for internals when enrolling their devices in Intune.

Important: Verify the included group(s) and/or add your custom groups which have all internals in it. APP_Microsoft365_E5_DEV is added as an example.

CA204-Internals-AttackSurfaceReduction-AllApps-AnyPlatform-BlockUnknownPlatforms

This policy blocks unknown/unsupported device platforms for internals.

Note: Currently only Windows, MacOS, Android and iOS are supported. If (for example) Linux or Windows Phone is allowed you need to modify the policy.

Important: Verify the included group(s) and/or add your custom groups which have all internals in it. APP_Microsoft365_E5_DEV is added as an example.

CA205-Internals-BaseProtection-AnyApp-Windows-CompliantorAADHJ

This policy requires internals to make use of a Windows device that is compliant or AADHJ (Azure AD Hybrid Joined / Entra ID Hybrid Joined) while accessing any cloud app.

Important: Verify the included group(s) and/or add your custom groups which have all internals in it. APP_Microsoft365_E5_DEV is added as an example.

CA400-GuestUsers-IdentityProtection-AnyApp-AnyPlatform-MFA

This policy requires guests to use MFA, from any platform, when accessing any cloud app.

CA401-GuestUsers-AttackSurfaceReduction-AllApps-AnyPlatform-BlockNonGuestAppAccess

This policy blocks access for guests to all cloud apps (except for those excluded), from any device.

Important: Make sure to exclude additional cloud apps if any guest needs access to these apps.

CA402-GuestUsers-IdentityProtection-AllApps-AnyPlatform-SigninFrequency

This policy sets a sign-in frequency of at most 12 hours for guests, to all cloud apps, from any device.

Caution: Be careful when activating the policies! Make sure you have decent exclusions and/or a break-glass account in place. Enable the policies one by one, or start with report-only mode.

Considerations

  1. You might want to remove the “CA – BreakGlassAccounts – Exclude” group from the Admin MFA policies (CA101, CA102) if those accounts use MFA, and/or exclude only a single BreakGlass account instead.
  2. You might want to lower the risk level in CA201 and/or split user risk and sign-in risk into two separate policies.
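As an added example (not part of the framework's downloadable policies), the following Python builds the Microsoft Graph request bodies for the ALLOWED COUNTRIES named location and for CA001, and runs a pre-flight check for the caution and consideration 1 above: every policy should exclude the break-glass group and start in report-only mode. The group and location IDs are constructed placeholders; in a real tenant they come from the objects you created.

```python
# Constructed placeholder IDs; replace with the object IDs from your own tenant.
BREAKGLASS_GROUP_ID = "00000000-0000-0000-0000-000000000001"
ALLOWED_COUNTRIES_LOCATION_ID = "00000000-0000-0000-0000-0000000000aa"


def allowed_countries_location(countries=("BE", "LU", "NL")):
    """Graph body for the ALLOWED COUNTRIES named location (BE/LU/NL by default)."""
    return {
        "@odata.type": "#microsoft.graph.countryNamedLocation",
        "displayName": "ALLOWED COUNTRIES",
        "countriesAndRegions": list(countries),
        # Sign-ins from an unresolvable country stay outside the allow-list,
        # so CA001 blocks them as well.
        "includeUnknownCountriesAndRegions": False,
    }


def ca001_country_block(location_id, breakglass_group_id):
    """Graph body for CA001: block every app, from every location except the named location."""
    return {
        "displayName": "CA001-Global-AttackSurfaceReduction-AnyApp-AnyPlatform-BLOCK-CountryWhitelist",
        # Start in report-only mode; switch to "enabled" only after reviewing the sign-in logs.
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"], "excludeGroups": [breakglass_group_id]},
            "locations": {"includeLocations": ["All"], "excludeLocations": [location_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def preflight(policies, breakglass_group_id):
    """Return findings to clear before a policy leaves report-only mode."""
    findings = []
    for policy in policies:
        name = policy["displayName"]
        users = policy["conditions"]["users"]
        # Consideration 1 lets you drop this exclusion from the Admin MFA policies;
        # for block policies the exclusion is what keeps the break-glass account usable.
        if breakglass_group_id not in users.get("excludeGroups", []):
            findings.append(f"{name}: break-glass group is not excluded")
        if policy["state"] == "enabled":
            findings.append(f"{name}: enabled outright instead of report-only")
    return findings
```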
