A few months ago I decided to redesign my Conditional Access Framework. While reading docs and blogs for recent changes I found Claus Jespersen's Conditional Access Framework documentation, which can be found here. This framework was way too much for what I needed as a new starting point.
I decided to build a new Conditional Access Framework based on Claus Jespersen's and Microsoft's frameworks. This one is slightly minimized and less difficult to understand, but still protects almost everything you could wish for. Use this baseline to start off with and expand or modify it where needed.
Note: The complete framework, with downloadable policies and instructions on how to import them, can be found on my GitHub.
- Personas
- Conditional Access policies
  - CA000-Global-IdentityProtection-AnyApp-AnyPlatform-MFA
  - CA001-Global-AttackSurfaceReduction-AnyApp-AnyPlatform-BLOCK-CountryWhitelist
  - CA002-Global-IdentityProtection-AnyApp-AnyPlatform-Block-LegacyAuthentication
  - CA003-Global-BaseProtection-RegisterOrJoin-AnyPlatform-MFA
  - CA004-Global-IdentityProtection-AnyApp-AnyPlatform-AuthenticationFlows
  - CA005-Global-DataProtection-Office365-AnyPlatform-Unmanaged-AppEnforcedRestrictions-BlockDownload
  - CA100-Admins-IdentityProtection-AdminPortals-AnyPlatform-MFA
  - CA101-Admins-IdentityProtection-AnyApp-AnyPlatform-MFA
  - CA102-Admins-IdentityProtection-AllApps-AnyPlatform-SigninFrequency
  - CA200-Internals-IdentityProtection-AnyApp-AnyPlatform-MFA
  - CA201-Internals-IdentityProtection-AnyApp-AnyPlatform-BLOCK-HighRisk
  - CA202-Internals-IdentityProtection-AllApps-WindowsMacOS-SigninFrequency-UnmanagedDevices
  - CA203-Internals-AppProtection-MicrosoftIntuneEnrollment-AnyPlatform-MFA
  - CA204-Internals-AttackSurfaceReduction-AllApps-AnyPlatform-BlockUnknownPlatforms
  - CA205-Internals-BaseProtection-AnyApp-Windows-CompliantorAADHJ
  - CA400-GuestUsers-IdentityProtection-AnyApp-AnyPlatform-MFA
  - CA401-GuestUsers-AttackSurfaceReduction-AllApps-AnyPlatform-BlockNonGuestAppAccess
  - CA402-GuestUsers-IdentityProtection-AllApps-AnyPlatform-SigninFrequency
- Considerations
- Resources
Personas
Global
Global is a persona/placeholder for policies that are general in nature or do not apply to only one persona. It is used to define policies that apply to all personas, or that do not apply to one specific persona. The reason for having this persona is to have a model in which all relevant scenarios can be protected. It should hold policies that apply to all users, or policies that enforce protection in scenarios not covered by the policies for the other personas.
Admins
We define admins in this context as any non-guest identity (cloud-only or synced) that holds any Azure AD or other Microsoft 365 admin role (for example in MDCA, Exchange, Defender for Endpoint or Compliance). Guests who hold such roles are covered by a separate persona, so guests are excluded from this persona.
Internals
Internals covers all users who have an AD account synced to Azure AD, who are employees of the company and work in a standard end-user role.
Guests
Guests holds all users who have an Azure AD guest account that has been invited into the customer tenant.
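The four persona definitions above translate directly into a classification rule, including the edge case that a guest holding an admin role stays in the Guests persona. The following is an added example, not code from the original post or its GitHub repository: the user records are constructed, the `ADMIN_ROLES` set is an illustrative subset of Entra built-in roles, and the `CA0xx`/`CA1xx`/`CA2xx`/`CA4xx` prefix mapping is inferred from the policy names on this page.

```python
"""Map users to the personas defined in this framework (Global, Admins,
Internals, Guests) and to the policy number ranges that apply to them.

Added example, not code from the original post. User records are
constructed and use a few Microsoft Graph `user` attributes (userType,
onPremisesSyncEnabled) plus a constructed list of active directory role
names; ADMIN_ROLES is an illustrative subset of Entra built-in roles.
"""
from dataclasses import dataclass, field

# Constructed subset of admin role names; the post counts *any* Azure AD
# or Microsoft 365 admin role, so extend this set for your tenant.
ADMIN_ROLES = {"Global Administrator", "Exchange Administrator",
               "Security Administrator", "Compliance Administrator"}

# Policy number prefix per persona, following the CA0xx/CA1xx/CA2xx/CA4xx scheme
# used by the policy names in this post (assumption: the scheme is fixed).
PERSONA_PREFIX = {"Global": "CA0", "Admins": "CA1", "Internals": "CA2", "Guests": "CA4"}


@dataclass
class User:
    upn: str
    user_type: str                              # Graph userType: "Member" or "Guest"
    synced: bool                                # Graph onPremisesSyncEnabled
    roles: list = field(default_factory=list)   # active directory role names (constructed)


def persona(user: User) -> str:
    """Return the persona a user belongs to, or "Unassigned" when the post's
    definitions do not cover the account (cloud-only, non-admin members)."""
    # Guests are checked first: the post keeps guests that hold admin roles
    # under the Guests persona and excludes them from Admins.
    if user.user_type == "Guest":
        return "Guests"
    if any(role in ADMIN_ROLES for role in user.roles):
        return "Admins"
    if user.synced:
        return "Internals"
    return "Unassigned"


def applicable_policies(user: User, policy_names) -> list:
    """Policies whose number prefix matches the user's persona, plus the Global
    (CA0xx) policies, which apply to every persona."""
    prefixes = {PERSONA_PREFIX["Global"]}
    p = persona(user)
    if p in PERSONA_PREFIX:
        prefixes.add(PERSONA_PREFIX[p])
    return [name for name in policy_names if name[:3] in prefixes]


# Constructed sample users; the policy names are taken from this post.
SAMPLE_USERS = [
    User("alice@contoso.example", "Member", True, ["Exchange Administrator"]),
    User("bob@contoso.example", "Member", True),
    User("carol_partner.example#EXT#@contoso.example", "Guest", False, ["Global Administrator"]),
    User("svc-backup@contoso.example", "Member", False),
]
POLICY_NAMES = [
    "CA000-Global-IdentityProtection-AnyApp-AnyPlatform-MFA",
    "CA001-Global-AttackSurfaceReduction-AnyApp-AnyPlatform-BLOCK-CountryWhitelist",
    "CA100-Admins-IdentityProtection-AdminPortals-AnyPlatform-MFA",
    "CA200-Internals-IdentityProtection-AnyApp-AnyPlatform-MFA",
    "CA400-GuestUsers-IdentityProtection-AnyApp-AnyPlatform-MFA",
]

if __name__ == "__main__":
    for u in SAMPLE_USERS:
        print(f"{u.upn:48} -> {persona(u):10} {applicable_policies(u, POLICY_NAMES)}")
```

The "Unassigned" result for the cloud-only service account is deliberate: the post's Internals definition only covers synced accounts, so such accounts are reached by the Global policies alone, which is worth knowing before you rely on CA2xx policies for them.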
Conditional Access policies
CA000-Global-IdentityProtection-AnyApp-AnyPlatform-MFA
This policy requires MFA for all cloud apps, from every platform. It catches all in-scope authentications that are not captured by the other MFA policies.
CA001-Global-AttackSurfaceReduction-AnyApp-AnyPlatform-BLOCK-CountryWhitelist
This policy blocks access from all countries, to all cloud apps, from every platform, except for the countries configured in the named location ALLOWED COUNTRIES. That named location is excluded in this policy.
Important: Modify the named location with your approved countries. By default only Belgium, Luxembourg and the Netherlands are allowed access.
CA002-Global-IdentityProtection-AnyApp-AnyPlatform-Block-LegacyAuthentication
This policy blocks legacy authentication for all users, to all cloud apps, from any platform.
CA003-Global-BaseProtection-RegisterOrJoin-AnyPlatform-MFA
This policy requires MFA for all users, to register or join a device to your tenant/environment.
Tip: Make sure to disable the "Require Multifactor Authentication to register or join devices with Microsoft Entra" setting. It can be found under https://portal.azure.com -> Entra ID -> Devices -> Device settings.
CA004-Global-IdentityProtection-AnyApp-AnyPlatform-AuthenticationFlows
This policy prevents all users from transferring authentication flows, for example from PC to mobile. This feature is currently in preview.
CA005-Global-DataProtection-Office365-AnyPlatform-Unmanaged-AppEnforcedRestrictions-BlockDownload
This policy prevents all users from downloading, printing or syncing Office 365 data from an unmanaged device. It requires App Enforced Restrictions.
CA100-Admins-IdentityProtection-AdminPortals-AnyPlatform-MFA
This policy requires MFA for certain admin roles when they access the Admin Portals.
CA101-Admins-IdentityProtection-AnyApp-AnyPlatform-MFA
This policy requires MFA for certain admin roles when they access any cloud app.
CA102-Admins-IdentityProtection-AllApps-AnyPlatform-SigninFrequency
This policy sets a sign-in frequency for certain admin roles to a maximum of 12 hours. Admins need to re-authenticate or log on again after 12 hours.
CA200-Internals-IdentityProtection-AnyApp-AnyPlatform-MFA
This policy requires MFA for all internal identities, for all cloud applications, from any platform.
Important: Verify the included group(s) and/or add your custom groups that contain all internals. APP_Microsoft365_E5_DEV is added as an example.
CA201-Internals-IdentityProtection-AnyApp-AnyPlatform-BLOCK-HighRisk
This policy blocks all internal users that have a high risk status (sign-in risk and user risk), to all cloud apps, from all platforms.
Important: Verify the included group(s) and/or add your custom groups that contain all internals. APP_Microsoft365_E5_DEV is added as an example.
CA202-Internals-IdentityProtection-AllApps-WindowsMacOS-SigninFrequency-UnmanagedDevices
This policy sets a sign-in frequency to a maximum of 12 hours for internals, to all cloud apps, when using unmanaged Windows or macOS devices.
Important: Verify the included group(s) and/or add your custom groups that contain all internals. APP_Microsoft365_E5_DEV is added as an example.
CA203-Internals-AppProtection-MicrosoftIntuneEnrollment-AnyPlatform-MFA
This policy requires MFA for internals when enrolling their devices in Intune.
Important: Verify the included group(s) and/or add your custom groups that contain all internals. APP_Microsoft365_E5_DEV is added as an example.
CA204-Internals-AttackSurfaceReduction-AllApps-AnyPlatform-BlockUnknownPlatforms
This policy blocks unknown/unsupported device platforms for internals.
Note: Currently only Windows, macOS, Android and iOS are supported. If (for example) Linux or Windows Phone is allowed, you need to modify the policy.
Important: Verify the included group(s) and/or add your custom groups that contain all internals. APP_Microsoft365_E5_DEV is added as an example.
CA205-Internals-BaseProtection-AnyApp-Windows-CompliantorAADHJ
This policy requires internals to make use of a Windows device that is compliant or AADHJ (Azure AD Hybrid Joined / Entra ID Hybrid Joined) while accessing any cloud app.
Important: Verify the included group(s) and/or add your custom groups that contain all internals. APP_Microsoft365_E5_DEV is added as an example.
CA400-GuestUsers-IdentityProtection-AnyApp-AnyPlatform-MFA
This policy requires guests to use MFA, from any platform, when accessing any cloud app.
CA401-GuestUsers-AttackSurfaceReduction-AllApps-AnyPlatform-BlockNonGuestAppAccess
This policy blocks access for guests to all cloud apps (except for those excluded), from any device.
Important: Make sure to exclude additional cloud apps if any guest needs access to these apps.
CA402-GuestUsers-IdentityProtection-AllApps-AnyPlatform-SigninFrequency
This policy sets a Sign-in frequency to a maximum of 12 hours for guests, to all cloud apps, using any device.
Caution: Be careful when activating the policies! Make sure you have decent exclusions and/or a break-glass account in place. Enable the policies one by one, or start with report-only mode.
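To see how the Global policies above combine on a single sign-in, and why the exclusions the Caution asks for matter, here is an added example that is not the post's downloadable policy set. It models CA000, CA001 and CA002 as Microsoft Graph `conditionalAccessPolicy` objects (only the field names follow the Graph schema; the break-glass group and ALLOWED COUNTRIES named-location GUIDs are placeholders), runs constructed sign-ins through a deliberately simplified evaluator (every matching enabled policy applies, block wins over any grant, report-only policies are recorded but not enforced), and lints the set for policies that forget the break-glass exclusion.

```python
"""Evaluate constructed sign-ins against a model of the framework's CA000,
CA001 and CA002 policies, and check that every policy excludes the break-glass group.

Added example, not the post's own policies. Field names follow the Graph
conditionalAccessPolicy schema; GUIDs are placeholders; the evaluator is a
simplification of Entra's real behaviour (no platform, risk or device checks).
"""
BREAKGLASS_GROUP = "00000000-0000-0000-0000-0000000000b9"   # placeholder group id
ALLOWED_COUNTRIES = "00000000-0000-0000-0000-0000000000a1"  # placeholder named-location id

def _base_users():
    # Every policy in the framework excludes the break-glass group.
    return {"includeUsers": ["All"], "excludeGroups": [BREAKGLASS_GROUP]}

POLICIES = [
    {   # CA000: catch-all MFA for all users, all apps, all client types
        "displayName": "CA000-Global-IdentityProtection-AnyApp-AnyPlatform-MFA",
        "state": "enabled",
        "conditions": {"users": _base_users(),
                       "applications": {"includeApplications": ["All"]},
                       "clientAppTypes": ["all"]},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # CA001: block every location except the ALLOWED COUNTRIES named location
        "displayName": "CA001-Global-AttackSurfaceReduction-AnyApp-AnyPlatform-BLOCK-CountryWhitelist",
        "state": "enabled",
        "conditions": {"users": _base_users(),
                       "applications": {"includeApplications": ["All"]},
                       "locations": {"includeLocations": ["All"],
                                     "excludeLocations": [ALLOWED_COUNTRIES]},
                       "clientAppTypes": ["all"]},
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {   # CA002: block the legacy-authentication client app types
        "displayName": "CA002-Global-IdentityProtection-AnyApp-AnyPlatform-Block-LegacyAuthentication",
        "state": "enabled",
        "conditions": {"users": _base_users(),
                       "applications": {"includeApplications": ["All"]},
                       "clientAppTypes": ["exchangeActiveSync", "other"]},
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]

# A sign-in is a dict: user, groups (ids), location (named-location id or None
# when it matches no named location) and clientAppType (Graph value).
def _user_in_scope(users, s):
    if any(g in users.get("excludeGroups", []) for g in s["groups"]):
        return False
    return "All" in users.get("includeUsers", []) or s["user"] in users.get("includeUsers", [])

def _location_in_scope(locations, s):
    if locations is None:                      # policy has no location condition
        return True
    if s["location"] in locations.get("excludeLocations", []):
        return False
    return "All" in locations.get("includeLocations", []) or s["location"] in locations.get("includeLocations", [])

def _client_in_scope(client_types, s):
    return "all" in client_types or s["clientAppType"] in client_types

def evaluate(sign_in, policies=POLICIES):
    """Return (decision, enforced policy names, report-only policy names)."""
    controls, applied, report_only = set(), [], []
    for p in policies:
        if p["state"] == "disabled":
            continue
        c = p["conditions"]
        if not (_user_in_scope(c["users"], sign_in)
                and _location_in_scope(c.get("locations"), sign_in)
                and _client_in_scope(c.get("clientAppTypes", ["all"]), sign_in)):
            continue
        if p["state"] == "enabledForReportingButNotEnforced":
            report_only.append(p["displayName"])   # logged, not enforced
            continue
        applied.append(p["displayName"])
        controls.update(p["grantControls"]["builtInControls"])
    if "block" in controls:
        return "block", applied, report_only        # block always wins
    if controls:
        return "require:" + "+".join(sorted(controls)), applied, report_only
    return "allow", applied, report_only

def as_report_only(policy):
    """Copy of a policy in Entra's report-only state (the 'start with report-only' advice)."""
    return {**policy, "state": "enabledForReportingButNotEnforced"}

def policies_without_breakglass_exclusion(policies=POLICIES, group=BREAKGLASS_GROUP):
    """Names of non-disabled policies that do not exclude the break-glass group."""
    return [p["displayName"] for p in policies if p["state"] != "disabled"
            and group not in p["conditions"]["users"].get("excludeGroups", [])]

SAMPLE_SIGNINS = {  # constructed
    "office_browser": {"user": "alice@contoso.example", "groups": [], "location": ALLOWED_COUNTRIES, "clientAppType": "browser"},
    "abroad_browser": {"user": "alice@contoso.example", "groups": [], "location": None, "clientAppType": "browser"},
    "legacy_client":  {"user": "alice@contoso.example", "groups": [], "location": ALLOWED_COUNTRIES, "clientAppType": "other"},
    "breakglass":     {"user": "bg01@contoso.example", "groups": [BREAKGLASS_GROUP], "location": None, "clientAppType": "browser"},
}

if __name__ == "__main__":
    for name, s in SAMPLE_SIGNINS.items():
        print(f"{name:15} -> {evaluate(s)}")
    print("missing break-glass exclusion:", policies_without_breakglass_exclusion())
```

Running `evaluate` on the "breakglass" sign-in returns `allow` with no policy applied, which is exactly what the exclusion group is for; drop the group from one policy and `policies_without_breakglass_exclusion` names it. Switching CA001 through `as_report_only` shows the staged rollout the Caution suggests: the sign-in from outside the allowed countries is no longer blocked, but the policy still shows up in the report-only list so you can review who would have been hit.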
Considerations
- You might want to remove the “CA – BreakGlassAccounts – Exclude” group from the admin MFA policies (CA101, CA102) if the break-glass accounts use MFA, and/or exclude only a single break-glass account instead.
- You might want to lower the risk level in CA201 and/or split user risk and sign-in risk into two separate policies.
Thank you for the excellent work converting the large framework made by Claus to a handy “starter” format.
It looks like you are crediting the wrong Claus Jespersen, though. This is the right one: https://www.linkedin.com/in/claus-jespersen-25b0422/
Thanks for the notice! I know Claus, I probably did the wrong copy/paste somehow. It's fixed now.
Hey Joey,
In what way is this minimized when compared to the original framework?
Did you decide on a policy by policy whether you wanted it or not, or did you use another process to trim it down?
Hi Kim, this one does not have separate policies for developers, guest admins or service accounts, for example. Most policies have been stripped down to what most of our customers needed at that time.
Oh, and Claus is retired now, so his framework is probably not being updated anymore.