# AzureAD: Conditional Access

Microsoft Azure AD is truly an Identity and Access Management platform for cloud services. It not only covers basic identity needs but also provides advanced features natively, such as MFA, dynamic group management and conditional access. Conditional access is the "icing on the cake" for cloud app access control. Every organization runs on transactions; these transactions can take many forms, and applications enable them to happen while the rest of IT works behind the scenes. Appropriate access to those applications keeps your IT secure and reliable and delivers business value.

Companies use many applications, for internal users, external users or both. Let me explain conditional access through an example. Company ABC is a financial organization that provides many financial services to its customers, including banking, financing and share market services, and it deals with both B2B and B2C market segments. Because of the nature of the business, the organization doesn't allow its employees to access its financial transaction applications outside its bank branches and corporate offices. Because of the employee attrition rate, the organization lets employees work from remote locations such as home on a rotational basis without impacting any consumer services. Because these employees rotate, you don't want to grant access based on their rotation. Azure AD conditional access fulfills this requirement by enabling conditional access for cloud apps.

If you don't know about cloud apps or My Apps, read the following articles.

SSO to SaaS

Application Proxy

Access Panel/My Apps

Using My Apps, you can publish both SaaS applications available through the enterprise gallery and internal applications published through Application Proxy, and then enable conditional access on those applications. In this scenario, I need to create a policy with the following condition and control.

| Condition | Control |
| --- | --- |
| When a user is outside the corporate network | They can't access the internal transactions app, even though they are connected to the corporate network through VPN |

Log in to Azure AD at https://aad.portal.azure.com

Go to Conditional access.

Select + New policy to define the conditions.

Write the name of the policy.

Now, choose either the include or the exclude option based on your need.

Select the specific users or groups.

Select your cloud apps.

Now, configure conditions based on your need and available specifications.

Once you are done with the conditions, click Done.

Now, configure the access controls based on your requirement.

Now, enable the policy and click Create.

Now, you can see that this policy has been created and enabled.
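The table above gives the condition and control in words, and the steps above build them by clicking through the portal. As an added example (not code from the original post or from Microsoft), the same policy is written below in the shape the Microsoft Graph `conditionalAccessPolicy` resource expects, together with a simplified evaluator that runs constructed sign-ins through the condition/control logic. The group ID, application ID and trusted-location IP ranges are placeholders and constructed sample values, not anything from the post; the evaluator models only the "block" grant control and is not the real Azure AD engine. Creating the policy through Graph requires the `Policy.ReadWrite.ConditionalAccess` permission; the post itself uses the portal.

```python
"""Added example (not from the original post): the 'block the transactions app outside
the corporate network' policy in the Microsoft Graph conditionalAccessPolicy shape,
plus a simplified evaluator run over constructed sign-ins."""
import ipaddress
import json

# Placeholder object IDs: replace with the group and application IDs from your tenant.
FINANCE_GROUP_ID = "PLACEHOLDER-FINANCE-USERS-GROUP-ID"
TRANSACTIONS_APP_ID = "PLACEHOLDER-TRANSACTIONS-APP-ID"

# Constructed sample ranges standing in for the tenant's *trusted* named locations
# (branch and corporate office egress IPs). VPN egress is deliberately not listed,
# which is what makes a VPN-connected user count as "outside the corporate network".
TRUSTED_LOCATIONS = {
    "Bank branches": ["203.0.113.0/24"],
    "Corporate offices": ["198.51.100.16/28"],
}


def build_block_outside_corpnet_policy(group_id, app_id, state="enabledForReportingButNotEnforced"):
    """Return the request body for POST /identity/conditionalAccess/policies (Graph v1.0).

    Defaults to report-only so the policy's effect can be reviewed in the sign-in logs
    before it is switched to 'enabled' and starts blocking real users.
    """
    return {
        "displayName": "Block transactions app outside corporate network",
        "state": state,
        "conditions": {
            "users": {"includeGroups": [group_id]},
            "applications": {"includeApplications": [app_id]},
            "clientAppTypes": ["all"],
            # Every location is in scope except named locations marked as trusted.
            "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def is_trusted_ip(ip, trusted_locations=TRUSTED_LOCATIONS):
    """True when the source IP falls inside any trusted named location range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr)
               for ranges in trusted_locations.values() for cidr in ranges)


def evaluate_sign_in(policy, sign_in, trusted_locations=TRUSTED_LOCATIONS):
    """Simplified evaluation of one sign-in against a block policy.

    Returns 'allow', 'block' or 'report-only'. This mirrors the condition/control
    logic described in the post; it is not the full Azure AD policy engine.
    """
    if policy["state"] == "disabled":
        return "allow"
    cond = policy["conditions"]
    in_scope_user = bool(set(sign_in["groups"]) & set(cond["users"].get("includeGroups", [])))
    in_scope_app = sign_in["app_id"] in cond["applications"].get("includeApplications", [])
    loc = cond.get("locations", {})
    trusted = is_trusted_ip(sign_in["ip"], trusted_locations)
    in_scope_location = ("All" in loc.get("includeLocations", [])
                         and not ("AllTrusted" in loc.get("excludeLocations", []) and trusted))
    if not (in_scope_user and in_scope_app and in_scope_location):
        return "allow"          # policy does not apply to this sign-in
    if "block" not in policy["grantControls"]["builtInControls"]:
        return "allow"          # this evaluator only models the block control
    if policy["state"] == "enabledForReportingButNotEnforced":
        return "report-only"    # would have been blocked; logged but not enforced
    return "block"


# Constructed sign-ins: a finance-group employee from a branch, from home and
# through the VPN, plus a user outside the policy's scope.
SAMPLE_SIGN_INS = {
    "branch": {"groups": [FINANCE_GROUP_ID], "app_id": TRANSACTIONS_APP_ID, "ip": "203.0.113.45"},
    "home": {"groups": [FINANCE_GROUP_ID], "app_id": TRANSACTIONS_APP_ID, "ip": "192.0.2.10"},
    "vpn": {"groups": [FINANCE_GROUP_ID], "app_id": TRANSACTIONS_APP_ID, "ip": "192.0.2.200"},
    "other_user": {"groups": ["PLACEHOLDER-OTHER-GROUP-ID"], "app_id": TRANSACTIONS_APP_ID, "ip": "192.0.2.10"},
}


def decisions(state="enabled"):
    """Evaluate every sample sign-in under the policy in the given state."""
    policy = build_block_outside_corpnet_policy(FINANCE_GROUP_ID, TRANSACTIONS_APP_ID, state)
    return {name: evaluate_sign_in(policy, s) for name, s in SAMPLE_SIGN_INS.items()}


if __name__ == "__main__":
    print(json.dumps(build_block_outside_corpnet_policy(FINANCE_GROUP_ID, TRANSACTIONS_APP_ID), indent=2))
    print(decisions("enabledForReportingButNotEnforced"))
    print(decisions("enabled"))
```

Two design points worth noting. The location condition is "All" with "AllTrusted" excluded, so the policy's reach is controlled by which named locations you mark as trusted: if the VPN egress range is not a trusted location, a VPN user is treated as outside the corporate network, which is the behaviour the table above describes. The policy also defaults to report-only (`enabledForReportingButNotEnforced`) so that the sign-in logs show who would have been blocked before the state is changed to `enabled`.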

This was just an example, but you can play with it and configure your policies in many permutations and combinations.
