Apply Conditional Access Control Policies

(Back)

Objective

Conditional Access is the tool used by Azure Active Directory to bring signals together, to make decisions, and enforce organizational policies. A Conditional Access policy specifies the app or services you want to protect, the conditions under which the apps or services can be accessed, and the users the policy applies to. Policies are enforced after the first-factor authentication has been completed. For example, policies to prevent any unauthorised devices from accessing sensitive business or personal information should be considered.

Key Considerations

• Ensure that users understand their responsibilities when using personal devices to access the data and services and the risks of sharing business data with unauthorised users
• Establish Conditional Access Policies to address common access concerns such as:
  • Blocking or requiring Multifactor Authentication (MFA) for any access attempt from outside of the corporate network;
  • Requiring multi-factor authentication for users with administrative roles
  • Requiring multi-factor authentication for Azure management tasks
  • Blocking sign-ins for users attempting to use legacy authentication protocols
  • Requiring trusted locations for Azure Multi-Factor Authentication registration
  • Blocking or granting access from specific locations
  • Blocking risky sign-in behaviors
  • Requiring GC-managed devices for specific applications with consideration of the categorization of the data
• Implement policies to monitor and prevent:
  • Risky users;
  • Risky sign-ins; and
  • Risk detections
• Implement device-based conditional access policy and compliance status to either allow or block access to apps and services

Additional Considerations

• For Corporate Owned Devices, consider implementing the following settings:
  • Allowing access to the Web Application Proxy (WAP) and authentication policies to ensure that the device is corporately owned
  • Ensuring that MFA is enabled for all accounts including use of OTP application
• For personal devices, consider implementing the following settings:
  • Ensuring that MFA is enabled for all accounts including use of OTP application
  • Explore data classification capabilities to monitoring and protect sensitive data
  • Explore a reverse proxy configuration using Microsoft Cloud App Security (MCAS) to protect data when using web browsers (additional licensing required)
  • Explore the use of Intune Mobile Application Management (MAM) to protect data within an application. This includes using MAM and application protection policies on devices not enrolled with Intune Mobile Device Management (MDM).

Validation

• Validate that conditional access policies are in place for devices
• Validate that conditional access policies are in place for enabling MFA

References

1. Directive on Security Management - Appendix B: Mandatory Procedures for Information Technology Security Control, subsections B.2.3.1, B.2.3.2.4
2. SPIN 2017-01, subsection 6.2.3
3. CSE Top 10 #3
4. Refer to CCCS ITSP.30.031 V2 User Authentication Guidance for Information Technology Systems
5. Refer to the Guidance on Cloud Authentication for the Government of Canada
6. Refer to the Recommendations for Two-Factor User Authentication Within the Government of Canada Enterprise Domain
7. Related security controls: AC‑2, AC‑2(1), AC‑3, AC‑5, AC‑6, AC‑6(5), AC‑6(10), AC‑7, AC‑9, AC‑19, AC‑20(3), IA‑2, IA‑2(1), IA‑2(2), IA‑2(11), IA‑4, IA‑5, IA‑5(1), IA‑5(6), IA‑5(7), IA‑5(13), IA‑6, IA‑8