
cloud-guardrails-O365

Recommended configuration guidance for Microsoft O365 / Conseils de configuration recommandés pour Microsoft O365

Apply Conditional Access Control Policies

Objective

Conditional Access is the tool Azure Active Directory uses to bring signals together, make decisions, and enforce organizational policies. A Conditional Access policy specifies the apps or services you want to protect, the conditions under which they can be accessed, and the users the policy applies to. Policies are enforced after first-factor authentication has been completed. For example, consider policies that prevent unauthorised devices from accessing sensitive business or personal information.
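
The following is an added example, not part of the original guidance: one way to express the unauthorised-device case above as a Conditional Access policy, showing the three parts a policy specifies (users, apps, conditions) plus the grant control. It assumes the Microsoft Graph PowerShell SDK (`Microsoft.Graph.Identity.SignIns` module) and an account allowed to manage Conditional Access; the display name is illustrative, and the policy is created in report-only mode.

```powershell
# Added example (not from the original guidance).
# Assumes the Microsoft.Graph.Identity.SignIns module is installed.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$policy = @{
    # Illustrative name; use your organization's naming convention.
    displayName = 'EXAMPLE - Require managed device for Office 365'

    # Report-only: the policy is evaluated after first-factor authentication
    # and the outcome is logged, but access is not yet blocked.
    state = 'enabledForReportingButNotEnforced'

    conditions = @{
        # Who the policy applies to.
        users = @{
            includeUsers = @('All')
        }
        # Which apps or services are protected.
        applications = @{
            includeApplications = @('Office365')
        }
        # Conditions of access: all client types (browser, mobile and desktop apps, legacy).
        clientAppTypes = @('all')
    }

    # Decision: allow only if the device is marked compliant OR is hybrid joined.
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('compliantDevice', 'domainJoinedDevice')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back to confirm what was stored.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State,
        @{ Name = 'GrantControls'; Expression = { $_.GrantControls.BuiltInControls -join ', ' } }
```

Review the report-only results in the sign-in logs before changing `state` to `enabled`, since an enforced policy scoped to all users will block every sign-in from a device that is neither compliant nor hybrid joined.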

Key Considerations

Additional Considerations

Validation

References

  1. Directive on Security Management - Appendix B: Mandatory Procedures for Information Technology Security Control, subsections B.2.3.1, B.2.3.2.4
  2. SPIN 2017-01, subsection 6.2.3
  3. CSE Top 10 #3
  4. Refer to CCCS ITSP.30.031 V2 User Authentication Guidance for Information Technology Systems
  5. Refer to the Guidance on Cloud Authentication for the Government of Canada
  6. Refer to the Recommendations for Two-Factor User Authentication Within the Government of Canada Enterprise Domain
  7. Related security controls: AC‑2, AC‑2(1), AC‑3, AC‑5, AC‑6, AC‑6(5), AC‑6(10), AC‑7, AC‑9, AC‑19, AC‑20(3), IA‑2, IA‑2(1), IA‑2(2), IA‑2(11), IA‑4, IA‑5, IA‑5(1), IA‑5(6), IA‑5(7), IA‑5(13), IA‑6, IA‑8