Conditional Access

Overview

Users can access corporate resources from a variety of devices and from wherever they are.

For this reason, it is necessary to establish who can access certain resources and, above all, to define how they must access them.

Solution

“Conditional Access” is a feature included in Azure Active Directory that grants or denies access based on predefined conditions.

Some conditions are illustrated below:

  • Membership of users or groups: To reduce the risk of losing sensitive data, you can define the users or groups of users who can access certain applications and/or resources.
  • Location: A location can be considered risky, for example:
    • if the user is in a country with limited security policies;
    • if the wireless network in use is not secure;
    • if it is not a place where the organization usually does business.
    You can also change the access requirements for sign-ins from locations that are not in an IP safe list (About IP Addresses) or that are risky for other reasons. Users who access a service from outside the corporate network should be required to use a multi-factor authentication mechanism.
  • Device: Conditional access policies can be enforced based on the platform of the user's device or on a specific status the device has been marked with.
  • Application: Users access many “cloud” applications through different types of client applications (web-based, mobile app or desktop app). Here too it is possible to apply security policies, for example to deny access when a user uses a certain client application.
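The "MFA outside the corporate network" scenario above, as an added example that is not part of the original page: a policy body in the Microsoft Graph Conditional Access schema (all users and all cloud apps, MFA required unless the sign-in comes from a trusted named location, with an emergency-access group excluded) plus a small local "what-if" evaluator that mirrors how the conditions combine. The group id, location id and IP ranges are constructed assumptions.

```python
import ipaddress

# Constructed sample: the tenant's trusted named location (its IP safe list).
TRUSTED_LOCATIONS = {
    "loc-corp-offices": [ipaddress.ip_network("198.51.100.0/24"),
                         ipaddress.ip_network("10.0.0.0/8")],
}
BREAK_GLASS_GROUP = "grp-break-glass"  # constructed id of an emergency-access group


def build_policy() -> dict:
    """Policy body for POST /identity/conditionalAccess/policies (Graph schema):
    every user, every cloud app, require MFA unless the sign-in comes from a
    trusted location; emergency-access accounts are excluded."""
    return {
        "displayName": "Require MFA outside corporate network",
        "state": "enabledForReportingButNotEnforced",  # report-only first, then "enabled"
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [BREAK_GLASS_GROUP]},
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def is_trusted(ip: str) -> bool:
    """True when the source address falls inside any trusted named location."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for nets in TRUSTED_LOCATIONS.values() for net in nets)


def required_controls(policy: dict, user_groups: set, ip: str) -> list:
    """Local what-if: the policy applies only when every condition matches, and an
    exclusion always wins over an inclusion. Returns the grant controls to enforce
    (the policy's report-only/enabled state is not modelled here)."""
    cond = policy["conditions"]
    if cond["users"]["includeUsers"] != ["All"]:
        raise NotImplementedError("example handles the All-users scope only")
    if user_groups & set(cond["users"].get("excludeGroups", [])):
        return []  # excluded user: policy does not apply
    if "AllTrusted" in cond["locations"].get("excludeLocations", []) and is_trusted(ip):
        return []  # trusted named location: policy does not apply
    return list(policy["grantControls"]["builtInControls"])


if __name__ == "__main__":
    for ip in ("10.1.2.3", "203.0.113.7"):
        print(ip, required_controls(build_policy(), set(), ip))
```

Creating the policy in report-only state first lets you read the sign-in logs to confirm which users would be prompted before switching it to "enabled".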

Requirements

  • The minimum required license is Azure Active Directory Premium P1 (also included in Microsoft Enterprise Mobility + Security E3).
  • Conditional Access features are also available with the Microsoft 365 Business Premium license.

Benefits

  • Control over how, when and from where users can access services and/or applications.
  • Security guaranteed by the fact that users can only use approved “client” devices and/or applications to access corporate data.