Over the last few years, security breaches have cemented a place in the daily news. It is no wonder that security, alongside digital transformation, has become the manifesto for thriving in the digital age for organizations of all sizes. Organizations are assuming a breach position and embracing zero-trust policies to combat security threats.
With rapid cloud adoption, the four-walled network perimeter, firewalls, and physical access controls that once protected corporate data are no longer sufficient. Identity has become the primary security boundary for cloud-based solutions, and security risk is mitigated with authentication and authorization controls. Security at the data layer is crucial for protecting against a wide range of sophisticated threats, but many organizations are still lagging in implementing protections there.
Modernizing the collaboration solutions that enhance business productivity and enable iterative innovation has contributed to a steady uptick in Microsoft 365 usage. Although businesses are being proactive and investing significantly in modernizing workplace solutions, many organizations still apply the four-walled security approach to cloud apps.
Conditional Access (CA) policies for managing security risk only
Companies are using CA policies to mitigate security risk in the same way they used a firewall or VPN. For example, in on-premises environments users could access Outlook only when connected to the corporate network or via VPN. The same strategy is being carried over to CA policies, limiting Outlook access to sessions connected to the network or VPN.
Conditional Access (CA) policies for managing security risk and enhancing business productivity
Moving to the cloud to take advantage of scale, features, and anywhere/anytime access requires a careful balance of security and access, but risk mitigation and business productivity do not have to be mutually exclusive. For example, Outlook access can be protected across several factors: allowing access only when there is no sign-in risk, requiring MFA when accessed from untrusted networks, and requiring a corporate-issued or managed device/app. This implementation ensures that access is granted only when the specified conditions are satisfied, while still fostering business productivity.
Benefits of CA Policies:
- Increase productivity while managing security risk
Provides anywhere/anytime access and increases business productivity with cloud-scale identity protection and risk-based access control capabilities.
- Integration with other M365 security features
The risk can be further mitigated by integrating other M365 features such as advanced identity protection and Cloud App Security.
- Address compliance and governance
Auditing access requests and approvals for an application and understanding overall application usage is easier with Azure AD. Audit records include the requester identity, request date, business justification, approval status, and approver identity. This data is also available from an API, so it can be imported into a Security Information and Event Management (SIEM) system.
- Manage cost
Moving access policies to Azure AD reduces reliance on custom or on-premises solutions such as Active Directory Federation Services (ADFS) for Conditional Access, which reduces both infrastructure and licensing costs.
- Included in Microsoft business plans
As of June 2019, the CA baseline policies are included in the business plans without requiring an Azure AD P1 license.
Best Practices for Implementing CA Policies:
Below are some CA policy best practices to follow:
- Exclude break glass accounts from CA policies
Create break glass accounts and exclude them from CA policies to reduce the risk of lockout during unforeseen disruptions. Apply all available extra security measures to these break glass accounts.
- Enable baseline policies
MFA for privileged accounts, MFA for all users, and Block legacy authentication: three baseline policies that protect against the majority of cyber-attacks.
- Only allow service account sign-in from specified locations
Organizations still have legacy apps that do not support OAuth or app registrations in Office 365 and must rely on a password and basic authentication to access Office 365. Limit these service accounts to signing in only from trusted and/or specific locations.
- Use Azure AD access reviews to manage users excluded from Conditional Access policies
Use Azure AD access reviews to stay compliant and secure by monitoring access that is excluded from CA policies, such as break glass accounts, legacy apps, or internationally travelling users.
- Create CA policies for managing security risk and enhancing business productivity
Implement the organization's security posture and requirements while ensuring ease of use and fostering business productivity.
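As an added example (not from the original post or from Microsoft), the Outlook requirement described earlier (no sign-in risk, MFA off trusted networks, managed device or approved app) and the best practices listed above expressed as Microsoft Graph conditionalAccessPolicy bodies, together with a small linter that checks a policy set for the break-glass exclusion, the legacy-authentication block, and the service-account location restriction. All object IDs are constructed placeholders; the Graph field names (users, applications, clientAppTypes, signInRiskLevels, locations, grantControls) and special values ("All", "AllTrusted", "other") are the real schema.

```python
"""Conditional Access policy set and best-practice linter (added example).

One Graph policy pairs one set of conditions with one set of grant controls,
so the single Outlook requirement from the post is modelled as three policies.
"""
import copy
from typing import Any, Dict, List

Policy = Dict[str, Any]

# Constructed placeholders: replace with object IDs from your own tenant.
EXCHANGE_ONLINE_APP_ID = "<exchange-online-app-id>"
BREAK_GLASS_ACCOUNTS = ["<break-glass-1-object-id>", "<break-glass-2-object-id>"]
SERVICE_ACCOUNTS = ["<legacy-app-service-account-object-id>"]
TRUSTED_NAMED_LOCATION = "<named-location-id-for-corporate-egress-ips>"


def _policy(name: str, conditions: Policy, grant: Policy, state: str = "enabled") -> Policy:
    """Build one conditionalAccessPolicy body, defaulting to all users and all
    apps with the break-glass accounts excluded (the first best practice)."""
    users = conditions.setdefault("users", {})
    users.setdefault("includeUsers", ["All"])
    users.setdefault("excludeUsers", list(BREAK_GLASS_ACCOUNTS))
    conditions.setdefault("applications", {"includeApplications": ["All"]})
    return {"displayName": name, "state": state, "conditions": conditions, "grantControls": grant}


OUTLOOK_APP = {"includeApplications": [EXCHANGE_ONLINE_APP_ID]}
POLICIES: List[Policy] = [
    # "only when there is no sign-in risk": block every non-zero risk level.
    _policy("Outlook: block risky sign-ins",
            {"applications": dict(OUTLOOK_APP), "signInRiskLevels": ["low", "medium", "high"]},
            {"operator": "OR", "builtInControls": ["block"]}),
    # "MFA when accessed from untrusted networks": all locations except trusted ones.
    _policy("Outlook: MFA outside trusted locations",
            {"applications": dict(OUTLOOK_APP),
             "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}},
            {"operator": "OR", "builtInControls": ["mfa"]}),
    # "from a corporate issued or managed device/app".
    _policy("Outlook: managed device or approved app",
            {"applications": dict(OUTLOOK_APP)},
            {"operator": "OR", "builtInControls": ["compliantDevice", "approvedApplication"]}),
    # Baseline: block legacy authentication ("other" = basic-auth protocols) tenant-wide,
    # excluding the service accounts that still depend on it.
    _policy("Block legacy authentication",
            {"users": {"excludeUsers": BREAK_GLASS_ACCOUNTS + SERVICE_ACCOUNTS},
             "clientAppTypes": ["exchangeActiveSync", "other"]},
            {"operator": "OR", "builtInControls": ["block"]}),
    # Service accounts that still need basic auth: block everywhere except one named location.
    _policy("Service accounts: trusted locations only",
            {"users": {"includeUsers": list(SERVICE_ACCOUNTS), "excludeUsers": []},
             "locations": {"includeLocations": ["All"], "excludeLocations": [TRUSTED_NAMED_LOCATION]}},
            {"operator": "OR", "builtInControls": ["block"]}),
]


def _targets_user(policy: Policy, user_id: str) -> bool:
    users = policy["conditions"]["users"]
    included = "All" in users.get("includeUsers", []) or user_id in users.get("includeUsers", [])
    return included and user_id not in users.get("excludeUsers", [])


def _blocks(policy: Policy) -> bool:
    return "block" in policy["grantControls"].get("builtInControls", [])


def lint_policies(policies: List[Policy]) -> List[str]:
    """Return one finding per violated best practice; an empty list means clean."""
    findings: List[str] = []
    enabled = [p for p in policies if p["state"] == "enabled"]

    # 1. Break-glass accounts must be excluded from every enabled policy.
    for p in enabled:
        for acct in BREAK_GLASS_ACCOUNTS:
            if _targets_user(p, acct):
                findings.append(f"{p['displayName']}: break-glass account {acct} is not excluded")

    # 2. Some enabled policy must block legacy authentication for all users and all apps.
    if not any(_blocks(p)
               and {"exchangeActiveSync", "other"} <= set(p["conditions"].get("clientAppTypes", []))
               and "All" in p["conditions"]["users"].get("includeUsers", [])
               and "All" in p["conditions"]["applications"].get("includeApplications", [])
               for p in enabled):
        findings.append("no enabled policy blocks legacy authentication for all users and apps")

    # 3. Each service account must be blocked outside an explicitly allowed location.
    for acct in SERVICE_ACCOUNTS:
        if not any(_blocks(p) and _targets_user(p, acct)
                   and "All" in p["conditions"].get("locations", {}).get("includeLocations", [])
                   and p["conditions"]["locations"].get("excludeLocations")
                   for p in enabled):
            findings.append(f"service account {acct} is not restricted to a trusted location")
    return findings


def with_break_glass_removed(policies: List[Policy]) -> List[Policy]:
    """Copy the set and drop the break-glass exclusion from the first policy,
    the kind of drift the linter is meant to catch before it causes a lockout."""
    bad = copy.deepcopy(policies)
    bad[0]["conditions"]["users"]["excludeUsers"] = []
    return bad


if __name__ == "__main__":
    print("clean set:", lint_policies(POLICIES))
    print("drifted set:", lint_policies(with_break_glass_removed(POLICIES)))
```

The linter operates on the same JSON shape the Graph API returns from the conditional access policies endpoint, so the same checks can run against an export of a live tenant rather than the constructed set here; pair it with the access reviews mentioned above so every exclusion the linter tolerates is itself reviewed.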