Most customers tell me they don’t see their staff returning to the office anytime soon. This means we will continue to see employees working from home. In other words, remote work is “the new normal”. (Those of you with COVID-19 bingo cards, please mark your square now.) With virtually all your staff working from outside the organization’s network, it’s imperative that you strengthen your network’s defenses wherever you can. I recommend that you use conditional access to do this.
Why Strengthening Remote Network Access Matters
I made the point during a recent security training that “your home network is the network now.” These days hackers don’t have to break into the organization’s network to get to your stuff. They can just break into your users’ home networks.
As the person who worries about network security, you are probably less confident these days that every network access request is legitimate. What can you do to let people do their work, but properly secure network assets at the same time? Conditional access can help you here.
Conditional Access Explained
For most of its history, network access has been a binary decision: you get in or you don’t. If you present the proper credentials (username and password) you get in. If you don’t… press your nose against the window and see what all the cool people are doing at the club. (These days, the club is closed due to coronavirus restrictions, but work with me here!)
Conditional access presents a greater range of choices. Come with me back to Computer Science class and review IF-THEN statements:
IF <condition is true> THEN <do something> ELSE <do something else>
When you use conditional access, you set up some of these statements. You specify that IF one or more conditions occur, THEN your Identity and Access Management (IAM) system should take one or another action.
For instance, you can use conditional access to require that users only access an application from an approved device. Or you can use conditional access to require that users access an application from an approved client application. For instance, you might want users to access SharePoint via the SharePoint app, not via a browser.
Use Conditional Access with Your Identity and Access Management Platform
You use conditional access with your Identity and Access Management platform. I’ll mainly discuss Azure Active Directory (AAD) here. But other IAM platforms, such as Okta, have their own conditional access tools. Some platforms provide support in conjunction with AAD. Others can operate on their own. Read about Okta’s developments here.
In Microsoft land, you use conditional access via Azure Active Directory. You’ll need an Azure Identity Protection P1 or P2 license. You can purchase this subscription by itself, but you may already have it. Azure Identity Protection P1 and P2 subscriptions are included in (respectively) Enterprise Mobility + Security E3 and E5 subscriptions. They’re also part of Microsoft 365 E3 and E5 subscriptions (along with a lot of other valuable things).
I won’t be discussing conditional access implementation in detail here; start with this document if you want to jump in. That said, here are the main steps to follow when you want to use conditional access.
Start With Your Concept
Start with your concept. Define a likely risk that you want to manage. For instance, if your staff all work in the US, seeing a login attempt from China would be suspicious. Maybe you want to use conditional access to block all sign-in attempts from China.
Get familiar with the conditions that conditional access can check for. They include:
- Who is the user?
- Do they belong to a defined AAD group?
- What device are they using?
- What app are they using?
- What is the level of sign-in risk?
- What is their IP number?
- Where in the world are they located?
On the other side of our IF-THEN statement, understand the controls you can use conditional access to set. They include:
- Grant full access
- Grant access with multi-factor authentication
- Grant access if using an approved device or app
- Set session controls, such as restrictions on SharePoint usage
- Block access
You’ll save yourself some pain if you create a flow chart for your policy. Just a few process and decision icons should suffice. The key point here is that you want to think about the behavior of Azure AD. Ask yourself: if the condition is true, is AAD taking the action I expect? If the condition is false, what will happen?
One word of warning: don’t go crazy when you use conditional access. It’s easy to create multiple conditional access policies that conflict with one another. It’s even possible to lock yourself out of Azure AD administration. So, fewer policies are better than more policies. For instance, think about using conditional access to set a policy for all apps, vs. one policy for each app.
Create Some Emergency Azure Admin Accounts
As I said earlier, it’s possible to create a conditional access policy that locks everyone—including Azure Admins—out of Azure AD. You do not want to experience this “Wanna Get Away?” moment. Create some emergency admin accounts and exclude them from the conditional access policy you create.
Test, Communicate, Go
Before you roll out your conditional access policy, be sure to test it! Create a couple of sample user accounts, have them try to access Azure AD, and see if you get the results you expected. Another testing step you can implement is to run the conditional access policy in report-only mode. When you use conditional access in this mode, AAD keeps track of what grant or session controls would have been put in place for each user that logs in. This report gives you a log of how your users would be affected by a conditional access policy.
You might want to proceed from here to enacting the policy for just a set of users. Once you’re comfortable that things are working the way you intended, you can roll out the policy to all users. But before you do that, make sure you communicate with users to tell them what’s happening, what they can expect, and what you want them to do.
Now that you know a little more, think about how you can use conditional access to eliminate or reduce some risk of network compromise. Close off connections from China if your users aren’t there. Make sure users log in with IT-supplied devices or apps. Make sure IT Admins use MFA. Figure out what threats you could face and how you can prevent them from happening. Be surgical. Be proactive.
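As an added example (not code from the original post), here is a Python sketch of the “block sign-ins from China” concept above, expressed as the Microsoft Graph payloads Azure AD accepts for a named location and a conditional access policy. It creates the policy in report-only mode, excludes the emergency admin accounts, and runs a pre-check for the lockout mistakes described earlier. The location id and account ids are placeholders, and the country-location flag that decides what happens when a sign-in’s country cannot be resolved is set explicitly.

```python
# Added example (not code from the post): Graph payloads for the "block sign-ins from
# China" concept, in report-only mode with emergency accounts excluded, plus a pre-check
# for the lockout mistakes the post warns about.
import json

POLICIES_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
REPORT_ONLY = "enabledForReportingButNotEnforced"   # Graph 'state' value for report-only mode


def build_country_location(name, country_codes, include_unknown=False):
    """Named location for the IF side: a set of ISO country codes.

    include_unknown decides whether sign-ins whose country cannot be resolved
    (for example some IPv6 addresses) count as coming from this location.
    """
    return {
        "@odata.type": "#microsoft.graph.countryNamedLocation",
        "displayName": name,
        "countriesAndRegions": list(country_codes),
        "includeUnknownCountriesAndRegions": include_unknown,
    }


def build_block_policy(location_id, emergency_account_ids, state=REPORT_ONLY):
    """IF anyone (except the excluded emergency accounts) signs in from `location_id`
    THEN block. Shaped like Graph's conditionalAccessPolicy resource."""
    return {
        "displayName": "Block sign-ins from blocked countries",
        "state": state,
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"], "excludeUsers": list(emergency_account_ids)},
            "locations": {"includeLocations": [location_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def preflight(policy):
    """Return the problems to fix before switching the policy on; an empty list means OK."""
    problems, conds = [], policy["conditions"]
    if "block" in policy["grantControls"]["builtInControls"]:
        if not conds["users"].get("excludeUsers"):
            problems.append("block policy excludes no emergency accounts: admins can be locked out")
        if conds["locations"].get("includeLocations") == ["All"] and not conds["locations"].get("excludeLocations"):
            problems.append("blocks every location: this locks everyone out")
    if policy["state"] == "enabled":
        problems.append("enforcing immediately: run report-only first and review the sign-in log")
    return problems


if __name__ == "__main__":
    # Placeholder ids (constructed): real ones come from Graph after you create the
    # named location and look up the emergency accounts' object ids.
    location = build_country_location("Blocked countries", ["CN"])
    policy = build_block_policy("<named-location-id>", ["<breakglass-1-id>", "<breakglass-2-id>"])
    print(json.dumps(location, indent=2), json.dumps(policy, indent=2), sep="\n")
    print("preflight:", preflight(policy) or "OK")   # POST the payloads to Graph once this is OK
```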
Hi Dan, thanks for the pointers. I have been testing conditional access policies but encountered a problem in trying to limit sign-ins to a specific country or countries. Azure appears to have no problem recognizing geographic origin for IPv4 addresses, however with IPv6 addresses Azure mostly leaves location blank, so users get locked out. My research tells me this is because Microsoft does not yet support location for IPv6 – do you know if this is coming soon? Thanks!
Hi Richard,
I found an article that says IPv6 is supported by Microsoft 365, but “not for all services.” Let me check with Microsoft and see if I can get some clarity on the situation. Thanks, Dan