Cloud Security – Azure Active Directory authentication – Configuring Multi-Factor Authentication (MFA) with Conditional Access – Part 4

Azure Conditional Access

Hi All,

LIFE IS BEAUTIFUL 🙂 I hope we all are safe:) STAY SAFE, STAY HEALTHY 🙂 STAY HOME 🙂

In the last couple of articles we have been discussing cloud security: Azure AD and authentication.

Best practice is to require multiple verification methods for all users.

The recommended way to use MFA is with Conditional Access policies.

In this article we will discuss what MFA with Conditional Access is and how to configure it.

Takeaways from this article:

  • What is Conditional Access?
  • License requirement for Conditional Access
  • How to configure Conditional Access policies for Multi-Factor Authentication, with an example
  • Deleting a Conditional Access policy

What is Conditional Access?

  • Any organization mainly faces the following security-related challenges:
    • Empower users to be productive wherever and whenever they work
    • Secure the organization’s resources
  • Conditional Access is the tool Azure AD uses to address both
  • Conditional Access enforces organizational policies
  • Conditional Access lets us create and define policies that are evaluated during sign-in events; a policy can require additional actions to be completed before the user is granted access to a resource / application / service.
  • Conditional Access policies are nothing but a set of conditions and actions: if any identity (user, device, application, etc.) wants to access a resource (for example, an organization’s secured application), these actions must be completed first
  • By applying these Conditional Access policies we keep our organization secure, and the right users can access only the data they need
  • Conditional Access policies secure our organization
  • Conditional Access policies are enforced after the first-factor authentication has been completed.

License requirement for the Conditional Access feature

  • An Azure AD Premium P1 license is required to use this feature
  • Customers having Microsoft 365 Business Premium licenses can also use this feature

Prerequisites for Creating Conditional Access Policies:

  • An Azure AD tenant with one of the licenses mentioned in the above section “License requirement for Conditional Access”, OR a trial license
  • An account with the Global Administrator role
  • A test account for testing

Creating Conditional Access Policies:

  • Sign in to the Azure portal (https://portal.azure.com/) using an account with Global Administrator permissions
Fig1 Azure – Signing in to the Azure portal – https://portal.azure.com/
  • From the Azure portal go to “Azure Active Directory” and click on the “View” button as shown in above Fig1
  • We will be redirected to the “Azure Active Directory” dashboard as shown in below Fig2
  • From the “Azure Active Directory” dashboard we go to the “Security” section as shown in below Fig2
Fig2 Azure – Azure Active Directory >> Navigating to “Security”
  • We will be redirected to the “Security” dashboard as shown in below Fig3
Fig3 Azure – Azure Active Directory >> Security >> Navigating to “Conditional Access”
  • In the right-hand pane there is a “Documentation” section; to learn more, have a look at the “Azure AD Conditional Access” link there.
  • Click on “Conditional Access” in the left-hand pane as shown in above Fig3; we will be redirected to the “Conditional Access” dashboard as shown in below Fig4
Fig4 Azure – Azure Active Directory >> Security >> Conditional Access
  • Various options are available on the “Conditional Access” dashboard, such as creating new policies, adding “Named locations”, creating new “Terms of use”, and so on. We will discuss these thoroughly in subsequent articles.
  • In this article we will create a new policy.
  • New policy use case: configure a condition for Multi-Factor Authentication. Consider that your organization needs to control access to only the “Graph Explorer” app, not the whole Office 365 portal or other Microsoft 365 apps, and only for one user. This is just a sample use case to demonstrate the Conditional Access feature.
  • Let’s create the new policy. Click on the “+ New policy” link at the top of the right-hand pane of the Conditional Access dashboard as shown in above Fig4
  • We will be redirected to the “New Conditional Access policy” dashboard as shown in below Fig5
Fig5 Azure – Azure Active Directory >> Security >> Conditional Access >> New conditional access policy
  • On the “New Conditional Access policy” dashboard we have the following options:
    • Name – the policy name, here “testing MFA with Graph Explorer App”
    • Assignments >> Users and groups – here we select the users or groups for which the MFA condition must apply. As shown in above Fig5, we have selected the user thirduser@knowledgejunction1.onmicrosoft.com; for this user we are enabling Multi-Factor Authentication for accessing the “Graph Explorer” app
    • Cloud apps or actions – the app for which the policy (here, MFA) is set. In this example we are selecting “Graph Explorer (official site)” as shown in below Fig6
    • Grant – this setting controls whether to allow or block access, whether to require multi-factor authentication, and related settings as shown in Fig7
Fig6 Azure – Azure Active Directory >> Security >> Conditional Access >> New conditional access policy >> Selecting app – “Graph Explorer (official site)”
Fig7 Azure – Azure Active Directory >> Security >> Conditional Access >> New conditional access policy >> Grant – setting to control user access
  • Next, click on the “Create” button at the bottom; the new policy is created successfully as shown in below Fig8
Fig8 Azure – Azure Active Directory >> Security >> Conditional Access >> New conditional access policy created successfully
  • With the new policy in place we are ready to test. We have restricted the specific app “Graph Explorer (official site)” for the specific user “thirduser@knowledgejunction1.onmicrosoft.com”

Testing with a user with no admin access

Fig9 – Graph Explorer
  • Sign in to “Graph Explorer” by clicking on the blue “Sign in to Graph Explorer” button in the left-hand pane as shown in above Fig9
  • Sign in with the user “thirduser@knowledgejunction1.onmicrosoft.com”; make sure this user has no admin access
  • Once signed in with this user, the “More information required” dialog appears as shown in below Fig10
Fig10 Microsoft Graph Explorer – Signing in with a user having no admin rights >> Testing Conditional Access policy
  • Click on the blue “Next” button at the bottom as shown in above Fig10
  • We will be redirected to the “Additional security verification” dialog as shown in below Fig11
Fig11 Microsoft Graph Explorer – Signing in with a user having no admin rights >> Testing Conditional Access policy >> Additional security verification dialog
  • Complete the verification process and make sure it succeeds as shown in below Fig12
Fig12 Microsoft Graph Explorer – Signing in with a user having no admin rights >> Testing Conditional Access policy >> Additional security verification done successfully
  • Once “Additional security verification” succeeds, the user can log in to the “Graph Explorer” app 🙂
  • When the same user (here thirduser@knowledgejunction1.onmicrosoft.com) logs in to other Microsoft 365 apps like SharePoint Online, OneDrive, Outlook, OneNote and so on, additional security verification is not required; username and password are sufficient, since only the “Graph Explorer” app is restricted for this user.
  • If we no longer want this policy, we can delete it as shown in below Fig13
Fig13 Azure – Conditional Access Policy – Deleting the policy
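As an added example (not code from the original article), here is the same policy expressed as the JSON body the Microsoft Graph conditionalAccessPolicy API accepts, with a small evaluator that reproduces the test above: MFA is demanded for thirduser on Graph Explorer, but not on SharePoint Online and not for any other user. The app and user object IDs are placeholders, and the evaluator models only user and application scope, not locations, device state or other conditions.

```python
# Placeholder object IDs (constructed for this example; real tenants use GUIDs)
GRAPH_EXPLORER_APP_ID = "<graph-explorer-app-id>"
SHAREPOINT_APP_ID = "<sharepoint-online-app-id>"
THIRD_USER_ID = "<thirduser-object-id>"
OTHER_USER_ID = "<some-other-user-object-id>"

def build_mfa_policy(name, user_ids, app_ids, state="enabled"):
    """Body for POST .../v1.0/identity/conditionalAccess/policies (Graph schema)."""
    # Only state "enabled" enforces; "disabled" and report-only do not
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": list(user_ids), "excludeUsers": []},
            "applications": {"includeApplications": list(app_ids),
                             "excludeApplications": []},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }

def _in_scope(target, include, exclude):
    # "All" is the Graph wildcard for includeUsers / includeApplications
    return ("All" in include or target in include) and target not in exclude

def requires_mfa(policy, user_id, app_id):
    """True if this policy demands MFA when user_id signs in to app_id."""
    if policy.get("state") != "enabled":
        return False  # disabled or report-only: nothing is enforced
    users = policy["conditions"]["users"]
    apps = policy["conditions"]["applications"]
    if not _in_scope(user_id, users.get("includeUsers", []), users.get("excludeUsers", [])):
        return False
    if not _in_scope(app_id, apps.get("includeApplications", []),
                     apps.get("excludeApplications", [])):
        return False
    grant = policy.get("grantControls") or {}
    return "mfa" in grant.get("builtInControls", [])

def audit(policy):
    """Findings a reviewer would raise before trusting the policy to enforce MFA."""
    findings = []
    if policy.get("state") != "enabled":
        findings.append("policy is not enforced (state=%s)" % policy.get("state"))
    if "mfa" not in (policy.get("grantControls") or {}).get("builtInControls", []):
        findings.append("grant control does not require MFA")
    if policy["conditions"]["users"].get("excludeUsers"):
        findings.append("excluded users bypass the policy; review the list")
    return findings
```

The audit function is the check worth running after creation: a policy left in report-only mode, or one whose grant control was never set to require MFA, is created "successfully" in the portal but enforces nothing.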

References:

We have a very good series on Azure with lots of discussion; please visit – https://knowledge-junction.com/?s=azure

Thanks for reading 🙂 If its worth at least reading once, kindly please like and share. SHARING IS CARING 🙂

Enjoy the beautiful life 🙂 Have a FUN 🙂 HAVE A SAFE LIFE 🙂 TAKE CARE 🙂
