In August last year, I published eight articles in a series on Conditional Access, and later when finished I decided to bundle those articles in a paper which I made available on the TechNet Gallery. In March this year, Microsoft decided to retire the TechNet Gallery, so I had to find another solution to host this paper and some of the additional workflows and spreadsheets I posted as well. For now I’ve decided to host these on GitHub since that is an easy accessible location as well.

The articles I wrote at that time, will remains as is, and I’ve decided to update the paper once in a while to reflect the current status of Conditional Access. Even though some of the information in the articles is outdated, I still think that they can be of value.

Below I’ve summarized the articles I published last year:

So what’s new?

The following updates have been made:

Workflow Cheatsheet

The goal of the cheatsheet was to have an A4 sized flowchart which can help you while you are either trying to understand your current policies, troubleshooting or just want to make sense of how Conditional Access policies work.

Machine generated alternative text:
user and
location
Application
Signals
User connects to a cloud
app on itsdevice
Verify every access
attempt
Allow access
Require MFA
Block access
ot effective, b
applicability
logged
Apps and data
101010
010101
101010
Rules:
All policies are enforced in two phases:
In the first phase, all policies are evaluated and all access
controls that arent satisfied are collected.
In the second phase, you are prompted to satisfy the
requirements you havent met.
If one of the policies blocks access, you are blocked and not
prompted to satisfy other policy controls. If none of the
policies blocks you, you are prompted to satisfy either one or
all selected policy controls. (see picture on the right)
External MFA providers and terms of use come next. All
assignments are logically ANDed. If you have more than one
assignment configured, all assignments must be satisfied to
trigger a policy.
Block access thrumps all other configuration settings
RequiR a
Require to
re AD joined
Requi re app @
Requi re app protection policy
*hey "feted a "S
Real-time
-Reporting-only------------
NO
. No
Policy
enabled
Policy
assigned to
user, role or
group user
is mem ber
Of?
Policy
assigned to
cloud app?
Yes
Is the sign-
in risk
condition
ena bled ?
Does the
user meet
the sign-in
risk
requireme
Yes
No
No
Policy
No
assigned
to user
actions?
No
No
The policy i
t applicabl
All/One selected:
Require Multi Factor
Authentication
Require device to be marked as
compliant
Require Hybrid AD joined device
Require approved client app
Require app protection policy
Terms of use (Custom)
he user is allowed acce
to the cloud a
e user is allowed acce
to the cloud app (Lim ited
Is the client
app con dition
enabled?
Yes
Does th e
No
policy in clu de
the client
app?
Y es
Is the device
state con dition
enabled?
Yes
Does the
No
policy in clu de
the d evice
state?
Yes
Does th e
policy grant
access?
Does the d evice
and/or app
meet the
requirements?
Are any
session
controls
ena bled ?
Yes
Use app
enforcement
restrictions
enabled?
No
Use
Conditional
Access App
Control
ena bled ?
No
No
No
No
Is the d evice
platform
con dition
enabled?
Does th e
No
policy in clu de
the d evice
platform?
Is the location
con dition
enabled?
Yes
Does th e
No
policy in clu de
the location ?
Yes
Access is
blocked
Persistent
browser
session
defined?
No
Is sign-in
Frequency
defined?
ssion isactive a
—Yes> either always or neve
ersistent
ssion is active withi
—Yes>
specified frequency
esson Is reverse proxi
through MCAS
Date:
May 2020 | Version 1.1 | Author: Kenneth van Surksum I www.vansurksum.com

Download: Conditional Access Workflow – v4.pdf

Implementation workflow

The goal of the implementation workflow is to help you get started when you want to implement Conditional Access, based on the information in the paper the workflow can be really helpful to make the necessary steps visible. I’ve updated the workflow by removing the Baseline policies, for which Microsoft decided not to continue with them in favor of Security Defaults, see: Microsoft deprecates Conditional Access baseline policies in favour of Security Defaults, here is what you need to know and do. Instead I create references to the Microsoft recommended Conditional Access policies which have the same functionality as the Baseline policies.

Download: Conditional Access Implementation Workflow – V1.2.pdf

Documentation spreadsheet

The documentation spreadsheet (in Microsoft Excel format), can help you to document your current Conditional Access policies, or document the policies you want to create. I found out myself that If you document all your conditional access policies, you automatically see if some policies can be simplified or combined. In the end, it’s better to keep your policies simple and easy to understand.

To give you a start, I also integrated the described policies from the workflow in the documentation spreadsheet to give you a starting point.

Download: Conditional Access Policy Description-v1.1.xlsx

Conditional Access Demystified Whitepaper

The paper has been updated with the latest information to my knowledge, between august last year and May 2020 some things have changes, and I’m sure some things will change again in the next coming months.

In the paper I created some references to articles or implemented information from them which I wrote in the meantime, like:

Download: Conditional Access demystified-v1.1.pdf

Conclusion

Updating the conditional access material requires a lot of work and validation, but I hope it was worth it. If it can at least help some people, I’ve reached my goal.

If you have any comments, or find some things which are wrong, please let me know in the comments or by reaching out to me on social media.

Follow me

Tweet #WPNinjasNL