This course covers conditional access policies in Azure. You’ll learn what Conditional Access is, why you use it, and what it offers. We’ll then explore how to build a Conditional Access policy, and you'll see a demonstration of how to create a conditional access policy.
Learning Objectives
- Understand the fundamentals of conditional access policies
- Learn how to build a conditional access policy
Intended Audience
This course is intended for anyone who wishes to learn about conditional access policies.
Prerequisites
To get the most out of this course, you should already have some experience with Azure AD.
Hello, and welcome back. What we're gonna do here in this demonstration is walk through the process of creating a Conditional Access policy. Now we're not gonna do anything crazy here, but I did just want to show you the process for creating a policy using the Azure portal.
Now, on the screen here, I'm logged into my Azure portal, and I'm in my Azure Active Directory Overview page here. So if I were to go Home, what I would do is select Azure Active Directory here. Now what we'll do, here, is create a policy that enforces MFA. Now since the Microsoft recommended way to enable multi-factor authentication is with Conditional Access policies, we're gonna do that here.
Now to create this policy from the Azure Active Directory Overview page, what we're gonna do down here is select Security, here, in the left pane. And, then, from here, we can just go to Conditional Access under Protect. You'll notice there's lots of different stuff we can do here, but for this exercise, here, we'll go into Conditional Access. And now we're getting this screen, here, that explains what Conditional Access is because we don't have any Conditional Access policies configured yet.
So what we'll do, here, is select New policy, and we need to give it a name, we need to configure the Assignments, Cloud apps or actions, the Conditions, what the Access controls are, and Session information. Not all of this is mandatory, but we'll walk through what we need to do to make this work for us. We'll start, here, with a name for our policy, I'll just call this MFA Policy. And then what we'll do, here, under Assignments, I don't wanna assign this to everybody yet because this is a lab I have for other things so I don't wanna affect anything I'm doing. So what we'll do, here, is we'll select Users and groups. And what we'll do, here, is we'll just scroll down and we'll set this for Lester Murphy.
So, basically, this Conditional Access policy is going to apply only to Lester Murphy. Now if I wanted to apply this to everyone, I just select All users. Now what we're gonna do next is specify the Cloud app that this is going to apply to. If we select the link here for Cloud apps, actions, or authentication, we can see the different actions or apps that this policy will apply to. So what we'll do is leave this at Cloud apps, and then what we'll do is Select apps, and what we'll do is we'll just set this to Office 365.
So, basically, what we're doing is we're telling the Conditional Access policy, here, that this should apply to Lester Murphy when he tries to use the Office 365 app. Now since we want to allow access, if this policy is met, what we'll do, here, under Grant, within the Access controls section, is we'll select zero controls, and what we're gonna do is require multi-factor authentication. Now if we select multiple controls, here, what we would have to do is define whether we want to require all controls to be met or just selected controls.
I'm just going to select the multi-factor authentication, here, and leave the all selected at the default setting because it's only one control here. So we'll go ahead and select it, and then what we'll do down here is you'll see this option at the bottom for Enable policy, we can either Report only, we can turn the policy on or turn the policy off.
Right now, as it stands, this policy will Report only. It's not going to do any enforcement, it's just going to tell us what it sees, but what we're gonna do for this demonstration, here, is turn the policy on, and then we'll create the policy. And there you have it, we now have a Conditional Access policy called MFA Policy. If we select the policy, here, we can see that it is applied to Lester Murphy for when he accesses Office 365. And when he does that, multi-factor authentication is required for access. We also have the policy enabled, and that's it. That's how you create a Conditional Access policy.
Now we could go into Conditions, here, and specify Filters for devices, Device platforms, for example, an Android, or iOS, or Windows phone. We're not gonna do that here. Just wanted to show you where you'd specify that device platform, or we could specify a location, and what this would do is control user access based on the physical location of the user. We're not gonna do any of that here, so we'll close this out. But, as you can see here, we now have the policy, we have it in the On state, and it gives us the creation date. So that is how you create a basic Conditional Access policy.
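The policy built in the portal above can also be created from a script. This is an added example using Microsoft Graph PowerShell, not part of the original demonstration; it assumes the Microsoft.Graph.Users and Microsoft.Graph.Identity.SignIns modules are installed, that the demo user is found by display name, and it creates the policy in report-only mode first rather than turning it on immediately.

```powershell
# Added example: scripted equivalent of the "MFA Policy" created in the portal demo.
# Assumption: the signed-in admin can consent to the scopes requested below.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All','Application.Read.All','User.Read.All'

# Assumption: the demo user is resolved by display name. Fail closed if the
# name is missing or ambiguous, so the policy is never scoped to the wrong account.
$matches = @(Get-MgUser -Filter "displayName eq 'Lester Murphy'" -Top 2)
if ($matches.Count -ne 1) {
    throw "Expected exactly one user named 'Lester Murphy', found $($matches.Count)."
}
$userId = $matches[0].Id

$policy = @{
    displayName = 'MFA Policy'
    # Report-only: sign-ins are evaluated and logged, but nothing is enforced yet.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @($userId) }            # 'All' would target every user
        applications   = @{ includeApplications = @('Office365') } # the Office 365 app group
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'AND'      # "require all the selected controls"
        builtInControls = @('mfa')   # require multi-factor authentication
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back to confirm what the directory actually stored.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State, Id, CreatedDateTime

# After reviewing the report-only results in the sign-in logs, enforce the policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = 'enabled' }
```

Setting `state` to `enabled` at creation time matches the "On" choice made in the demo; `disabled` matches "Off".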
Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.
In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.
In his spare time, Tom enjoys camping, fishing, and playing poker.