In today’s digital world, you hear a lot about granting privileges, rights, and access to shared resources at the most minimal level possible.  Technically, this is known as the concept of “Least Privilege”, and it simply means that you give your employees only the access to shared resources that they need in order to get their daily job tasks done.

Nothing more, nothing less.

This is a security measure intended to prevent security breaches from happening in both the external and internal environments of your business.  But despite this, people can find a way around it.

What is needed at this point are more granular privileges in order to mitigate this risk, and this is where Conditional Access for Microsoft Azure comes into play.

What It Is All About

This new tool takes a number of factors into account in order to decide who can access what, based upon the security policies that you have set forth.  Probably its strongest point is that it is a completely automated process, using both Artificial Intelligence (AI) and Machine Learning (ML).

All you have to feed into the system are the conditions that should be followed at the initial stages of deployment; from there, Conditional Access learns from them and builds more sophisticated access scenarios.

At the heart of all of this is one cardinal rule:  the “If Then” statement.  For example, “if the IT Security Manager needs to gain access to the log files of the SIEM, then they should be allowed access to them”.  It is important to note at this point that this is not holistic access but, as mentioned, granular levels of access, often based on job roles.

For instance, rather than being granted access to the whole history of log files, he or she should instead be given access to the time frame that they specifically need.  This is illustrated in the diagram below:

(SOURCE:  1).

The Signals

But what makes Conditional Access even more powerful is that it also takes into account electronic factors about the person requesting access to a shared resource.  These are referred to technically as “Signals”, and examples of them are as follows:

  • User or group profiles:

As its name implies, certain employees, or even the departments they belong to in your business, are targeted from within Azure Active Directory.  Based upon their job function and daily duties, they are then given access to just what they are requesting, and no more.

  • IP Geophysical Location:

With more employees now scattered all over the world, one of the biggest security threats is that of IP address hijacking or theft by the cyberattacker.  With Conditional Access, certain IP address ranges can be whitelisted or blacklisted, as can the geographic locations from which suspicious activity has originated (such as those of nation-state actors).

  • The Type Of Device:

Under this scenario, only company-issued devices will be recognized for further granting of access to shared resources, and not the personal devices of the employees.  You can even set up a condition so that a lost or stolen device is recognized and blacklisted, and you can issue a “Remote Wipe” command to erase all business information and data stored on the device.

  • The Application Being Used:

With Conditional Access, you can even specify which applications your employees are and are not allowed to access.  If they try to access an application that they are not supposed to, they will of course be blocked automatically.

  • Real Time Risk Governance:

If, over a period of time, there is an unusual amount of suspicious login behavior from either the employee or the user group they belong to, Conditional Access will automatically trigger alerts to the IT Security team.  In this case, the employee may have to undergo additional levels of authentication, change their login credentials, or even be blocked entirely until their authorized rights and permissions have been reset.

  • The Initiation of Microsoft Defender:

This can be launched automatically by Conditional Access according to the parameters you have set forth.  You will then be able to view, in real time, all of the accesses and activities that your employees are engaged in.

These features are illustrated in the diagram below:

(SOURCE:  1).
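As an added example (not Microsoft’s code and not part of the original article), the following Python models the “If Then” rule and the signals listed above as a small policy evaluator: scope by group and application, trusted IP ranges, device compliance and a sign-in risk level.  Group names, application identifiers, CIDR ranges and risk levels are constructed sample values; real Conditional Access policies are configured in the Azure portal or through Microsoft Graph rather than written this way.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class SignIn:
    """Signals gathered once first-factor authentication has succeeded."""
    groups: set          # Azure AD groups the user belongs to
    ip: str              # source IP address of the request
    compliant: bool      # company-issued / managed device?
    app: str             # application being requested
    risk: str            # "none" | "low" | "medium" | "high" from the risk engine


@dataclass
class Policy:
    groups: set          # "if" scope: members of these groups ...
    apps: set            # ... requesting one of these applications
    trusted: list        # named locations as CIDR strings; empty = anywhere
    need_compliant: bool # require a managed device
    block_risk: set      # risk levels that are blocked outright
    mfa_risk: set        # risk levels that step up to MFA

    def decide(self, s: SignIn):
        """'Then' part: block > require-mfa > allow; None when out of scope."""
        if not (self.groups & s.groups and s.app in self.apps):
            return None
        if s.risk in self.block_risk:
            return "block"
        if self.need_compliant and not s.compliant:
            return "block"
        ip = ip_address(s.ip)
        if self.trusted and not any(ip in ip_network(n) for n in self.trusted):
            return "require-mfa"
        if s.risk in self.mfa_risk:
            return "require-mfa"
        return "allow"


SEVERITY = {"block": 2, "require-mfa": 1, "allow": 0}


def evaluate(policies, s: SignIn) -> str:
    """Combine every applicable policy: the most restrictive result wins. A
    sign-in that no policy covers is allowed (first factor already passed);
    the application's own RBAC still decides what the user may do inside it."""
    results = [r for p in policies if (r := p.decide(s)) is not None]
    return max(results, key=SEVERITY.get) if results else "allow"


# Constructed policy: only SecOps may open the SIEM, from a managed device,
# with MFA when off the corporate range or at medium risk; high risk is blocked.
SIEM_POLICY = Policy(groups={"SecOps"}, apps={"siem"}, trusted=["203.0.113.0/24"],
                     need_compliant=True, block_risk={"high"}, mfa_risk={"medium"})
```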

There are two important things to note about Conditional Access:

  • It can only be activated after the first layer of authentication has been completed (such as successfully inputting a password, providing the right response to a challenge/answer question, etc.);
  • If you have the Microsoft 365 Business Premium license, Conditional Access comes automatically with it. If not, you will have to acquire the Azure AD Premium P1 license.

If you have more questions about this or need further assistance, contact us today.

Additional documentation from Microsoft about Conditional Access can be seen here.