Governing Conditional Access Policies – EMS Route

There are millions of signals passing through Entra every day, some of which are legitimate and some malicious. Having a strong set of Conditional Access (CA) Policies will help you make sure malicious requests do not slip through the cracks and that every access request is verified before access is granted. As your CA Policy set grows, it requires more insights to see what’s not being covered, to understand the overall health of your policies, and to gain granular control over access to your most important data, resources, and assets.

Conditional Access Policies: “Gatekeepers of Modern Work”

That’s how I always like to start a conditional access policy conversation. Conditional Access Policies (CA Policies) only grow in number in an enterprise, because there is a lot to check and validate before an authentication request to access a resource, an access elevation request and so on can complete. You need to stay on top of your policies and have a clear view of how they behave. Poorly constructed Conditional Access Policies can be a user productivity killer in an organisation, as well as a welcome mat for bad actors.

CA policies are not new; they have been in the Entra portal for a long time, and Microsoft keeps introducing features that make policy creation more flexible, fit for the “right” purpose and, most of all, faithful to the “Always Verify” pillar of Zero Trust.

As organisations grow, new policies keep arriving in the CA Policies list. Cross-tenant access, guest access, new resources, new apps and so on are typical reasons for that expansion. Do you know who has access to the CA policies in your organisation? Who has the Conditional Access Administrator role assigned, and who else can reach the policies at all? Do changes to policies go through proper change control? These are questions you need to answer and keep track of, because Identity and Access demands that rigour.

Table of Contents

  1. Getting Started with Conditional Access Policies
    1. Creating a Conditional Access Policy
    2. Defining a Baseline
    3. Maturing CA Policies
  2. Using a Cybersecurity Framework
    1. Policy as Code
  3. Policy Misconfigurations and Uplifting
  4. Why Insights Matter?
    1. What-If Tool
    2. Checking Per Policy Impact
    3. Policy Coverage
    4. Using Workbooks in Log Analytics Workspace
  5. Why CoreView?
    1. Navigating Multi-Tenant Scenarios with CoreView
    2. Power of an “All-In-One” Solution

Getting Started with Conditional Access Policies

Creating a Conditional Access Policy

CA Policies are nothing but intelligent IF-ELSE statements: you describe a scenario as one or more conditions and arrive at a decision-based outcome (Grant or Block) for that specific sign-in. The building blocks are who the policy applies to (Users), what they are accessing (Target resources), what must be fulfilled (Conditions), the decision (Grant or Block) and any further controls applied once access is granted (Session).

Once the policy is created, it is important to enable it in Report-only mode to better understand the policy behaviour. This gives you a window to correct the policy if the desired outcome is not met.

Making sure you have an easily understandable policy naming is important as a clearly defined policy name will tell you the intended outcome, what the policy captures and a policy number.
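To make the IF-ELSE picture concrete, here is an added example (not code from the original post, and not Microsoft’s evaluation logic) that models a CA policy in the shape of the Microsoft Graph conditionalAccessPolicy resource and evaluates constructed sign-ins against it. It returns the result labels Entra writes into the sign-in log, and it shows why Report-only mode matters: a report-only policy records `reportOnlyFailure` for a sign-in it would have blocked, but never blocks it. The policy names, user names and group names are constructed, and the matching rules are a simplification of the real service.

```python
"""Toy evaluator for the IF-ELSE logic of a Conditional Access policy.

Added example, not the original post's code and not Microsoft's implementation.
Policies use the Graph conditionalAccessPolicy shape (conditions / grantControls /
state); the result labels match the sign-in log, the matching rules are simplified.
"""
from dataclasses import dataclass, field

# Result labels as they appear per policy in the sign-in log. Enforced policies
# report success/failure/notApplied; report-only policies report the reportOnly*
# variants and never stop a sign-in.
RESULTS = {
    "enabled": {"applied": "success", "blocked": "failure", "skipped": "notApplied"},
    "enabledForReportingButNotEnforced": {
        "applied": "reportOnlySuccess",
        "blocked": "reportOnlyFailure",
        "skipped": "reportOnlyNotApplied",
    },
}


@dataclass
class SignIn:
    """One sign-in request: the facts the policy conditions are tested against."""
    user_id: str
    groups: set = field(default_factory=set)
    app_id: str = ""
    client_app_type: str = "browser"        # browser | mobileAppsAndDesktopClients | exchangeActiveSync | other
    satisfied_controls: set = field(default_factory=set)   # e.g. {"mfa", "compliantDevice"}


def _in_scope(policy, s):
    """IF part: does the policy target this user, app and client type? Exclusions always win."""
    users = policy["conditions"]["users"]
    if s.user_id in users.get("excludeUsers", []) or s.groups & set(users.get("excludeGroups", [])):
        return False
    user_match = ("All" in users.get("includeUsers", [])
                  or s.user_id in users.get("includeUsers", [])
                  or bool(s.groups & set(users.get("includeGroups", []))))
    apps = policy["conditions"]["applications"]
    app_match = "All" in apps.get("includeApplications", []) or s.app_id in apps.get("includeApplications", [])
    client_types = policy["conditions"].get("clientAppTypes", ["all"])
    client_match = "all" in client_types or s.client_app_type in client_types
    return user_match and app_match and client_match


def evaluate(policy, s):
    """ELSE part: the sign-in-log result label for this policy and this sign-in."""
    state = policy["state"]
    if state == "disabled":
        return "notEnabled"
    labels = RESULTS[state]
    if not _in_scope(policy, s):
        return labels["skipped"]
    grant = policy["grantControls"]
    controls = set(grant.get("builtInControls", []))
    if "block" in controls:
        return labels["blocked"]
    # Grant: all controls must be met with operator AND, at least one with OR.
    ok = controls <= s.satisfied_controls if grant.get("operator") == "AND" else bool(controls & s.satisfied_controls)
    return labels["applied"] if ok else labels["blocked"]


def decision(policies, s):
    """Overall verdict: access is granted only if no enforced policy reports failure."""
    outcomes = {p["displayName"]: evaluate(p, s) for p in policies}
    return ("Block" if "failure" in outcomes.values() else "Grant"), outcomes


# Constructed sample policy set (names and identities are made up).
POLICIES = [
    {   # CA001: block legacy authentication protocols for everyone (enforced)
        "displayName": "CA001-Block-LegacyAuth-AllUsers", "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"]},
                       "applications": {"includeApplications": ["All"]},
                       "clientAppTypes": ["exchangeActiveSync", "other"]},
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {   # CA002: MFA for all users, break-glass account excluded (enforced)
        "displayName": "CA002-Require-MFA-AllUsers", "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["breakglass@contoso.example"]},
                       "applications": {"includeApplications": ["All"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # CA003: compliant device for the Finance group, still in report-only
        "displayName": "CA003-Require-CompliantDevice-Finance",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {"users": {"includeGroups": ["grp-finance"]},
                       "applications": {"includeApplications": ["All"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    },
]

if __name__ == "__main__":
    # Finance user with MFA from a browser on an unmanaged device: granted today,
    # but CA003 shows she would be blocked the day it is switched to enforced.
    print(decision(POLICIES, SignIn("alice@contoso.example", {"grp-finance"}, "app-teams", "browser", {"mfa"})))
    # Legacy protocol sign-in: CA001 blocks it outright.
    print(decision(POLICIES, SignIn("bob@contoso.example", set(), "app-exo", "other", set())))
```

Running the two sign-ins in the block makes the usual operational point visible: the report-only outcome for alice is the signal to fix the policy (or enrol her device) before enforcing CA003, and the exclusion on CA002 is why the break-glass account must be watched separately.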

Defining a Baseline

Once you know how to create a policy, the basics and the logic behind it, there are CA policies you can implement straight away to gatekeep your identity environment. Blocking Legacy Authentication is a major one, and MFA for all users is a no-brainer as well. It gets trickier when you want to adhere to a framework. To start with, you can use the Microsoft-managed policies, which ensure the required policies are enabled in your environment. Microsoft creates them for you in Report-only mode, and they are enabled within 45 days of being introduced. Organisations can’t rename or delete Microsoft-managed policies. Those policies are listed below.

  • Block legacy authentication 
  • Block device code flow 
  • Multifactor authentication for admins accessing Microsoft Admin portals 
  • Multifactor authentication for all users 
  • Multifactor authentication for per-user multifactor authentication users 
  • Multifactor authentication and reauthentication for risky sign-ins 

You can also create policies from a template, as the templates are grouped into standard sections such as Secure Foundation, Zero Trust, Remote Work, Protect Administrator and Emerging Threats. Once a policy is created from a selected template, you can add included/excluded users, apps and so on, and change the mode from Report-only to Enabled.

Maturing CA Policies

Emerging threats, new policy features and new access management requirements are some of the reasons why you need to stay on top of your policies and make sure you have a mature set of CA policies. Aligning to a framework, using policy as code to minimise misconfigurations, uplifting policies and gaining deep insights into them will all help in that cause.

Using a Cybersecurity Framework

Organisations today are required to align with cybersecurity frameworks such as NIST, CIS or the ASD Blueprint (Australian Signals Directorate). This usually involves creating the policies manually according to the documentation, and it is challenging to keep up with changes that may be introduced to those policies at a later point. Creating each policy as a JSON file and importing it into Entra can be a good option here.

Policy as Code

Another great option is to manage Conditional Access Policies as policy as code. Once you have installed the Graph PowerShell module and assigned the necessary Graph permissions, you can start working on the task. This ensures the policies are backed up and version controlled, minimises manual effort and makes rollback easy. However, it requires specialised skills and SMEs who understand both Conditional Access Policies and the behaviour of Graph, as well as development knowledge.
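The JSON-file and policy-as-code approaches in the two paragraphs above both come down to the same control: a desired state kept in version control, compared against what the tenant actually has. The added example below (not code from the original post, from Microsoft or from any product) implements that drift check. Both policy lists are constructed inline so it runs offline; in practice the tenant list would be the JSON returned by an export of the Graph conditionalAccessPolicy collection, and the repo list would be the files under version control. Policy names and the excluded user names are made up.

```python
"""Policy-as-code drift check for Conditional Access.

Added example, not the original post's code and not a Microsoft or CoreView API.
Desired state = policies kept in version control as JSON (Graph
conditionalAccessPolicy shape); tenant state = what a Graph export returns.
Both lists are constructed here so the script runs offline.
"""
import json

# Fields Graph adds on export that are not part of the desired state and
# must not be reported as drift.
SERVER_MANAGED = {"id", "createdDateTime", "modifiedDateTime", "templateId"}


def normalise(policy):
    """Drop server-managed fields and sort list values so ordering differences are ignored."""
    def walk(v):
        if isinstance(v, dict):
            return {k: walk(x) for k, x in v.items() if k not in SERVER_MANAGED}
        if isinstance(v, list):
            return sorted((walk(x) for x in v), key=lambda x: json.dumps(x, sort_keys=True))
        return v
    return walk(policy)


def diff_paths(a, b, path=""):
    """Return the JSON paths at which two normalised policies disagree."""
    if isinstance(a, dict) and isinstance(b, dict):
        out = []
        for k in sorted(set(a) | set(b)):
            if k not in a or k not in b:
                out.append(f"{path}/{k}")
            else:
                out.extend(diff_paths(a[k], b[k], f"{path}/{k}"))
        return out
    return [] if a == b else [path or "/"]


def drift_report(desired, tenant):
    """Compare desired (repo) policies with tenant policies, keyed on displayName."""
    want = {p["displayName"]: normalise(p) for p in desired}
    have = {p["displayName"]: normalise(p) for p in tenant}
    return {
        "missing": sorted(set(want) - set(have)),        # in repo, not in tenant: create it
        "unmanaged": sorted(set(have) - set(want)),      # in tenant, not in repo: review it
        "drifted": {n: diff_paths(want[n], have[n])      # changed in the portal: patch it back
                    for n in sorted(set(want) & set(have)) if want[n] != have[n]},
    }


# Constructed desired state, as it would sit in the repo.
DESIRED = [
    {"displayName": "CA001-Block-LegacyAuth-AllUsers", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "CA002-Require-MFA-AllUsers", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["breakglass@contoso.example"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "CA004-Require-MFA-AdminPortals", "state": "enabled",
     "conditions": {"users": {"includeRoles": ["role-global-admin"]},
                    "applications": {"includeApplications": ["MicrosoftAdminPortals"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]

# Constructed tenant export: CA001 matches (list order and server fields differ only),
# CA002 was weakened in the portal, CA004 was never created, CA999 is an unknown extra.
TENANT = [
    {"id": "11111111-0000-0000-0000-000000000001", "createdDateTime": "2024-01-01T00:00:00Z",
     "modifiedDateTime": "2024-01-01T00:00:00Z",
     "displayName": "CA001-Block-LegacyAuth-AllUsers", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["other", "exchangeActiveSync"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"id": "11111111-0000-0000-0000-000000000002", "createdDateTime": "2024-01-01T00:00:00Z",
     "modifiedDateTime": "2024-06-01T00:00:00Z",
     "displayName": "CA002-Require-MFA-AllUsers", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": ["breakglass@contoso.example", "contractor@contoso.example"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"id": "11111111-0000-0000-0000-000000000999", "createdDateTime": "2024-07-01T00:00:00Z",
     "modifiedDateTime": "2024-07-01T00:00:00Z",
     "displayName": "CA999-Temp-Allow-Vendor", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["vendor@contoso.example"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]

if __name__ == "__main__":
    print(json.dumps(drift_report(DESIRED, TENANT), indent=2))
```

Every entry in the report maps to an action: a missing policy is created from the repo file, a drifted one is patched back to the repo version (which is what makes rollback easy), and an unmanaged one is either imported into the repo through change control or removed. Scheduling this comparison is also the cheapest way to catch a policy that was quietly flipped back to Report-only.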

Policy Misconfigurations and Uplifting

While aligning with a framework is important, there are reasons why you need to uplift the policies and fine-tune them as you go. Why, you ask? Emerging threats are the quickest way to explain it. Attackers are always looking for loopholes and the easiest way into the environment, and it only takes one misconfigured or outdated CA Policy for a bad actor to compromise it.

Policy misconfigurations can be anything from not including the required users in the policy to not configuring the Grant actions appropriately. You have to make sure the Conditions are accurate and the goal you are trying to achieve with that CA Policy is meeting all the required conditions before it reaches the verdict (Grant or Block).

As mentioned above, emerging threats are a big issue for organisations; you always have to be ready for the next one. This is why new policy types and features keep being introduced. An example is the device code flow scenario, where a different device has to complete the authentication because it can’t be done on the device that is trying to access the cloud resource (devices without a keyboard, such as a TV screen or a meeting room phone system). With CA Policies, you can require that external device to meet the conditions before the auth request completes.

So, in other words, exploring your policies, tweaking them and creating new policies are required.

Why Insights Matter?

Finding policy misconfigurations to uplift or correct them, or finding policy gaps, will be a challenge if you don’t have proper insights into the policy set.

As mentioned previously, the policy list grows, and you need more and more insight into:

  • Policy behavior 
  • Policy changes/ Audit 
  • Policy coverage 
  • Actions performed in the policies 
  • Understand if the policy set is aligned with a framework, etc. 
  • Missing policies 

This will help you to clearly navigate and resolve any issues and more importantly close the gaps as soon as possible. 

Microsoft Entra provides features that support some of the activities above. Let’s check those briefly.

What-If Tool

This can be used to test the impact of Conditional Access on a user or service principal signing in under certain conditions. The What If tool is usually used to troubleshoot policy issues and to confirm that the right policy was applied during the sign-in process. The UI in the Entra portal is backed by the What If Evaluation API. It does not test Conditional Access service dependencies: for example, if you are testing a CA Policy for Microsoft Teams, that will not cover anything related to the SharePoint or Exchange Online services.

Checking Per Policy Impact

This can be used to understand the impact per policy. For every policy, it shows a graph of the total sign-ins captured for that CA Policy and the number of times the policy was applied successfully. It also provides some sample sign-in data from which you can easily start digging into the logs.

Policy Coverage

Policy Coverage gives insights into the apps that were accessed with and without CA policies in the last 7 days. This gives you an idea of which apps require immediate attention, and you can start digging into the sign-in logs for any investigation or troubleshooting work.

Using Workbooks in Log Analytics Workspace

A Log Analytics workspace can be used to stream Entra diagnostics, which helps admins and security teams in many ways: the ability to quickly adopt pre-built workbooks in Entra, check the gallery for community contributions or create your own workbooks, easily identify policy gaps, understand missing policies, get policy evaluation insights and so on. Workbooks can be configured to update dynamically, and you can use them as dashboards to respond quickly. However, this requires some knowledge of KQL and of building workbooks, and most importantly an Azure subscription, as the Log Analytics workspace lives there.
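The per-policy impact view, the coverage view and a custom workbook all answer the same questions from the sign-in log. The added example below (not code from the original post or from Microsoft) works them out offline over constructed records shaped like `SigninLogs` rows in Log Analytics: `AppDisplayName`, `ConditionalAccessStatus` and the `ConditionalAccessPolicies` array with one `displayName`/`result` entry per policy. In a workbook the same aggregation would be a KQL query that expands `ConditionalAccessPolicies` with `mv-expand` and summarizes by policy and result; here it is plain Python so the logic can be read and tested. The users, apps and policy names are made up.

```python
"""Per-policy impact, app coverage and report-only readiness from sign-in log records.

Added example, not the original post's code and not a Microsoft API. The records
are constructed to mirror the SigninLogs fields a Log Analytics workbook queries.
"""
from collections import Counter, defaultdict

# Constructed sign-in records (five sign-ins; CA003 is in report-only, and
# carol and dave are in the group excluded from CA002).
SIGNINS = [
    {"UserPrincipalName": "alice@contoso.example", "AppDisplayName": "Microsoft Teams",
     "ConditionalAccessStatus": "success",
     "ConditionalAccessPolicies": [
         {"displayName": "CA001-Block-LegacyAuth-AllUsers", "result": "notApplied"},
         {"displayName": "CA002-Require-MFA-AllUsers", "result": "success"},
         {"displayName": "CA003-Require-CompliantDevice-Finance", "result": "reportOnlyFailure"}]},
    {"UserPrincipalName": "bob@contoso.example", "AppDisplayName": "Exchange Online",
     "ConditionalAccessStatus": "failure",
     "ConditionalAccessPolicies": [
         {"displayName": "CA001-Block-LegacyAuth-AllUsers", "result": "failure"},
         {"displayName": "CA002-Require-MFA-AllUsers", "result": "failure"},
         {"displayName": "CA003-Require-CompliantDevice-Finance", "result": "reportOnlyNotApplied"}]},
    {"UserPrincipalName": "carol@contoso.example", "AppDisplayName": "Legacy HR Portal",
     "ConditionalAccessStatus": "notApplied",
     "ConditionalAccessPolicies": [
         {"displayName": "CA001-Block-LegacyAuth-AllUsers", "result": "notApplied"},
         {"displayName": "CA002-Require-MFA-AllUsers", "result": "notApplied"},
         {"displayName": "CA003-Require-CompliantDevice-Finance", "result": "reportOnlyNotApplied"}]},
    {"UserPrincipalName": "dave@contoso.example", "AppDisplayName": "Legacy HR Portal",
     "ConditionalAccessStatus": "notApplied",
     "ConditionalAccessPolicies": [
         {"displayName": "CA001-Block-LegacyAuth-AllUsers", "result": "notApplied"},
         {"displayName": "CA002-Require-MFA-AllUsers", "result": "notApplied"},
         {"displayName": "CA003-Require-CompliantDevice-Finance", "result": "reportOnlyNotApplied"}]},
    {"UserPrincipalName": "erin@contoso.example", "AppDisplayName": "SharePoint Online",
     "ConditionalAccessStatus": "success",
     "ConditionalAccessPolicies": [
         {"displayName": "CA001-Block-LegacyAuth-AllUsers", "result": "notApplied"},
         {"displayName": "CA002-Require-MFA-AllUsers", "result": "success"},
         {"displayName": "CA003-Require-CompliantDevice-Finance", "result": "reportOnlySuccess"}]},
]


def per_policy_impact(records):
    """Count each policy's results, the numbers behind the per-policy impact graph."""
    impact = defaultdict(Counter)
    for r in records:
        for p in r["ConditionalAccessPolicies"]:
            impact[p["displayName"]][p["result"]] += 1
    return {name: dict(c) for name, c in impact.items()}


def uncovered_apps(records):
    """Apps with sign-ins to which no enforced policy applied at all (coverage gaps), with counts."""
    covered, seen = set(), Counter()
    for r in records:
        seen[r["AppDisplayName"]] += 1
        if r["ConditionalAccessStatus"] in ("success", "failure"):
            covered.add(r["AppDisplayName"])
    return {app: n for app, n in seen.items() if app not in covered}


def report_only_readiness(records):
    """For each report-only policy, how many sign-ins it would have blocked if enforced."""
    out = {}
    for name, counts in per_policy_impact(records).items():
        if any(k.startswith("reportOnly") for k in counts):
            out[name] = counts.get("reportOnlyFailure", 0)
    return out


if __name__ == "__main__":
    print("impact:", per_policy_impact(SIGNINS))
    print("apps without any applied policy:", uncovered_apps(SIGNINS))
    print("report-only policies and the sign-ins they would block:", report_only_readiness(SIGNINS))
```

The three functions correspond to three decisions: `per_policy_impact` is what you review before touching a policy, `uncovered_apps` points at the apps that need a policy, and `report_only_readiness` tells you whether a report-only policy can be switched to Enabled yet or would lock people out. The same computations on live data are exactly what a scheduled workbook query keeps up to date.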

Why CoreView?

CoreView Governance Center is your one-stop shop for resolving Conditional Access Policy challenges. Let’s break that down and look at how and why using CoreView helps to resolve Identity and Access problems.

CoreView gives you a centralised view of all users and groups, showing who has conditional access policies applied and who doesn’t, so you can identify gaps or exceptions such as accounts without MFA or without any CA policy.

Navigating Multi-Tenant Scenarios with CoreView

While CoreView can help you streamline Entra governance tasks in a single-tenant scenario, it is vital to understand that organisations scale up through mergers and acquisitions or collaborations with other organisations, and security teams need to scale up their approach at the same time.

In many scenarios the new organisation that comes under a parent company brings its own Entra/M365 tenant with it, creating a situation where multiple tenants need a consistent set of policies applied. How do you make sure you have Conditional Access Policies that are identical, correctly managed, and that the gaps are closed? The beauty of CoreView Governance Center is that it acts as a Virtual Tenant on top of your Entra/M365 tenants. This gives you the ability to apply consistent policies and close the gaps in no time.

Power of an “All-In-One” Solution

When using the CoreView Governance Center, one of the major benefits is a palette of features that you mix and match to get the desired outcome. You can build automated workflows that enforce CA policies; for example, if a new user is created without a CA policy, CoreView can automatically apply the right one. A variety of reports can be generated depending on your requirements. Once a report is generated (built-in or custom), you can attach it to a Custom Policy that has a Remediation Action, and you can create a Playbook or attach an existing one. You can even use event-based custom policies to trigger an action on the results captured in the report, such as risk detections.

Now apply this to our core problem: closing Conditional Access Policy gaps, auditing policy behaviour such as users who don’t have MFA, aligning to frameworks, and gaining insights into sign-in and CA Policy activity. CoreView makes it easier to deal with all these scenarios, both in a single-tenant environment and when acting as a Virtual Tenant across an Entra multi-tenant environment. This saves IT teams time and energy while securing and governing the environment. It makes it easier to inspect access requests, apply the right remediation and use policies to ensure Conditional Access Policies (AKA the gatekeepers) are configured and managed in the right way.

