Conditional Access in Microsoft Entra ensures that user logins to the cloud are as secure as possible. To do this, Entra checks the logins and recognizes whether further verification such as multi-factor authentication or blocking of access is necessary. In hybrid environments, users can log into the cloud with their Active Directory accounts via replication and synchronization to Entra ID.
This is the idea behind Conditional Access
Conditional access to sensitive data
Conditional Access in Entra ID offers organizations using Entra ID Premium P2 comprehensive security features that integrate with identity governance. In addition to vulnerability and risky account detection and management, organizations can access risk-based policies for conditional access to Azure resources. These measures ensure that access to sensitive data and systems is only granted under strictly controlled conditions.
Entra ID Protection
Entra ID Identity Protection, which is also part of Entra ID Premium P2, enhances these security mechanisms with a combination of automatically generated, expertly developed and customized signals to detect risks early.
- A key element of Entra ID Identity Protection is the use of machine learning models to automatically generate signals. These models analyze various attributes of login attempts, including unusual login times, unknown devices or logins from unfamiliar locations. By continuously evaluating these attributes, the system automatically detects anomalies, such as new devices, unfamiliar IP addresses or unusual login locations, and reacts accordingly.
- Another key feature of Entra ID’s threat detection is the analysis of token usage behavior. Entra ID can identify anomalies in token usage, such as unusually old tokens or tokens used in an uncharacteristic sequence.
In addition to automatically generated signals, Entra ID’s security mechanisms also use signals created by experts. Security experts and researchers continuously track threat actors and identify IP addresses associated with malicious activity. Entra ID classifies IP addresses used by known cybercriminals or state-sponsored actors as high risk. Administrators can also manually mark login attempts as compromised or safe, which helps Entra ID to further improve its risk detection models.
Manage Conditional Access
Creation of policies in Entra Admin Center
Conditional Access is managed and configured via the Entra Admin Center in the “Protection > Security Center > Conditional Access” area. Here, administrators create policies that control the user login process. These policies are based on predefined parameters such as the location, time and device from which users log in.
Conditional Access reacts flexibly to unusual login patterns. For example, if a user logs in for the first time from a country that does not match their usual location, Entra can
- block the login,
- require additional measures such as multi-factor authentication (MFA) or
- restrict access to certain resources.
These measures provide a high level of protection for corporate resources by ensuring that only trusted and authenticated access takes place.

Conditional Access policies – Overview of all categories
The Conditional Access policies in Entra ID fall into three main categories:
- User risk policy
- Sign-in risk policy
- MFA registration policy
Each of these policies serves a specific purpose and allows administrators to customize security policies based on organizational needs.
User risk policy
The user risk policy assesses the cumulative risk of a user account. This risk is based on user behavior and login conditions, which are defined by anomalies such as unusual locations, new devices, or unusual login times. Based on these conditions, the system assigns a specific risk level to a user, classified as “high,” “medium and higher,” or “low and higher.” Administrators can determine which measures apply to users with different risk levels. This can include blocking access, requiring a password change, or initiating other security-related actions.
Sign-in risk policy
In contrast to the user risk policy, the sign-in risk policy focuses on the assessment of individual logon processes. This policy analyzes specific factors such as the IP address, the device used or the location and classifies the security of each logon accordingly. Here, too, additional security measures such as MFA or a password change can be enforced to ensure the protection of the system. This measure helps to immediately detect and respond to suspicious or unauthorized logins.
MFA registration policy
The MFA registration policy is designed to control and enforce the registration and use of multi-factor authentication in an organization. Administrators define the conditions under which users must register for MFA. This significantly improves the security of user accounts, because compromised credentials alone are no longer sufficient to access sensitive resources. This policy is particularly effective for ensuring that users who exhibit increased risk, such as logging in from an unknown device or location, are required to register for MFA.
Note, however, that these settings should no longer be configured via the separate “User risk policy”, “Sign-in risk policy” and “MFA registration policy” pages, but directly within a new policy created under “Conditional Access”.
Use Entra ID Protection
Recognizing risks to user accounts in Microsoft Entra ID
The Entra ID Protection dashboard shows all detected attacks and the user accounts that are protected by these measures. A dedicated button allows administrators to view users at increased risk and take manual action as needed. The “Confirm user as safe” button can be used to mark a user account as safe. Alternatively, the risk analysis can be reset to trigger Entra ID Protection to re-evaluate the account. In addition, the dashboard provides comprehensive reporting on the security events captured by the policies.
Integration of conditional access policies
Another key element of Entra ID’s security architecture is the integration of conditional access policies in Microsoft 365 and other Entra resources. These policies can be combined with external MDM systems such as Microsoft Intune to implement a comprehensive security strategy. Devices that do not meet the specified security requirements can automatically be denied access to certain resources. This applies not only to Windows devices, but also to iOS/iPadOS, Android, macOS and Linux devices. By tightly integrating Conditional Access with Entra ID Identity Governance and the various access packages, organizations ensure that only compliant devices and users access corporate resources.
Administrators create policies through the Entra Admin Center. Using the “New Policies” feature, administrators define specific rules that control user login behavior. This allows them to specify the conditions users must meet to access resources, including trusted IP addresses and safe login locations. In addition, administrators define which device platforms or user groups are affected by the policies.

Administrators can use the “Login logs” menu item to monitor the login behavior of users. This provides precise information about
- login times,
- used IP addresses,
- the login location and
- the use of MFA.
Failed login attempts, which could indicate potential cyber attacks, are also visible here.
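The checks described above (login times, IP addresses, login location, MFA use and failed attempts) can also be run over exported sign-in log records. The following is an added example, not code from the article or from Microsoft: it uses the field names of the Microsoft Graph `signIn` resource (`userPrincipalName`, `ipAddress`, `location.countryOrRegion`, `status.errorCode`, `authenticationRequirement`) on a handful of constructed records (example.com users, documentation IP ranges), and flags first-seen countries per user, successful sign-ins without MFA, and bursts of failed attempts.

```python
"""Detection logic over sign-in log records in the shape of the Microsoft Graph
signIn resource. All records below are constructed for this example."""
import json
from collections import defaultdict
from datetime import datetime, timedelta


def rec(time, user, ip, country, error_code=0,
        auth="multiFactorAuthentication", risk="none"):
    """Build one record using the Graph signIn field names (constructed data)."""
    return {"createdDateTime": time, "userPrincipalName": user, "ipAddress": ip,
            "location": {"countryOrRegion": country},
            "status": {"errorCode": error_code},          # 0 = successful sign-in
            "authenticationRequirement": auth, "riskLevelDuringSignIn": risk}


SAMPLE_SIGN_INS = [  # constructed sample data, not real log output
    rec("2024-05-02T08:01:00Z", "alice@example.com", "198.51.100.10", "DE"),
    rec("2024-05-02T08:30:00Z", "alice@example.com", "198.51.100.10", "DE"),
    rec("2024-05-02T13:45:00Z", "alice@example.com", "203.0.113.77", "BR",
        auth="singleFactorAuthentication", risk="medium"),
    rec("2024-05-02T09:00:00Z", "bob@example.com", "198.51.100.22", "DE"),
    # 50126 is the "invalid username or password" error code
    rec("2024-05-02T09:10:00Z", "bob@example.com", "192.0.2.5", "DE", error_code=50126),
    rec("2024-05-02T09:12:00Z", "bob@example.com", "192.0.2.5", "DE", error_code=50126),
    rec("2024-05-02T09:13:00Z", "bob@example.com", "192.0.2.5", "DE", error_code=50126),
]


def _ts(r):
    """Parse the ISO-8601 timestamp into a timezone-aware datetime."""
    return datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00"))


def new_country_sign_ins(records):
    """Flag sign-ins from a country the user has not successfully signed in from
    before. The baseline is built only from earlier successful sign-ins, so a
    failed attempt from a new country never becomes part of the baseline."""
    seen = defaultdict(set)
    findings = []
    for r in sorted(records, key=_ts):
        user, country = r["userPrincipalName"], r["location"]["countryOrRegion"]
        if seen[user] and country not in seen[user]:
            findings.append((user, country, r["ipAddress"]))
        if r["status"]["errorCode"] == 0:
            seen[user].add(country)
    return findings


def single_factor_successes(records):
    """Successful sign-ins that were not challenged for MFA."""
    return [(r["userPrincipalName"], r["createdDateTime"]) for r in records
            if r["status"]["errorCode"] == 0
            and r["authenticationRequirement"] != "multiFactorAuthentication"]


def failure_bursts(records, threshold=3, window=timedelta(minutes=10)):
    """Users with at least `threshold` failed sign-ins inside one `window`,
    reported once per user with the count and the start of the burst."""
    failures = defaultdict(list)
    for r in records:
        if r["status"]["errorCode"] != 0:
            failures[r["userPrincipalName"]].append(_ts(r))
    bursts = []
    for user, times in failures.items():
        times.sort()
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= window)
            if count >= threshold:
                bursts.append((user, count, start.isoformat()))
                break
    return bursts


def analyze(records):
    """Run all three checks and return the findings keyed by check name."""
    return {"new_country": new_country_sign_ins(records),
            "no_mfa": single_factor_successes(records),
            "failure_bursts": failure_bursts(records)}


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_SIGN_INS), indent=2))
```

On the constructed data this reports alice's first sign-in from BR (which also went through without MFA) and a burst of three failed attempts for bob within ten minutes. Real exports are larger and the thresholds need tuning per tenant, but the structure of the checks is the same.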
Entra ID uses a variety of signals to control access. Administrators can apply conditional access policies to users, devices, and applications. Organizations can set IP ranges to block or allow specific geographic regions. They can also block non-compliant devices that do not meet security and compliance requirements from logging on. These comprehensive mechanisms enable organizations to ensure the security of their resources and proactively prevent attacks.
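The user risk, sign-in risk and MFA policies described in the category overview, and the location and device conditions described here, all end up as the same kind of object: a Conditional Access policy with conditions and grant controls. The block below is an added example and not code from the article or from Microsoft. It builds request bodies in the schema of the Microsoft Graph `conditionalAccessPolicy` resource (`conditions.userRiskLevels`, `conditions.signInRiskLevels`, `conditions.locations`, `conditions.platforms`, `grantControls.builtInControls`) and then runs a deliberately simplified local evaluation of them, which is an illustration of the decision logic rather than Entra's own engine. The named-location id, the break-glass account and the sample sign-ins are placeholders and constructed values.

```python
"""Build Microsoft Graph conditionalAccessPolicy request bodies for risk-,
location- and device-based policies, and simulate their effect locally.
The evaluator is a simplified model of the decision logic, not Entra's engine."""
import json

# Endpoint the bodies are POSTed to (for reference only; this script makes no network call).
GRAPH_CA_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Ordering of the Entra ID Protection risk levels; "none" means no risk detected.
RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}

# Placeholder: a real tenant uses the GUID of its named location of blocked countries.
BLOCKED_COUNTRIES_LOCATION_ID = "<named-location-id-for-blocked-countries>"


def risk_levels_at_or_above(minimum):
    """Expand a threshold such as "medium" into the list Graph expects,
    e.g. ["medium", "high"] for the portal's "medium and higher"."""
    return [lvl for lvl, rank in RISK_ORDER.items()
            if lvl != "none" and rank >= RISK_ORDER[minimum]]


def ca_policy(display_name, conditions, controls, operator="AND",
              state="enabledForReportingButNotEnforced", exclude_users=()):
    """Return a conditionalAccessPolicy body scoped to all users and all cloud
    apps. New policies default to report-only so their effect can be checked
    in the sign-in logs before they are enforced."""
    base = {
        "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_users)},
        "applications": {"includeApplications": ["All"]},
    }
    base.update(conditions)
    return {
        "displayName": display_name,
        "state": state,
        "conditions": base,
        "grantControls": {"operator": operator, "builtInControls": list(controls)},
    }


def example_policies(break_glass_user):
    """Risk, location and device policies; the break-glass account is excluded everywhere."""
    ex = [break_glass_user]
    return [
        # User risk policy: cumulative account risk "high" -> block.
        ca_policy("Block users at high risk",
                  {"userRiskLevels": risk_levels_at_or_above("high")},
                  ["block"], state="enabled", exclude_users=ex),
        # User risk policy: "medium and higher" -> MFA plus password change.
        ca_policy("Password change for medium+ user risk",
                  {"userRiskLevels": risk_levels_at_or_above("medium")},
                  ["mfa", "passwordChange"], state="enabled", exclude_users=ex),
        # Sign-in risk policy: a single sign-in rated "medium and higher" -> MFA.
        ca_policy("MFA for medium+ sign-in risk",
                  {"signInRiskLevels": risk_levels_at_or_above("medium")},
                  ["mfa"], state="enabled", exclude_users=ex),
        # Location condition: block sign-ins from the blocked-countries named
        # location; left in report-only mode while it is being validated.
        ca_policy("Block sign-ins from blocked countries",
                  {"locations": {"includeLocations": [BLOCKED_COUNTRIES_LOCATION_ID]}},
                  ["block"], exclude_users=ex),
        # Device condition: mobile platforms must use a compliant (MDM-managed) device.
        ca_policy("Require compliant device on mobile",
                  {"platforms": {"includePlatforms": ["android", "iOS"]}},
                  ["compliantDevice"], state="enabled", exclude_users=ex),
    ]


def evaluate(policies, sign_in):
    """Simplified local simulation: collect the grant controls of every enabled
    policy whose conditions all match the sign-in. Report-only and disabled
    policies never enforce, and a matching "block" overrides everything else."""
    required = set()
    for p in policies:
        if p["state"] != "enabled":
            continue
        c = p["conditions"]
        if sign_in["user"] in c["users"]["excludeUsers"]:
            continue
        if "userRiskLevels" in c and sign_in["user_risk"] not in c["userRiskLevels"]:
            continue
        if "signInRiskLevels" in c and sign_in["sign_in_risk"] not in c["signInRiskLevels"]:
            continue
        loc = c.get("locations", {}).get("includeLocations")
        if loc and "All" not in loc and sign_in["location_id"] not in loc:
            continue
        plat = c.get("platforms", {}).get("includePlatforms")
        if plat and "all" not in plat and sign_in["platform"] not in plat:
            continue
        required.update(p["grantControls"]["builtInControls"])
    return ["block"] if "block" in required else sorted(required)


if __name__ == "__main__":
    policies = example_policies("breakglass@example.com")
    print(json.dumps(policies[0], indent=2))  # body to POST to GRAPH_CA_URL
    sample = {"user": "alice@example.com", "user_risk": "none", "sign_in_risk": "medium",
              "location_id": "<trusted-office-location-id>", "platform": "windows"}
    print(evaluate(policies, sample))
```

Two details the simulation makes visible: a policy in `enabledForReportingButNotEnforced` state contributes nothing to the decision, which is why the blocked-countries policy above has no effect until it is switched to `enabled`, and a user whose cumulative risk is "high" matches both user risk policies but is simply blocked, because the block control takes precedence over MFA and password change.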
Summary
In summary, Conditional Access in Entra ID Premium P2 offers a powerful and flexible way to control login attempts and access. By integrating machine learning, expert knowledge and custom signals, it enables organizations to respond to threats in a targeted manner and to optimally secure access to resources. The close integration with Entra ID Identity Protection and Microsoft 365 detects and addresses security risks at an early stage.