What is Azure AD Conditional Access? (4 Examples & Benefits)


August 10, 2021

Azure AD and Conditional Access allow IT or your MSP to run a tight ship.

Conditional Access (CA) is a security policy enforcement solution available with your Azure AD Premium P1 or Microsoft 365 Business Premium subscription.

Once users initiate the log-in process with a password, the application employs If/Then logic to grant access or deny access based on certain conditions or “signals.”

For instance, a known user, on a known device, from an approved region in the United States will receive a pop-up to continue with Multi-Factor Authentication (MFA). On the other hand, a stranger trying to log in from another country gets blocked.

CA is a powerful and sophisticated gatekeeper that takes Identity and Access Management (IAM) to an all-new level of granularity.

Most importantly, your team will love its ability to protect assets and ignite user productivity.

I hope the following four examples of signals (and their relation to decision-making rules and enforcement measures within CA) will inspire you to explore the strategic merits with your MSP.

They can also help you select the correct licenses. Microsoft has a bottomless pit of constantly morphing service options, and you’ll probably need an interpreter.

 

#1 – Azure AD – User or Group Membership

IT administrators or your MSP can create customized policies based on the functional requirements of Finance, HR, IT, Marketing, Operations, and Sales. MSPs and IT admins can also set up user profiles within each to gain additional control.

For example, the CFO has unfettered access to every last folder and application within the Finance file share, but her executive assistant has limited access.

 

#2 – Azure AD – IP Location Information

Because IP ranges are associated with specific geographical locations, traffic can be blocked or allowed based on its country or region of origin.

If you’re a manufacturing company headquartered in South Carolina and your CEO is the only one who travels to Taiwan to work with partners, he is the only one who will be logging in from overseas using a trusted IP address. Any other attempts will hit a brick wall.

 

#3 – Azure AD – Device

Do you have a combination of desktops, laptops, and mobile devices with different operating systems? Your Windows, Android, and iOS devices can be tagged and managed with customized profiles and access rules.

The latest Windows machines get full access, while older ones (that don’t match the specs of the recent companywide Dell laptop refresh) will be denied and required to try again with a compliant workstation.

 

#4 – Azure AD – Application

Like the signal example discussed in the first section, application access is contingent upon functional roles.

Let’s assume a mortgage brokerage firm has forty sales reps and a subscription to Salesforce.com (CRM) and NetSuite (Financials).

CA policies allow the Director of Finance to access both, while the sales team can’t enter the accounting application. Blocked!

Learn More: Conditional Access Overview
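The If/Then logic behind the four signals can be sketched as a small evaluator. This is an added example, not code from the article or from Microsoft, and it is a simplified model: the policy names, users, groups and field names are constructed, and the only real-world rules it relies on are that exclusions beat inclusions and that any matching block policy overrides grant controls.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class SignIn:  # one sign-in attempt carrying the article's four signals
    user: str
    groups: set
    country: str
    app: str
    device_compliant: bool
    mfa_done: bool

@dataclass
class Policy:
    name: str
    groups: set                                 # {"All"} matches every user
    apps: set                                   # {"All"} matches every application
    controls: set                               # {"block"}, {"mfa"} or {"compliantDevice"}
    exclude_users: set = field(default_factory=set)
    outside_countries: Optional[set] = None     # if set, applies only outside these countries

    def applies(self, s: SignIn) -> bool:
        if s.user in self.exclude_users:        # exclusions win over inclusions
            return False
        if "All" not in self.groups and not (self.groups & s.groups):
            return False
        if "All" not in self.apps and s.app not in self.apps:
            return False
        return self.outside_countries is None or s.country not in self.outside_countries

# Constructed policies modelled on the article's examples (all names are hypothetical).
POLICIES = [
    Policy("Block outside US", {"All"}, {"All"}, {"block"},
           exclude_users={"ceo"}, outside_countries={"US"}),
    Policy("Block Sales from NetSuite", {"Sales"}, {"NetSuite"}, {"block"}),
    Policy("Require MFA", {"All"}, {"All"}, {"mfa"}),
    Policy("Require compliant device", {"All"}, {"All"}, {"compliantDevice"}),
]

def evaluate(s: SignIn, policies=POLICIES):
    """Return ("block", policy names), ("require", unmet controls) or ("grant", [])."""
    matched = [p for p in policies if p.applies(s)]
    blockers = [p.name for p in matched if "block" in p.controls]
    if blockers:                                # any matching block policy overrides grants
        return "block", blockers
    needed = set().union(*(p.controls for p in matched))
    met = {c for c, ok in (("mfa", s.mfa_done), ("compliantDevice", s.device_compliant)) if ok}
    unmet = sorted(needed - met)
    return ("require", unmet) if unmet else ("grant", [])
```

Every matching policy is evaluated for each sign-in, so a user who clears the location check can still be stopped by the application or device policy.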

 

What’s Next?

Your digital workspaces will require more ingenious security protocols as the world shifts to a more decentralized computing environment.

Microsoft is at the forefront of this movement with a business model that relies on partner MSPs to decode the tech jargon, specify the proper licensure, and support all moving parts.

Do you need help implementing a conditional access policy? Integris is here to assist.

 

Jed is a Solution Advisor at Integris who has specialized in MSP solution development, sales, and marketing communications since 2003.
