Enhancing Security with Essential Microsoft Entra Conditional Access Policies

Published: 3 June 2024

Prepared by: Brad Morgan, SOC Manager

MICROSOFT ENTRA CONDITIONAL ACCESS POLICIES

In today's digital landscape, it is paramount to secure your organisation's data and ensure only authorised access to critical resources.

Microsoft Entra Conditional Access Policies offer a robust framework to protect your environment by enforcing various access controls based on specific conditions.

This blog outlines the minimum recommended Conditional Access Policies and their configurations to enhance your security posture.

Require Phishing-Resistant Multi-factor Authentication (MFA)

Implementing phishing-resistant MFA adds an extra layer of security, so that a stolen password alone does not grant an unauthorised user access to your systems. This should be enforced for all users and guests, with particular attention to administrators and high-risk employees.

  • Configuration: Require phishing-resistant MFA for all users and admins.
  • Benefit: Reduces the risk of credential-based attacks.

Block Legacy Authentication

Legacy authentication protocols cannot enforce MFA, so a valid password alone is enough to sign in through them, which makes them more susceptible to attacks. Blocking these protocols is crucial to enforcing modern, secure authentication methods.

  • Configuration: Block all legacy authentication methods.
  • Benefit: Enhances security by enforcing modern authentication protocols.

Conditional Access by Location

Restricting access based on geographic location helps mitigate the risk of unauthorised access from high-risk regions. This includes blocking access from non-trusted IPs and allowing access only from allow-listed countries.

  • Configuration: Block access from non-trusted IPs and restrict access to allow-listed countries.
  • Benefit: Reduces the risk of unauthorised access from suspicious or high-risk locations.
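
As an added example (not code from the original post), the following Microsoft Graph PowerShell script creates the three policies described so far, phishing-resistant MFA, the legacy authentication block and the country allow-list, in report-only mode so their impact can be reviewed in the sign-in logs before they are enforced. Assumed values: the break-glass group id is a placeholder, the country list is illustrative, and the phishing-resistant authentication strength id is the built-in one, which you should confirm in your own tenant.

```powershell
# Added example (not from the original post). Values marked ASSUMPTION must be
# replaced with your own. Requires the Microsoft.Graph.Identity.SignIns module.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# ASSUMPTION: object id of your emergency-access (break-glass) group. Excluding it
# from every policy is what prevents a mis-scoped policy from locking out the tenant.
$BreakGlassGroupId = "00000000-0000-0000-0000-000000000000"

# Built-in authentication strength "Phishing-resistant MFA" (FIDO2, Windows Hello
# for Business, certificate-based auth). Confirm the id in your tenant with:
#   Get-MgPolicyAuthenticationStrengthPolicy | Select-Object DisplayName, Id
$PhishingResistantStrengthId = "00000000-0000-0000-0000-000000000004"

# Policy 1: phishing-resistant MFA for all users (guests included) on all cloud apps.
$mfaPolicy = @{
    displayName = "CA001 - Require phishing-resistant MFA for all users"
    state       = "enabledForReportingButNotEnforced"   # report-only first; set to "enabled" after review
    conditions  = @{
        users        = @{
            includeUsers  = @("All")
            excludeGroups = @($BreakGlassGroupId)
        }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $PhishingResistantStrengthId }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaPolicy

# Policy 2: block legacy authentication. "exchangeActiveSync" and "other" are the
# client app types (IMAP, POP, SMTP AUTH, older Office clients) that cannot do MFA.
$legacyPolicy = @{
    displayName = "CA002 - Block legacy authentication"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($BreakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $legacyPolicy

# Policy 3: define the allow-listed countries as a named location, then block
# sign-ins from every location except that one.
$allowedCountries = @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Allowed countries"
    countriesAndRegions               = @("AU", "NZ")   # ASSUMPTION: your operating regions
    includeUnknownCountriesAndRegions = $false          # unresolvable IPs are NOT treated as allowed
}
$allowedLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $allowedCountries

$geoPolicy = @{
    displayName = "CA003 - Block access outside allow-listed countries"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeGroups = @($BreakGlassGroupId) }
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($allowedLocation.Id)
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $geoPolicy
```

Every policy excludes the emergency-access group on purpose: a location block or MFA requirement that also covers that group is the classic way to lock a tenant out of its own administration. Leave the policies in report-only state until the sign-in logs show no unexpected "would have been blocked" results, then change state to enabled.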

 

Sensitive Applications

Critical applications require added security measures to ensure that only authorised users can access them. Applying conditional access policies to these applications enhances their protection.

  • Configuration: Apply policies that enforce MFA and restrict access to sensitive applications.
  • Benefit: Protects sensitive data and applications from unauthorised access.

Service Management Controls

Restricting access to service management functions to trusted locations and users is vital to prevent unauthorised configuration changes.

  • Configuration: Block access for service management by location and require MFA for service management tasks.
  • Benefit: Ensures only trusted personnel can make critical changes to the environment.
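
Also an added example rather than the post's own code, this script applies the same approach to the Azure management plane that the Service Management Controls section describes, and shows the per-application targeting that the Sensitive Applications policy relies on: a trusted IP-based named location, a block for management traffic from anywhere else, and a phishing-resistant MFA requirement for the management traffic that is allowed through. The corporate IP range is a documentation range standing in for yours, the break-glass group id is a placeholder, and the application id is the first-party Windows Azure Service Management API; confirm it against the service principals in your tenant.

```powershell
# Added example (not from the original post). Values marked ASSUMPTION must be
# replaced with your own. Requires the Microsoft.Graph.Identity.SignIns module.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$BreakGlassGroupId           = "00000000-0000-0000-0000-000000000000"  # ASSUMPTION: placeholder for your emergency-access group
$PhishingResistantStrengthId = "00000000-0000-0000-0000-000000000004"  # built-in "Phishing-resistant MFA" strength; verify in tenant
$ServiceManagementAppId      = "797f4846-ba00-4fd7-ba43-dac1f8f63013"  # Windows Azure Service Management API (Azure portal, ARM, CLI, PowerShell)

# Trusted network as an IP-based named location. isTrusted lets other policies and
# sign-in risk evaluation also treat this range as corporate.
$trustedNetwork = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Corporate egress"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" }  # ASSUMPTION: RFC 5737 documentation range
    )
}

# Policy 1: block Azure management from every location except the trusted network.
# Scoping to a single application id is also how a Sensitive Applications policy is
# built; extend includeApplications with the app ids of your critical applications.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "CA010 - Block Azure management outside trusted network"
    state       = "enabledForReportingButNotEnforced"   # report-only until reviewed
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeGroups = @($BreakGlassGroupId) }
        applications = @{ includeApplications = @($ServiceManagementAppId) }
        locations    = @{ includeLocations = @("All"); excludeLocations = @($trustedNetwork.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Policy 2: management traffic that is allowed through still needs phishing-resistant MFA.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "CA011 - Require phishing-resistant MFA for Azure management"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeGroups = @($BreakGlassGroupId) }
        applications = @{ includeApplications = @($ServiceManagementAppId) }
    }
    grantControls = @{ operator = "OR"; authenticationStrength = @{ id = $PhishingResistantStrengthId } }
}
```

Two policies rather than one because Conditional Access evaluates every matching policy and applies the most restrictive result: the block policy handles untrusted locations, and the MFA policy applies everywhere, so a connection from the trusted range is still challenged for a phishing-resistant factor.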

 

Microsoft-Managed Policies

Leveraging Microsoft-managed policies for admin access provides a baseline security configuration that can be customised further.

  • Configuration: Enable Microsoft-managed policies for multi-factor authentication for admins accessing Microsoft Admin Portals.
  • Benefit: Provides a secure starting point that aligns with best practices recommended by Microsoft.

Conclusion

Implementing these minimum recommended Conditional Access Policies ensures a strong security posture for your organisation. By enforcing MFA, blocking legacy authentication, applying conditional access by location, and using Microsoft-managed policies, you can significantly reduce the risk of unauthorised access and protect your critical resources. Start by assessing your current policies and gradually implementing these recommendations to enhance your overall security.

For more detailed guidance on configuring Conditional Access Policies, see the official Microsoft Learn page, Conditional Access in Microsoft Entra: https://learn.microsoft.com/en-us/entra/identity/conditional-access/