Modern security extends beyond the boundaries of an organization's network to include user and device identity. Organizations can use these identity signals as part of their access control decisions.
Azure Active Directory provides conditional access to bring all of those identity signals together. The signals can then be used to make access decisions and to enforce rules and policies based on them.
In their most basic form, conditional access policies are if-then statements: if a user wants to access a certain resource, then they must complete a certain action. For instance, a guest user who wants to access data stored in an Azure SQL database is required to perform multi-factor authentication before access is granted. This achieves administrators' two main goals: protecting the organization's assets and empowering users to be productive wherever and whenever they work. By implementing conditional access policies, you can apply the right access controls for each of these signals when needed, keeping the organization's data and assets secure while still allowing different types of users and devices to get access easily. With conditional access policies, you have the choice to block access or grant access based on those signals.
The following common signals can be taken into account when policy decisions need to be made:
- User or group membership: Administrators can get fine-grained control over access by targeting policies for specific users and groups.
- Device: Policies and rules can be enforced for specific devices or platforms.
- Application: Different conditional access policies can be triggered when users are trying to access specific applications.
- IP location information: Administrators can specify IP ranges and addresses from which traffic is blocked or allowed.
- Microsoft Cloud App Security (MCAS): User applications and sessions can be monitored and controlled in real time. This increases control and visibility over access and activities inside the cloud environment.
- Real-time and calculated risk detection: The integration of signals from Azure AD Identity Protection allows conditional access policies to identify risky sign-in behavior. A conditional access policy can then remediate the detected risk by requiring multi-factor authentication (MFA) or a password change, or it can block access altogether.
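The if-then scenario described above (guest user, Azure SQL, MFA) expressed as an actual policy, combining the user, application and client-app signals from the list. This is an added example built on the Microsoft Graph PowerShell SDK, not code from the page; it assumes the Microsoft.Graph module is installed, that the caller can administer conditional access, that the Azure SQL first-party service principal is visible under the display name `Azure SQL Database`, and the break-glass group object ID is a placeholder you must replace.

```powershell
# Added example (not from the page): create the guest-to-Azure-SQL MFA policy
# with the Microsoft Graph PowerShell SDK. Assumes the Microsoft.Graph module is
# installed and the signed-in account can manage conditional access policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Resolve the target application instead of hard-coding its app ID.
# Assumption: the first-party service principal carries this display name.
$sqlSp = Get-MgServicePrincipal -Filter "displayName eq 'Azure SQL Database'"
if (-not $sqlSp) { throw "Azure SQL Database service principal not found in this tenant" }

# Placeholder: object ID of the emergency-access (break-glass) group. Excluding it
# from every policy keeps a misconfiguration from locking administrators out.
$breakGlassGroupId = "<BREAK-GLASS-GROUP-OBJECT-ID>"

$policy = @{
    displayName = "CA01 - Require MFA for guests accessing Azure SQL"
    # Report-only first: sign-in logs record what the policy would have done
    # without enforcing it; switch the state to "enabled" after reviewing them.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        # IF: the user signal is a guest or external user ...
        users          = @{
            includeUsers  = @("GuestsOrExternalUsers")
            excludeGroups = @($breakGlassGroupId)
        }
        # ... and the application signal is Azure SQL ...
        applications   = @{
            includeApplications = @($sqlSp.AppId)
        }
        # ... from any client app type (browser, mobile, desktop, ...).
        clientAppTypes = @("all")
    }
    # THEN: grant access only after multi-factor authentication.
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"
```

Review the report-only results in the Azure AD sign-in logs (the Conditional Access tab shows the policy's evaluated outcome) before changing the state to enforced.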
In the next section, we are going to cover how we can join devices directly to Azure AD.