Conditional Access Policies review and update plan

In this blog post I’ll write down my recommendations on how to effectively come up with Conditional access policies review and update plan to enhance the security of your environment. Someone recently asked me how they can assess if their current policies still serve their organization’s security needs and this got me thinking. Most companies deploy conditional access policies when they migrate to the cloud and continuously add new ones but fail to review if their existing policies still serve a purpose in their quest to secure identities, applications and workloads.

In larger organizations, i have observed the use of fifty or more Conditional Access policies, which can make changing, reviewing or troubleshooting policies extremely difficult for service desk or other parties involved. It is therefore crucial to consider the overall picture from the onset and to consolidate as many conditions as possible into a single policy to reduce the number of active policies and simplify the management process.

Five steps – Conditional Access Policies review and update plan:

  1. Assess your current environment
  2. Evaluate your current Policies
  3. Analyze policy usage
  4. Update Policies that no longer meet organization’s security requirements
  5. Test and deploy new polices

Assess your current environment

Deployment of new resources in your environment or changes in configurations over time could impact how well Conditional Access Policies protect your resources. As the environment changes, it’s important to regularly assess and evaluate policies to ensure that they continue to meet your organization’s security and compliance requirements. For example, when new resources are deployed, such as a new application, Conditional Access policies in place may need to be updated to include conditions for accessing this resource. Similarly, when new configurations are introduced, such as changes to the network infrastructure or the addition of new devices, the policy may need to be updated to reflect these changes.

Assessment involves identifying resources your organization intends to secure, evaluating user access conditions, reviewing existing authentication methods, evaluating devices requirements, evaluating the network infrastructure, and evaluating compliance and regulatory requirements. This information will help you determine if the Conditional Access policies deployed align with your organization’s security and compliance standards.

If for instance there have been new applications deployed in your environment, you would probably need to check your Cloud apps or actions configuration and evaluate if this applies to any application, user action, or authentication context.

If yes:

  1. What application(s) will the policy apply to? Is the new application included or does the policy only apply for certain applications?
  2. What user actions will be subject to this policy?
  3. What authentication contexts does will this policy be applied to?

Ensure that every app has at least one Conditional Access policy applied. From a security perspective it’s better to create a policy that encompasses All cloud apps, and then exclude applications that you don’t want the policy to apply to. This ensures you don’t need to update Conditional Access policies every time you onboard a new application.

Evaluate your current Policies

Review and evaluate your current policies to ensure that they still meet your organization’s requirements, including (if any) conditions, access controls, and exceptions to the policy.

  1. Will new users, groups, directory roles and workload identities be included in or excluded from the policy?
  2. What emergency access accounts or groups should be excluded from policy, and do you need to make any updates?
  3. Do the same access conditions apply? For example, does the organization’s trusted location still apply or has there been some changes? A Trusted Location in Microsoft 365 is a specified location that accounts are allowed to sign in from. Trusted Locations can also be used to avoid having to enter MFA codes or approve sign-ins for users who are physically in the office. This is done based on the IP address of your office’s Internet connection. 
  4. Do you still want to enforce the same session controls e.g App restrictions? App restrictions can include controls such as limiting the use of certain apps to specific users, devices, or network locations, or disabling certain features or functions within an app.
  5. Are there any new Conditional Access features from Microsoft that can be beneficial to the organization at this particular time?

Analyze policy usage

Use the data available in Azure AD to understand how specific policies are being used and if there are any areas of concern, such as high-risk sign-ins or access from non-compliant devices and adjust the policies accordingly. Microsoft recommends using Conditional Access insights and reporting workbook to understand the impact of Conditional Access policies in your organization over time. During sign-in, one or more Conditional Access policies may apply, granting access if certain grant controls are satisfied or denying access otherwise. Because multiple Conditional Access policies may be evaluated during each sign-in, the insights and reporting workbook lets you examine the impact of an individual policy or a subset of all policies. To use this workbook:

  1. Sign into the Azure portal.
  2. Browse to Azure Active Directory > Security > Conditional Access > Insights and reporting.

The insights and reporting dashboard lets you see the impact of one or more Conditional Access policies over a specified period. Read about how Conditional Access insights and reporting works here.

Update Policies that no longer meet organization’s security requirements

Based on the results of your analysis, make any necessary adjustments to policies, including adding new policies or re-configuring conditions, session controls, Grant/Block requirements and exceptions to existing policies. With a growing number of active policies, documentation becomes critical. The documentation should include details of configurations and a clear explanation of the purpose of each policy. This will aid in reverting the policy to its original state, if necessary, and serve as a reminder of why it was implemented. Although it may not be necessary for smaller environments, it is imperative for large enterprises, particularly if multiple administrators are responsible for managing policies.

Test and deploy new polices

Test new policies with a small group of users and devices before deploying them across the organization. By default, any new policy will be created in report only mode so here you have a chance to test and monitor usage in real time and ensure intended result before deploying the updated policy across the organization. Microsoft recommends troubleshooting Conditional Access Policies with What If Tool to understand why a policy was or wasn’t applied to a user in a specific circumstance or if a policy would apply in a known state.

Use case:

Organizations often create policies that grant/deny access based on network location. Trusted locations are granted permission, while access to prohibited locations is blocked. An administrator can check the validity of these configurations by using the “What If” tool, which simulates access from both approved and restricted locations.

In this simple illustration, the user Catherine would be blocked from accessing any cloud app on her trip to Russia as this particular company has blocked access from countries outside Scandinavia.

In conclusion, continuous monitoring and evaluating policies is essential to ensure they are functioning effectively thus help organizations meet their security and compliance requirements. Although a growing number of conditional access policies may seem overwhelming initially, a well-designed Conditional Access Policies review and update plan combined with comprehensive documentation will make the management process both efficient and manageable.


Leave a Comment