In the wake of the Solorigate breach, a huge emphasis has been placed on the security of the Applications and Service Principals in your Microsoft 365 environment. Many of the recommendations coming out now revolve around using Azure Monitor to continuously review log events and take action when unauthorized activity appears. That is an extremely thorough measure, but many organizations are not yet at the security maturity level where constant log review is practical. They still need a set of baseline actions to take. This is where Azure AD Conditional Access Policies come into play: Conditional Access on your Applications is a simple but powerful tool in your arsenal.
A common first measure is to select the Application you wish to secure and allow only certain users or groups to access it. By limiting who has access, you limit the potential attack vectors. Any Application registered in your Azure AD tenant can have a Policy applied, and so can the many Microsoft Service Principals available to your organization, such as Office 365, Microsoft Teams, and Outlook. Note that these Policies are evaluated when a user signs in to the Application; they do not govern the Application's own app-only sign-ins made with its client secret or certificate.
Another good starting point is to restrict where an Application can be accessed from. You can achieve this with Location-based and Device-based Policies.
Location-based Policies use Named Locations, defined as IP address ranges or countries, as a condition: you can allow the Application only from trusted locations, or block it from everywhere else. This limits use of the Application, and of the sensitive data and actions behind it, to places you control, such as your company office, where it also sits behind your company firewall. Bear in mind that the location is judged from the public IP address the sign-in arrives from, so anything egressing through a trusted range (for example a VPN or proxy) will pass the check.
The other way is through Device-based Policies, which limit these Applications to selected devices. Hybrid Azure AD Joined devices are owned by your organization: they are joined to your on-premises Active Directory domain and registered in Azure AD. Compliant devices are enrolled in Intune (or another MDM) and meet the compliance policy your administrator has defined; this is how a personal device such as a laptop or phone can be approved for organization access.
Taking all of these together for sensitive Applications gives you a breadth of security options. You can restrict which users can use them, from which locations, and with which devices. It is a very easy but very powerful way to lock down Azure AD Applications if you are starting out. Roll each Policy out in report-only mode first and review the sign-in logs before enforcing it, and exclude an emergency-access account from every Policy so a mistake cannot lock you out of the tenant.
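Here is that combination of user, location and device restrictions as an added example; it is not part of the original post. It uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns module), which the post does not mention. The application ID, group ID, emergency-access account and office IP range are placeholders to replace with your own tenant's values, the "finance" naming is only an illustration, and it assumes the account running it can consent to the Conditional Access scopes.

```powershell
# Added example (not from the original post): the three restrictions described above,
# built with the Microsoft Graph PowerShell SDK (module Microsoft.Graph.Identity.SignIns).
# Every ID and the IP range below is a placeholder to replace with your tenant's values.

Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

$appId            = '00000000-0000-0000-0000-000000000001'  # placeholder: client ID of the app to protect
$financeGroupId   = '00000000-0000-0000-0000-000000000002'  # placeholder: the only group allowed to use it
$breakGlassUserId = '00000000-0000-0000-0000-000000000003'  # placeholder: emergency-access account
$officeCidr       = '203.0.113.0/24'                         # placeholder: office egress range (RFC 5737 doc prefix)

# 1. Trusted named location for the office, so 'AllTrusted' below has something to match.
$null = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Head office egress'
    isTrusted     = $true
    ipRanges      = @(@{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = $officeCidr })
}

# Helper: one policy scoped to the app, created in report-only mode so nothing is
# enforced until the sign-in logs have been reviewed.
function New-AppPolicy {
    param(
        [Parameter(Mandatory)] [string]    $Name,
        [Parameter(Mandatory)] [hashtable] $Users,
        [Parameter(Mandatory)] [string[]]  $Controls,
        [hashtable] $Locations
    )
    $conditions = @{
        users          = $Users
        applications   = @{ includeApplications = @($appId) }
        clientAppTypes = @('all')
    }
    if ($Locations) { $conditions['locations'] = $Locations }

    New-MgIdentityConditionalAccessPolicy -BodyParameter @{
        displayName   = $Name
        state         = 'enabledForReportingButNotEnforced'
        conditions    = $conditions
        grantControls = @{ operator = 'OR'; builtInControls = $Controls }
    }
}

# 2. Who: block everyone except the finance group (and the break-glass account).
$byUser = New-AppPolicy -Name 'Finance app: only finance group' `
    -Users @{ includeUsers = @('All'); excludeGroups = @($financeGroupId); excludeUsers = @($breakGlassUserId) } `
    -Controls @('block')

# 3. Where: block the group itself when it signs in from outside any trusted location.
$byLocation = New-AppPolicy -Name 'Finance app: trusted locations only' `
    -Users @{ includeGroups = @($financeGroupId); excludeUsers = @($breakGlassUserId) } `
    -Locations @{ includeLocations = @('All'); excludeLocations = @('AllTrusted') } `
    -Controls @('block')

# 4. What device: grant only from a hybrid Azure AD joined or Intune-compliant device.
#    operator 'OR' means either kind of device satisfies the policy.
$byDevice = New-AppPolicy -Name 'Finance app: managed device required' `
    -Users @{ includeGroups = @($financeGroupId); excludeUsers = @($breakGlassUserId) } `
    -Controls @('compliantDevice', 'domainJoinedDevice')

# Once the report-only results look right, enforce each policy, e.g.:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $byUser.Id -BodyParameter @{ state = 'enabled' }
$byUser, $byLocation, $byDevice | Select-Object DisplayName, State, Id
```

Each policy is created in the report-only state, so the Azure AD sign-in logs show what it would have done without blocking anyone; flipping one to enforced is the single Update-MgIdentityConditionalAccessPolicy call shown in the last comment. The break-glass exclusion is on every policy on purpose: a wrong CIDR or an unexpectedly non-compliant device fleet would otherwise lock out the administrators who need to fix it.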
Conditional Access Policies are tied to the Azure AD Premium P1 and P2 license levels, but many organizations are on Microsoft 365 E3 or E5, which bundle Azure AD Premium P1 and P2 respectively. If those enterprise-grade bundles are too costly, Azure AD Premium P1 and P2 can be purchased on an individual user basis; Microsoft's licensing requires a license for each user covered by a Policy, but the feature itself becomes available across your whole Microsoft 365 tenant.
As shown, Conditional Access on your Applications can be a simple and effective tool for organizations to use. Consider using it if you aren't today.