In the wake of the Solorigate breach, a huge emphasis has been placed on the security of the applications and service principals in your Microsoft 365 environment. Many of the recommendations coming out now revolve around using Azure Monitor to continuously review log events and take action when something unauthorized happens. That is a thorough measure, but many organizations are not yet at the security maturity level where constantly reviewing logs is practical. They still need to understand the baseline actions to take first. This is where Azure AD Conditional Access policies come into play: Conditional Access on your applications is a simple but powerful tool in your arsenal.

User Access

A common measure is to select the application you wish to secure and allow only certain users or groups access to it. By limiting who can reach the application, you limit the potential attack surface. Any application you register in Azure AD can have a policy applied, and so can the many Microsoft service principals already present in your tenant, such as Office 365, Microsoft Teams, and Exchange Online (the service behind Outlook).
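Conditional Access cannot express "allow only this group" directly; a policy either blocks or grants with controls. The usual way to get the effect is a policy that blocks all users for the application and excludes the approved group, plus a break-glass group so administrators are never locked out. The following Microsoft Graph PowerShell script is an added example, not code from the original post; the application name, group names and policy name are placeholders for whatever exists in your tenant.

```powershell
# Added example (not from the original post): restrict one application to one group.
# Requires the Microsoft.Graph PowerShell SDK. Names below are assumed placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Application.Read.All","Group.Read.All"

# Conditional Access targets applications by their application (client) ID, so
# resolve the service principal of the app to protect and take its AppId.
$app = Get-MgServicePrincipal -Filter "displayName eq 'Contoso Expense Portal'"
if (-not $app) { throw "Application not found; check the display name." }

# Group that is allowed in, and an emergency-access group excluded from every policy.
$allowed    = Get-MgGroup -Filter "displayName eq 'SG-ExpensePortal-Users'"
$breakGlass = Get-MgGroup -Filter "displayName eq 'SG-BreakGlass-Admins'"
if (-not $allowed -or -not $breakGlass) { throw "One of the groups was not found." }

$policy = @{
    displayName = "CA01 - Expense Portal - block everyone except approved group"
    # Report-only first: the policy is evaluated and logged but not enforced.
    # Switch to "enabled" once the sign-in logs show only the expected users affected.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @($app.AppId) }
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($allowed.Id, $breakGlass.Id)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.DisplayName) with id $($created.Id) in state $($created.State)"
```

The exclusion list is the allow list: anyone not in `SG-ExpensePortal-Users` (or the break-glass group) is blocked at sign-in to that application only. Review the sign-in logs under report-only before enabling, because a block policy with a mistyped application ID or an empty exclusion group locks everyone out.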

Select Users & Groups Access to include or exclude

Another good starting point is to lock down where an application can be accessed from. You can achieve this with location-based and device-based policies.

Location Access

Location-based policies use named locations, typically the public IP ranges of your offices, as a condition: you can block an application from everywhere outside those ranges, or require extra controls there. This limits the use of sensitive applications, and the data or actions they expose, to trusted locations such as the company office, where traffic also passes through the company firewall. Keep in mind that Azure AD evaluates the public egress address the sign-in arrives from, so the ranges must be the addresses your office NATs or proxies out through, and VPN split tunneling or cloud proxies can change which address a user appears to come from.
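A location policy has two parts: a named location that marks the office range as trusted, and a policy that blocks the application from every location except that one. The script below is an added example and not code from the original post; the IP range is the documentation range 203.0.113.0/24 standing in for your real office egress, and the application, group and policy names are placeholders.

```powershell
# Added example (not from the original post): trusted office location + block elsewhere.
# Requires the Microsoft.Graph PowerShell SDK. Names and IP range are assumed placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Application.Read.All","Group.Read.All"

# 1. Create a named location for the office egress range and mark it trusted.
#    Azure AD matches the public source address of the token request against it.
$office = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "HQ office egress"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" }
    )
}

# 2. Resolve the application and the emergency-access group to exclude.
$app        = Get-MgServicePrincipal -Filter "displayName eq 'Contoso Expense Portal'"
$breakGlass = Get-MgGroup -Filter "displayName eq 'SG-BreakGlass-Admins'"
if (-not $app -or -not $breakGlass) { throw "Application or break-glass group not found." }

# 3. Block the application from all locations, excluding only the office range.
#    Using "AllTrusted" instead of $office.Id would exempt every trusted location,
#    including MFA trusted IPs, so name the specific location when you want tight scope.
$policy = @{
    displayName = "CA02 - Expense Portal - block outside office"
    state       = "enabledForReportingButNotEnforced"   # report-only until validated
    conditions  = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @($app.AppId) }
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
        locations      = @{
            includeLocations = @("All")
            excludeLocations = @($office.Id)
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.DisplayName) ($($created.Id)); office location id $($office.Id)"
```

Before enabling, check that your own sign-ins from the office show the new location in the sign-in log and that remote staff on the VPN appear from the office range rather than their home address; otherwise the block policy will hit them as soon as it leaves report-only mode.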

Use Trusted Locations to Control Application Access

Machine Access

The other way is through device-based policies, which limit these applications to selected devices. Two device states are commonly used. Hybrid Azure AD joined devices are joined to your on-premises Active Directory domain and also registered in Azure AD, so they are devices your organization owns and manages. Compliant devices are enrolled in Intune (or another MDM) and meet the compliance policy your administrator has defined; this is the usual way to admit a personal laptop or phone, although organization-owned devices can be marked compliant too.

Hybrid Joined devices are owned by your Organization

Compliant devices are personal devices that your Organization recognizes
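Device requirements are expressed as grant controls rather than a block: the policy applies to all users of the application and grants access only if the device is compliant or hybrid Azure AD joined. This script is an added example, not code from the original post, and it finishes with the check the wrap-up calls for: listing every policy that targets the application so you can see the user, location and device policies together. The application, group and policy names are placeholders.

```powershell
# Added example (not from the original post): require a managed device for one app,
# then list all Conditional Access policies that target that app.
# Requires the Microsoft.Graph PowerShell SDK. Names are assumed placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Application.Read.All","Group.Read.All"

$app        = Get-MgServicePrincipal -Filter "displayName eq 'Contoso Expense Portal'"
$breakGlass = Get-MgGroup -Filter "displayName eq 'SG-BreakGlass-Admins'"
if (-not $app -or -not $breakGlass) { throw "Application or break-glass group not found." }

$policy = @{
    displayName = "CA03 - Expense Portal - require compliant or hybrid joined device"
    state       = "enabledForReportingButNotEnforced"   # report-only until validated
    conditions  = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @($app.AppId) }
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
    }
    grantControls = @{
        # "OR": either control satisfies the policy. Change to "AND" only if you
        # really want devices that are both Intune-compliant and hybrid joined.
        operator        = "OR"
        builtInControls = @("compliantDevice", "domainJoinedDevice")   # domainJoinedDevice = hybrid Azure AD joined
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.DisplayName) ($($created.Id))"

# Check: which policies now cover this application, and are they enforced yet?
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.Conditions.Applications.IncludeApplications -contains $app.AppId } |
    Select-Object DisplayName, State |
    Format-Table -AutoSize
```

Clients that cannot present device state, such as legacy authentication clients, can never satisfy a device grant control and are simply blocked by this policy, which is usually what you want for a sensitive application. The final listing should show the user, location and device policies side by side; any still in `enabledForReportingButNotEnforced` has not yet taken effect.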

Wrap-up

Taking all of these together for sensitive applications gives you a breadth of security options. You can restrict which users can use an application, from which locations, and on what devices. It is a very easy but very powerful way to lock down Azure AD applications if you are starting out. One caveat: these policies are evaluated on user sign-ins to the application. An attacker who holds an application's own credential, the kind of abuse seen in Solorigate, signs in as the service principal itself, which standard Conditional Access policies do not evaluate, so credential hygiene for applications and review of their sign-in logs still matter.

Conditional Access is tied to the Azure AD Premium P1 and P2 license levels. Many organizations already have it, because Microsoft 365 E3 includes Azure AD Premium P1 and Microsoft 365 E5 includes Azure AD Premium P2. If those bundled enterprise licenses are too costly, Azure AD Premium P1 or P2 can be purchased separately on a per-user basis. Note that Microsoft's licensing terms require a license for every user who benefits from a Conditional Access policy, so license the users your policies are scoped to rather than treating a handful of licenses as cover for the whole tenant.

As shown, Conditional Access on your applications is a simple and effective tool for organizations to use. Consider using it if you aren't today.