ASD's Blueprint for Secure Cloud

Conditional Access policies

This page describes the configuration of Conditional Access policies within Microsoft Entra ID associated with systems built according to the guidance provided by ASD's Blueprint for Secure Cloud.


All Conditional Access policies in the DSC are set to report-only and will need to be enabled manually.

Microsoft-managed policies may be created as a result of other Entra ID settings and are identified by a MICROSOFT-MANAGED tag. These policies can be disabled as they’re superseded by Blueprint policies.

Name: Multifactor authentication for admins accessing Microsoft Admin Portals
Enable policy: Off

Name: Multifactor authentication for per-user multifactor authentication users
Enable policy: Off

Name: Multifactor authentication and reauthentication for risky sign-ins
Enable policy: Off

Name: Block legacy authentication
Enable policy: Off

Name: Require multifactor authentication for Azure management
Enable policy: Off

Name: Require multifactor authentication for admins
Enable policy: Off

Name: Require multifactor authentication for all users
Enable policy: Off

Refer to the Microsoft-managed policies article for additional information.


Each of the following pages describes the configuration of a policy for Conditional Access within Microsoft Entra ID associated with systems built according to the guidance provided by ASD's Blueprint for Secure Cloud:

ADM - S - Limit admin sessions
DEV - B - Block access from unapproved devices
DEV - G - Compliant devices
DEV - G - Intune enrolment with strong auth
GST - B - Block guests
GST - G - Guest application access with strong auth
LOC - B - Block access from unapproved countries
USR - B - Block access via legacy auth
USR - B - Block high-risk sign-ins
USR - B - Block high-risk users
USR - B - Block users with elevated insider risk
USR - G - Agreement to terms of use
USR - G - Register security info with strong auth
USR - G - Require strong auth
USR - G - Risky sign-ins with strong auth
USR - S - Limit user sessions

Acknowledgement of Country
We acknowledge the Traditional Owners and Custodians of Country throughout Australia and their continuing connections to land, sea and communities. We pay our respects to them, their cultures and their Elders; past, present and emerging. We also recognise Australia's First Peoples' enduring contribution to Australia's national security.

Authorised by the Australian Government, Canberra