ASD's Blueprint for Secure Cloud

Conditional Access

This section describes the design decisions associated with conditional access for system(s) built using ASD's Blueprint for Secure Cloud.

Estimated reading time: 5 minutes

Conditional Access provides access controls that can be applied to user login requests. These access controls provide an extra level of security to help protect corporate data and information. When a user attempts to access an application or system from any device, one or more conditions must be met before authentication is successful.

Conditional Access offers the following types of access controls:

  • User and location based - User and location based Conditional Access limits or blocks user access based on their geolocation or IP address.
  • Device based - Device based Conditional Access ensures only enrolled and approved devices can access corporate data.
  • Application based - Application based Conditional Access policies provide the ability to allow or block an application based on policy configuration.
  • Risk-based - Risk-based Conditional Access protects corporate data from malicious hackers based on a user’s sign-in risk. The sign-in risk is an indicator of the likelihood (high, medium, or low) that a sign-in attempt was not performed by the legitimate owner of a user account. Entra ID calculates the sign-in risk level during the sign-in process of a user.
  • Session based - Session based Conditional Access policies enables the control of user sessions by redirecting the user through a reverse proxy instead of directly to the app. From then on, user requests and responses go through Cloud App Security rather than directly to the app.

Based on the above conditions the user will either: be allowed, prompted for multi-factor authentication or blocked.

Microsoft provides Conditional Access policy templates which cover a range of scenarios and are considered Microsoft’s best practice for Conditional Access.

Conditional Access policies

Using the Microsoft templates as a base, the below is the list of Conditional Access policies recommended by the Blueprint:

PolicyDescription
Allow access from compliant iOS devicesGrants access to managed iOS devices that are enrolled and compliant in Intune. An approved Microsoft app is required on iOS.
Allow access from compliant Windows devicesGrants access to managed Windows devices that are Intune enrolled and compliant and/or Hybrid Entra ID joined. This policy also enforces MFA to access resources.
Block countries not allowedBlocks all connections from countries not in the allowed countries list.
Block guest accessDeny all guest and external users by default.
Block legacy authenticationBlocks all connections from insecure legacy protocols such as ActiveSync, IMAP, and POP3.
Block non-trusted IPsBlocks access from IP addresses not in the allowed IPs list.
Block unapproved devicesPrevents access from device types not included in the Blueprint (Android, Windows Phone and macOS).
Enforce MFA Legacy MethodsEnforces MFA using only Windows Hello, Security Key, Password + Hard Token for all users.
Expire administration sessionsEnforces a sign-in frequency to ensure administrators sessions do not remain active for longer than 4 hours.
Expire user sessionsEnforces a sign-in frequency to ensure non-privileged users are required to complete an MFA prompt every 12 hours.
Require acceptance of Terms of UseMeet requirement for user acceptance of terms and conditions.
Require multi-factor authentication for all usersMS004: Meets the requirement to enforce MFA for all users. This is a fallback policy given enforcement of MFA Legacy Methods.
Require multi-factor authentication for administratorsMS001: Meets the requirement to enforce MFA for all users. This is a fallback policy given all users require MFA.
Require multi-factor authentication for management Azure ManagementMS006: Meets the requirement to enforce MFA for all users. This is a fallback policy given all users require MFA.
Require multi-factor authentication for risky sign-insAdditional authentication check when sign in identified as outside normal behaviour. This is a fallback policy given all users require MFA.
Require password change for high-risk usersThis is the preferred method as opposed to just using Entra ID Protection settings for risky sign-ins as it provides additional capabilities.
Require phishing-resistant multi-factor authentication for administratorsEnforces use of phishing resistant multi-factor authentication for all administrators.
Securing security info registrationEnforces the requirement for token or temporary password issue before registering other MFA methods.

Conditional Access Exceptions

Device Enrolment Exception

During device enrolment a new machine needs to be registered with Microsoft Intune. To register the Device ID a powershell script is run on the device which connects to Microsoft Intune and prompts the administrator enrolling the device to login. When the administrator authenticates, two Conditional Access policies block authentication:

  • Allow access from compliant Windows devices - At this stage the device has not had policies applied and therefore is not compliant.
  • Block non-trusted IPs - At this stage the device has no VPN and cannot be connected to the network. Any login is coming from the “cloud”.

To enable device enrolment a group is excepted from these policies. This group will be a privileged group containing a limited number of Platform Administrators who carry out device enrollments with an “approval” workflow to stop compromised account self elevation. This is a temporary time bound elevation of 30 minutes duration. Strong MFA is enforced when the user logs in from the non-compliant device outside the network.

Security & Governance

  • None identified

Design

References

Do you have a suggestion on how the above page could be improved? Get in touch! ASD's Blueprint for Secure Cloud is an open source project, and we would love to get your input. Submit an issue on our GitHub, or send us an email at blueprint@asd.gov.au

Acknowledgement of Country icon

Acknowledgement of Country
We acknowledge the Traditional Owners and Custodians of Country throughout Australia and their continuing connections to land, sea and communities. We pay our respects to them, their cultures and their Elders; past, present and emerging. We also recognise Australia's First Peoples' enduring contribution to Australia's national security.

Authorised by the Australian Government, Canberra