Information Technology Navigator

Tips, Advice & Insights from Technology Pros

Conditional Access – Deployment Best Practices

Posted by Steve Caprio

Mon, Jun 15, 2020


Conditional Access in Azure AD provides a level of security required to maintain appropriate controls over who can access confidential and privileged information. It was the topic of discussion at our most recent “Ask the Engineer Q&A Roundtable” where attendees learned tips for a successful Conditional Access deployment and got answers to their specific questions.

Conditional Access policies at their simplest are if-then statements, if a user wants to access a resource, then they must complete an action. Example: A payroll manager wants to make an entry in the payroll application and is required to perform multi-factor authentication in order to open and access the application.

Azure administrators are faced with two primary goals:

  • Empower users to be productive wherever and whenever
  • Protect the organization's assets

By using Conditional Access policies, you can apply the right access controls when needed to keep your organization secure and stay out of your users’ way when not needed.

Based on our many experiences with Conditional Access, here are some recommended best practices that will help make for a smoother deployment:

1. Establish a Steering Committee
  • Depending on the size and complexity of your organization there may be numerous scenarios and/or work personas that need to be considered while planning.
  • Including members of all business units will speed buy-in across the organization. This helps set employee expectations around the new polices and should make end-user training go smoothly.
2. Use the Zero Trust Security Model
  • Verify explicitly
    • Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies.
  • Use least privileged access
    • Limit user access with just-in-time and just-enough-access (JIT/JEA), risk-based adaptive polices, and data protection to help secure both data and productivity.
  • Assume Breach
    • Minimize blast radius for breaches and prevent lateral movement by segmenting access by network, user, devices, and app awareness. Verify all sessions are encrypted end-to-end. Use analytics to get visibility and drive threat detection and improve defenses.
3. Plan Your Costs
  • Understand minimum requirements for all users and uplifted licenses and features for special user cases
  • Microsoft 365 has several different levels to Azure AD with security features that come as ‘a la carte’ or bundled inside certain licenses.
4. Communicate with Users and IT
  • Do not be afraid to overcommunicate within your organization, these changes will likely impact almost every single user at some point.
  • Communication with the service desk and others in IT will help get issues addressed quickly and prevent undue escalation.

Utilizing Conditional Access policies provided through Azure AD can add an important layer of security to your organization. However, without proper planning and execution these security features can become cumbersome and unnecessarily complicated.

These were some of the helpful insider tips provided at our recent “Ask the Engineer Q&A Roundtable” where our Daymark cloud-certified consultants shared their experiences deploying Conditional Access in organizations with 100 to 10,000 users. These sessions are a great way to get advice from those who have encountered and tackled real-world problems. We’re doing more of these Q&A Roundtables throughout the summer. Some of our upcoming topics include Hybrid Azure AD Join, and Managing Office 365 Click to Run Deployment with the Office Customization Tool (OCT). It’s an hour well spent and an opportunity to get your questions answered. I encourage you to register today.