6 Conditional Access Policies You Should Turn on Now

Conditional access policies are simply defined as if-then statements: If a user wants access to a resource (like an account or application) then they must complete an action.

Enabling conditional access policies within the Microsoft ecosystem allows you to empower your employees to be productive wherever and whenever while also protecting your organization’s assets.

With these policies enabled, one of two things can happen at sign-in: access is either blocked or granted.

Multiple conditional access policies could apply to one user. In this case, the user must meet all policies to gain access.

Here are six conditional access policies your organization should implement now to improve your security posture.

1.) Enforce Multifactor Authentication

Enforcing multifactor authentication, or two-factor authentication, is the quickest and easiest way to protect your organization.

We’ve previously discussed how a Microsoft study concluded that your account is more than 99.9% less likely to be compromised if you use MFA.

So, it stands to reason that enforcing MFA would be the top conditional access policy to implement.

It’s much harder for an attacker to steal that second factor — something you have, something you are or somewhere you are — than it is to steal just a password.

It is possible to enable MFA without using the conditional access policy to enforce it for all employees. However, using the policy will act as a safety net in case you forget to turn on MFA for a new employee.

2.) Restrict MFA Registration

When your employee gets a new phone or you hire a new employee, this policy only allows MFA device registration while at an office location. In other words, your employees can only get their devices registered as their trusted MFA devices while connected to your organization’s network.

The reason is that if an attacker ever gained temporary access to one of your employee’s accounts, they would probably try to register a new MFA device to extend their ability to connect again in the future. This policy stops new devices from being registered in that scenario.

If your employee is unable to come into the office, whether for personal reasons or because they live too far away, they can always call your IT team and work with them to get a device registered.

Ultimately, the goal is to prohibit bad guys from doing it on their own.

3.) Allow Only U.S. Logins

This conditional access policy prohibits anyone connecting from an IP address located outside the United States from accessing company information.

For any United States-based company with no international offices, it doesn’t make sense to allow access to IPs that are outside of the country.

It should be noted if you have employees who travel outside the United States and need to access their work accounts, exclusions can be put in place.

Additionally, if you use a personal VPN on your devices, the policy could block access. VPNs allow you to connect to servers beyond your physical location, so if you appear to be connecting from somewhere outside the U.S. — despite being physically located within the country — you could get blocked.
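Policies 2 and 3 both depend on named locations, so here is one added example (not code from the original post) that creates both with the Microsoft Graph PowerShell SDK, in report-only mode first. The office CIDR, the travelers group name and the policy display names are constructed placeholders.

```powershell
# Added example (not from the original post). Assumes the Microsoft Graph
# PowerShell SDK; the office CIDR, group name and display names are constructed.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Group.Read.All"

# Trusted named location for the office network (constructed sample range;
# use your real egress IPs). isTrusted = $true is what "AllTrusted" matches on.
$office = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Office egress"
    isTrusted     = $true
    ipRanges      = @(@{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" })
}

# Policy 2: the "register security info" user action is blocked from every
# location except trusted ones, so a hijacked account cannot add an MFA device.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "CA02 - Restrict MFA registration to trusted locations"
    state         = "enabledForReportingButNotEnforced"   # review sign-in logs, then set "enabled"
    conditions    = @{
        users        = @{ includeUsers = @("All") }
        applications = @{ includeUserActions = @("urn:user:registersecurityinfo") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Policy 3: a country named location for the US. Unknown/unmapped IPs are NOT
# counted as US, so they fall into the block below (the policy fails closed).
$us = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "United States"
    countriesAndRegions               = @("US")
    includeUnknownCountriesAndRegions = $false
}
# Travelling staff go in an exclusion group (constructed name) rather than
# being added to the policy one at a time.
$travelers = Get-MgGroup -Filter "displayName eq 'CA-Exclude-International-Travel'"
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "CA03 - Block sign-in from outside the US"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeGroups = @($travelers.Id) }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @($us.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
```

Users on a personal VPN that exits abroad will show up as blocked in the report-only sign-in logs, which is the place to spot them before enforcing.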

4.) Block Legacy Authentications

Legacy authentication refers to outdated and insecure methods of verifying a user’s identity. These methods usually rely on single-factor authentication (a username and password) and do not include MFA.

Because you already are enforcing MFA as one part of your conditional access policies, you’ll also want to block any legacy authentications that can be easily compromised by phishing, brute-force and credential-stuffing attacks.

Applications that use legacy authentication include Microsoft Office 2013 or older versions of Office, as well as applications that use mail protocols like POP, IMAP, ActiveSync, etc.
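Policies 1 and 4 belong together, because the MFA requirement only protects clients that can actually perform MFA. This added example (not from the original post) creates both with the Microsoft Graph PowerShell SDK and then lists who is still using legacy protocols; the break-glass account and display names are constructed.

```powershell
# Added example (not from the original post). Assumes the Microsoft Graph
# PowerShell SDK; the break-glass account and display names are constructed.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","User.Read.All","AuditLog.Read.All","Directory.Read.All"

# Exclude one emergency-access account so a mistake here cannot lock out every admin.
$breakGlass = Get-MgUser -UserId "breakglass@contoso.example"

# Policy 1: every user, every cloud app, any client: grant only with MFA.
# New hires are covered automatically because the scope is "All", not a list.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "CA01 - Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"   # set "enabled" after reviewing report-only results
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 4: legacy clients (POP, IMAP, ActiveSync, Office 2013 and older)
# cannot complete an MFA prompt, so policy 1 never protects them. Block them.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "CA04 - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")   # "other" = all basic-auth protocols
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Before enforcing, find out who is still using legacy protocols. Filtering is
# done client-side: legacy sign-ins carry a ClientAppUsed other than "Browser"
# or "Mobile Apps and Desktop clients".
Get-MgAuditLogSignIn -Top 500 |
    Where-Object { $_.ClientAppUsed -notin @("Browser", "Mobile Apps and Desktop clients") } |
    Group-Object UserPrincipalName, ClientAppUsed |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```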

5.) Block Persistent Browser Login

This policy blocks global administrative accounts from letting the web browser or any apps remember them, and forces a fresh sign-in every hour.

If an attacker did gain access to an admin account, they would have to re-authenticate in an hour. This means logging in with another MFA request.

This only applies to global admin accounts and does not force your employees to sign in every hour.

Because global admins can change network settings and other organizational policies, it’s imperative to keep attackers from doing damage if they were to access those accounts.

6.) Restrict Administrative Access

By default, accounts that are not admin accounts can navigate to the Azure or Entra portals and view company information. This policy blocks those accounts from viewing that data.

Non-admin accounts don’t need access to this information, and attackers, posing as your employees, could see information about your company that would help them mount further attacks.
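Policies 5 and 6 are both scoped by directory role, so this added example (not from the original post) creates them together with the Microsoft Graph PowerShell SDK, resolving role template IDs by name rather than pasting GUIDs. The display names and the particular set of admin roles excluded from policy 6 are constructed choices.

```powershell
# Added example (not from the original post). Assumes the Microsoft Graph
# PowerShell SDK; display names and the set of admin roles are constructed.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","RoleManagement.Read.Directory"

# Look up role template IDs by name instead of hard-coding GUIDs.
$templates   = Get-MgDirectoryRoleTemplate
$globalAdmin = ($templates | Where-Object DisplayName -eq "Global Administrator").Id
$adminRoles  = @($templates | Where-Object {
        $_.DisplayName -in @("Global Administrator", "Security Administrator",
                             "Conditional Access Administrator", "Exchange Administrator")
    } | Select-Object -ExpandProperty Id)

# Policy 5: Global Administrators only. No "stay signed in" browser session and a
# fresh sign-in (which re-triggers MFA) every hour. Ordinary users are not in scope.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName     = "CA05 - Global admins: no persistent browser, 1h sign-in frequency"
    state           = "enabledForReportingButNotEnforced"
    conditions      = @{
        users        = @{ includeRoles = @($globalAdmin) }
        applications = @{ includeApplications = @("All") }   # session controls need "All"
    }
    sessionControls = @{
        persistentBrowser = @{ isEnabled = $true; mode = "never" }
        signInFrequency   = @{ isEnabled = $true; type = "hours"; value = 1; frequencyInterval = "timeBased" }
    }
}

# Policy 6: block the Microsoft admin portals (Azure portal, Entra admin center,
# etc.) for everyone who does not hold one of the admin roles above.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "CA06 - Block admin portals for non-admins"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeRoles = $adminRoles }
        applications = @{ includeApplications = @("MicrosoftAdminPortals") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Sanity check: both policies exist and are still report-only before flipping them on.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object DisplayName -like "CA0*" |
    Select-Object DisplayName, State
```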


Your IT team or managed service provider should set up these conditional access policies for you.

Implementing them will improve your organization’s security measures and help protect your important data.

Want to Learn More About Conditional Access Policies?

Contact us here to discover how we can help keep your business running smoothly while increasing productivity, security and profitability.