Conditional Access – step by step configuration instructions – part 1

Part 1

Where to look for the configuration panel

Network Configuration

Part 2

Conditional access policy configuration

Options overview

Part 3

Examples of business requirements

How to configure them

Azure conditional access often proves difficult to configure. This is usually due to an insufficient understanding of the principles of conditional access policies.

In this article, you will find detailed step-by-step configuration instructions. Each element will contain a screen and an explanation. Additionally, at the very end, you will find a list of business examples with an explanation of how and why they should be set up.

Conditional access – configuration panel

Conditional access is configured from the Azure portal ( ). After logging in to the portal, find the tab: Azure AD Conditional Access.

How to find conditional access configuration panel
1. How to find conditional access configuration panel

In the configuration panel you will find the following options:

Options in the azure conditional access configuration panel
  1. Access to the list of currently configured policies (i.e. to the view as in the picture above)
  2. Editing known networks – we can define conditions on their basis
  3. Adding a new policy
  4. List of policies – clicking on the name will take you to edit
  5. Policy Status
  6. Quick menu

The list of policies visible in Fig. 2 is a list which, as announced above, will be deleted. So we won’t deal with them. These are the default, predefined policies that you must now configure yourself.

Named locations – network configuration

In many cases, we want to make our policy dependent on the location from which the user is trying to get to the resources. For example, when connecting to a corporate network, we do not require additional security. For a public network connection, we require, for example, two-factor authentication (MFA).

To add a new location, select the option: New location
Conditional Access - Adding a new named location
  • Complete the name of the location, e.g. “Corporate network”
  • Select the “IP ranges” option – you will define networks based on IP addresses or “Countries” – you will define them based on a predefined list of States
  • Select the option if this network is a trusted network – you will find out what trusted networks are in the next paragraph
  • Enter a range or several ranges of IP addresses as shown in the picture
  • please read the notes below!
What are trusted networks?

By marking a network as trusted, you make it rated as less risky. It matters when you use risk-based policies – more on that later.

Don’t confuse trusted locations with MFA trusted IPs.
  • Trusted locations relate to the configuration of conditional access and risk assessment of access from specific addresses
  • MFA trusted IPs applies to MFA configuration and addresses from which two-component authentication is not required and is not related to the configuration of conditional access.
Private addressing, VPNs, what to look for?

Remember that you get to the cloud with a public address. So do not use private addressing in your network definitions.

If you use a VPN that you use to connect to a private corporate network and through it (NAT) to the cloud, do not define the VPN as a named location. You can connect to the cloud with the public address of your company network.

Always think carefully about what address you connect to the cloud. Lack of knowledge in this matter may result in incorrect operation of conditional access or blocking access to services.

Example definition of trusted network, corporate network

An example definition of a corporate network might look like this.

An example definition of a corporate network

To complete the network configuration, we define two additional networks:

PARNER_NET – in which we define all networks of our partners and cooperating companies known to us. It will be a network with a greater degree of trust than the public internet and less secure than the corporate network.

UNTRUST_NET – in which we define all dangerous addresses known to us. All connections from this network will be considered as potentially dangerous. These can be, for example, known addresses of open VPNs.

The final list of networks may look like this:

Conditional access - list of named locations

Let’s summarize the knowledge.

  • We know where to configure conditional access policies
  • We know the purpose of selected elements of the configuration panel
  • We have defined IP addresses known to us

We can proceed to the configuration of the conditional access policy and discuss its individual elements.