top of page
  • Writer's pictureChaz Vossburg

Conditional Access: Modernizing Multi-Factor Authentication

In today’s increasingly decentralized IT environment, the modern security perimeter now extends beyond an organization’s network to include user and device identity.  People connect from organization-owned, personal, and pubic devices on and off their corporate networks using various device types on varying platforms.  In this environment, security of user accounts is more important than ever.  As we discussed in our post “Phishing In Your Company Pond?” passwords, no matter their complexity, used across devices, networks, and platforms, are no longer sufficient to ensure the security of the user account.

Multi-factor Authentication (MFA) is more often used to help safeguard access to data and applications by providing an additional layer of security, using a second form of authentication.  This would seem to make it a no-brainer for organizations to adopt MFA, as it is a relatively easy way to counter the high-risk factor associated with vulnerable credentials.  However, according to a global survey of global IT administrators conducted by Venture Beat, the single largest impediment to adoption is user perception.  Users view adding an additional factor to the authentication process as negatively affecting the user experience and as a potential disruption to their productivity if authentication fails.  Admins also pointed to implementing MFA in a “blanket” manner as a lack of flexibility, making it more difficult for remote workers to perform the same authentication process as those within the corporate network.

Regardless, Administrators are ultimately faced with two primary goals:

  1. Empower users to be productive wherever and whenever

  2. Protect the organization’s assets

Enter: Conditional Access (CA).  Conditional Access is a tool used by Azure Active Directory that brings signals together (how access is requested), to make decisions (grant full or conditional access, block access), and enforce organizational policies.  According to Microsoft, Conditional Access is at the heart of the new identity-driven control plane.

Conditional Access allows administrators to apply the proper access controls when needed to keep the organization secure, and stay out of user’s way when not needed.  This allows for a more granular approach to security.  See the diagram below for a graphical representation and then read further regarding the various signals, decisions, and policies that are common with CA.

Common signals

  1. User or group membership

  2. IP Location information – whitelist/blacklist IP ranges

  3. Device – specific platforms

  4. Application – attempted access to specific applications can trigger defined CA policies

  5. Real-time and calculated risk detection – can identify risky sign-in behavior

Common decisions

  1. Block access

  2. Grant access – can still require one or more of the following options:

  3. Require MFA

  4. Require device to be marked compliant

  5. Require Azure AD joined device

  6. Require approved client app

Common policies

  1. Require Multi-Factor Authentication for users with administrative roles

  2. Require Multi-Factor Authentication for Azure management tasks

  3. Block sign-in for users attempting to use legacy authentication protocols

  4. Requiring Azure Multi-Factor Authentication registration to be complete

  5. Blocking or granting access from specific locations

  6. Blocking risky sign-in behaviors

  7. Requiring organization-managed devices for specific applications

Administrators know that protecting assets and empowering users are their two primary goals.  In a decentralizing environment, using a “one size fits all” approach is no longer viable.  Implementing Multi-Factor Authentication with Conditional Access provides the balance of flexibility and security assurance that the modern organization needs.

Click here to contact a Wellforce Azure expert and see if you qualify for a free security assessment and consultation.


Recent Posts
bottom of page