Conditional Access Policies and Microsoft Cloud App Security
Microsoft Cloud App Security (MCAS) can provide great benefit for security or compliance when used in combination with Conditional Access Policies as additional granularity of control can be enforced. Specifically when used in combination, Access and Session controls can be enforced on the user or device which we will explore later.
In this article we will explore how we can set up MCAS and a conditional access policy so we can get started with custom policies.
Conditional Access Policies
At the time of writing, per the pricing model¹, Azure Active Directory comes in four editions — Free, Office 365 apps, Premium P1 and Premium P2. In order to use conditional access policies we must have either a AAD Premium P1 or P2 license. There are a number of differences between the two which we will cover later. We can trial AAD Premium P2 or Enterprise Mobility + Security E5. For this tutorial we will be using the trial AAD Premium P2 license.
There are two ways you can enable the trial, the first being the easiest and the fastest but we with show both methods below.
Method 1: Trial AAD P2 from Conditional Access Policies
Step 1. Begin to type ‘conditional access’ in the search bar and you will see ‘Azure AD Conditional Access’
Step 2. Click ‘Azure AD Conditional Access’ and you will see the following
Step 3. Click the violet/purple tooltip at the top which states ‘Create your own policies and target…’ which will show the following. You can now choose which license you wish to trial from here
Method 2: Trial AAD P2 from AAD Licenses
Step 1. Begin to type ‘Azure Active Directory’ in the search bar and you will see the corresponding service. Click the name
Step 2. You will then see a similar screen for your tenant. Click ‘Licenses on the left under ‘Manage’
Step 3. Now you will see the Licenses Overview. Click ‘All Products’
Step 4. You will now see the ‘All Products’ page for ‘Licenses’. Click the button ‘Try/Buy’
Step 5. This will now popup the ‘Activate’ tab on the right which will allow you to choose which license you wish to trial
Once activated you will receive a notification message as shown below
After a while it will also show in the ‘All products’ page of ‘Licenses’
Note: Enabling this trial has been seen to enable Security Defaults but this can be disabled again if undesired.
Enabling Cloud App Security
In a new tenant Microsoft Cloud App Security (MCAS) will not be enabled by default.
There are a number of prerequisites required before it can be enabled² but we will presume they have already been met as part of this tutorial.
Upon visiting https://portal.cloudappsecurity.com/ for the first time we will be prompted that it must be enabled as seen below
This will redirect us to the ‘Manage advanced alerts’ section of Office 365 Security & compliance. Then we simply check the ‘Turn on ‘Office 365 Cloud App Security’ which will allow us to click the ‘Go to Office 365 Cloud App Security’ button. There we have it, MCAS is now enabled!
Creating a conditional access policy
A Conditional Access Policy (CAP) is comprised of numerous different elements³ such as:
- Users and groups — these are the users and/or groups and/or directory roles to be affected or excluded from the CAP
- Cloud apps and actions — applications included or excluded from the policy and user actions to apply
- Conditions — when the policy will apply which can be triggered by; user risk, sign-in risk, device planforms, locations, client apps and device state
- Access controls — grant — this option defines whether access should be blocked or granted as well any requirements such as requiring a password change or multi-factor authentication or requiring both
- Access controls — session — this option allows you to configure certain restrictions such as app enforced restrictions, sign-in frequency, persistent browser session and conditional access app control.
Selecting ‘Use Conditional Access App Control’ and ‘Use custom policy’ allows us to route app sessions to MCAS where we can configure custom policies⁴.
MCAS Custom Policies
If MCAS was recently enabled then it will show that the sync is in progress and can take some time to complete.
Session controls work by redirecting the user through a reverse proxy instead of directly to the app and this is known as a typical URL
luke.com will be transformed into something such as
luke.com.mcas.ms . Access controls are typically used in combination with session controls to block certain access to applications.
To create a custom policy we click ‘Control’ on the left. Then ‘Policies’. We can then create a number of different policies. However, our aim is to effect the
The following will show if the conditional access policy is created before trying to create either a access or session policy
AAD Premium P1 vs P2
Two additional features exist in AAD P2 which are not in AAD P1⁵:
- Identity Protection — risky accounts detection, risky events investigation and risk-based conditional access policies
- Identity Governance — Privileged Identity Management (PIM), access reviews and entitle management
Learning how you can place extra granularity of controls on users and devices can greatly protect your organization from any security nuances.
I hope you’ve enjoyed the article. If you have any questions, ideas, or suggestions, please feel free to reach out via Twitter or in the comments below!
Thanks for reading!