Posted by Andrew Ballantyne on 14th September 2022

Optimising Information Security with Conditional Access

The contemporary security perimeter no longer stops at the edge of a company's network; it now includes the identity of the user and the state of the device they are using.

Businesses can utilise identity-driven signals as part of their access control decisions. Conditional Access brings these signals together to simplify decision-making and enforce organisational policies.

Conditional Access is an Azure AD (now Microsoft Entra ID) feature, licensed through Azure AD Premium P1, which Microsoft 365 E3, E5 and Business Premium include. It is one of the most effective tools for improving the security of an Office 365 tenant.

How Conditional Access Works

Conditional Access lets you define policies at the tenant level that evaluate every authentication attempt made against your tenant and check whether it meets the criteria of each policy. The advantage of working at the tenant level is that a policy is not something each user has to switch on; once it is enabled it applies to every sign-in that matches its conditions.

Conditional Access restricts access to a company's platforms and data by enforcing requirements that a sign-in must satisfy before information is released: conditions on the user, the device, the location and the application being accessed. At their most basic level, Conditional Access policies are if-then statements. If someone wants to access a resource, then they have to satisfy a control.

For instance, if an HR manager wants to access the HR app, they will have to do multifactor authentication (MFA) to access it.

[Figure: Conceptual Conditional Access process flow. Source: Microsoft]

Keep in mind that Conditional Access policies are enforced only after first-factor authentication has completed: the user still has to present a valid password (or equivalent) before any policy is evaluated. These policies aren't intended to be an organisation's first line of defence against events such as denial-of-service (DoS) attacks, although Conditional Access can use signals from such events when deciding whether to grant access.

Three Conditional Access Policies You Should Implement in Office 365

We believe these three key policies can be implemented quickly and improve your security substantially without unduly impacting users.

1. Require MFA for Admins

Accounts that are assigned administrative rights are often targeted by attackers. Requiring MFA on those accounts is an easy way to decrease the risk of those accounts being compromised.

This policy ensures that every admin account uses MFA for Office 365 regardless of where it signs in from. Instead of relying on administrators to enable MFA for themselves, you configure a Conditional Access policy that targets the administrative directory roles; every time an account holding one of those roles authenticates, it is prompted for a second factor.

To make sure you aren't locked out of your own tenant in the event you don't have your second factor of authentication, we recommend that you exclude your break-glass account from this policy (and from every other Conditional Access policy). That exclusion is what lets you get back in if you are ever locked out. Because break-glass accounts bypass the policy, they need a long, randomly generated password that is stored securely and split between custodians, and every sign-in by a break-glass account should raise an alert so that its use is always noticed.

Here is how the policy to require MFA for admins is set up in the Azure AD portal:

[Screenshot: Conditional Access policy "MFA for admins"]
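As an added example (not taken from the original post or from Microsoft's documentation), here is the same policy created with the Microsoft Graph PowerShell SDK instead of the portal. It assumes the Microsoft.Graph module is installed, that the signed-in account can consent to the listed scopes, and that the break-glass UPN is replaced with your own; breakglass@contoso.onmicrosoft.com and the policy name are placeholders. The policy is created in report-only mode so the sign-in log can be reviewed before it is enforced.

```powershell
# Added example: "Require MFA for admins" built with the Microsoft Graph PowerShell SDK.
# Assumes the Microsoft.Graph module is installed; the break-glass UPN is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Directory.Read.All"

# Resolve directory role template IDs by display name instead of hard-coding GUIDs.
$adminRoleNames = @(
    "Global Administrator", "Security Administrator", "Conditional Access Administrator",
    "Exchange Administrator", "SharePoint Administrator", "User Administrator"
)
$adminRoleIds = Get-MgDirectoryRoleTemplate -All |
    Where-Object { $adminRoleNames -contains $_.DisplayName } |
    Select-Object -ExpandProperty Id

if (@($adminRoleIds).Count -ne $adminRoleNames.Count) {
    throw "Expected $($adminRoleNames.Count) role templates, resolved $(@($adminRoleIds).Count); check the names."
}

# Exclude the break-glass account so a lost second factor cannot lock you out of the tenant.
$breakGlass = Get-MgUser -Filter "userPrincipalName eq 'breakglass@contoso.onmicrosoft.com'"
if (-not $breakGlass) {
    throw "Break-glass account not found; do not create the policy without an exclusion."
}

$policy = @{
    displayName = "CA001 - Require MFA for admins"
    # Report-only first: the sign-in log shows who would have been prompted; then set "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeRoles = @($adminRoleIds)
            excludeUsers = @($breakGlass.Id)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"
```

Targeting roles rather than named users means a newly assigned administrator is covered automatically. The throw on a role-count mismatch is deliberate: a silently empty includeRoles list would create a policy that applies to nobody.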

2. Block Legacy Authentication

Due to the increased risk associated with legacy authentication protocols (basic authentication used by older Outlook clients, IMAP, POP, SMTP AUTH and similar), we recommend that organisations block legacy authentication requests wherever possible and enforce the use of modern authentication, which supports MFA.

Unless security defaults are switched on, legacy authentication is allowed in a tenant, and blocking it improves your security posture straight away. According to Microsoft, over 99% of password spray attacks and over 97% of credential stuffing attacks use legacy authentication, because those protocols cannot prompt for MFA. Microsoft's figures also show that organisations that have disabled legacy authentication experience 67% fewer compromises than those that still allow it. Those are huge numbers for a fairly small change!

If you do still require legacy authentication for some applications, you can use exclusions here as well. A typical approach is to block legacy authentication for everyone and then exclude only the specific accounts that still need it (a multifunction printer's SMTP mailbox, for instance) or, where the client is a server, a named location covering its IP address. Before enforcing the block, check the sign-in logs for the "client app used" field to see which users and protocols would be affected, and run the policy in report-only mode first.
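An added example, not from the original post, of the check-then-block approach described above using the Microsoft Graph PowerShell SDK: it first lists who has signed in with a legacy protocol in the last 30 days (anything other than a browser or a modern desktop/mobile client), then creates the blocking policy with an excluded group and an excluded named location. The group name CA-Exclude-LegacyAuth and location name OnPrem-MailRelay are placeholders assumed to exist already in the tenant; the Microsoft.Graph module is assumed to be installed.

```powershell
# Added example: audit legacy sign-ins, then block legacy authentication with exclusions.
# Group and named-location names are placeholders that must already exist in your tenant.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "AuditLog.Read.All", "Directory.Read.All"

# Step 1: legacy sign-ins in the last 30 days. Anything that is not a browser or a modern
# desktop/mobile client arrived over a legacy protocol (IMAP, POP, SMTP, ActiveSync, ...).
# On a large tenant narrow the date range; the sign-in log can be very large.
$modernClients = @("Browser", "Mobile Apps and Desktop clients")
$since = (Get-Date).ToUniversalTime().AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")
$legacySignIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $modernClients -notcontains $_.ClientAppUsed }

# One row per user and protocol: these are the candidates for the exclusion group below.
$legacySignIns |
    Group-Object UserPrincipalName, ClientAppUsed |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

# Step 2: exceptions. A group for accounts that still need legacy auth and a named location
# for a server's public IP. Fail loudly rather than create a policy with a null exclusion.
$exclGroup = Get-MgGroup -Filter "displayName eq 'CA-Exclude-LegacyAuth'"
$exclLoc   = Get-MgIdentityConditionalAccessNamedLocation -Filter "displayName eq 'OnPrem-MailRelay'"
if (-not $exclGroup -or -not $exclLoc) {
    throw "Exclusion group or named location not found; create them before the policy."
}

$policy = @{
    displayName = "CA002 - Block legacy authentication"
    # Enforce only once the report above is empty or every remaining entry is excluded.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($exclGroup.Id) }
        applications   = @{ includeApplications = @("All") }
        # "exchangeActiveSync" and "other" are the two legacy client app types.
        clientAppTypes = @("exchangeActiveSync", "other")
        locations      = @{ includeLocations = @("All"); excludeLocations = @($exclLoc.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Keep the exclusion group small and review it regularly: every member is an account that can still be password-sprayed without an MFA prompt.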

3. Require MFA for Users on Non “Approved” Devices

This policy requires users who sign in from a non-compliant device to complete MFA. It can be configured in two ways: either prompt for MFA on non-compliant devices, or block them outright.

If a device meets your security baseline criteria and is deemed compliant, it will be allowed into your tenant without any MFA. If the device is not compliant because it doesn’t meet the criteria you set out, there are two options. 

  • You can tell the policy to require MFA, to make sure it really is the user and not someone who has obtained their password. Only a minority of organisations opt for this, because if the device is not one of yours, or is not compliant, you may not want it in your tenant at all; in that case the policy simply blocks access. 
  • You can also handle mobile mail separately by targeting the Exchange ActiveSync client app type. This ensures that phones syncing mail over ActiveSync must meet the same compliance requirement, rather than any third-party mail app being able to connect to Exchange Online.

That does leave an obvious question: what is a 'non-compliant device'? This is where the relationship between Conditional Access and Microsoft Intune is really important. Intune allows you to define the baseline criteria a device must meet to be marked compliant and therefore count as an 'approved device' (for example, a minimum operating system version, disk encryption enabled, or a password set). We will explore this in our upcoming Microsoft Intune blog. What matters here is how Intune feeds Conditional Access: when somebody tries to sign in to your tenant and a policy requiring an approved device is in place, Conditional Access reads the compliance state that Intune has recorded for the device (see the diagram below for a basic representation) and then grants, prompts or blocks depending on whether the device meets the criteria.

[Diagram: Conditional Access evaluating a signing-in device against the compliance criteria defined in Intune]
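An added example (not part of the original post) showing both variants of the third policy with the Microsoft Graph PowerShell SDK. With the grant operator set to OR, a sign-in is allowed if any one listed control is satisfied, so "compliantDevice" plus "mfa" means compliant devices pass silently and everything else is prompted; dropping "mfa" leaves device compliance as the only way in, which is the block variant. The $blockNonCompliant switch, the CA003 names and the break-glass UPN are assumptions for illustration; the Microsoft.Graph module is assumed to be installed.

```powershell
# Added example: compliant device OR MFA for all users, with a switch for the stricter
# "block unless compliant" variant. Break-glass UPN and policy names are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Directory.Read.All"

$blockNonCompliant = $false

$breakGlass = Get-MgUser -Filter "userPrincipalName eq 'breakglass@contoso.onmicrosoft.com'"
if (-not $breakGlass) { throw "Break-glass account not found; refusing to create the policy." }

# OR means "any one of these controls satisfies the policy". An Intune-compliant device
# passes without a prompt; with "mfa" present anything else is prompted, without it anything
# else is denied.
if ($blockNonCompliant) {
    $controls = @("compliantDevice")
    $name     = "CA003 - Block non-compliant devices"
} else {
    $controls = @("compliantDevice", "mfa")
    $name     = "CA003 - Require compliant device or MFA"
}

$policy = @{
    displayName = $name
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            # Guests cannot enrol devices in your Intune, so they would always fail the
            # compliance check; cover them with a separate policy.
            excludeUsers = @($breakGlass.Id, "GuestsOrExternalUsers")
        }
        applications   = @{ includeApplications = @("All") }
        # Legacy clients cannot present device state at all; the legacy-auth block handles them.
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{ operator = "OR"; builtInControls = $controls }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Run the policy in report-only mode for a couple of weeks first: the sign-in log's report-only result column will show exactly which users would have been blocked or prompted, which is usually how unenrolled but legitimate devices are discovered.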

Conclusion

In a conventional on-premises infrastructure, the system admin has full control over user access to corporate resources. When using cloud solutions, access to resources can be carried out both from the corporate network and externally. 

Conditional Access is a feature that allows or denies access to company resources based on user, device, location and several other signals. It lets you dramatically increase the security of your resources without complicating user access. By using Conditional Access policies, you can apply the right access controls at the right moment to keep your organisation secure.
