Microsoft Entra ID (formerly Azure AD) Conditional Access (CA) policies are a key component of a Zero Trust strategy, because they act as the front door for users and devices. CA policies use attributes, or signals, from various components as variables to enforce specific access controls. These attributes include user and device attributes, such as location and device risk. By defining and controlling the conditions under which access is granted, we can reduce risk and enhance security.
Conditional access is a cornerstone of a Zero Trust strategy. The ability to explicitly verify, evaluate context, and apply adaptive access on a continuous basis allows for granular access control and monitoring. Key benefits of using conditional access in a Zero Trust framework include a reduced attack surface and enhanced dynamic security. Organizations can enforce ‘trust but verify’ principles and ensure, on a dynamic basis, that only authorized users have access to assets and resources.
A Conditional Access policy can be broken down into two components: conditions and controls.
Conditions define the circumstances under which access is granted; they can also be used to explicitly deny access. The conditions evaluated are primarily user, app, and device focused, such as user risk or device compliance. For example, a CA policy may state that a Windows 10 device must have current anti-malware signatures applied.
A control is a set of actions to be taken when the conditions are met. By defining what actions occur when a given set of attributes is present, security automation and orchestration begin to take place. Access can be granted, blocked, or put on hold until the risk is remediated. To continue the anti-malware example above, a CA policy that requires a current AV signature to grant access would block a device with an out-of-date signature and then redirect the user to update the signature.
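The conditions-and-controls split above maps directly onto the Microsoft Graph conditionalAccessPolicy object. The following is an added example (not from the diary author or Microsoft) that builds a policy requiring an Intune-compliant Windows device, starts it in report-only mode, and lints it for the classic lockout mistake of scoping "All" users without excluding a break-glass account. The break-glass object ID is a constructed placeholder.

```python
import json

# Real Graph endpoint for creating CA policies (POST with an app token; not called here)
GRAPH_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def build_compliant_device_policy(break_glass_ids, enforce=False):
    """Return a Graph conditionalAccessPolicy body.

    Conditions: all users (minus break-glass accounts), all cloud apps, Windows.
    Control: grant only when Intune reports the device as compliant, which is
    where the 'current AV signature' requirement is actually evaluated.
    """
    return {
        "displayName": "Require compliant Windows device for all apps",
        # Report-only first: sign-in logs show the would-be outcome without enforcing it
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
            "applications": {"includeApplications": ["All"]},
            "platforms": {"includePlatforms": ["windows"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    }


def lint_policy(policy):
    """Return findings for common mistakes before a policy is pushed to Graph."""
    findings = []
    users = policy["conditions"]["users"]
    controls = policy["grantControls"].get("builtInControls", [])
    if "All" in users.get("includeUsers", []) and not users.get("excludeUsers"):
        findings.append("scopes all users but excludes no break-glass account")
    if policy["state"] == "enabled" and "block" in controls:
        findings.append("enforced block policy; validate in report-only mode first")
    if policy["grantControls"].get("operator") == "OR" and len(controls) > 1:
        findings.append("OR operator: satisfying any single control grants access")
    return findings


if __name__ == "__main__":
    # Constructed placeholder object ID for the emergency-access account
    policy = build_compliant_device_policy(["00000000-0000-0000-0000-000000000000"])
    print(json.dumps(policy, indent=2))
    print("findings:", lint_policy(policy))
```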
Entra ID CA is only one platform with security orchestration capabilities; many security platforms in use today have added enhanced capabilities, and updated the user experience, to support Zero Trust.
For additional information, please visit the Conditional Access overview page, and note at the bottom how these functions contribute to Zero Trust.
tony d0t carothers –gmail
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.