Microsoft Conditional Access Changes - Potential Vulnerabilities


Conditional Access policies are a feature of Azure Active Directory (Azure AD) that let administrators control how users gain access to resources in a secure fashion. For example, you may decide that your Azure administrators must always use multi-factor authentication to sign in, or that your users are always allowed to access resources from your main office or from a corporate-managed device. Conditional Access requires an Azure AD Premium P1 licence and is managed via the Azure portal.


Late last year Microsoft provided a number of out-of-the-box "baseline" Conditional Access policies designed to secure your Azure environment with a few clicks. These were not without their issues (notably, the "Require MFA for admins" baseline policy allowed no exclusions, which made keeping a break-glass admin account impossible), but they did achieve their goal of providing a minimum level of security, mainly for your high-privilege administrative users, without the need to spend time evaluating and developing a detailed Conditional Access policy for your environment.


In late December 2019, Microsoft announced that these baseline policies are being deprecated. The simple security policies that admins could apply with a few clicks will be lost, and your organisation could be left vulnerable if steps are not taken to replace them with equivalent custom Conditional Access policies before the deadline of 28th February. With organisations increasingly focusing on cloud security, letting these policies expire without taking any remedial action could expose organisations to additional security risk, something highlighted during the Ignite session on Conditional Access.


With additional features now being added to Conditional Access, such as persistent browser sessions and configurable sign-in frequency, now is a good time to review your Conditional Access configuration. It is also worth reviewing related areas, such as your current role-based access control for Azure, and introducing technologies such as Azure AD Privileged Identity Management to further secure your admin roles.
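The following is an added example, not code from HybrIT or from Microsoft, showing how the deprecated "Require MFA for admins" baseline policy described above can be rebuilt as a custom Conditional Access policy, this time with a break-glass exclusion, and how the sign-in frequency and persistent browser session controls mentioned above can be attached to the same policy. It assumes the Microsoft Graph PowerShell SDK (the Microsoft.Graph module), an account holding the Conditional Access Administrator role, and uses a placeholder break-glass UPN, a placeholder policy name and a representative list of admin role names that you should adjust to your tenant.

```powershell
# Added example (not HybrIT's or Microsoft's code). Assumes the Microsoft Graph
# PowerShell SDK is installed (Install-Module Microsoft.Graph) and that the
# signed-in account can manage Conditional Access. UPNs, role list and policy
# name below are placeholders / assumptions.

$scopes = @('Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
            'Directory.Read.All', 'User.Read.All')
Connect-MgGraph -Scopes $scopes

# 1. Resolve the break-glass account first; never create an admin MFA policy
#    without an exclusion for it (the baseline policy could not express this).
$breakGlassUpn = 'breakglass@contoso.onmicrosoft.com'   # placeholder
$breakGlass = Get-MgUser -Filter "userPrincipalName eq '$breakGlassUpn'"
if (-not $breakGlass) {
    throw "Break-glass account $breakGlassUpn not found; create it before applying this policy."
}

# 2. Conditional Access scopes roles by directory role *template* ID, so resolve
#    the display names at runtime rather than hard-coding GUIDs.
#    Representative set of privileged roles; adjust to your tenant.
$adminRoleNames = @(
    'Global Administrator', 'Security Administrator', 'Conditional Access Administrator',
    'Exchange Administrator', 'SharePoint Administrator', 'Privileged Role Administrator',
    'User Administrator', 'Helpdesk Administrator', 'Billing Administrator'
)
$roleTemplateIds = Get-MgDirectoryRoleTemplate |
    Where-Object { $_.DisplayName -in $adminRoleNames } |
    Select-Object -ExpandProperty Id
if (@($roleTemplateIds).Count -ne $adminRoleNames.Count) {
    Write-Warning 'Some role names did not resolve; compare against Get-MgDirectoryRoleTemplate.'
}

# 3. Build the replacement policy. It starts in report-only mode so you can
#    check the sign-in logs (and that the break-glass account is unaffected)
#    before switching state to 'enabled'.
$policy = @{
    displayName = 'Admins: require MFA, 12h sign-in frequency, no persistent browser'  # placeholder
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeRoles = @($roleTemplateIds)
            excludeUsers = @($breakGlass.Id)
        }
        # persistentBrowser requires the policy to target all cloud apps
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
    sessionControls = @{
        # Re-prompt admins every 12 hours and never keep a persistent browser session
        signInFrequency   = @{ isEnabled = $true; type = 'hours'; value = 12 }
        persistentBrowser = @{ isEnabled = $true; mode = 'never' }
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created '$($created.DisplayName)' ($($created.Id)) in state $($created.State)"

# 4. Tenant-wide sanity check: list every policy that does NOT exclude the
#    break-glass account, since any one of them could lock you out.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.Conditions.Users.ExcludeUsers -notcontains $breakGlass.Id } |
    Select-Object DisplayName, State
```

Leave the policy in report-only for a few days and review the Conditional Access insights in the sign-in logs before enabling it; then test the break-glass account in a private browser session to confirm it is genuinely excluded before the baseline policies disappear.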


HybrIT understand these technologies and have a wealth of experience deploying these to our customers. If this is something that we can help with then don't hesitate to contact us.
