
Conditional Access Abuse

Tuesday, October 4th, 2022

What is Conditional Access

Conditional Access is one of Microsoft’s most powerful security features and the central engine for their zero trust architecture.
- Daniel Chronlund

In the article “The Attackers Guide to Azure AD Conditional Access”, Daniel Chronlund states that “if you don’t understand how Conditional Access works, it might bring you a false sense of security.”

Conditional Access is at the heart of Zero Trust methodologies and helps to govern the trust that many employees/security teams have at their organizations. It is a premium feature for Azure Active Directory and is disabled by default.

Conditional Access policies at their simplest are if-then statements: if a user wants to access a resource, then they must complete an action. Example: a payroll manager wants to access the payroll application and is required to complete multi-factor authentication to access it.

Before you beat me to it… Nope, I’m not talking about trusting your employees personally - I’m talking about trusting the devices within the organization and that the users of those devices are who they say they are.

Conditional Access Workflow from Daniel’s Blog

Daniel's Blog

Ensure the Testing of Conditional Access

Make sure you regularly test the following:

  • Exploit Legacy Authentication

  • Identify Conditional Access Policy excluded users

  • Identify Conditional Access Policy excluded apps

  • Avoid each available condition by interpreting the Conditional Access error messages

  • If denied repeatedly, attempt some of the other attacks that Daniel mentions in his blog here.

Tips for Defenders

  • Ensure the use of a quality SIEM to capture log events and anomalies (e.g. SentinelOne)

  • Capture and monitor Azure AD sign-ins/attempts

  • Implement Azure AD Identity Protection for advanced risk-based Conditional Access protection.
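
The excluded-user, excluded-app and legacy-authentication checks from the testing list can also be reviewed from the defender side by auditing the tenant's own policy definitions. The script below is an added example, not code from this post or from Daniel's blog; it assumes the policies were exported as JSON from Microsoft Graph (`/identity/conditionalAccess/policies`), and the sample data and the `audit_policies` function name are constructed for illustration.

```python
import json

# Constructed sample shaped like Microsoft Graph conditionalAccessPolicy objects
# (GET /identity/conditionalAccess/policies). Names and IDs are made up.
SAMPLE_EXPORT = json.loads("""
{"value": [
 {"displayName": "Require MFA for all users", "state": "enabled",
  "conditions": {
   "users": {"includeUsers": ["All"], "excludeUsers": ["user-id-aaaa"],
             "excludeGroups": ["group-id-bbbb"], "excludeRoles": []},
   "applications": {"includeApplications": ["All"], "excludeApplications": ["app-id-cccc"]},
   "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"displayName": "Block legacy authentication", "state": "enabledForReportingButNotEnforced",
  "conditions": {
   "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": [], "excludeRoles": []},
   "applications": {"includeApplications": ["All"], "excludeApplications": []},
   "clientAppTypes": ["exchangeActiveSync", "other"]},
  "grantControls": {"operator": "OR", "builtInControls": ["block"]}}
]}""")
LEGACY_CLIENTS = {"exchangeActiveSync", "other"}  # Graph values for legacy protocols


def audit_policies(export):
    """Return ({policy name: exclusions}, legacy_auth_blocked) for enforced policies."""
    exclusions, legacy_blocked = {}, False
    for policy in export.get("value", []):
        if policy.get("state") != "enabled":
            continue  # report-only and disabled policies enforce nothing
        cond = policy.get("conditions") or {}
        users = cond.get("users") or {}
        apps = cond.get("applications") or {}
        found = {"users": users.get("excludeUsers"), "groups": users.get("excludeGroups"),
                 "roles": users.get("excludeRoles"), "apps": apps.get("excludeApplications")}
        found = {kind: ids for kind, ids in found.items() if ids}
        if found:
            exclusions[policy.get("displayName", "<unnamed>")] = found
        controls = (policy.get("grantControls") or {}).get("builtInControls") or []
        covers_legacy = LEGACY_CLIENTS <= set(cond.get("clientAppTypes") or [])
        if "block" in controls and covers_legacy and "All" in (users.get("includeUsers") or []):
            legacy_blocked = True
    return exclusions, legacy_blocked


if __name__ == "__main__":
    found, blocked = audit_policies(SAMPLE_EXPORT)
    for name, items in found.items():
        print(f"{name}: excluded {items}")
    print("Legacy authentication blocked for all users:", blocked)
```

In the constructed sample the legacy-authentication block is report-only, so the audit reports it as not enforced. Each exclusion it lists should map to a documented, monitored exception such as a break-glass account.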

Microsoft Conditional Access

SentinelOne Solution

Daniel's Blog

Big thanks to Daniel for his incredible writeup on Conditional Access Abuse. Check out his content here: https://danielchronlund.com/mentions/danielchronlund/
