A Microsoft 365 Conditional Access policy is a feature that allows administrators to control access to Microsoft 365 services based on specific conditions and attributes, including:
Microsoft sets various licensing requirements for Conditional Access policies. The basic requirement for Conditional Access to be available in Azure AD/O365 is an Azure AD Premium P1 or a Microsoft 365 Business Premium license.
Further real-time and calculated risk functions are available with Azure AD Identity Protection.
Given the attack surface that Microsoft's online and cloud services now present, Secure-ISS recommends that customers and partners implement a number of use cases to restrict access to services based upon location.
For organisations using Intune, policies should also incorporate device risk and compliance settings.
Reducing the number of geographic locations that have access to services can significantly reduce your attack surface.
We would recommend that logins from countries outside of Australia are restricted or, where this isn't achievable, that further challenges are put in place before a user is granted access to a service.
Where users are mobile, create a Security Group that includes the approved users who can log in from overseas locations. This policy should include more frequent challenges for access to services (for instance, a user may be required to re-authenticate and provide an MFA code once every 24 hours).
Ensure that all Administrators are challenged via a second factor of authentication regardless of location.
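The three recommendations above, expressed as Conditional Access policies created with the Microsoft Graph PowerShell SDK (an added example, not from the original article or from Secure-ISS). The security group ID is a placeholder, and every policy is created in report-only state so its effect can be checked in the sign-in logs before it is enforced.

```powershell
# Added example (not from the original article). Assumes the Microsoft.Graph
# modules are installed and the group ID below is replaced with a real value.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All','Directory.Read.All'
$overseasGroupId = '<GUID-of-approved-overseas-users-group>'   # placeholder
# 1. Named location covering Australia only
$au = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'Australia'
    countriesAndRegions               = @('AU')
    includeUnknownCountriesAndRegions = $false
}
# 2. Block every sign-in from outside Australia, except for the approved group.
#    Add emergency-access (break-glass) accounts to excludeUsers before enforcing.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'CA01 - Block sign-in from outside Australia'
    state         = 'enabledForReportingButNotEnforced'   # report-only first
    conditions    = @{
        users        = @{ includeUsers = @('All'); excludeGroups = @($overseasGroupId) }
        applications = @{ includeApplications = @('All') }
        locations    = @{ includeLocations = @('All'); excludeLocations = @($au.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
# 3. Approved overseas users: MFA, and re-authentication once every 24 hours
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName     = 'CA02 - Overseas users require MFA daily'
    state           = 'enabledForReportingButNotEnforced'
    conditions      = @{
        users        = @{ includeGroups = @($overseasGroupId) }
        applications = @{ includeApplications = @('All') }
        locations    = @{ includeLocations = @('All'); excludeLocations = @($au.Id) }
    }
    grantControls   = @{ operator = 'OR'; builtInControls = @('mfa') }
    sessionControls = @{ signInFrequency = @{ isEnabled = $true; type = 'days'; value = 1 } }
}
# 4. Every directory administrator role requires MFA regardless of location
$adminRoleIds = (Get-MgDirectoryRoleTemplate | Where-Object DisplayName -like '*Administrator').Id
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'CA03 - Administrators require MFA'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{ includeRoles = $adminRoleIds }
        applications = @{ includeApplications = @('All') }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
```

Once the report-only results look right, change `state` to `enabled` with Update-MgIdentityConditionalAccessPolicy.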
To access conditional access policy settings: