
Security Simplified: Conditional Access

CyberDuo

The current security playing field travels beyond an organization’s network and incorporates user and device identity. These identity indicators can be used by organizations as part of access control decisions.

What is Conditional Access?

Conditional Access is a capability that better protects users and enterprise data by ensuring that access to apps is granted to secure devices only. Conditional Access policies are if-then statements; if a user wants access, then an action must be completed.

Security conditions can be specified that devices and applications must satisfy before they can run and access data from the network. This is done by enforcing policies on applications that stop them from running until the device is restored to a compliant state. Conditional Access allows controlled access to enterprise information based on the device's risk level, which keeps access exclusive to trusted users using trusted apps on trusted devices.

Microsoft Intune device compliance policies and Azure Active Directory conditional access policies together make up the implementation of Conditional Access in Defender for Endpoint. Using a compliance policy with Conditional Access allows app access only to devices that meet one or more device compliance policy rules.

Understanding how Conditional Access works in Microsoft

Under Conditional Access, when a threat is detected on a device, access is blocked until the threat is remediated. The process starts with determining the risk level of a device as low, medium, or high, then sending this information to Intune. Policies can be set up to apply only when certain conditions are met; for example, Intune can be configured to apply Conditional Access only to high-risk devices.

Within Intune, Azure AD Conditional Access and a device compliance policy work together to block access to applications while an automated investigation and remediation process runs. The user can still use the device during that process; only access to enterprise data is blocked until the threat is fully eliminated. The device must be returned to a compliant state to resolve the risk found, and it only returns to a compliant state once no risk is detected. Once the risk is removed through remediation and the device is compliant again, access to applications and data is restored.
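As an added example that is not part of the original post and not Microsoft's implementation, the following Python simulation models the if-then flow described above: a constructed device accumulates detected threats with a severity, its risk level is the highest open severity, an Intune-style compliance rule marks it non-compliant at or above a configurable threshold, and a Conditional Access rule blocks only the protected app while the device is non-compliant, so the device itself stays usable. The app names, threat ids and the CLEAR level are constructed assumptions. It goes slightly beyond the page in that the threshold is a parameter, so both the "high-risk devices only" configuration and the stricter "compliant only when no risk is detected" rule can be walked through with the same code.

```python
"""Simulation of a Conditional Access decision loop (added example, not
Microsoft's code). Device, app and threat names are constructed."""
from dataclasses import dataclass, field
from enum import IntEnum


class RiskLevel(IntEnum):
    """Risk level reported for a device: low/medium/high as in the text.
    CLEAR is a constructed name for 'no risk detected'."""
    CLEAR = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass
class Device:
    device_id: str
    # open threats: constructed threat id -> severity of that threat
    open_threats: dict = field(default_factory=dict)

    @property
    def risk(self) -> RiskLevel:
        """Device risk is the highest severity among unresolved threats."""
        if not self.open_threats:
            return RiskLevel.CLEAR
        return max(self.open_threats.values())


@dataclass
class CompliancePolicy:
    """Intune-style compliance rule: the device is non-compliant once its
    risk reaches block_at. block_at=HIGH reproduces 'apply only to
    high-risk devices'; block_at=LOW means any detected risk is enough."""
    block_at: RiskLevel

    def is_compliant(self, device: Device) -> bool:
        return device.risk < self.block_at


@dataclass
class ConditionalAccessPolicy:
    """If-then rule: IF a user requests a protected app from a device,
    THEN the device must be compliant, otherwise that access is blocked."""
    protected_apps: frozenset
    compliance: CompliancePolicy

    def evaluate(self, app: str, device: Device) -> str:
        if app not in self.protected_apps:
            return "grant"   # policy does not cover this app; device stays usable
        if self.compliance.is_compliant(device):
            return "grant"
        return "block"       # blocked until remediation restores compliance


def report_threat(device: Device, threat_id: str, severity: RiskLevel) -> None:
    """Endpoint detection records a threat; device risk rises accordingly."""
    device.open_threats[threat_id] = severity


def remediate(device: Device, threat_id: str) -> None:
    """Automated remediation closes a threat; risk is recomputed from the rest."""
    device.open_threats.pop(threat_id, None)


def run_scenario(block_at: RiskLevel = RiskLevel.HIGH) -> list:
    """Walk one constructed device through detection, block, remediation and
    re-grant. Returns (step, risk name, decision for protected app,
    decision for unprotected app) tuples."""
    policy = ConditionalAccessPolicy(
        protected_apps=frozenset({"mail"}),          # constructed app name
        compliance=CompliancePolicy(block_at=block_at),
    )
    dev = Device("laptop-01")                        # constructed device id
    trace = []

    def check(step: str) -> None:
        trace.append((step, dev.risk.name,
                      policy.evaluate("mail", dev),   # protected app
                      policy.evaluate("wiki", dev)))  # unprotected app

    check("baseline")
    report_threat(dev, "T-1", RiskLevel.MEDIUM)
    check("medium threat detected")
    report_threat(dev, "T-2", RiskLevel.HIGH)
    check("high threat detected")
    remediate(dev, "T-2")
    check("high threat remediated")
    remediate(dev, "T-1")
    check("all threats remediated")
    return trace


if __name__ == "__main__":
    for row in run_scenario():
        print(row)
```

With the default threshold the protected app is blocked only while the high-severity threat is open, while the unprotected app is granted throughout, which is the "user can still use the device, only enterprise data is blocked" behaviour the text describes; calling `run_scenario(RiskLevel.LOW)` shows the stricter variant where access stays blocked until no threat remains.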