Pricing  Get Quote
 
 

Conditional access policies

Conditional access

The remote work model has proven to be advantageous to organizations and many have offered their workforce the option to work from home currently. As remote users are more susceptible to cyberattacks, strict security measures like multi-factor authentication (MFA) need to be enforced to prevent mishaps. But applying a stringent organization-wide access policy like MFA might have adverse effects on the user experience. While two or three-factor authentication can secure remote logins, it might be an unnecessary hassle for on-premise users already secured within the perimeter of the office. A more efficient approach is to apply access policies based on context. ADSelfService Plus' Conditional Access feature helps achieve this. The feature aids organizations in:

  • Implementing access controls without IT administrator intervention.
  • Improving an organization's security posture without affecting the user experience.

Automate access decisions with conditional access

Conditional access implements a set of rules that analyze various risk factors, such as IP address, time of access, device, and the user's geolocation, to enforce automated access control decisions. The decisions are implemented in real time based on user risk factors to avoid unnecessarily strict security measures imposed in no-risk scenarios. This ensures an enhanced user experience without affecting security.

Some of the common scenarios and the corresponding security measures that can be applied using conditional access:

  • Mandating biometric authentication during IT admin logins.
  • Allowing access from authorized machines only to important applications through single sign-on (SSO).
  • Enforcing three levels of authentication for password reset requests from untrusted IPs, or from computers that are not joined to the domain.

How does conditional access work?

Before learning how conditional access work, let us look at the basics of building a conditional access rule:

  1. Conditions

    This includes the list of factors that may make or break the security of your organization. ADSelfService Plus enables you to configure conditions based on the following risk factors:

    • IP address (trusted and untrusted)
    • Device (device type and platform)
    • Business hours (business hours and non-business hours)
    • Geolocation (based on request origin)
  2. Criteria

    After configuring the conditions, a criteria can be devised using operators like AND, OR, and NOT. It is this criteria that is associated with the access policy.

  3. Access policy

    The criteria is then associated with a preconfigured access policy, referred to in ADSelfService Plus as a self-service policy. IT admins can create self-service policies and enable specific features for users belonging to particular domains, organizational units (OUs), and groups.

For more details about building conditional access rules, check out the guides on self-service policy and conditional access configuration.

Once a conditional access rule is built, here is what happens:

conditional-access-policy

  1. A user attempts to log into their machine, or after logging in, tries to access an application or one of the self-service features in ADSelfService Plus.
  2. Based on predefined conditions, risk factors such as the user's IP address, time of access, and geolocation are analyzed.
  3. If the data satisfies the conditions, the user is assigned to a self-service policy that enables one of these actions:
    • Complete access to the domain account and features.
    • Secure access using MFA.
    • Limited access to certain features.
    • Restricted access to particular features.
  4. If the user does not satisfy any of the configured conditional access rules, a self-service policy will be applied based on the user's group or OU.

Here are some use cases that illustrate the above process.

Use case 1: When remote logins to an organization's Active Directory (AD) domain need to be secured using MFA.

In our example, consider that on-premises users make up 50 percent of your organization's workforce. Another 20 percent are remote users. The remaining 30 percent are users that alternate between remote and on-premises work models as required. We will have to enforce MFA for users who login remotely. Leveraging conditional access for this scenario involves:

  1. Enforcing a self-service policy that enables endpoint MFA is configured.
  2. Configuring two conditions:
    • IP address: A list of trusted IP addresses is provided.
    • Location: Selecting locations outside the organization's premises.
  3. Creating the following criteria:

    (NOT trusted IP addresses) AND selected locations

  4. The criteria is associated with a self-service policy.

Here is how this conditional access policy will work:

When a user tries to log into a machine, the user's IP address and geolocation are analyzed. If it is not a trusted IP address, and a selected geolocation, the criteria is satisfied and the user is assigned the self-service policy that enforces endpoint MFA. When the conditions aren't satisfied, any other self-service policy that applies to the user is assigned.

Use case 2: Allow only users with domain-joined machines to access enterprise applications using SSO.

Enterprise applications are often used to process and store sensitive user data. Since most of these applications are now deployed in the cloud and outside the security perimeter of your network, they are a favorite target for cyber attackers. They use phishing and other attack techniques to gain access to the applications and exfiltrate data remotely. With conditional access, you can allow only users who have a domain-joined computer to access important applications that contain sensitive data. You can go one step further and permit only a list of trusted IP addresses to access critical applications, ensuring that attackers can't have access to these applications even if they steal your users' credentials. Here is an example for configuring a conditional access rule for this scenario:

  1. Configuring a self-service policy that enables SSO for the required applications.
  2. Configuring two conditions:
    • IP address-based: A list of trusted IP addresses is provided.
    • Device-based: All domain-joined computer objects are selected.
  3. Creating the following criteria:

    Trusted IP addresses AND Selected computer objects

  4. Associating the criteria with the created self-service policy.

Here is how this conditional access rule will work:

When a user tries to login to an enterprise application through SSO, the device IP address and type are analyzed. If it is a trusted IP address, and the computer object belongs to the AD domain, the criteria created is satisfied. Then, the self-service policy associated with the criteria is assigned to the user. This enables the user to access enterprise applications using SSO.

Fortify access management with risk-based contextual authentication.

  Download a free trial now!  Request demo

feature-page-banner

Highlights

Password self-service

Free Active Directory users from attending lengthy help desk calls by allowing them to self-service their password resets/ account unlock tasks. Hassle-free password change for Active Directory users with ADSelfService Plus ‘Change Password’ console. 

One identity with Single sign-on

Get seamless one-click access to 100+ cloud applications. With enterprise single sign-on, users can access all their cloud applications with their Active Directory credentials. Thanks to ADSelfService Plus! 

Password/Account Expiry Notification

Intimate Active Directory users of their impending password/account expiry by mailing them these password/account expiry notifications.

Password Synchronizer

Synchronize Windows Active Directory user password/account changes across multiple systems, automatically, including Office 365, G Suite, IBM iSeries and more. 

Password Policy Enforcer

Ensure strong user passwords that resist various hacking threats with ADSelfService Plus by enforcing Active Directory users to adhere to compliant passwords via displaying password complexity requirements.

Directory Self-UpdateCorporate Search

Portal that lets Active Directory users update their latest information and a quick search facility to scout for information about peers by using search keys, like contact number, of the personality being searched.

ADSelfService Plus trusted by

A single pane of glass for complete self service password management