The remote work model has proven to be advantageous to both organizations and employees and is here to stay. As remote users are more susceptible to cyberattacks, strict security measures like multi-factor authentication (MFA) need to be enforced to prevent data breaches. However, applying a stringent, organization-wide access policy like MFA might have adverse effects on the user experience. While two- or three-factor authentication can secure remote logins, it might be an unnecessary hassle for on-premises users already secured within the perimeter of the office. A more efficient approach is to apply access policies based on context. ADSelfService Plus' Conditional Access feature helps achieve this. This aids organizations in:
Conditional access implements a set of rules that analyze various risk factors, such as IP address, time of access, device, and the user's geolocation, to enforce automated access control decisions. The decisions are implemented in real time based on user risk factors to avoid unnecessarily strict security measures imposed in no-risk scenarios. This ensures an enhanced user experience without affecting security.
Some of the common scenarios and the corresponding security measures that can be applied using conditional access include:
Before learning how conditional access works, let's look at the basics of building a conditional access rule:
This includes the list of factors that may make or break the security of your organization. ADSelfService Plus enables you to configure conditions based on the following risk factors:
After configuring the conditions, criteria can be devised using operators like AND, OR, or NOT. It is this criteria that is associated with the access policy.
The criteria is then associated with a preconfigured access policy, referred to in ADSelfService Plus as a self-service policy. IT admins can create self-service policies and enable specific features for users belonging to particular domains, organizational units (OUs), and groups.
For more details about building conditional access rules, check out the guides on self-service policy and conditional access configuration.
Once a conditional access rule is built, here is what happens:
In our example, consider that on-premises users make up 50% of your organization's workforce. Another 20% are remote users. The remaining 30% are users that alternate between remote and on-premises work models as required. We will have to enforce MFA for users who log in remotely. Leveraging conditional access for this scenario involves:
When a user tries to log in to an enterprise application through SSO, the device IP address and type are analyzed. If it is a trusted IP address and the computer object belongs to the AD domain, the criteria created is satisfied. Then, the self-service policy associated with the criteria is assigned to the user. This enables the user to access enterprise applications using SSO
Enterprise applications are often used to process and store sensitive user data. Since most of these applications are now deployed in the cloud and outside the security perimeter of your network, they are a favorite target for cyberattackers. They use phishing and other attack techniques to gain access to the applications and exfiltrate data remotely. With conditional access, you can allow only users who have a domain-joined computer to access important applications that contain sensitive data. You can go one step further and permit only a list of trusted IP addresses to access critical applications, ensuring that attackers can't have access to these applications even if they steal your users' credentials. Here is an example for configuring a conditional access rule for this scenario:
When a user tries to log in to an enterprise application through SSO, the device IP address and type are analyzed. If it is a trusted IP address and the computer object belongs to the AD domain, the criteria created is satisfied. Then, the self-service policy associated with the criteria is assigned to the user. This enables the user to access enterprise applications using SSO.
Use over 20 advanced authentication factors to implement MFA
Moderate access to machines, VPNs, RDP, OWA, and the Exchange admin center from a single console
Enable granular conditional access policies for different departments in the organization
Enable context-based MFA with 19 different authentication factors for endpoint and application logins.
Learn moreEnable context-based MFA with 19 different authentication factors for endpoint and application logins.
Learn moreDelegate profile updates and group subscriptions to end users and monitor these self-service actions with approval workflows.
Learn moreEnhance remote work with cached credential updates, secure logins, and mobile password management.
Learn moreEstablish an efficient and secure IT environment through integration with SIEM, ITSM, and IAM tools.
Learn moreSimplify auditing with predefined, actionable reports about authentication failures, logon attempts, and blocked users.
Learn more
