What is conditional access?
Conditional access is the process of protecting access to IT resources based on predefined conditions. By creating access policies based on users’ device types, time of access, IP addresses, or geolocation, you can strictly control access to your network and data. Conditional access provides added security and helps prevent attackers from gaining access to IT resources.
ADSelfService Plus helps you implement conditional access to ensure only authorized users have access to workstations, applications, and various features that are available in ADSelfService Plus, including Change Password and Directory Self-Update.
Understanding how conditional access works in ADSelfService Plus
To understand how conditional access works in ADSelfService Plus, start with the basics. Conditional access relies on conditions and a criteria, which together make up a conditional access rule. This rule determines which self-service policy is applied to a user, which in turn determines the multi-factor authentication methods, cloud applications, and self-service features that are enabled for that user.
A condition is a user-related factor, such as device type, IP address, or geolocation. You can enable any one or multiple conditions as per your requirement. ADSelfService Plus supports the following conditions:
- IP address: Controls access based on the IP address of the user. You can configure static IPs, proxy server IPs, and VPN IPs. You can either opt to trust or untrust the configured IPs. Trusted IPs will be allowed access, while untrusted IPs will be denied access.
- Device: Controls access based on the computer object from which the request originates and the platform it runs on (Windows, macOS, Linux, mobile web app, or mobile native app).
- Business hours: Controls access based on business hours or non-business hours.
- Geolocation: Controls access based on the location from which the request originated.
Note: The geolocation condition relies on the user's IP address to determine the location. Hence, only access from public IP addresses can be evaluated; users with private IP addresses will fail this condition.
Once you have enabled the conditions you need, you can combine them using AND, OR, and NOT operators to formulate a criteria. The criteria determines how the different conditions are evaluated to decide the result of an access request.
For example, assume your users are located all over the world except in some countries. You need to ensure that they access resources only during business hours and only from trusted IP addresses. In such a case, you need to enable the IP address condition (1) with the trusted IPs, the business hours condition (2) with the allowed time, and the geolocation condition (3) with the countries where you don’t have users. Then, you can use a criteria like the one below:
Criteria: 1 AND 2 AND (NOT 3)
Conditional access rule
A conditional access rule consists of enabled conditions and a criteria that is associated with a self-service policy. A self-service policy allows you to enable the product’s features and configure how it should work for different sets of users based on their OU and group membership. By associating the conditions and criteria with one or more self-service policies, you create a conditional access rule.
If you create multiple conditional access rules, you have the option to prioritize them. So, if a user falls under multiple rules, the rule with the highest priority will take effect, and subsequently the self-service policies associated with that rule will be applied to the user. If a user does not fall under any conditional access rule, then the self-service policies will be applied based on the priority set to the policies in the Policy Configuration page.
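To make the criteria syntax and the rule priority concrete, here is a small evaluator, added as an example and not part of ADSelfService Plus. It parses a criteria string such as 1 AND 2 AND (NOT 3), evaluates it against the per-condition results of a request, checks that a criteria references only enabled conditions, and then applies the priority behaviour described above: the first enabled rule whose criteria passes decides the policies, otherwise the order from the Policy Configuration page applies. The Rule class, the sample rule and policy names, and the operator precedence (NOT binds tighter than AND, which binds tighter than OR) are assumptions; the product documents no precedence, so parenthesise criteria as the page's own examples do.

```python
"""Criteria evaluation and rule prioritisation for conditional access rules.
Added example, not ADSelfService Plus code. The criteria grammar (numbered
conditions combined with AND, OR, NOT and parentheses) and the priority order
follow the page; Rule, the precedence and the sample values are assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List

_TOKEN = re.compile(r"\s*(\d+|AND|OR|NOT|\(|\))\s*", re.IGNORECASE)


def tokenize(criteria: str) -> List[str]:
    """Split "1 AND (NOT 3)" into ["1", "AND", "(", "NOT", "3", ")"]."""
    tokens, pos = [], 0
    while pos < len(criteria):
        m = _TOKEN.match(criteria, pos)
        if not m:
            raise ValueError(f"unexpected text at offset {pos}: {criteria[pos:]!r}")
        tokens.append(m.group(1).upper())
        pos = m.end()
    return tokens


class _Evaluator:
    """Recursive descent over the tokens; NOT binds tightest, then AND, then OR (assumed)."""

    def __init__(self, tokens: List[str], results: Dict[int, bool]):
        self.tokens, self.pos, self.results = tokens, 0, results

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a condition number'}, got {tok!r}")
        self.pos += 1
        return tok

    def _chain(self, operand, op, combine) -> bool:  # operand (op operand)*
        value = operand()
        while self.peek() == op:
            self.take()
            value = combine(value, operand())
        return value

    def expr(self) -> bool:  # expr := term (OR term)*
        return self._chain(self.term, "OR", lambda a, b: a or b)

    def term(self) -> bool:  # term := factor (AND factor)*
        return self._chain(self.factor, "AND", lambda a, b: a and b)

    def factor(self) -> bool:  # factor := NOT factor | "(" expr ")" | number
        tok = self.take()
        if tok == "NOT":
            return not self.factor()
        if tok == "(":
            value = self.expr()
            self.take(")")
            return value
        if tok.isdigit() and int(tok) in self.results:
            return self.results[int(tok)]
        raise ValueError(f"unexpected token or disabled condition {tok!r}")


def evaluate_criteria(criteria: str, results: Dict[int, bool]) -> bool:
    """`results` maps each enabled condition number to whether the request met it."""
    ev = _Evaluator(tokenize(criteria), results)
    value = ev.expr()
    if ev.peek() is not None:
        raise ValueError(f"unexpected trailing token {ev.peek()!r}")
    return value


def criteria_is_valid(criteria: str, enabled: List[int]) -> bool:
    """Save-time check: parentheses balance and only enabled conditions are referenced."""
    try:
        evaluate_criteria(criteria, {n: False for n in enabled})
        return True
    except ValueError:
        return False


@dataclass
class Rule:
    name: str
    criteria: str
    policies: List[str]  # self-service policies associated with the rule
    enabled: bool = True


def select_policies(rules: List[Rule], results: Dict[int, bool], page_order: List[str]) -> List[str]:
    """`rules` is in priority order (top of the change-priority list first); the first
    enabled rule whose criteria passes wins, else the Policy Configuration page order."""
    for rule in rules:
        if rule.enabled and evaluate_criteria(rule.criteria, results):
            return rule.policies
    return page_order


# Constructed sample: 1 = trusted IP, 2 = business hours, 3 = geolocation in a
# country with no users (the page's worked example).
SAMPLE_RULES = [
    Rule("Office users", "1 AND 2 AND (NOT 3)", ["Full self-service"]),
    Rule("Remote users", "1 AND (NOT 3)", ["Password reset only"]),
]
DEFAULT_POLICY_ORDER = ["Restricted"]
```

Running select_policies(SAMPLE_RULES, {1: True, 2: False, 3: False}, DEFAULT_POLICY_ORDER) skips the higher-priority office rule, since condition 2 failed, and returns the remote users' policies; a request that fails the IP condition falls through to the page order.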
Configuring Conditional Access
- Log in to ADSelfService Plus as an admin.
- Navigate to Configuration → Self-Service → Conditional Access.
- Click Configure New Conditional Access (CA) Rule.
- Enter a CA Rule Name and Description.
- Select the Conditions based on your requirement.
Now, create a Criteria with the conditions you have enabled. You can use AND, OR, and NOT operators to formulate the logic. Each condition is assigned a number: IP Address is 1, Device is 2, and so on. You can use these numbers and the allowed operators to create the Criteria, for example 1 AND (2 OR 3) or 1 AND (3 OR (NOT 4)).
In the Associate Policies drop-down, select the policies that will be applied to users who pass this criteria.
- IP Address
- Select the types of IP addresses by checking the respective boxes.
- For users who connect to your network directly through their client computers, you can enable Static IP.
- If your users connect through a proxy server, you can enable Proxy Server IP.
- If your users connect through a VPN server, you can enable VPN IP.
Note: If you have enabled all three types of IPs, the following rule applies:
* (Static IP AND Proxy IP) OR VPN IP
- Select whether to trust or untrust the entered IPs. Trusted IPs will be allowed access and untrusted IPs will be blocked.
- For Static IPs, enter the range of IP addresses in the IP Range fields. Use the + icon to add more IP ranges. You can also enter individual IPs and use * as a wildcard character to select a whole class of IP addresses.
- Device
- Select the Computers checkbox and then click on the + icon.
- In the Select Client Computer dialog box that opens, select the domain and then the computer objects. Click OK.
- Select the Platforms checkbox and then use the drop-down to select the platforms. You can choose from Windows, macOS, Linux, mobile web app, and native mobile app.
- Business Hours
- Select the Business Hours checkbox.
- Select whether you want to configure business hours or non-business hours by clicking on the corresponding radio button.
- From the Day and Time range provided, configure your business or non-business hours.
Note: The time will be applied based on the time zone you have selected in the Admin → Personalize → Time Zone setting.
- Geolocation
- Select the Geolocation checkbox.
- Select the Countries from the drop-down.
The policy here refers to the self-service policy that you can configure by going to Configuration → Self-Service → Policy Configuration. To learn more, refer to this page.
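The IP address, business hours and geolocation steps above correspond to three checks a request must pass. The following code, added here as an example rather than taken from the product, models them: single-address, range and wildcard matching for static IPs, the documented combination rule when all three IP types are enabled, trust versus untrust, business hours evaluated in the administrator's configured time zone rather than the user's, and the geolocation pre-check that only a public address can be evaluated. The request representation (a dict of observed static, proxy and VPN addresses), the behaviour when fewer than three IP types are enabled, and all sample addresses and times are assumptions constructed for the example.

```python
"""Evaluators for the IP address, business hours and geolocation conditions.

Added example, not ADSelfService Plus code. The combination rule for all three
IP types and the private-IP geolocation note come from the page; the request
representation and the behaviour with fewer IP types enabled are assumptions."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone, tzinfo
from typing import Dict, List, Optional, Tuple


def ip_matches_pattern(ip: str, pattern: str) -> bool:
    """Match one address against a single IP, a range "a-b", or the page's
    wildcard form such as 10.1.*.* (wildcards are IPv4 only here)."""
    addr = ipaddress.ip_address(ip)
    if "-" in pattern:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in pattern.split("-", 1))
        return lo.version == addr.version and lo <= addr <= hi
    if "*" in pattern:
        parts, octets = pattern.split("."), ip.split(".")
        return addr.version == 4 and len(parts) == 4 and all(
            p == "*" or p == o for p, o in zip(parts, octets))
    return addr == ipaddress.ip_address(pattern)


@dataclass
class IpCondition:
    static_ips: Optional[List[str]] = None  # None: that IP type is not enabled
    proxy_ips: Optional[List[str]] = None
    vpn_ips: Optional[List[str]] = None
    trusted: bool = True  # False models "untrust": listed addresses are blocked


def _listed(patterns: Optional[List[str]], ip: Optional[str]) -> bool:
    return bool(patterns) and ip is not None and any(ip_matches_pattern(ip, p) for p in patterns)


def ip_condition_passes(cond: IpCondition, seen: Dict[str, str]) -> bool:
    """`seen` holds the addresses observed for one request, keyed "static",
    "proxy" and "vpn" (a constructed representation). With all three IP types
    enabled the page's rule applies: (Static IP AND Proxy IP) OR VPN IP. With
    fewer types enabled, a match on any enabled type counts (an assumption)."""
    static = _listed(cond.static_ips, seen.get("static"))
    proxy = _listed(cond.proxy_ips, seen.get("proxy"))
    vpn = _listed(cond.vpn_ips, seen.get("vpn"))
    if None not in (cond.static_ips, cond.proxy_ips, cond.vpn_ips):
        listed = (static and proxy) or vpn
    else:
        listed = static or proxy or vpn
    return listed if cond.trusted else not listed


# Weekday (Monday = 0) -> (start, end) window in the administrator's time zone.
BusinessHours = Dict[int, Tuple[time, time]]


def business_hours_condition_passes(instant: datetime, windows: BusinessHours,
                                    admin_tz: tzinfo, non_business: bool = False) -> bool:
    """Hours are interpreted in the zone set under Admin → Personalize → Time
    Zone, not the user's zone, so the request time is converted first.
    `non_business=True` models the non-business hours radio button."""
    local = instant.astimezone(admin_tz)
    window = windows.get(local.weekday())
    inside = window is not None and window[0] <= local.time() < window[1]
    return not inside if non_business else inside


def geolocation_condition_evaluable(ip: str) -> bool:
    """Geolocation is derived from the client IP, so only a public address can
    be evaluated; a private address fails the condition, as the note says."""
    return ipaddress.ip_address(ip).is_global


# Constructed sample values (RFC 1918 and documentation ranges, not real hosts).
SAMPLE_IP_CONDITION = IpCondition(
    static_ips=["10.1.*.*", "192.168.1.10-192.168.1.100"],
    proxy_ips=["203.0.113.7"],
    vpn_ips=["198.51.100.*"],
)
OFFICE_HOURS: BusinessHours = {day: (time(9, 0), time(17, 0)) for day in range(5)}
ADMIN_TZ = timezone(timedelta(hours=-5))  # constructed fixed offset (UTC-5)
MONDAY_MIDMORNING = datetime(2024, 1, 15, 15, 30, tzinfo=timezone.utc)  # 10:30 in UTC-5
MONDAY_EVENING = datetime(2024, 1, 15, 23, 30, tzinfo=timezone.utc)     # 18:30 in UTC-5
SATURDAY = datetime(2024, 1, 13, 15, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(ip_condition_passes(SAMPLE_IP_CONDITION, {"static": "10.1.5.5", "proxy": "203.0.113.7"}))
    print(business_hours_condition_passes(MONDAY_MIDMORNING, OFFICE_HOURS, ADMIN_TZ))
    print(geolocation_condition_evaluable("10.1.5.5"))
```

The time zone conversion is the point most often missed: a user in another region is judged against the administrator's clock, so a rule meant to restrict access to "working hours" should be reviewed against the zone configured under Admin → Personalize.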
Prioritizing the conditional access rules
If you have created multiple conditional access rules, you can set priority for each rule so that the rule with the highest priority is applied to users who fall under multiple rules.
To prioritize the conditional access rules:
- In the Conditional Access configuration page, click on the change priority icon at the top right corner (next to the Configure New Conditional Access (CA) Rule button).
- Drag the rules and order them based on your requirements. The rule at the top will have the highest priority.
Modifying, copying, disabling, and deleting conditional access rules
A rule can be modified to change the conditions or condition logic, copied to create a new rule, disabled, or deleted.
- Go to the Conditional Access configuration page (Configuration > Self-Service > Conditional Access).
- You will see a table containing all the conditional access rules that have been created.
- Under the Actions column, click on an icon based on the action you want to perform.
- Toggle the ☑ and ☒ icons to enable or disable a rule. A ☑ icon means the rule is enabled, and a ☒ icon means the rule is disabled.
- Click on the corresponding icon to modify the rule.
- Click on the corresponding icon to copy the rule and create a new rule from it.
- Click on the corresponding icon to delete a rule.