Conditional access
Conditional access (CA) in ADSelfService Plus is a powerful security feature that allows you to define and enforce granular access policies to your IT resources. You can create access policies using various parameters such as users’ device compliance status, time of access, IP addresses, and geolocation. This ensures stringent control over who can access your network and sensitive data.
With conditional access, you can guarantee that only authorized users gain access to workstations, applications, and specific features within ADSelfService Plus, including external endpoints and third-party applications.
How conditional access works
Conditional access operates by evaluating incoming user access requests against a set of predefined rules. Each rule is made up of conditions combined with logical operators to form its criteria.
When a user attempts to access ADSelfService Plus, their request is assessed to determine if it meets the criteria defined in an active rule. If the conditions are satisfied, the user is granted or restricted access to the ADSelfService Plus portal, or an assigned self-service policy takes effect based on the rule's assignment. The self-service policy then dictates the available MFA methods, accessible enterprise applications, and the self-service features enabled for that user.

Fig.1: How conditional access works in ADSelfService Plus.
Conditions
Conditions are user- or device-related factors that influence access decisions. You can define and select conditions based on the following factors:
IP Address: Configure this condition to evaluate incoming connections based on the source IP. You can specify static IPs, proxy server IPs, or VPN IPs, and classify them as trusted or untrusted IP addresses.
Device: Configure this condition to evaluate the incoming connection based on the type of device it originates from: specific computer objects or the platform (Windows, macOS, Linux, mobile web app, or native mobile app) they run on.
Business hours: Define business and non-business hours, and choose to evaluate the incoming connections based on these defined windows.
Geolocation: Configure this condition by selecting the country of origin determined from public IP addresses.
Criteria
Once you have defined and enabled the conditions you need, combine them using the AND, OR, and NOT operators to formulate the criteria. The criteria determine how the individual conditions are combined to decide the result of an access request.
Access controls
After configuring a conditional access rule, you must define the access controls for it to take effect. You can:
- Assign the rule to a self-service policy, and/or
- Permit or restrict access to the ADSelfService Plus portal using the NTLM SSO and Grant Access options.
Use the appropriate radio buttons to configure these settings for users who satisfy the CA rule.
Configuring conditional access
Rule configuration
To build a conditional access rule, you need to specify conditions and formulate the criteria using logical operators. These conditions are the foundation for every conditional access decision.
Here are the steps for configuring a rule:
- Log in to ADSelfService Plus as an admin.
- Navigate to Configuration > Self-Service > Conditional Access > Rule configuration.
- Click Configure New Conditional Access (CA) Rule.
- Enter a CA Rule Name and Description.
- Select the Conditions based on your requirements. You can choose IP Address, Devices, Business Hours and Geolocation.
IP address
To include this condition in your criteria, select the types of IP addresses to be evaluated by checking the respective boxes:
- For users connecting directly to your network through their client computers, you can enable Static IP.
- If users connect via a proxy server, enable Proxy Server IP.
- If users connect through a VPN server, enable VPN IP. To ensure that IP-based conditional access works for the VPN MFA feature, refer to this section to make the required changes at the NPS extension.
- For static IPs, select whether the IPs you've entered are Trusted or Untrusted. Enter the range of IP addresses in the IP Range fields. Use the + icon to add more IP ranges. You can also enter individual IPs and use * as the wildcard character for selecting an entire class of IP addresses.
- For Proxy Server IPs and VPN IP address, enter the server IP address.
Note: If all three types of IPs are enabled, they are combined as (Static IP AND Proxy IP) OR VPN IP.
Devices
To include this condition in your criteria, you can either enable the Select Devices checkbox or the Select Platform checkbox or both.
- To filter specific devices, enable the Select Devices checkbox and click the + icon. In the Select Devices dialog box that opens, select the domain (if multiple domains are configured) and then the computer objects. Click Save.
- Enable the Select Platforms checkbox and use the drop-down to select the platform(s). You can choose from Windows, macOS, Linux, the ADSelfService Plus mobile web app, the ADSelfService Plus native mobile app, and ManageEngine Applications (which covers requests from ManageEngine application service accounts).
Important: When both Device and Platform conditions are enabled, a device will satisfy the rule if either condition is met.
For example, if you select specific devices A, B, and C under Select Devices and also choose Windows under Select Platform, then all Windows devices, not just A, B, and C, will satisfy the rule.
Note: Devices are identified via reverse DNS lookup. Ensure that DNS records point to the fully qualified domain name (FQDN) of the computer object.
Platform restriction relies on the User-Agent header of the HTTP request. Because this header is supplied by the client, treat platform restriction as a convenience control rather than a strong guarantee of the device type.
Access requests from other ManageEngine products, such as AD360, are identified using the ManageEngine Applications platform.

Business hours
To include this condition in your criteria, select the Business Hours checkbox.
- Configure Business Hours or Non-business Hours by clicking the corresponding radio button.
- From the provided day and time ranges, configure your business or non-business hours.
Note: The time applied is based on the time zone selected in Admin > Personalize > Time Zone.
Geolocation
To include this condition in your criteria, select the Geolocation checkbox.
- Select the applicable countries from the drop-down.
Note: Geolocation-based conditional access relies on the user's IP address to determine the location. Hence, only access from public IP addresses is evaluated; users connecting from private IP addresses are not covered by this condition.
ADSelfService Plus connects to the geolocation server using Zoho Creator. Ensure that https://creator.zoho.com is allowed through your firewall for geolocation-based conditional access to work.

- The Criteria field is populated automatically from the conditions you have enabled. If the generated criteria match your requirements, no further changes are needed; modify them only if you are certain they do not. You can use the AND, OR, and NOT operators to formulate the logic.
- Click Configure to create the new CA Rule.
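To make the evaluation concrete, here is an added Python model (not ADSelfService Plus code) of one CA rule built from the steps above: the (Static IP AND Proxy IP) OR VPN IP default from the IP note, the OR between Select Devices and Select Platform, business hours checked in the admin's time zone, geolocation skipped for private addresses, and a criteria expression combining the conditions with AND, OR and NOT. The IP addresses, host names, time zone and geolocation table are constructed assumptions, and the product's exact matching semantics (including how Untrusted static IPs are treated) are not modelled.

```python
import ipaddress
from datetime import datetime, timedelta, time, timezone
GEOIP = {"203.0.113.10": "US", "203.0.113.20": "FR"}  # constructed stand-in for the geolocation lookup
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def ip_matches(entry, ip):
    """One IP list entry: an exact address or '*' wildcard octets (the syntax the page describes)."""
    if "*" in entry:
        return all(p in ("*", q) for p, q in zip(entry.split("."), ip.split(".")))
    return ip == entry
def ip_condition(cfg, req):
    """All three IP types enabled, so the note's default applies: (Static AND Proxy) OR VPN."""
    hit = lambda key, ip: ip is not None and any(ip_matches(e, ip) for e in cfg[key])
    return (hit("static", req["client_ip"]) and hit("proxy", req["proxy_ip"])) or hit("vpn", req["vpn_ip"])
def device_condition(cfg, req):
    """Select Devices and Select Platform are OR-ed: either match satisfies the condition."""
    return req["device"] in cfg["devices"] or req["platform"] in cfg["platforms"]
def business_hours_condition(cfg, req):
    """Checked in the admin-selected time zone; 'non-business' mode inverts the window."""
    local = req["when"].astimezone(cfg["tz"])
    inside = local.weekday() in cfg["days"] and cfg["start"] <= local.time() < cfg["end"]
    return inside if cfg["mode"] == "business" else not inside
def geolocation_condition(cfg, req):
    """Only public source addresses are looked up; a private (RFC 1918) IP never satisfies this."""
    addr = ipaddress.ip_address(req["client_ip"])
    return not any(addr in net for net in RFC1918) and GEOIP.get(req["client_ip"]) in cfg["countries"]
CONDITIONS = {"IP": ip_condition, "Device": device_condition,
              "BusinessHours": business_hours_condition, "Geolocation": geolocation_condition}

def evaluate(criteria, rule, req):
    """Criteria as nested tuples, e.g. ('AND', 'IP', ('NOT', 'Geolocation')), or a bare condition name."""
    if isinstance(criteria, str):
        return CONDITIONS[criteria](rule[criteria], req)
    op, *args = criteria
    if op == "NOT":
        return not evaluate(args[0], rule, req)
    return (all if op == "AND" else any)(evaluate(a, rule, req) for a in args)

# Constructed rule: office range behind a known proxy (or the VPN), Windows or two named hosts,
# Mon-Fri 09:00-18:00 IST (the admin's time zone), and the source must not geolocate to the listed country.
RULE = {"IP": {"static": ["203.0.113.*"], "proxy": ["198.51.100.5"], "vpn": ["192.0.2.1"]},
        "Device": {"devices": ["ws-a", "ws-b"], "platforms": ["Windows"]},
        "BusinessHours": {"tz": timezone(timedelta(hours=5, minutes=30)), "days": range(5),
                          "start": time(9), "end": time(18), "mode": "business"},
        "Geolocation": {"countries": ["FR"]}}
CRITERIA = ("AND", "IP", "Device", "BusinessHours", ("NOT", "Geolocation"))
def check(when_utc, client_ip, proxy_ip=None, vpn_ip=None, device="", platform=""):
    when = datetime.fromisoformat(when_utc).replace(tzinfo=timezone.utc)  # ISO-8601 UTC timestamp
    return evaluate(CRITERIA, RULE, {"when": when, "client_ip": client_ip, "proxy_ip": proxy_ip,
                                     "vpn_ip": vpn_ip, "device": device, "platform": platform})
```

Calling check("2024-06-03T04:30", "203.0.113.10", proxy_ip="198.51.100.5", device="ws-a") evaluates a Monday 10:00 IST request from the office range through the proxy and returns True; the same request on a Saturday or without the proxy returns False.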
Rule assignment
Once a rule has been configured, the next crucial step is to define its access controls. This determines how the rule will impact user access.
To assign a rule and configure its access controls:
- Log in to ADSelfService Plus as an administrator.
- Navigate to Configuration > Self-Service > Conditional Access > Rule Assignment.
- From the Choose CA rule drop-down, choose the specific CA rule you wish to assign.
- Under the Access Controls section, you must choose how this rule will be applied. You have the following options:
Assign Policies
- Enable this option to link the selected CA rule to one or more existing self-service policies. These policies are configured under Configuration > Self-Service > Policy Configuration (refer to this page for more details).
- If a user satisfies the conditions of this CA rule, the associated self-service policy will determine the available MFA methods, accessible enterprise applications, and enabled self-service features for that user.
Note: Conditional access rules configured with policy assignments take precedence over the standard self-service policy priority defined in the Policy Configuration section.
Example: Consider a user belonging to two self-service policies, where Policy A mandates MFA for ADSelfService Plus portal login and Policy B does not. If Policy A has a higher priority than Policy B in Policy Configuration, but your CA rule is assigned only to Policy B and the user satisfies this CA rule, then MFA will not be prompted for the user because the CA rule's assignment to Policy B overrides the standard policy priority.
NTLM SSO
- Use this option to either allow or deny connection requests made via NTLM Single Sign-On (SSO) if they satisfy the selected CA rule.
Note: This option is enabled only if NTLM authentication is configured in your logon settings.
Grant Access
- Choose to either allow or deny general connection requests to the ADSelfService Plus portal for users who satisfy the selected CA rule.
- Click Save.
Important: By default, CA rules are designed to allow requests. To specifically deny connection requests and prevent users from accessing the ADSelfService Plus portal, you must create a rule with the required conditions and explicitly select the Deny option under Grant Access.

Prioritizing the conditional access rules
If you have created multiple conditional access rules, you can set their priority. The rule with the highest priority is applied to users who fall under multiple rules.
To prioritize conditional access rules:
- On the Conditional Access configuration page, click the change priority icon at the top-right corner (next to the Configure New Conditional Access (CA) Rule button).

- Drag and drop the rules to order them based on your requirements. The rule at the top will have the highest priority.
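An added illustration (not product code) of why rule order matters: the highest-priority enabled rule whose criteria match decides the access controls, disabled rules are skipped, and with no match the default is Allow, as the Important note above states. The rule names, predicates and countries are constructed.

```python
DEFAULT_CONTROLS = {"grant_access": "Allow", "policy": None}  # no rule matched: allowed by default

def resolve(rules, req):
    """rules are in priority order (top of the list first); the first enabled match decides."""
    for rule in rules:
        if rule["enabled"] and rule["criteria"](req):
            return {"rule": rule["name"], "grant_access": rule.get("grant_access", "Allow"),
                    "policy": rule.get("policy")}
    return dict(DEFAULT_CONTROLS, rule=None)

# Constructed rules. Each 'criteria' is a predicate over the request standing in for the rule's
# conditions; 'grant_access' and 'policy' are the access controls set under Rule Assignment.
ALLOW_OFFICE_HOURS = {"name": "Office hours", "enabled": True, "policy": "Policy B",
                      "criteria": lambda r: r["business_hours"]}
DENY_OTHER_COUNTRIES = {"name": "Block other countries", "enabled": True, "grant_access": "Deny",
                        "criteria": lambda r: r["country"] not in {"US", "IN"}}
SHADOWED = [ALLOW_OFFICE_HOURS, DENY_OTHER_COUNTRIES]   # the Deny sits below a broad Allow and never fires
CORRECTED = [DENY_OTHER_COUNTRIES, ALLOW_OFFICE_HOURS]  # the Deny dragged to the top (highest priority)
```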
Modifying, copying, disabling, and deleting CA rules
A rule can be modified to change the conditions or condition logic, copied to create a new rule, disabled, or deleted.
- Go to the Conditional Access configuration page (Configuration > Self-Service > Conditional Access).
- You will see a table containing all the conditional access rules that have been created.
- Under the Actions column, click on an icon based on the action you want to perform.
- Use the enable/disable toggle to enable or disable a rule: a ☑ icon means the rule is enabled, and a ☒ icon means the rule is disabled.
- Click the edit icon to modify the rule.
- Click the copy icon to copy the rule and create a new rule from it.
- Click the delete icon to delete a rule.
Use cases
- Remote access control: Only allow users to reset passwords or unlock accounts from trusted IPs or during business hours when accessing remotely.
- Sensitive data access: Restrict access to specific applications (e.g., HR portal, finance dashboards) to only compliant devices within specific geographies.
- Privileged account management: Require multiple conditions (e.g., trusted IP, business hours, compliant device) for administrative accounts to access ADSelfService Plus features.
- Mobile access restrictions: Allow mobile app access only from compliant mobile devices or during business hours, disallowing web app access from non-compliant mobile browsers.
- Event-based access: During specific events, temporarily adjust access based on location or time, e.g., enabling access from a conference location's IP range for a limited time.
- Blocking risky regions: Automatically deny access from countries known for high cyber threats.