Getting Started with Conditional Access Policies Flashcards
What is Conditional Access?
Conditional Access is an Azure AD feature that allows you to control access to data or assets based on conditions you specify, such as user, location, device, application, and risk. It provides an additional layer of security.
What signals does Conditional Access rely on?
Conditional Access relies on several signals, including user or group membership, named location information, device state, application, real-time sign-in risk detection, cloud apps or actions, and user risk.
How can the User or Group Membership signal be used in Conditional Access policies?
The User or Group Membership signal allows administrators to create policies that target specific users or groups, providing fine-grained control over access to apps and data.
What is the purpose of the Real-time sign-in risk detection signal in Conditional Access?
The Real-time sign-in risk detection signal enables Conditional Access policies to identify risky sign-in behavior and enforce actions such as password changes or multifactor authentication. It helps mitigate the risk of compromised accounts.
Are Conditional Access policies available in all editions of Azure AD?
No, Conditional Access is a feature available only in the paid editions of Azure AD.
What are the two phases of applying a conditional access policy?
The two phases of applying a conditional access policy are Session Details Collection and Enforcement.
What happens during the Session Details Collection phase?
During the Session Details Collection phase, session details such as network location and device identity are collected for policy evaluation. This phase occurs for all enabled policies and policies in report-only mode.
What happens during the Enforcement phase of policy evaluation?
During the Enforcement phase, the policy is enforced based on the collected session details. If a policy is configured to block access, the user is blocked. Otherwise, the user is prompted to satisfy any additional grant control requirements defined in the policy.
What is the order of grant control requirements in the Enforcement phase?
The order of grant control requirements in the Enforcement phase is as follows: multi-factor authentication, approved client app/app protection policy, managed device (compliant or hybrid Azure AD join), terms of use, and custom controls.
Can multiple conditional access policies apply to a user simultaneously?
Yes, multiple conditional access policies can apply to a user at the same time. In such cases, all applicable policies must be satisfied for the user to access the protected resources.