Allowing unfettered access to your data and systems is asking for trouble. Without ensuring your security is at the highest it can be, you are leaving yourself wide open to breaches and potential data loss.
With the implementation of the EU General Data Protection Regulation (GDPR), in 2018, placing greater responsibility on all organisations that hold customer data, the requirement to tighten up access and security has never been more important.
Fortunately, for users of Azure Active Directory (AD) Premium, this can be achieved by implementing something called conditional access. As the name suggests, conditional access limits access to your data by predefined policies
With conditional access control in place, Azure AD checks for the specific conditions you set for a user to access an application. After access requirements are met, the user is authenticated and can access the application.
What can be controlled?
There are 3 controls that you can use to enforce a conditional access policy:
- Multi-factor authentication – you can use multi-factor authentication (MFA) with Azure MFA, or by using an on-premises MFA provider, combined with Active Directory Federation Services (AD FS). Using MFA helps protect resources from being accessed by an unauthorised user who might have gained access to the credentials of a valid user.
- Block – apply conditions such as a user’s location to block their access. For example, you can block access when a user is not on a trusted network.
- Compliant devices – set conditional access policies at the device level. For example, you might set up a policy so that only computers that are domain-joined, or mobile devices that are enrolled in a MDM application, can access your organisation’s resources. For example, you can use Intune to check device compliance, and then report it to Azure AD for enforcement when the user attempts to access an application.
If you would like to find out more about how conditional access can help your organization protect its data, and how to implement it, please contact us.