Conditional Access exclusion management

Niklas Tinner
4 min read · May 17, 2024


Conditional Access in Entra ID is probably the most relevant security technology for controlling access to your corporate resources and keeping identities secure. Policies in Conditional Access should be strict and applied to everyone equally, following the Zero Trust approach. However, sometimes we need exclusions from the policies, and we still need to differentiate between legitimate and unauthorized access: let the good guys in and keep the bad ones out.

In this post I want to focus on access and exclusion management in a secure and controlled manner, using Microsoft security technologies.

Components

  • Entra ID — Microsoft's identity & access management solution, a central cloud-based identity provider. All authentications to an organization's resources (such as Microsoft 365 or SaaS applications with federated IdPs) are evaluated against Entra ID. It handles authentication (verifying who is signing in) and authorization (whether they are allowed to do something).
  • Conditional Access — Part of Entra ID and Entra ID Protection, and the most relevant feature for controlling access based on different conditions and signals. Conditional Access is a rule-based feature configured by an IT admin. Every organization with a Microsoft 365 or Azure subscription should enable Conditional Access to at least enforce MFA.
  • Access Packages — Part of Identity Governance/Entitlement Management in Entra. An access package is a bundle of resources that an end-user can request: group memberships, Microsoft 365 content, or roles, made available self-service.

Access Packages

Access Packages are a convenient feature that lets end-users interact with Entra ID groups (and more), and therefore with Conditional Access policies. Here we use them for exclusion management, and they bring a lot of other benefits along. As a quick reference:

  • Static exclusion: exclude the user/group in the Conditional Access policy
  • Temporary exclusion + advanced features: Access Packages ✅

Benefits

  • Access Packages are end-user friendly and end-user facing
  • Users can request exclusions from policies on their own, without effort from the IT department
  • Exclusions are temporary and targeted, striking a good balance between productivity and security
  • Exclusions (and time extensions) are monitored and must be approved through Access Reviews

Requirements

  • Entra ID Plan 2 license
  • At least the Identity Governance Administrator and Conditional Access Administrator roles in Entra ID

Setup of a sample

In this sample I want to create an Access Package that allows users to access Entra ID cloud apps from an extended list of geographical locations, for example when working remotely.

The setup steps are fairly simple: go to Entra > Identity Governance > Entitlement Management > Access Packages and create a new access package:

Explanation: Users can request this Access Package to be added as a member of the group “sg-CAExcludedLocations”. No initial approval is needed. The access and group membership expire after 7 days, but users can extend the duration. Access Reviews are in place so that the user's manager (taken from the manager attribute in Entra ID) must review and decide whether the exclusion is still required. If the manager doesn't respond, the access package is removed from the user.

This is how the user can request the access on Microsoft MyAccess:

💡 Tip: Give your end-users training resources and simple guides on how to use Microsoft MyAccess.

Conditional Access

To make the exclusion Access Package effective, you need to exclude the group from the Conditional Access policy. First, create a named location in Conditional Access that you can reference later; it contains the list of allowed locations/countries.

The final policy would look something like the following:

Optional, but recommended: at the same time, create a second Conditional Access policy that is assigned only to the exclusion group and allows an extended list of locations (but not every country 😉) to bring in further granularity.

Bonus: Notification

As every exclusion weakens the protection of your infrastructure, it is a good idea to notify and alert whenever a user is added to your exclusion group. I already walked through the technologies and setup you need for this in a previous post. Here's the KQL query that detects whenever someone is added to the group you specify:

AuditLogs
| where OperationName == "Add member to group"
// For this operation TargetResources[0] is the user; pick the "Group.DisplayName" property by name rather than by array position [1]. Its newValue is a JSON-encoded string, hence the extra parse_json.
| mv-apply prop = TargetResources[0].modifiedProperties on (where prop.displayName == "Group.DisplayName")
| extend groupName = tostring(parse_json(tostring(prop.newValue)))
| where groupName == "<INSERT YOUR GROUP NAME>"
| project affectedUser = tostring(TargetResources[0].userPrincipalName), groupName, TimeGenerated, OperationName, Identity, Result
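The same detection logic offline, as an added example that is not part of the original post: it replays constructed AuditLogs-shaped records (not data from any real tenant), decodes the JSON-encoded Group.DisplayName value the KQL above has to double-parse, and reconstructs who is currently in the exclusion group, flagging anyone whose membership is older than the 7-day expiry configured in the access package. The group name, user names and timestamps are constructed; the operation names are the ones Entra ID uses for group membership changes.

```python
import json
from datetime import datetime, timedelta, timezone

# Builds one constructed audit record in the shape of an Entra ID AuditLogs row. For membership
# operations the first TargetResource is the user; its modifiedProperties carry the group name
# in newValue as a JSON-encoded string (json.dumps mimics that encoding).
def _row(time, op, upn, group, actor):
    return {"TimeGenerated": time, "OperationName": op, "Result": "success", "Identity": actor,
            "TargetResources": [{"userPrincipalName": upn, "modifiedProperties": [
                {"displayName": "Group.ObjectID", "newValue": json.dumps("<constructed-group-id>")},
                {"displayName": "Group.DisplayName", "newValue": json.dumps(group)}]}]}

# Constructed sample log: carol is added and later removed, dave joins an unrelated group.
SAMPLE_AUDIT_LOGS = [
    _row("2024-05-10T08:00:00Z", "Add member to group", "alice@contoso.example", "sg-CAExcludedLocations", "Entitlement Management"),
    _row("2024-05-12T09:30:00Z", "Add member to group", "carol@contoso.example", "sg-CAExcludedLocations", "Entitlement Management"),
    _row("2024-05-15T09:30:00Z", "Remove member from group", "carol@contoso.example", "sg-CAExcludedLocations", "Entitlement Management"),
    _row("2024-05-16T07:15:00Z", "Add member to group", "bob@contoso.example", "sg-CAExcludedLocations", "Entitlement Management"),
    _row("2024-05-16T10:00:00Z", "Add member to group", "dave@contoso.example", "sg-Finance", "Admin User"),
]
ASOF = datetime(2024, 5, 17, 12, 0, tzinfo=timezone.utc)  # constructed evaluation time

def group_name_of(record):
    """Pick Group.DisplayName by property name (not array position) and decode its JSON-encoded value."""
    for prop in record["TargetResources"][0].get("modifiedProperties", []):
        if prop.get("displayName") == "Group.DisplayName":
            return json.loads(prop["newValue"])
    return None

def exclusion_events(records, group_name):
    """Offline equivalent of the KQL: (user, operation, actor, time) for every change to the exclusion group."""
    events = []
    for r in records:
        if r["OperationName"] in ("Add member to group", "Remove member from group") and group_name_of(r) == group_name:
            ts = datetime.fromisoformat(r["TimeGenerated"].replace("Z", "+00:00"))
            events.append((r["TargetResources"][0]["userPrincipalName"], r["OperationName"], r["Identity"], ts))
    return sorted(events, key=lambda e: e[3])

def current_exclusions(records, group_name, now, max_age=timedelta(days=7)):
    """Replay add/remove events to list who is still excluded and flag memberships older than max_age."""
    since = {}
    for user, op, _actor, ts in exclusion_events(records, group_name):
        if op == "Add member to group":
            since[user] = ts
        else:
            since.pop(user, None)
    return {user: {"since": ts, "overdue": now - ts > max_age} for user, ts in since.items()}

if __name__ == "__main__":
    for user, info in current_exclusions(SAMPLE_AUDIT_LOGS, "sg-CAExcludedLocations", ASOF).items():
        print(f"{user}: excluded since {info['since'].isoformat()}, overdue={info['overdue']}")
```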
