Conditional Access & External Identities
Source: Azure Master Class v3 - Part 2 - Identity by John Savill
Timestamps: 01:56:00-02:28:19
Conditional Access Overview
📺 Video Reference: 01:56:07
Conditional Access is the Zero Trust policy engine at the heart of modern identity security.
The Core Concept
Zero Trust Mindset
"Never trust, always verify"
Every access request is evaluated based on:
- Who is requesting access
- What they're accessing
- Where they're coming from
- How they authenticated
- What device they're using
Conditional Access Policy Structure
📺 Video Reference: 01:57:42
Every policy has two parts: Assignments (when to apply) and Access Controls (what to do).
Assignments (Conditions)
Access Controls
| Control Type | Options |
|---|---|
| Grant | Block, Allow with conditions |
| Session | Limit capabilities within apps |
Grant Controls
| Control | Description |
|---|---|
| Block access | Deny authentication |
| Grant access | Allow with requirements |
| Require MFA | Must complete MFA |
| Require device compliance | Intune compliant device |
| Require Hybrid Azure AD Join | Domain-joined + synced |
| Require approved client app | Specific app list |
| Require app protection policy | MAM policy applied |
| Require password change | Force immediate change |
| Require authentication strength | Specific MFA type |
Session Controls
| Control | Description |
|---|---|
| App-enforced restrictions | Limited SharePoint/Exchange access |
| Conditional Access App Control | Route through Defender for Cloud Apps |
| Sign-in frequency | How often to re-authenticate |
| Persistent browser session | Remember vs always prompt |
| Customize continuous access evaluation | Real-time policy enforcement |
Common Conditional Access Scenarios
📺 Video Reference: 02:00:32
Scenario 1: Require MFA for Admins
| Setting | Value |
|---|---|
| Users | Directory roles: All admin roles |
| Cloud apps | All cloud apps |
| Grant | Require MFA |
| Exclude | Break glass accounts |
Scenario 2: Block Legacy Authentication
📺 Video Reference: 02:01:48
Legacy authentication protocols (basic auth over IMAP, POP3, SMTP) can't enforce MFA: a valid password alone is enough to sign in!
Block Legacy Auth First
Legacy authentication is the #1 vector for password spray attacks. Block it immediately!
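Scenarios 1 and 2 as policy objects, as an added example that is not part of the course or Microsoft's own code: the two policy bodies are built in the JSON shape Microsoft Graph accepts at POST /identity/conditionalAccess/policies, start in report-only mode, and are linted for the two mistakes that cause lockouts (break-glass accounts not excluded, a block policy with no narrowing condition). The break-glass object IDs are constructed placeholders; the Global Administrator role template ID is the well-known value that is the same in every tenant.

```python
"""Conditional Access policy bodies for Scenario 1 (require MFA for admin roles) and
Scenario 2 (block legacy authentication), in the JSON shape Microsoft Graph accepts at
POST /identity/conditionalAccess/policies, plus a lint pass. Added example, not the
course's code; the account object IDs are constructed placeholders."""
import json

# Constructed placeholder object IDs: replace with your break-glass accounts' real IDs.
BREAK_GLASS_ACCOUNTS = [
    "11111111-1111-1111-1111-111111111111",
    "22222222-2222-2222-2222-222222222222",
]
# Well-known directory role template ID for Global Administrator (identical in every tenant);
# add the template IDs of the other admin roles you want covered.
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"

# New policies start in report-only mode so sign-in logs show the effect before enforcement.
REPORT_ONLY = "enabledForReportingButNotEnforced"


def require_mfa_for_admins(admin_role_ids, break_glass_ids, state=REPORT_ONLY):
    """Scenario 1: every admin role, every cloud app, grant only with MFA."""
    return {
        "displayName": "CA001 - Require MFA for admin roles",
        "state": state,
        "conditions": {
            "users": {
                "includeRoles": list(admin_role_ids),
                "excludeUsers": list(break_glass_ids),  # break-glass accounts stay out
            },
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def block_legacy_auth(break_glass_ids, state=REPORT_ONLY):
    """Scenario 2: block the client app types that cannot do modern auth (and so cannot do MFA)."""
    return {
        "displayName": "CA002 - Block legacy authentication",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
            "applications": {"includeApplications": ["All"]},
            # Exchange ActiveSync plus "other" clients = legacy protocols such as IMAP, POP3, SMTP AUTH
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


NARROWING_CONDITIONS = ("clientAppTypes", "locations", "platforms", "signInRiskLevels", "userRiskLevels")


def lint_policy(policy, break_glass_ids):
    """Return a list of problems found; an empty list means the policy passes."""
    problems = []
    conditions = policy["conditions"]
    users = conditions["users"]
    missing = set(break_glass_ids) - set(users.get("excludeUsers", []))
    if missing:
        problems.append(f"break-glass accounts not excluded: {sorted(missing)}")
    controls = policy.get("grantControls", {}).get("builtInControls", [])
    if ("block" in controls and users.get("includeUsers") == ["All"]
            and not any(k in conditions for k in NARROWING_CONDITIONS)):
        problems.append("block policy targets all users with no narrowing condition; it would block everyone")
    return problems


def baseline_policies(break_glass_ids=BREAK_GLASS_ACCOUNTS):
    """The two scenario policies, linted; raises if either fails."""
    policies = [require_mfa_for_admins([GLOBAL_ADMIN_ROLE], break_glass_ids),
                block_legacy_auth(break_glass_ids)]
    for p in policies:
        problems = lint_policy(p, break_glass_ids)
        if problems:
            raise ValueError(f"{p['displayName']}: {problems}")
    return policies


if __name__ == "__main__":
    for policy in baseline_policies():
        print(json.dumps(policy, indent=2))  # paste as the request body for Graph
```

Keep both policies in report-only mode until the sign-in logs show only the expected legacy clients and admin sign-ins being affected, then flip `state` to `enabled`.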
Scenario 3: Require Compliant Device for Sensitive Apps
Scenario 4: Location-Based Access
Named Locations
📺 Video Reference: 02:03:15
Define locations by:
| Type | Description |
|---|---|
| IP ranges | CIDR blocks (office IPs) |
| Countries | Geographic boundaries |
| GPS | From Authenticator app (compliant network) |
Compliant Network Location
Uses GPS from the Microsoft Authenticator app to verify physical location.
GPS-Based Location
Useful when IP-based detection isn't reliable (e.g., users on mobile networks).
Risk-Based Policies
📺 Video Reference: 02:04:56
Entra ID Protection calculates risk levels in real-time:
Sign-in Risk
"Is this specific authentication attempt risky?"
| Risk Signal | Example |
|---|---|
| Anonymous IP | Using Tor, VPN exit nodes |
| Atypical travel | London → Tokyo in 1 hour |
| Unfamiliar properties | New device, new location |
| Malicious IP | Known attack infrastructure |
| Password spray | Detected attack pattern |
User Risk
"Is this user account compromised?"
| Risk Signal | Example |
|---|---|
| Leaked credentials | Found on dark web |
| Threat intelligence | Account linked to attack |
| Anomalous behavior | Unusual patterns over time |
Risk-Based Policy Example
Continuous Access Evaluation (CAE)
📺 Video Reference: 02:06:30
Traditional tokens: Valid for 1 hour regardless of what happens.
Problem: User disabled? They still have access for up to an hour!
CAE Solution
Critical events that trigger CAE:
- User account disabled
- Password change
- MFA registration change
- Location policy violation (if IP-based)
Near Real-Time Revocation
CAE reduces the "token theft" window from ~1 hour to minutes.
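A small model of the difference described above, as an added example that is not the course's or Microsoft's code: a traditional token is accepted until its one-hour expiry no matter what happens, while a CAE-aware resource rejects it as soon as one of the listed critical events occurs, or when the token is presented from outside an IP-based location policy. The timeline, event names and IP ranges are constructed; real CAE propagation takes minutes, which this model collapses to zero.

```python
"""Simplified model of token acceptance with and without Continuous Access Evaluation
(CAE). Added example, not the course's code: the one-hour token lifetime and the
critical event list come from the notes; the timeline and IP ranges are constructed."""
import ipaddress
from datetime import datetime, timedelta, timezone

TOKEN_LIFETIME = timedelta(hours=1)

# Events that a CAE-aware resource acts on before the token's natural expiry
CRITICAL_EVENTS = {"user_disabled", "password_changed", "mfa_registration_changed"}


def token_accepted(issued_at, now, events, cae_enabled, allowed_networks=(), client_ip=None):
    """Decide whether a token issued at `issued_at` is accepted at `now`.

    events: list of (timestamp, event_name) for the token's subject.
    allowed_networks: IP-based location policy the resource enforces (CAE only).
    Returns (accepted, reason)."""
    if now >= issued_at + TOKEN_LIFETIME:
        return False, "expired"
    if not cae_enabled:
        # Traditional behaviour: nothing that happens after issuance is checked
        return True, "valid until expiry; revocation events are not checked"
    for ts, name in events:
        if issued_at <= ts <= now and name in CRITICAL_EVENTS:
            return False, f"revoked by critical event: {name}"
    if allowed_networks and client_ip is not None:
        ip = ipaddress.ip_address(client_ip)
        if not any(ip in ipaddress.ip_network(n) for n in allowed_networks):
            return False, "location policy violation: token presented from outside allowed ranges"
    return True, "valid; no critical events since issuance"


def exposure_window(issued_at, event_at, events, cae_enabled, step=timedelta(minutes=1)):
    """How long after a critical event the token keeps working, found by replaying the
    timeline minute by minute. Returns a timedelta (0 in the CAE model; real CAE takes
    minutes for the event to reach the resource)."""
    now = event_at
    while token_accepted(issued_at, now, events, cae_enabled)[0]:
        now += step
    return now - event_at


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed timeline
    disabled = [(t0 + timedelta(minutes=10), "user_disabled")]
    for cae in (False, True):
        print(f"CAE={cae}: account disabled 10 min after issuance, token usable for",
              exposure_window(t0, t0 + timedelta(minutes=10), disabled, cae))
```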
External Identities
📺 Video Reference: 02:09:00
Three scenarios for external users: B2B Collaboration (guest users), B2B Direct Connect, and External ID for Customers (CIAM).
B2B Collaboration (Guest Users)
📺 Video Reference: 02:10:15
Invite external users to collaborate within your tenant.
How It Works
Guest Object in Your Tenant
| Property | Value |
|---|---|
| User Type | Guest |
| Source | External Azure AD tenant (or other IdP) |
| UPN | user_fabrikam.com#EXT#@contoso.onmicrosoft.com |
| Authentication | At their home tenant |
| Authorization | At your tenant (Contoso) |
What Guests Can Do
| Access Type | Configurable |
|---|---|
| Read directory | Yes - can limit |
| Access shared resources | Yes - per resource |
| Join Teams | Yes |
| Access SharePoint | Yes |
| Use internal apps | Yes - via assignment |
Invitation Settings
| Setting | Options |
|---|---|
| Who can invite | Admins only / Members / Guests |
| Allow self-service sign-up | Yes / No |
| Allowed domains | Any / Specific list / Block list |
Cross-Tenant Access Settings
📺 Video Reference: 02:14:20
Fine-grained control over B2B relationships.
Inbound Settings
Control access from other organizations to your tenant.
| Setting | Options |
|---|---|
| Users | All / Specific groups |
| Applications | All / Specific apps |
| Trust MFA from partner | Yes / No |
| Trust device compliance | Yes / No |
Outbound Settings
Control access from your tenant to other organizations.
| Setting | Options |
|---|---|
| Users | All / Specific groups |
| Applications | All / Specific apps |
Trust Settings
The most powerful part of cross-tenant access:
| Trust Setting | Effect |
|---|---|
| Trust MFA | Accept partner's MFA (no double MFA!) |
| Trust compliant device | Accept partner's Intune compliance |
| Trust Hybrid Azure AD join | Accept partner's domain-joined status |
Eliminate Double MFA
If you trust MFA from Fabrikam, a Fabrikam user who completed MFA at home won't be prompted again in your tenant!
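The guest UPN from the B2B Collaboration table and the trust settings described above, as an added example that is not the course's or Microsoft's code: the partner configuration is built in the shape Microsoft Graph uses under /policies/crossTenantAccessPolicy/partners (inbound trust flags plus an inbound application allow-list), and a small check shows which grant controls an inbound Fabrikam user still has to satisfy once their home-tenant MFA is trusted. The tenant and application IDs are constructed placeholders.

```python
"""Cross-tenant access settings for a partner tenant in the shape Microsoft Graph uses under
/policies/crossTenantAccessPolicy/partners, the guest UPN form, and a check of what
'Trust MFA' does to an inbound Fabrikam user. Added example, not the course's code; the
tenant and application IDs are constructed placeholders."""

FABRIKAM_TENANT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"  # constructed placeholder


def guest_upn(external_email, resource_tenant_domain):
    """UPN the B2B guest object gets in your directory: local_domain#EXT#@yourtenant."""
    local, _, domain = external_email.partition("@")
    return f"{local}_{domain}#EXT#@{resource_tenant_domain}"


def partner_config(tenant_id, trust_mfa=False, trust_compliant=False, trust_hybrid_join=False,
                   allowed_app_ids=None):
    """Inbound trust settings plus, optionally, an inbound B2B allow-list of applications."""
    cfg = {
        "tenantId": tenant_id,
        "inboundTrust": {
            "isMfaAccepted": trust_mfa,
            "isCompliantDeviceAccepted": trust_compliant,
            "isHybridAzureADJoinedDeviceAccepted": trust_hybrid_join,
        },
    }
    if allowed_app_ids is not None:
        cfg["b2bCollaborationInbound"] = {
            "usersAndGroups": {"accessType": "allowed",
                               "targets": [{"target": "AllUsers", "targetType": "user"}]},
            "applications": {"accessType": "allowed",
                             "targets": [{"target": app, "targetType": "application"}
                                         for app in allowed_app_ids]},
        }
    return cfg


def inbound_sign_in(cfg, sign_in, required_controls):
    """Apply the partner config to an inbound guest sign-in.

    sign_in: {'app_id', 'mfa_at_home', 'compliant_at_home', 'hybrid_joined_at_home'} describes
    what the user's home tenant already asserted. Returns None if the application is not
    allowed inbound, otherwise the set of grant controls the user must still satisfy here."""
    inbound = cfg.get("b2bCollaborationInbound")
    if inbound:
        apps = inbound["applications"]
        targets = {t["target"] for t in apps["targets"]}
        listed = "AllApplications" in targets or sign_in["app_id"] in targets
        allowed = listed if apps["accessType"] == "allowed" else not listed
        if not allowed:
            return None
    trust = cfg["inboundTrust"]
    satisfied = set()
    if trust["isMfaAccepted"] and sign_in.get("mfa_at_home"):
        satisfied.add("mfa")  # home-tenant MFA claim accepted: no second prompt
    if trust["isCompliantDeviceAccepted"] and sign_in.get("compliant_at_home"):
        satisfied.add("compliantDevice")
    if trust["isHybridAzureADJoinedDeviceAccepted"] and sign_in.get("hybrid_joined_at_home"):
        satisfied.add("domainJoinedDevice")
    return set(required_controls) - satisfied


if __name__ == "__main__":
    print(guest_upn("user@fabrikam.com", "contoso.onmicrosoft.com"))
    cfg = partner_config(FABRIKAM_TENANT_ID, trust_mfa=True, allowed_app_ids=["app-sharepoint"])
    user = {"app_id": "app-sharepoint", "mfa_at_home": True, "compliant_at_home": True}
    print("still required:", inbound_sign_in(cfg, user, ["mfa", "compliantDevice"]))
```

Trusting MFA only removes the second prompt; a compliant-device requirement is still enforced locally unless `isCompliantDeviceAccepted` is also set, and an application outside the inbound allow-list is refused before any grant control is considered.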
B2B Direct Connect
📺 Video Reference: 02:17:00
For Teams shared channels—direct federation without guest objects.
Key difference from B2B:
- No guest user object in your directory
- User stays in their own tenant
- Access via shared channel trust
External ID for Customers (CIAM)
📺 Video Reference: 02:18:30
Build customer-facing applications with identity:
Use Cases
| Scenario | Solution |
|---|---|
| Consumer mobile app | External ID with social login |
| Partner portal | B2B Collaboration |
| Customer web app | External ID with branding |
| Contractor access | B2B with Cross-Tenant Access |
CIAM Features
| Feature | Description |
|---|---|
| Custom branding | Company look and feel |
| Self-service sign-up | No IT involvement |
| Social identity providers | Google, Facebook, Apple |
| Progressive profiling | Collect info over time |
| Custom user attributes | Store app-specific data |
Global Secure Access
📺 Video Reference: 02:20:45
Microsoft's SASE (Secure Access Service Edge) solution.
Two Components
Microsoft Entra Internet Access
Replace traditional proxies with cloud-delivered security:
| Feature | Description |
|---|---|
| Web content filtering | Block categories of sites |
| Threat protection | Malware, phishing protection |
| DLP integration | Data loss prevention |
| Universal tenant restrictions | Control which tenants users can access |
Microsoft Entra Private Access
Zero Trust replacement for VPN:
| Feature | Description |
|---|---|
| App-level access | Access specific apps, not entire network |
| Conditional Access | Apply CA policies to on-prem apps |
| No network-level access | No lateral movement across the network |
| Identity-based | User must authenticate |
Replace VPN
Private Access provides identity-based, app-specific access instead of network-based VPN that exposes your entire network.
Security Defaults
📺 Video Reference: 02:24:00
For organizations without Entra ID P1/P2:
What Security Defaults Enable
| Protection | Description |
|---|---|
| Require MFA registration | All users must register |
| MFA for admins | Always required |
| MFA for users | When risky (heuristic-based) |
| Block legacy authentication | Blocked entirely |
| Protect privileged operations | Extra verification |
Security Defaults vs Conditional Access
If you have P1/P2, use Conditional Access for fine-grained control. Security Defaults is all-or-nothing.
Policy Evaluation Order
📺 Video Reference: 02:26:00
All applicable policies are evaluated, then combined:
Key rules:
- If ANY policy blocks → Blocked
- ALL grant requirements from ALL policies must be satisfied
- Exclusions override includes
- More specific conditions win
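A local simulator of the combination rules above, as an added example that is not the course's or Microsoft's evaluation code: it also covers the named-location matching (IP ranges and countries) and the risk-based policy example that the Risk-Based Policies section leaves open. Given a sign-in context and a set of policies shaped loosely like the Graph policy schema, it checks exclusions before includes, returns a block if any matched policy blocks, and otherwise lists every matched policy's grant requirement. The policies, named locations, user, role and application names and IPs are all constructed.

```python
"""Local simulator of how Conditional Access combines policies for one sign-in:
exclusions beat includes, any block wins, and every matched policy's grant controls are
required together. Added example, not Microsoft's evaluation code; the policy and sign-in
shapes follow the Graph schema loosely and every name, ID and IP below is constructed."""
import ipaddress

# Constructed sample named locations
NAMED_LOCATIONS = {
    "HQ": {"type": "ip", "ranges": ["203.0.113.0/24"]},
    "AllowedCountries": {"type": "country", "countries": ["GB", "US"]},
}

BREAK_GLASS = ["breakglass1"]  # constructed account name

# Constructed policies: scenarios 1-4 from the notes plus the risk-based pair
POLICIES = [
    {"displayName": "CA001 MFA for admins", "state": "enabled",
     "conditions": {"users": {"includeRoles": ["GlobalAdministrator"], "excludeUsers": BREAK_GLASS},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "CA002 Block legacy auth", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": BREAK_GLASS},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "CA003 Block high sign-in risk", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": BREAK_GLASS},
                    "applications": {"includeApplications": ["All"]},
                    "signInRiskLevels": ["high"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "CA004 Compliant device for finance outside HQ", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": BREAK_GLASS},
                    "applications": {"includeApplications": ["finance-app"]},
                    "locations": {"includeLocations": ["All"], "excludeLocations": ["HQ"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
    {"displayName": "CA005 High user risk: MFA and password change", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": BREAK_GLASS},
                    "applications": {"includeApplications": ["All"]},
                    "userRiskLevels": ["high"]},
     "grantControls": {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]}},
]


def in_location(name, sign_in):
    """True if the sign-in comes from the named location (IP range or country)."""
    loc = NAMED_LOCATIONS[name]
    if loc["type"] == "ip":
        ip = ipaddress.ip_address(sign_in["ip"])
        return any(ip in ipaddress.ip_network(r) for r in loc["ranges"])
    return sign_in.get("country") in loc["countries"]


def user_in_scope(users, sign_in):
    """Exclusions override includes, so excludes are checked first."""
    groups, roles = set(sign_in.get("groups", [])), set(sign_in.get("roles", []))
    if sign_in["user"] in users.get("excludeUsers", []):
        return False
    if groups & set(users.get("excludeGroups", [])) or roles & set(users.get("excludeRoles", [])):
        return False
    return (users.get("includeUsers") == ["All"]
            or sign_in["user"] in users.get("includeUsers", [])
            or bool(groups & set(users.get("includeGroups", [])))
            or bool(roles & set(users.get("includeRoles", []))))


def policy_applies(policy, sign_in):
    """Every assignment condition must match for the policy to apply."""
    c = policy["conditions"]
    if not user_in_scope(c["users"], sign_in):
        return False
    apps = c["applications"]["includeApplications"]
    if apps != ["All"] and sign_in["app"] not in apps:
        return False
    client_types = c.get("clientAppTypes", ["all"])
    if client_types != ["all"] and sign_in["clientAppType"] not in client_types:
        return False
    loc = c.get("locations")
    if loc:
        if any(in_location(n, sign_in) for n in loc.get("excludeLocations", [])):
            return False
        inc = loc.get("includeLocations", [])
        if inc != ["All"] and not any(in_location(n, sign_in) for n in inc):
            return False
    for key, field in (("signInRiskLevels", "signInRisk"), ("userRiskLevels", "userRisk")):
        levels = c.get(key)
        if levels and sign_in.get(field, "none") not in levels:
            return False
    return True


def evaluate(policies, sign_in):
    """Combine all matched policies: any block wins, otherwise every grant requirement applies."""
    matched = [p for p in policies if p["state"] == "enabled" and policy_applies(p, sign_in)]
    blocking = [p["displayName"] for p in matched if "block" in p["grantControls"]["builtInControls"]]
    if blocking:
        return {"decision": "block", "by": blocking}
    required = [{"policy": p["displayName"], "operator": p["grantControls"]["operator"],
                 "controls": p["grantControls"]["builtInControls"]} for p in matched]
    return {"decision": "grant", "required": required}
```

Running `evaluate(POLICIES, ...)` with an admin on the finance app from a non-office IP returns a grant that requires both MFA (CA001) and a compliant device (CA004); the same admin using a legacy client is blocked by CA002, and the break-glass account matches nothing because its exclusion wins everywhere.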
Quick Reference
Conditional Access Policy Checklist
- [ ] Block legacy authentication
- [ ] Require MFA for all admins
- [ ] Require MFA for all users
- [ ] Block high-risk sign-ins
- [ ] Require password change for high-risk users
- [ ] Require compliant device for sensitive apps
- [ ] Create named locations for offices
- [ ] Exclude break-glass accounts from all policies
- [ ] Enable CAE for supported apps