It should never be enough that a user who has a user name and a password immediately gets access to resources in your infrastructure. Before granting access, ask:
- Should we require MFA?
- Should they be working from an IT-managed device?
- Do they need to be in the United States? Can they be connecting in from Russia or North Korea?
- Does their PC have to have the latest anti-malware on it?
- Can they connect in from an unpatched computer?
Enterprises with Azure Active Directory have great power over whether or not authenticated users get access to resources. Here are some common Conditional Access policies set by Azure AD administrators (the ones marked with * are the baseline policies Microsoft recommends every tenant start with).
Note: Conditional Access policies require at least Azure Active Directory Premium P1 licensing for all users in your organization.
- Identities
  - Require multi-factor authentication for admins*
  - Securing security info registration
  - Block legacy authentication*
  - Require multi-factor authentication for all users*
  - Require multi-factor authentication for guest access
  - Require multi-factor authentication for Azure management*
  - Require multi-factor authentication for risky sign-in (requires Azure AD Premium P2)
  - Require password change for high-risk users (requires Azure AD Premium P2)
- Devices
  - Require compliant or Hybrid Azure AD joined device for admins
  - Block access for unknown or unsupported device platform
  - No persistent browser session
  - Require approved client apps or app protection
  - Require compliant or Hybrid Azure AD joined device or multi-factor authentication for all users
  - Use application enforced restrictions for unmanaged devices
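As an added example (not part of the original post or of Microsoft's documentation), the following Microsoft Graph PowerShell script creates two of the starred baseline policies above, "Require multi-factor authentication for admins" and "Block legacy authentication", in report-only mode so you can see who would have been blocked before enforcing anything. It assumes the Microsoft.Graph module is installed, that the signed-in account can consent to the `Policy.ReadWrite.ConditionalAccess` scope, and that you replace the placeholder `$breakGlassUserId` with the object ID of your own emergency-access account; the policy names are made up for the example.

```powershell
# Added example: create two baseline Conditional Access policies in report-only mode.
# Requires the Microsoft.Graph module (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

# Assumption: object ID of your emergency-access (break-glass) account.
# Exclude it from every policy so a mistake cannot lock every admin out.
$breakGlassUserId = '00000000-0000-0000-0000-000000000000'

# Well-known directory role template ID for Global Administrator.
$globalAdminRoleId = '62e90394-69f5-4237-9190-012177145e10'

# Policy 1: require MFA for Global Administrators on every cloud app.
$mfaForAdmins = @{
    displayName = 'CA001: Require MFA for admins (report-only)'
    state       = 'enabledForReportingButNotEnforced'   # report-only first
    conditions  = @{
        clientAppTypes = @('all')
        applications   = @{ includeApplications = @('All') }
        users          = @{
            includeRoles = @($globalAdminRoleId)
            excludeUsers = @($breakGlassUserId)
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

# Policy 2: block legacy authentication. Exchange ActiveSync and "other"
# clients use protocols that cannot perform MFA, so MFA policies alone
# do not cover them; the fix is to block them outright.
$blockLegacyAuth = @{
    displayName = 'CA002: Block legacy authentication (report-only)'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        clientAppTypes = @('exchangeActiveSync', 'other')
        applications   = @{ includeApplications = @('All') }
        users          = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlassUserId)
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

foreach ($policy in @($mfaForAdmins, $blockLegacyAuth)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host "Created '$($created.DisplayName)' (id $($created.Id)) in state $($created.State)"
}

# After reviewing the "Report-only" tab of the sign-in logs for a week or two,
# switch a policy to enforced:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <id> -BodyParameter @{ state = 'enabled' }
```

Starting in `enabledForReportingButNotEnforced` is deliberate: the sign-in logs then show exactly which users and clients each policy would have blocked, so you can fix service accounts or legacy mail clients before flipping the state to `enabled`. The break-glass exclusion is the other non-negotiable; a Conditional Access policy that blocks all admins, including you, cannot be undone from the portal.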
Read more about common Conditional Access policies here:
- Common Conditional Access policies in Azure Active Directory: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policy-common