Microsoft 365 Conditional Access Policies (Podcast)
Patrick and Dave talk about conditional access policies, and managing who is allowed to access what data, through what applications, and on what devices.
John Maher: Welcome to Tech Tuesday, brought to you by PCG, a managed services and security provider in Portsmouth, New Hampshire. I’m John Maher, and with me today from PCG is CEO and founder, Dave Hodgdon. Welcome, Dave.
Dave Hodgdon: John, always a pleasure to speak to you. Tech Tuesday, favorite day of the week.
John: And our special guest today is Patrick Nichols, senior engineer. Welcome, Patrick.
Patrick Nichols: Thank you, John.
What Are Conditional Access Policies?
John: Sure. So today we’re talking about Microsoft 365 conditional access policies. What are conditional access policies? What do we mean by that?
Patrick: So, in the context of Microsoft 365, conditional access policies define who is allowed to access what data through what applications and on what devices. So conditional access meaning they have to meet a certain set of criteria that you have to define in order to access their email, access their SharePoint or OneDrive data, or access any applications that you might have single sign on turned on through 365 with.
So, things like accessing from company owned laptops and/or mobile devices, versus accessing on a personal computer at home. Those are going to have different, either yes or no, they’re allowed to be, or have different security requirements with them. So if I’m on a company device in the office, I might not have as many hoops to jump through to get access to my email, but if I’m on a personal device at home, or in another country or something like that, I might have to verify two forms of multifactor authentication just to get in, multifactor authentication being things like your authenticator app on your phone, or an SMS message, or an email to a secondary email that you have in order to verify you are who you are and you are accessing the data in a controlled manner.
Dave: John, if I could hop on there. So usually, from the technical side, is Patrick and the team there, but from a business side, when you’re speaking to ownership or C-level people, do you really want 20 people doing what they want, when they want, with zero control? Their machine, they can control their patching, they control what they can access. Or do you want a controlled environment, that your sales team can do X, my accounting team can do X, I know who can access what files, I can determine remotely, if I have a remote workforce, who has access to certain stuff. So you’re really controlling, from a security standpoint, from your HR standpoint, your financial, who has access to what and when, and that is really the direction this whole platform is going, and just allowing anyone to do what they want is not a smart business decision.
John: Right, there’s going to be certain people that you don’t want them to be able to access, say, the financial information of the company or something like that, so you want to be able to keep them out.
Dave: Correct. It’s so much easier, John, from a hiring standpoint, that once these things are in place, if you’re adding someone to the sales group, the marketing group, the finance, they’re in this criteria, they fit these particular policies, they’ve got to follow that track. And then from our side, our team can definitely personalize that as needed.
Do You Need a Certain Microsoft 365 Plan to Use Conditional Access Policies?
John: So, do all Microsoft 365 plans include conditional access policies, or do you have to be on a certain 365 plan in order to get those?
Dave: It’s a good question, John. The key plan, and I feel one of Microsoft’s best products that came out is called the Microsoft Premium package, so that has a cost of $22 per user per month. But the Microsoft Basic, which is the email only — and with email you get access to your Teams, your OneDrive, your SharePoint — most companies are on the Microsoft Standard, which includes the office and the email component, as well as the SharePoint, the Teams, and the OneDrive. But they do not include these policies that we’re talking about, John.
So in the old days you might be connected to a server and these things were in place, but in today’s where a lot of people are doing less things on the server — and we could do a lot more within the Microsoft world, so you’re not having the expense of the server, the operating system, and the uptime — now we can take this with our team and Patrick, now within the 365 Premium, I don’t have all these people doing who knows what, within this 365 plan. Premium, John, you have this solution available to you.
Balancing Security and Convenience
John: So how do you balance security and convenience? Obviously you don’t want to have all these plans be in place in order to enhance security, but then make it difficult for people to be able to do their jobs.
Patrick: So, the one thing I tell all of my clients is I want to make sure you guys are secure, but also, I don’t want to be resented by the employees because suddenly now they have to do something every day when they log in, every time they walk away. I want these policies to be enforceable but fairly convenient in the sense of…For instance, one example I always implement whenever I can is session limits. So when you sign into your 365 account, you might have an unlimited session limit, if it hasn’t been configured properly, that means that every time you open up your laptop or turn on your computer, your 365 account is already signed in for you. Maybe you had to do some sort of MFA the first time you signed in, but nothing after that. Where we can get a little bit more granular with that is I want session limits because if your device gets stolen, if somebody gets remote access to your device, we really want to limit the damage they’re able to do.
One of those ways is by setting the session limits. So hey, if the device is in the office full-time, maybe you only have to do MFA to get into 365 account once a week, or once a month, or something like that, something reasonable. But if that device leaves the office, so your public IP address that’s assigned to your physical office, or offices, if it leaves that, maybe you have to do your MFA once a day.
If a new device gets taken out of the country, or if somebody’s trying to access your account from a potentially malicious place, like we see a lot of attacks out of Russia, out of China, where all day they’re trying to get into whatever account they can. It’s a shotgun approach. It’s not a, “why would these people come after me? I don’t have any data that is worth anything.” They’re trying to get in everywhere. And if not you, they’re going to use your account to try to get into all of your contacts’ accounts, in terms of sending out phishing emails from your account. So if you’re protecting yourself and protecting your account, maybe you have to, if you’re signing in from an IP that is abroad, outside the US, maybe the requirement is you have to do two forms of multifactor authentication just to get into your account, which will thwart a lot of these attacks because most of the time it’s a shotgun method of whatever works, we only have to get a few of these to convert for it to make it worth it for us.
So if you’re making it harder for the attackers in any way, you’re lowering your risk on the platform that you can be attacked on.
Legacy Hardware and Software
John: So what if you have legacy hardware or software that needs to be supported? Can the system handle that?
Patrick: Yeah, so most web applications, as they should have, about…I think it was around October in 2022 is when Microsoft officially said, “Hey, we’re going to stop supporting the security protocols for what they call legacy authentication.” But in a lot of cases it’s still needed because you spent a lot of money on the big copier, and you don’t want to have to buy a whole new one just because you can no longer scan to email. So with conditional access policies, you can still protect those accounts with modern authentication methods and make exceptions for, well, if it’s coming over this protocol — which in the case of a printer in the office, would be coming over SMTP, which is a mail standard — then you can accept this lower authentication method if it’s coming from one of the IPs that is in the office.
So you’re not going to have an enterprise copier sitting at somebody’s house. You know exactly where that is. You can say, “These are the safe places. I trust this account to be able to send emails.” But you still protect that account so if somebody were to try to send email as that account from another IP address, they wouldn’t be able to, or if somebody tried to log into that account through an unauthorized app on an unauthorized device, that would be denied as well.
Auditing Your Conditional Access Policies
John: So, what if my IT person or the company that I’m working with for IT says, “Oh yeah, we’re already doing this. It’s already in place.” How do I audit that and make sure that that’s actually happening?
Patrick: For everything in tech security, it’s the “trust but verify”. You have to be doing some auditing from that. You should be asking your IT department, your IT person, your IT company; you should be saying, “Hey, can I get an admin account that is able to audit our security policies?” And it’s not necessarily, if your IT person gets defensive at that point, you have to reassure them, “Hey, we either may need to know for compliance reasons, I may want to know just because I want to know everything is happening,” and the real method is making sure that, yeah…I have no problem giving the point of contact at any one of my clients read-only access to things that I manage because they’re paying us to be their IT department, but ultimately it’s all their data, it’s their liability, and I want to make sure that they’re comfortable with the jobs that I’m doing.
Dave: John, I also feel from an auditing standpoint, it’s good, you as the company, the person, IT, you hope they’re doing all the right things, but part of a risk assessment is “inspect what you expect”; it’s always good to verify, because the person who set it up might not have all the skills, even if they’ve done the best they can to do it. But you take someone on the PCG side who lives in 365, one of the better in our industry, you’d have people that actually understand more about that product and they can actually help them confirm what they’re trying to do.
So I think there’s just huge value and we’re finding more and more companies in this co-managed IT that these people are just supporting so many things. They don’t have the time to know everything about security, everything about 365, everything about SharePoint. They can lean on PCG to help them look better, we can help them with some of these higher technical things to bring to the table, which is only going to help them, which is beneficial to us. So we enjoy working with IT in-house, but they also want to embrace, “I don’t know everything”. I think it’s very difficult when we work with a group of 25 that know a lot of stuff, a person, one, can’t know everything under the sun, John, and it’s nice to know that you can lean on someone to, “This is how I set it up, did I do this right?”
The Top Conditional Access Policies to Consider
John: So, what are some of the top conditional policies that your business should consider? If I’m looking at our conditional access policies and I want to make sure that I have the proper ones in place, what are some of the most important ones?
Patrick: So, the big ones I emphasize are ones that focus on the device that you’re on and having conditional access policies that work with mobile device management policies. So if you’ve got sensitive data, sure, you might allow your employees to access it from a web browser on a personal machine using multifactor authentication, but you can set some standards for that saying that device needs to have BitLocker encryption enabled so that if somebody steals that device, they likely cannot break into it easily and access your company data because they’ve stolen a personal device or something like that.
So any policy relating to what device is connected, and then policies that define where your device is connecting from, and then obviously making sure that you’ve got security groups in there that define different access levels. So maybe you’ve got a team that is entirely on-premises, and if Dave’s the CEO of that company, maybe he wants to be able to access things remotely, but maybe the customer service reps don’t need to be accessing all of their data at home because they may work a 9:00 to 5:00 and you may want to enforce that and say, “Hey, I want you in the office working that 9:00 to 5:00. I do not want you working outside of those hours,” and it can be both a work-life balance as well as a security issue.
Final Thoughts On Conditional Access Policies
John: All right. Any final thoughts on Microsoft 365 conditional access policies?
Dave: Well, one thing more from a business process, John, the big picture we’ve seen since the pandemic is that more and more people are working remotely. Is there really a reason to have that server on-premises? A lot of companies now are realizing, “why pay for this commercial space or stuff in there?” So they can now take some of these key applications, put them in the cloud. This big topic called SharePoint, I can take my common files that were commonly on my local share server, put that up into SharePoint with files and permissions. But the big thing that everyone is missing is you, still, in the server world, they call your Active Directory your domain and these policies and procedures are part of that, you need to control, similar to what we talked about, surveillance, other things, who’s got the keys to do what at where? Who can come in? Who can look at what files? When can they look at it? What group are they with? Can they view only? Can they view and write?
And you bring it all back to security, your risk assessment, your compliance, having these policies in place is critical and 365 has made that very easy now to transition from that typical server hardware box environment where your files, your applications are there, and now we’re in the 365 environment, you can put your software as a service. You might be using Salesforce, you’re up there, you might be Sage in the cloud, you might be QuickBooks online, you put all your files in SharePoint. But the big one, which Patrick was just speaking about, your policies and your procedures and who can do what and when is the most important, and this 365 product allows us to do that.
John: All right. Well, that’s really great information. Patrick Nichols, thanks again for speaking with me today.
Patrick: Thank you, John.
John: And as always, Dave Hodgdon, thanks again for talking to me.
Dave: You got it, John.
John: And for more information, you can visit the PCG website at PCGIT.com, or call (603) 431-4121.