https://nicolasuter.ch/tags/conditional-access/Recent content in Conditional-Access on Nicola SuterHugo -- gohugo.ioen-US© 2026 Nicola SuterFri, 18 Oct 2019 22:06:04 +0000https://nicolasuter.ch/conditional-access-and-azure-log-analytics-in-harmony/Fri, 18 Oct 2019 22:06:04 +0000https://nicolasuter.ch/conditional-access-and-azure-log-analytics-in-harmony/<p>Auditing Conditional Access events and changes is crucial regarding your hygiene in Azure AD for your modern workplace. With the goal that we receive appropriate notifications and alerts if special events occur. Thanks to Azure Log Analytics (also referred to as Azure Monitor) we can easily filter and create alerts based on events. This post starts where most of the others end - giving you practical examples of KUSTO queries to search your Azure AD Audit logs with Log Analytics.</p> <h2 class="relative group">Default log retention in AAD <div id="default-log-retention-in-aad" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#default-log-retention-in-aad" aria-label="Anchor">#</a> </span> </h2> <p>A point which get&rsquo;s raised often is the default log retention in Azure Active Directory (AAD). Azure Active Directory stores all activity reports depending on your license for 7 or 30 days:</p> <ul> <li>Azure AD Free and Basic: 7 days</li> <li>Azure AD Premium P1  and P2: 30 days</li> </ul> <p><a href="https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-reports-data-retention#how-long-does-azure-ad-store-the-data" target="_blank" rel="noreferrer">Source, more Information.</a></p> <p>To retain and further process Azure Active Directory Audit Logs for a longer time period (because a 30 day audit trail is likely too short for most organizations) we can:</p> <ul> <li>Stream to an <a href="https://azure.microsoft.com/en-in/services/event-hubs/" target="_blank" rel="noreferrer">Azure Event Hub</a></li> <li>Archive to Blob Storage</li> <li>Forward them to Azure Log Analytics</li> </ul> <p>With Log Analytics the KUSTO query language can be used to query the forwarded log entries and we can create alert rules based on custom queries.</p>https://nicolasuter.ch/5-ways-to-screw-up-conditional-access/Wed, 28 Aug 2019 08:34:02 +0000https://nicolasuter.ch/5-ways-to-screw-up-conditional-access/<p>Nowadays where cloud services are available from all over the world we cannot (only) rely on trusted networks and on identities protected by usernames and passwords. Conditional access allows you to define granular controls whether an identity can access cloud applications. Based on the positive feedback for my &ldquo;<a href="https://nicolasuter.ch/5-ways-to-screw-up-your-intune-tenant/" >5 Ways to Screw up your Intune Tenant</a>&rdquo; post I felt empowered to get conditional access covered as well.</p> <h2 class="relative group">Chose your platform wisely <div id="chose-your-platform-wisely" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#chose-your-platform-wisely" aria-label="Anchor">#</a> </span> </h2> <p>If you intend to use the device platform filter make sure that you cover all platforms including unknown platforms. Otherwise your might have a lack in your battleship. <a href="https://nicolasuter.ch/bypassing-conditional-access-device-platform-policies/" >Also note that platform detection is based on best effort and can be exploited</a>.</p> <figure><img class="my-0 rounded-md" loading="lazy" decoding="async" fetchpriority="low" alt="Platform" src="https://nicolasuter.ch/content/images/2019/08/conditional-access-device-platform.png" ></figure> <h2 class="relative group">Long live legacy <div id="long-live-legacy" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#long-live-legacy" aria-label="Anchor">#</a> </span> </h2> <p>Mind the client apps configuration to ensure that your conditional access policies also apply to non-modern authentication clients. If you have created your conditional access policies in the early days of the product you didn&rsquo;t have this option available.</p> <blockquote><p>Something that has created some confusion is that conditional access policies don&rsquo;t include legacy authentication clients by default, this means that if you have a conditional access policy enforcing MFA for all users and all cloud apps, it doesn&rsquo;t block legacy authentication clients (or &ldquo;Other clients&rdquo;, as the CA UI refers to them) - Sue Bohn, Microsoft</p>https://nicolasuter.ch/bypassing-conditional-access-device-platform-policies/Tue, 02 Jul 2019 17:12:06 +0000https://nicolasuter.ch/bypassing-conditional-access-device-platform-policies/<p>Recently I read <a href="https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Azure-AD-Mailbag-Conditional-Access-Q-amp-A/ba-p/566492" target="_blank" rel="noreferrer">a great article from the Microsoft IAM Director Sue Bohn</a> concerning a Conditional Access Q&amp;A. One question was about the device platform feature - which let&rsquo;s you apply a policy only to a specific device platform like iOS, Android or Windows 10.</p> <p>The detection of the device platform relies on the user agent string sent by the application or web browser. Because this one can be spoofed easily better configure your Conditional Access policies wisely.</p> <h2 class="relative group">The problem <div id="the-problem" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#the-problem" aria-label="Anchor">#</a> </span> </h2> <p>As soon as you enable the device platform selection there&rsquo;s the chance that a user doesn&rsquo;t catch any Conditional Access policy.</p> <blockquote><p>As a result, you should <u>not rely</u> on the User Agent String to be present or to be accurate. Most browsers have a function to set an arbitrary User Agent String for testing purposes. (Microsoft)</p> </blockquote> <h2 class="relative group">Bypass example <div id="bypass-example" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#bypass-example" aria-label="Anchor">#</a> </span> </h2> <p>To give you an example, here&rsquo;s a little walk-through:</p> <ul> <li>Conditional Access Policy configured for all cloud apps</li> <li>Windows 10 selected as device platform</li> <li>Access control: Block</li> </ul> <figure class="kg-card kg-image-card"><img src="https://nicolasuter.ch/content/images/2019/07/conditional-access-policy.png" class="kg-image"></figure> <p>If we now try to access the azure portal with a Windows 10 app or browser we get the following result:</p>