Conditional access with Multifactor authentication (MFA)

Microsoft Entra Conditional Access brings signals together to make decisions and enforce security policies. Multifactor authentication (MFA) protects customers' identities by prompting them for a second verification method. In this demo, a Conditional Access policy targeted at all users prompts for MFA when the sign-in risk level is medium or high.

Prerequisites

Before you start, make sure you have completed the following:
  1. Create a tenant and add admin accounts
  2. Register a web application
  3. Create a user flow

Start by creating a Conditional Access policy to secure the application. Sign in to the Microsoft Entra admin center and browse to Protection > Conditional Access. Then, select New policy.

Give your policy a Name, for example sign-in risk.

Under Assignments, select the link under Users. Then, on the Include tab, select All users. On the Exclude tab, you can select users and groups for your organization's emergency access or break-glass accounts.

Under Assignments, select Target resources. Then, on the Include tab, choose the Select apps option and select the Select button. Find your app, select it, and then choose Select.

Under Conditions, select the link under Sign-in risk. Then, for Configure, select Yes and select the High and Medium checkboxes.

Under Access controls > Grant, select Grant access. Then select Require multifactor authentication. With this grant type, users must complete additional security requirements like email, phone call, or text message.

Confirm your settings and set Enable policy to On. Select Create to create your policy.

Create conditional access policy

The following example creates a conditional access policy. This policy targets risky sign-ins for all users (excludes the tenant global administrator). In the JSON below, replace {App-ID} with the App ID of your web or mobile application (the App ID, not the object ID). You can add more applications to the includeApplications array.

POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies

{
    "templateId": null,
    "displayName": "Woodgrove demo - sign in risk",
    "state": "disabled",
    "sessionControls": null,
    "conditions": {
        "userRiskLevels": [],
        "signInRiskLevels": [
            "high",
            "medium"
        ],
        "clientAppTypes": [
            "all"
        ],
        "platforms": null,
        "locations": null,
        "times": null,
        "deviceStates": null,
        "devices": null,
        "clientApplications": null,
        "applications": {
            "includeApplications": [
                "{App-ID}"
            ],
            "excludeApplications": [],
            "includeUserActions": [],
            "includeAuthenticationContextClassReferences": [],
            "applicationFilter": null
        },
        "users": {
            "includeUsers": [
                "All"
            ],
            "excludeUsers": [],
            "includeGroups": [],
            "excludeGroups": [],
            "includeRoles": [],
            "excludeRoles": [],
            "includeGuestsOrExternalUsers": null,
            "excludeGuestsOrExternalUsers": null
        }
    },
    "grantControls": {
        "operator": "OR",
        "builtInControls": [
            "mfa"
        ],
        "customAuthenticationFactors": [],
        "termsOfUse": [],
        "authenticationStrength": null
    }
}
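Before sending a body like the one above, it is worth checking that it actually enforces what the demo intends: the {App-ID} placeholder is replaced, both risk levels and the mfa grant are present, break-glass accounts are excluded as the admin-center steps recommend, and the state is not left at "disabled". The following pre-flight lint is an added example, not part of the Woodgrove demo or the Graph SDK; demo_body() constructs a reduced copy of the page's JSON for the checks to run against.

```python
import re

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def lint_policy(body: dict) -> list[str]:
    """Return findings for a Conditional Access policy body; [] means it enforces
    what the demo intends (risky sign-ins for all users must satisfy MFA)."""
    findings = []
    cond = body.get("conditions", {})
    apps = cond.get("applications", {}).get("includeApplications", [])
    if not apps:
        findings.append("includeApplications is empty: the policy targets no application")
    for app in apps:
        # Catches the unreplaced {App-ID} placeholder and non-GUID values. It cannot
        # tell an app (client) ID from an object ID, since both are GUIDs.
        if not GUID_RE.match(app):
            findings.append(f"includeApplications: '{app}' is not an application ID")
    risk = set(cond.get("signInRiskLevels", []))
    if not {"high", "medium"} <= risk:
        findings.append(f"signInRiskLevels {sorted(risk)} lacks 'high' and/or 'medium'")
    grant = body.get("grantControls") or {}
    if "mfa" not in grant.get("builtInControls", []):
        findings.append("grantControls.builtInControls does not require 'mfa'")
    users = cond.get("users", {})
    # The admin-center steps exclude break-glass accounts; a body that includes
    # All users and excludes nobody can lock out every admin during an incident.
    if users.get("includeUsers") == ["All"] and not (users.get("excludeUsers") or users.get("excludeGroups")):
        findings.append("All users included but no break-glass users or groups excluded")
    state = body.get("state")
    # 'disabled' evaluates nothing; 'enabledForReportingButNotEnforced' only logs.
    if state != "enabled":
        findings.append(f"state is '{state}': the policy will not prompt for MFA")
    return findings


def demo_body(app_id="{App-ID}", state="disabled", exclude_groups=()):
    """Constructed body mirroring the page's JSON, reduced to the fields checked."""
    return {
        "displayName": "Woodgrove demo - sign in risk",
        "state": state,
        "conditions": {
            "signInRiskLevels": ["high", "medium"],
            "applications": {"includeApplications": [app_id], "excludeApplications": []},
            "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": list(exclude_groups)},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }
```

Run against the page's body as written, lint_policy reports the unreplaced placeholder, the missing break-glass exclusion and the disabled state; pass a real App ID, an excluded group and state "enabled" and it returns an empty list.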

PowerShell script

The following PowerShell script creates a conditional access policy, or updates it if a policy with the same name already exists. Replace {App-ID} with the App ID (not the object ID) of the web or mobile application the policy applies to.

# Requires the Microsoft Graph Beta PowerShell module (Install-Module Microsoft.Graph.Beta)
function Add-ConditionalAccessPolicy {

    param (
        [Parameter(Mandatory)] [string] $PolicyName,
        [Parameter(Mandatory)] [string] $AppId
    )

    # Define the conditional access policy ($null for the settings this policy does not use)
    $params = @{
        templateId = $null
        displayName = $PolicyName
        state = "enabled"
        sessionControls = $null
        conditions = @{
            userRiskLevels = @()
            signInRiskLevels = @(
                "high"
                "medium"
            )
            clientAppTypes = @(
                "all"
            )
            platforms = $null
            locations = $null
            times = $null
            deviceStates = $null
            devices = $null
            clientApplications = $null
            applications = @{
                includeApplications = @(
                    $AppId
                )
                excludeApplications = @()
                includeUserActions = @()
                includeAuthenticationContextClassReferences = @()
                applicationFilter = $null
            }
            users = @{
                includeUsers = @(
                    "All"
                )
                excludeUsers = @()
                includeGroups = @()
                excludeGroups = @()
                includeRoles = @()
                excludeRoles = @()
                includeGuestsOrExternalUsers = $null
                excludeGuestsOrExternalUsers = $null
            }
        }
        grantControls = @{
            operator = "OR"
            builtInControls = @(
                "mfa"
            )
            customAuthenticationFactors = @()
            termsOfUse = @()
            authenticationStrength = $null
        }
    }

    # Try to find an existing policy by name
    $ca = Get-MgBetaIdentityConditionalAccessPolicy -Filter "displayName eq '$PolicyName'"

    # Create or update the conditional access policy
    if ($null -ne $ca) {

        # Refuse to update when several policies share the same name; the target would be ambiguous.
        if ($ca.Count -gt 1) {
            $policyCount = $ca.Count
            Write-Error -Message "The operation could not be completed because $policyCount '$PolicyName' policies were found in the directory."
            return
        }

        Write-Host "Updating policy " $ca.Id
        Update-MgBetaIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $ca.Id -BodyParameter $params
        Write-Host "The conditional access policy has been successfully updated"
    } else {
        Write-Host "Creating new policy"
        New-MgBetaIdentityConditionalAccessPolicy -BodyParameter $params | Format-List
        Write-Host "The conditional access policy has been successfully created"
    }
}

# Connect to the Microsoft Entra tenant with the required scope
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Run the script (replace {App-ID} with your application's App ID)
Add-ConditionalAccessPolicy -PolicyName "Woodgrove demo - sign in risk" -AppId "{App-ID}"