Reduce clicks in Conditional Access and obtain full visibility

Sciber focuses heavily on Microsoft, and a big part of that work is around passwordless. This leads us very quickly to Conditional Access. In this post, we explain how we approach the problem using our knowledge of Microsoft 365.

Many organizations struggle with visibility into Conditional Access, the single biggest component governing all access to your Microsoft 365 data. To solve this, Sciber has developed tools that help organizations visualize the relationship between users and their access. This is necessary because of limitations in the portal GUI where administrators govern access.

Conditional Access GUI briefly explained

To explain the current situation, we show an example of the effort required to answer the questions that many customers struggle with. To begin with, an administrator is faced with a simple list of policies. In large organizations there can be 50 or more policies, and finding what you are looking for requires a lot of clicks.


List of policies in Conditional Access

Next, once you are in a policy, you need to click through everything and manually note down what you find. Who has access to what? Who has MFA? Who is excluded from a policy?


Overview of a policy

We understand that many customers struggle with this. To turn this around into a use-case-based approach, we had to develop our own technology to give customers answers.

Use cases

Our use cases focus on the security risks we have to address. We understand that in complex environments administrators will not be able to click around in many different policies, because there is no way to understand how everything fits together that way.

Some of the use cases we address are:

  • List all excluded users, excluded groups and their group members, and the policies they are excluded from
  • Policies that target ALL apps (you should have at least one of these to make sure everything is covered)
    • Users and groups excluded from these policies
  • Policies that include ALL users (you should have at least one of these to make sure everyone is covered)
    • Users and groups excluded from these policies
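The use cases listed above can be sketched as an offline audit over exported policy data. This is an added example, not Sciber's tooling: it assumes policies exported in the shape of Microsoft Graph `conditionalAccessPolicy` objects, and the helper `_policy`, the policy names, the user and group ids and the membership table are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample shaped like Microsoft Graph conditionalAccessPolicy objects
# (GET /identity/conditionalAccess/policies). All ids and names are invented.
def _policy(name, state, inc_users, exc_users, inc_groups, exc_groups, apps):
    return {"displayName": name, "state": state, "conditions": {
        "users": {"includeUsers": inc_users, "excludeUsers": exc_users,
                  "includeGroups": inc_groups, "excludeGroups": exc_groups},
        "applications": {"includeApplications": apps}}}

POLICIES = [
    _policy("CA001 MFA for all users", "enabled", ["All"], ["u-breakglass"], [], ["g-mfa-exempt"], ["All"]),
    _policy("CA002 Compliant device for Exchange", "enabled", [], [], ["g-staff"], ["g-contractors"], ["app-exchange"]),
    _policy("CA003 Block legacy auth", "disabled", ["All"], ["u-alice"], [], [], ["All"]),
]
# Constructed membership; in a tenant this comes from /groups/{id}/members.
GROUP_MEMBERS = {"g-mfa-exempt": ["u-alice", "u-svc-scan"], "g-contractors": ["u-bob"]}

def enforced(policies):
    # Only state == "enabled" is enforced; report-only and disabled policies protect nothing.
    return [p for p in policies if p["state"] == "enabled"]

def excluded_principals(policies, group_members):
    """Map user id -> {(policy, how excluded)}, expanding excluded groups one level."""
    out = defaultdict(set)
    for p in enforced(policies):
        users = p["conditions"]["users"]
        for u in users.get("excludeUsers", []):
            out[u].add((p["displayName"], "direct"))
        for g in users.get("excludeGroups", []):
            for u in group_members.get(g, []):
                out[u].add((p["displayName"], "group:" + g))
    return dict(out)

def broad_policies(policies):
    """Names of enforced policies whose scope is All users / All apps."""
    def names(section, key):
        return [p["displayName"] for p in enforced(policies)
                if "All" in p["conditions"][section].get(key, [])]
    return {"all_users": names("users", "includeUsers"),
            "all_apps": names("applications", "includeApplications")}

if __name__ == "__main__":
    for user, hits in sorted(excluded_principals(POLICIES, GROUP_MEMBERS).items()):
        print(user, sorted(hits))
    print(broad_policies(POLICIES))
```

The disabled policy is skipped on purpose: an exclusion or an "All users" scope only matters for policies that are actually enforced.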

How it is tailored to you:

  • If you don't have, and can't implement, policies that cover ALL apps and ALL users, we will go through every user in Entra ID and check whether they are included in any policies, and for which apps (it only checks against apps listed in CA policies).
    • It will also list any user who can access a certain app through a specific platform

How it is presented

The visualization below shows how users who are members of a specific Azure group are excluded from a Conditional Access policy, thus bypassing any security stipulated in that policy. We can use this to identify other gaps and weak points where parts of the configuration were missed. In short, it visualizes how the different use cases are identified.


When we gather the data from a customer and show them these visualizations, we offer a much easier way to gain control over the one thing that governs all your access. Even in the most complex environments, this gives you a shortcut to getting in control much faster.

Customer value

We offer administrators of Conditional Access insight into gaps and potential security risks by leveraging graphing technologies and data directly from your environment. This gives you clear actions and complete oversight of how your policies are set up.

Sciber has engineered tooling that specifically covers this area, and we are ready to use the data in your environment to help you assess the current state and take the next step in increasing your security around access.

What is Conditional Access

Are you interested?

Customers can take advantage of this by leveraging Microsoft 365 competence from Sciber using our services: