
Conditional access policies in Azure - Commands & Configuration

Introduction
Conditional access policies help control who can access your cloud apps and data. They add extra checks, such as a second authentication factor or a trusted, compliant device, before allowing access.
When you want to require users to verify their identity with a second step before accessing sensitive apps.
When you want to block access from devices that are not secure or compliant with your rules.
When you want to allow access only from certain locations like your office network.
When you want to enforce multi-factor authentication for all users accessing cloud services.
When you want to protect your cloud resources from unauthorized or risky sign-ins.
Commands
Log in to your Azure account to manage resources and policies.
Terminal
az login
Expected Output
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code ABCD-EFGH to authenticate. You have logged in. Now let us find all the subscriptions to which you have access...
Create a conditional access policy named 'Require MFA for Admins' that requires multi-factor authentication for all admin users.
Terminal
az ad conditional-access policy create --display-name "Require MFA for Admins" --state enabled --conditions "{\"users\":{\"includeUsers\":[\"AllAdmins\"]}}" --grant-controls "{\"operator\":\"OR\",\"builtInControls\":[\"mfa\"]}"
Expected Output
{ "id": "/providers/Microsoft.Authorization/conditionalAccessPolicies/12345678-90ab-cdef-1234-567890abcdef", "displayName": "Require MFA for Admins", "state": "enabled" }
--display-name - Sets the name of the conditional access policy.
--state - Enables or disables the policy.
List all conditional access policies to verify the new policy was created.
Terminal
az ad conditional-access policy list
Expected Output
[ { "displayName": "Require MFA for Admins", "id": "/providers/Microsoft.Authorization/conditionalAccessPolicies/12345678-90ab-cdef-1234-567890abcdef", "state": "enabled" } ]
Show details of the specific conditional access policy to review its settings.
Terminal
az ad conditional-access policy show --id /providers/Microsoft.Authorization/conditionalAccessPolicies/12345678-90ab-cdef-1234-567890abcdef
Expected Output
{ "displayName": "Require MFA for Admins", "state": "enabled", "conditions": { "users": { "includeUsers": [ "AllAdmins" ] } }, "grantControls": { "operator": "OR", "builtInControls": [ "mfa" ] } }
--id - Specifies the unique ID of the policy to show.
Key Concept

If you remember nothing else from this pattern, remember: conditional access policies let you add rules that control who can access your cloud apps and under what conditions.

Common Mistakes
Creating a policy without specifying which users it applies to.
The policy will not apply to anyone and will have no effect.
Always include user conditions like includeUsers or excludeUsers to target the right people.
Enabling a policy without testing it first.
It can accidentally block legitimate users from accessing needed resources.
Use the policy in report-only mode or test it with a small group before enabling it for everyone.
Not specifying grant controls like MFA when creating the policy.
The policy will not enforce any access requirements and won't protect resources.
Always define grant controls such as requiring MFA or blocking access.
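A pre-flight check for the JSON passed to --conditions and --grant-controls in the create command above, added here as an example (not part of the original page or of Azure CLI). It flags the three common mistakes listed above plus an all-users policy with no exclusions; build_policy and lint_policy are hypothetical helper names, and the report-only state value is the one Microsoft Graph uses.

```python
import json

# Constructed sample: the same JSON strings the create command on this page
# passes to --conditions and --grant-controls.
CONDITIONS_JSON = '{"users":{"includeUsers":["AllAdmins"]}}'
GRANT_CONTROLS_JSON = '{"operator":"OR","builtInControls":["mfa"]}'


def build_policy(display_name, state, conditions_json, grant_controls_json):
    """Assemble the policy object from the CLI argument strings (hypothetical helper)."""
    return {
        "displayName": display_name,
        "state": state,
        "conditions": json.loads(conditions_json),
        "grantControls": json.loads(grant_controls_json),
    }


def lint_policy(policy):
    """Return one string per problem found; an empty list means the policy is clean.

    The checks mirror the common mistakes above: no target users, no grant
    controls, and enabling a policy without running it in report-only mode first.
    """
    problems = []
    users = policy.get("conditions", {}).get("users", {})
    if not any(users.get(k) for k in ("includeUsers", "includeGroups", "includeRoles")):
        problems.append("no target users: the policy applies to nobody")
    # A policy scoped to every user with no exclusions can lock out the
    # emergency-access accounts that would be needed to fix it.
    if "All" in (users.get("includeUsers") or []) and not users.get("excludeUsers"):
        problems.append("applies to All users with no excludeUsers: lockout risk")
    grant = policy.get("grantControls") or {}
    if not grant.get("builtInControls"):
        problems.append("no grant controls: the policy enforces nothing")
    # Microsoft Graph's report-only state is enabledForReportingButNotEnforced.
    if policy.get("state") == "enabled":
        problems.append("state is enabled: run it as enabledForReportingButNotEnforced first")
    return problems


if __name__ == "__main__":
    policy = build_policy("Require MFA for Admins", "enabled",
                          CONDITIONS_JSON, GRANT_CONTROLS_JSON)
    for problem in lint_policy(policy):
        print("WARNING:", problem)
```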
Summary
Use 'az login' to sign in to your Azure account before managing policies.
Create conditional access policies with 'az ad conditional-access policy create' specifying users and controls.
Verify policies exist and check their details with 'az ad conditional-access policy list' and 'az ad conditional-access policy show'.