During the Microsoft Ignite conference in November 2021, Microsoft made several announcements related to Azure AD Conditional Access. You can read those announcements in the following article: “Identity at Ignite: Strengthen resilience with identity innovations in Azure AD”. This morning Thomas Naunheim tweeted that he saw the announced functionality appear in his tenant, so time for a quick look. It is strange, though, that even though the functionality is available and visible in the portal, no clear documentation can be found yet (at the time of writing), and the functionality is also not mentioned in the What’s new in Azure Active Directory? documentation.

In this post I will have a look at the following new functionality:

  • Conditional Access Dashboard
  • Conditional Access pre-built Templates
  • Conditional Access for Workload Identities

The Filters for Devices, which were also announced, have already been covered on my blog before, see:

The Conditional Access dashboard has been revamped and now identifies opportunities to strengthen policies based on an analysis of your organization’s sign-in patterns.

New Conditional Access overview page

The Overview page provides the following information:

  • The number of policies and their status, which clicks through to the Conditional Access policies
  • The number of users which have no policies applied, which clicks through to the Monitoring tab
  • Sign-ins from devices which are either managed or unmanaged, which clicks through to the Monitoring tab
  • Applications, which clicks through to the Coverage tab
  • Recommendations, with severity, description and a link to the policy template mitigating the issue

The Monitoring tab gives an overview of the sign-ins by Conditional Access result.

Monitoring tab

The Coverage tab provides the following information:

  • Top accessed applications
  • Top accessed applications not protected by Conditional Access

Coverage tab
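The Overview, Monitoring and Coverage tabs described above are all derived from sign-in log data. The following added example (not code from the article or from Microsoft) reproduces those three views offline from a constructed set of sign-in entries shaped like the Microsoft Graph signIn resource (appDisplayName, conditionalAccessStatus, deviceDetail.isManaged). The definition of a user "with no policies applied" as a user none of whose sign-ins hit a policy is my interpretation of the dashboard metric, not a documented one.

```python
from collections import Counter, defaultdict

# Constructed sample sign-in entries, shaped like the fields of the Microsoft Graph
# signIn resource that the dashboard draws on (conditionalAccessStatus is one of
# "success", "failure" or "notApplied"). All names and values are made up.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "conditionalAccessStatus": "success", "deviceDetail": {"isManaged": True}},
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Office 365 SharePoint Online",
     "conditionalAccessStatus": "success", "deviceDetail": {"isManaged": True}},
    {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Legacy LOB App",
     "conditionalAccessStatus": "notApplied", "deviceDetail": {"isManaged": False}},
    {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "conditionalAccessStatus": "notApplied", "deviceDetail": {"isManaged": False}},
    {"userPrincipalName": "carol@contoso.example", "appDisplayName": "Azure Portal",
     "conditionalAccessStatus": "failure", "deviceDetail": {"isManaged": False}},
    {"userPrincipalName": "dave@contoso.example", "appDisplayName": "Legacy LOB App",
     "conditionalAccessStatus": "notApplied", "deviceDetail": {"isManaged": False}},
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Azure Portal",
     "conditionalAccessStatus": "success", "deviceDetail": {"isManaged": True}},
]


def _ranked(counter):
    """Sort (name, count) pairs by count descending, then by name, for stable output."""
    return sorted(counter.items(), key=lambda item: (-item[1], item[0]))


def coverage_report(signins):
    """Summarise sign-ins the way the Overview, Monitoring and Coverage tabs do."""
    # Monitoring tab: sign-ins by Conditional Access result
    by_status = Counter(s["conditionalAccessStatus"] for s in signins)
    # Overview tab: sign-ins from managed versus unmanaged devices
    by_device = Counter(
        "managed" if s.get("deviceDetail", {}).get("isManaged") else "unmanaged"
        for s in signins
    )
    # Coverage tab: top accessed apps, and top apps where no policy applied
    app_total = Counter(s["appDisplayName"] for s in signins)
    app_unprotected = Counter(
        s["appDisplayName"] for s in signins if s["conditionalAccessStatus"] == "notApplied"
    )
    # Overview tab: users with no policies applied. Interpretation used here (an
    # assumption): none of the user's sign-ins were evaluated by any policy.
    statuses_per_user = defaultdict(set)
    for s in signins:
        statuses_per_user[s["userPrincipalName"]].add(s["conditionalAccessStatus"])
    users_without_policy = sorted(
        user for user, statuses in statuses_per_user.items() if statuses == {"notApplied"}
    )
    return {
        "signins_by_ca_result": dict(by_status),
        "signins_by_device": dict(by_device),
        "top_apps": _ranked(app_total),
        "top_apps_not_protected": _ranked(app_unprotected),
        "users_without_policy": users_without_policy,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(coverage_report(SAMPLE_SIGNINS), indent=2))
```

On real data you would feed this the `value` array of a sign-in export instead of `SAMPLE_SIGNINS`; the "top apps not protected" list is the one to walk through first, since every entry there is an application your policies never evaluated.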

When creating a new policy, we now have a new option called “Create new policy from templates (Preview)”.

Create new policy from templates (Preview) option

When selecting this option you end up in a wizard which allows you to choose whether the template is based on Identities or Devices. Once selected, you can pick the template from a list of templates.

The following templates (14 at the time of writing) are available.

Under Identities:

  • Require multi-factor authentication for admins
  • Securing security info registration
  • Block legacy authentication
  • Require multi-factor authentication for all users
  • Require multi-factor authentication for guest access
  • Require multi-factor authentication for Azure management
  • Require multi-factor authentication for risky sign-ins
  • Require password change for high-risk users

Under Devices:

  • Require compliant or hybrid Azure AD joined device for admins
  • Block access for unknown or unsupported device platform
  • No persistent browser session
  • Require approved client apps and app protection
  • Require compliant or hybrid Azure AD joined device or multi-factor authentication for all users
  • Use application enforced restrictions for unmanaged devices

Each policy can also be configured with a state (Off, On or Report-only), and a default name is provided which you can modify as well. See the following article for more information about what the templates do: Conditional Access templates (Preview)

We now have the option to assign certain policies to service principals only. For this a new selection item was created which allows you to switch between “Users and groups” and “Workload identities (Preview)”. Once Workload identities is selected you can either select All owned service principals, or select individual service principals from a list.

Conditional Access policy with Workload identities selected

Once a service principal is selected, many of the other configurable options in the Conditional Access policy are no longer available: you cannot select individual cloud apps, you cannot select any conditions, and the only grant control you can choose is Block access.
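Both the templates and the workload identity policies end up as ordinary Conditional Access policy objects, so it is worth seeing what one looks like outside the wizard. The example below is added here and is not code from the article or from Microsoft: it builds two policies shaped like the Microsoft Graph `conditionalAccessPolicy` resource (a "Require multi-factor authentication for admins" equivalent and a workload identity block policy) and then validates them against the constraints the sections above describe, including the break glass exclusion the templates do not offer. The object IDs are placeholders; the Global Administrator role template ID is Microsoft's well-known constant. Check the payload against the current Graph API reference before posting it to a tenant.

```python
import json

# Placeholder object IDs (not from the article); substitute values from your own tenant.
BREAK_GLASS_ACCOUNT_IDS = ["11111111-1111-1111-1111-111111111111",
                           "22222222-2222-2222-2222-222222222222"]
# Well-known directory role template ID for Global Administrator.
GLOBAL_ADMIN_ROLE_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"
# Graph policy states: enabled, disabled, or report-only.
VALID_STATES = {"enabled", "disabled", "enabledForReportingButNotEnforced"}


def mfa_for_admins_policy(excluded_user_ids, state="enabledForReportingButNotEnforced"):
    """Equivalent of the 'Require MFA for admins' template, plus explicit user exclusions."""
    return {
        "displayName": "Require multi-factor authentication for admins",
        "state": state,
        "conditions": {
            "users": {"includeRoles": [GLOBAL_ADMIN_ROLE_TEMPLATE_ID],
                      "excludeUsers": list(excluded_user_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def block_workload_identities_policy(service_principal_ids,
                                     state="enabledForReportingButNotEnforced"):
    """Policy targeting service principals: all cloud apps, no conditions, Block only."""
    return {
        "displayName": "Block selected workload identities",
        "state": state,
        "conditions": {
            "clientApplications": {"includeServicePrincipals": list(service_principal_ids),
                                   "excludeServicePrincipals": []},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def validate_policy(policy, break_glass_ids=BREAK_GLASS_ACCOUNT_IDS):
    """Return a list of findings; an empty list means the policy passes these checks."""
    findings = []
    if policy.get("state") not in VALID_STATES:
        findings.append(f"unknown state {policy.get('state')!r}")
    conditions = policy.get("conditions", {})
    controls = policy.get("grantControls", {}).get("builtInControls", [])
    users = conditions.get("users")
    if users is not None:
        # User-scoped policies: every break glass account must be excluded.
        missing = [bg for bg in break_glass_ids if bg not in users.get("excludeUsers", [])]
        if missing:
            findings.append(f"break glass accounts not excluded: {missing}")
    workload = conditions.get("clientApplications")
    if workload is not None:
        # Workload identity policies: only all apps, no other conditions, Block only.
        if conditions.get("applications", {}).get("includeApplications") != ["All"]:
            findings.append("workload identity policies must target all cloud apps")
        if controls != ["block"]:
            findings.append("workload identity policies only support the Block grant control")
        extra = set(conditions) - {"clientApplications", "applications"}
        if extra:
            findings.append(f"conditions not supported for workload identities: {sorted(extra)}")
        if not workload.get("includeServicePrincipals"):
            findings.append("no service principals selected")
    return findings


if __name__ == "__main__":
    for policy in (mfa_for_admins_policy(BREAK_GLASS_ACCOUNT_IDS),
                   block_workload_identities_policy(["33333333-3333-3333-3333-333333333333"])):
        print(json.dumps(policy, indent=2))
        print("findings:", validate_policy(policy))
```

Both builders default to report-only state, which mirrors the safe way to roll out a template: watch the Monitoring tab for a while before switching the policy on. The validator is the kind of pre-flight check you would run in a pipeline that manages policies as code, so that a policy created from a template cannot reach the tenant without the break glass exclusion.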

Some welcome additions to the Azure AD Conditional Access functionality have been added; especially the insight into which sign-ins are not covered by your CA policies is very helpful. I do also have some remarks though:

  • Adding extra options to Conditional Access makes it more complex
  • The templates cover some good scenarios but lack the option to exclude your break glass accounts

If you want to know more about conditional access, I want to suggest that you read my Whitepaper on the subject, for which the latest version can be found below:


I started my career in 1995 as a System Engineer in the broadcast industry, building and maintaining video editing suites and television studios and later specializing in Telecine equipment. In 1998 I switched to a first line support function within the Information Technology on the dealing room of a large bank, working my way up to a 3rd line support engineer. From this position I started to work on projects, which eventually resulted in projects where I worked across the border. In this period I implemented and designed several deployment solutions for mass rollout of workstations, laptops and servers. Since 2009 I switched to a consultancy function mainly focusing on but not limited to System Center design and implementation projects, besides that I became a Microsoft Certified Trainer (MCT) and currently teach System Center related classes (SCCM, SCOM and SCSM). In January 2010 I received the Microsoft MVP award with the expertise Setup & Deployment which was extended in 2011 and 2012. In 2013 and 2014 I was awarded the VMware vExpert award. In October 2014 I received the Microsoft MVP award with the expertise System Center Cloud and Datacenter Management (SCCDM).
