Conditional Access

What is conditional access?

Conditional access is the process of protecting access to IT resources based on predefined conditions. By creating access policies based on users’ device types, time of access, IP addresses, or geolocation, you can strictly control access to your network and data. Conditional access provides added security and helps prevent attackers from gaining access to IT resources.

ADSelfService Plus helps you implement conditional access to ensure only authorized users have access to workstations, applications, and various features that are available in ADSelfService Plus, including Change Password and Directory Self-Update.

Understanding how conditional access works in ADSelfService Plus

To understand how conditional access works in ADSelfService Plus, you need to understand the basics first. Conditional Access relies on certain conditions and criteria, which are used to create a conditional access rule. This rule determines which self-service policy will be applied to a user, which in turn determines the multi-factor authentication methods, cloud applications, and self-service features that are enabled for that user.

Condition

A condition is a user-related factor, such as device type, IP address, or geolocation. You can enable any one or multiple conditions as per your requirement. ADSelfService Plus supports the following conditions:

Criteria

Once you have enabled the conditions based on your requirement, you can combine the enabled conditions using AND, OR, and NOT operators to formulate a criteria. This criteria will determine how the different conditions will be evaluated to determine the access request's result.

For example, assume your users are located all over the world except in some countries. You need to ensure that they access resources only during business hours and from trusted IP addresses alone. In such a case, you need to enable IP address condition (1) with the trusted IPs, business hours condition (2) with allowed time, and geolocation condition (3) with the countries where you don’t have users. Then, you can use a criteria like the one below:

Criteria: 1 AND 2 AND (NOT 3)

Conditional access rule

A conditional access rule consists of enabled conditions and a criteria that is associated with a self-service policy. A self-service policy allows you to enable the product’s features and configure how it should work for different sets of users based on their OU and group membership. By associating the conditions and criteria with one or more self-service policies, you create a conditional access rule.

If you create multiple conditional access rules, you have the option to prioritize them. So, if a user falls under multiple rules, the rule with the highest priority will take effect, and subsequently the self-service policies associated with that rule will be applied to the user. If a user does not fall under any conditional access rule, then the self-service policies will be applied based on the priority set to the policies in the Policy Configuration page.

Configuring Conditional Access

Rule configuration

  1. Login in to ADSelfService Plus as an admin.
  2. Navigate to Configuration > Self-Service > Conditional Access > Rule configuration.
  3. Click Configure New Conditional Access (CA) Rule.
  4. Enter a CA Rule Name and Description.
  5. Select the Conditions based on your requirements.
  6. Note: These conditions are the basis for making a decision. If a user satisfies any of the given conditions, this determines whether to allow or deny access to the conditions according to the configuration.
    • IP Address
      • Select the types of IP addresses by checking the respective boxes.
      • For users who connect to your network directly through their client computers, you can enable Static IP.
      • If your users connect through a proxy server, you can enable Proxy Server IP.
      • If your users connect through a VPN server, you can enable VPN IP. To ensure that Ip-based conditional access works for the VPN MFA feature, refer to this section to make the required changes at the NPS extension.
      • Note: If you have enabled all three types of IPs, the following rule applies: * (Static IP AND Proxy IP) OR VPN IP
      • Select whether to trust or untrust the entered IPs.
      • For Static IPs, enter the range of IP addresses in the IP Range fields. Use the + icon to add more IP ranges. You can also enter individual IPs and use * as the wildcard character for selecting an entire class of IP.
    • Device
      • Select the Computers checkbox and then click on the + icon.
      • In the Select Client Computer dialog box that opens, select the domain and then the computer objects. Click OK.
      • Select the Platforms checkbox and then use the drop-down to select the platforms. You can choose from Windows, macOS, Linux, mobile web app,native mobile app and the application.
    • Business Hours
      • Select the Business Hours checkbox.
      • Select whether you want to configure business hours or non-business hours by clicking on the corresponding radio button.
      • From the Day and Time range provided, configure your business or non-business hours.
      • Note: The time will be applied based on the time zone you have selected in the Admin > Personalize > Time Zone setting.
    • Geolocation
      • Select the Geolocation checkbox.
      • Select the Countries from the drop-down.
  7. A Criteria is automatically created with the conditions you have enabled. If the created criteria matches your requirements, you do not have to make any changes to it. Modify them only if you are sure that they still do not satisfy your requirements. You can use AND, OR, and NOT operators to formulate the logic.
  8. Click Configure.

Rule assignment

  1. Login to ADSelfService Plus as an admin.
  2. Go to Configuration > Self-Service > Conditional Access > Rule assignment.
  3. Select the rule that you want to assign from the drop-down.
  4. Select the policy to which you want to assign this rule.
  5. Note: This refers to the self-service policy that you can configure by going to Configuration > Self-Service > Policy Configuration. To learn more, refer to this page.

    It is important to note that the selected policy will be applicable to a user only if:

    • The user satisfies the rule.
    • The user is included in the selected policy.
    Example: Consider three self-service policies, A, B, and C, and two conditional access rules, 1 and 2. Assume a user belongs to policies A and B. Let's say both policies A and C are assigned to rule 1. If a user satisfies rule 1, then only policy A will be assigned to the user as he belongs only to policy A.
  6. Also, allow or block NTLM single sign-on and ADSelfService Plus portal access. These settings will be applicable wherever the selected rule is satisfied.
  7. Note: The option to allow or block NTLM single sign-on will be enabled only if NTLM authentication is configured in logon settings.

Prioritizing the conditional access rules

If you have created multiple conditional access rules, you can set priority for each rule so that the rule with the highest priority is applied to users who fall under multiple rules.

To prioritize the conditional access rules:

  1. In the Conditional Access configuration page, click on the change priority icon at the top right corner (next to the Configure New Conditional Access (CA) Rule button).
  2. Drag the rules and order them based on your requirements. The rule at the top will have the highest priority.

Modifying, copying, disabling, and deleting conditional access rules

A rule can be modified to change the conditions or condition logic, copied to create a new rule, disabled, or deleted.

  1. Go to the Conditional Access configuration page (Configuration > Self-Service > Conditional Access).
  2. You will see a table containing all the conditional access rules that have been created.
  3. Under the Actions column, click on an icon based on the action you want to perform.
  4. Toggle the icon-enable and icon-disable icons to enable or disable a rule. If there is a ☑ icon, it means the rule is enabled, and if there is a ☒ icon, it means the rule is disabled.
  5. Click on the icon to modify the rule.
  6. Click on the icon-copy icon to copy the rule and create a new rule from it.
  7. Click on the icon-delete icon to delete a rule.

Copyright © 2024, ZOHO Corp. All Rights Reserved.