Today's security perimeter extends beyond an organization's network to include user and device identity. Organizations can use identity-driven signals as part of their access control decisions. Azure Active Directory (AAD) Conditional Access brings these signals together to make decisions and enforce organizational policies.
Conditional Access policies at their simplest are if-then statements: if a user wants to access a resource, then they must complete an action. For example, if a data engineer wants to access Azure Data Explorer, then she is required to perform multi-factor authentication.
Why is it important?
Nowadays, organizations and governments are increasingly security conscious (for all the right reasons) and are looking for granular controls to secure their business applications and data. As attackers become more sophisticated, product teams must continually provide best-in-class security controls and stay ahead of the curve.
Consider how authentication has traditionally worked: organizations require users to supply a user ID and password. Most of the time it is the legitimate user typing them in and everything is fine; the user goes on to access all the data and applications they have been granted access to. But sometimes a malicious entity steals or guesses a user's credentials and puts your organization at risk of ending up in the data-breach headlines.
To reduce these risks, organizations can add authentication hurdles such as multi-factor authentication (MFA) or allow access only from recognized devices. AAD Conditional Access further strengthens the authentication process by analyzing signals such as the user's location, device platform and device state, and enforcing policies where necessary.
For example, in the context of Azure Data Explorer:
Organizations can create a policy that requires administrators, but not business analysts, to complete an MFA step.
Governments can deny all query requests originating outside their country, allow all requests that come from trusted locations, and require MFA for the rest.
Organizations can allow cluster monitoring only from specific device platforms such as Windows, macOS, iOS or Android.
Enterprises can allow data ingestion operations only from corporate devices marked as compliant by Microsoft Intune.
How does it work?
Azure Active Directory (AAD) is the preferred method for authenticating to Azure Data Explorer (ADX). ADX is now supported as an app in AAD Conditional Access, which allows condition-based policies to be enforced on top of ADX.
Let's assume an enterprise wants to apply a data access policy on Azure Data Explorer (ADX): any data analyst outside Singapore should be prompted for MFA, without burdening in-country analysts accessing from trusted locations.
Let's configure this scenario:
Go to the Azure portal and search for Azure AD Conditional Access.
Define a named location to filter on user location: open the Named locations blade and click Countries location.
Define a new country location named singapore and select the country from the list. Note that trusted locations are typically the specific IP ranges of your corporate network, not an entire country; we use a country here for simplicity.
Select the Policies blade and click New policy.
Select the specific users or groups the policy applies to.
Select Azure Data Explorer under Cloud apps or actions (this applies to all ADX clusters in the tenant).
Under Conditions, set Configure to Yes, set Include to Any location, and set Exclude to Selected locations, choosing singapore.
Under Grant, grant access but require multi-factor authentication.
Enable the policy by switching it On and click Create.
Now, if you perform any data operation via the Azure Data Explorer Web UI or a Kusto client from anywhere outside Singapore, you will be prompted with an MFA dialogue.
Note that Conditional Access policies apply only to ADX data-plane operations; they do not affect control-plane operations. For example, you can still create a cluster or a database via the Azure portal or CLI regardless of your location.
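The portal steps above map directly onto the Microsoft Graph Conditional Access API, and the include-all/exclude-singapore semantics (plus the data-plane versus control-plane caveat) are easiest to see by evaluating sample sign-ins against the policy. The following is an added example, not code from the original post or from Microsoft: it builds the two Graph request bodies (the country named location and the policy) and runs a simplified evaluator over constructed sign-ins. The app ids, group id and named-location id are placeholders; the ADX service principal's appId can be looked up in your tenant with `az ad sp list --display-name "Azure Data Explorer"`.

```python
"""Added example (not from the original post): the Singapore/ADX policy as
Microsoft Graph request bodies, plus a small evaluator showing which sign-ins
the policy would challenge with MFA.

Placeholders (assumptions, not values from the post):
  ADX_APP_ID             appId of the Azure Data Explorer service principal
  ARM_APP_ID             appId of Azure Resource Manager (control plane)
  ANALYSTS_GROUP_ID      object id of the data-analyst group the policy targets
  SINGAPORE_LOCATION_ID  id Graph returns when the named location is created
"""
from __future__ import annotations

from dataclasses import dataclass

GRAPH = "https://graph.microsoft.com/v1.0/identity/conditionalAccess"
ADX_APP_ID = "<adx-app-id>"                        # placeholder
ARM_APP_ID = "<arm-app-id>"                        # placeholder
ANALYSTS_GROUP_ID = "<analysts-group-id>"          # placeholder
SINGAPORE_LOCATION_ID = "<singapore-location-id>"  # placeholder
ALL = "All"  # Graph's sentinel for "Any location"


def singapore_named_location() -> dict:
    """Body for POST GRAPH/namedLocations: the country-based named location."""
    return {
        "@odata.type": "#microsoft.graph.countryNamedLocation",
        "displayName": "singapore",
        "countriesAndRegions": ["SG"],
        "includeUnknownCountriesAndRegions": False,
    }


def adx_mfa_policy(location_id: str) -> dict:
    """Body for POST GRAPH/policies: selected group, the ADX app, Any location
    included, singapore excluded, grant = require MFA, policy switched on."""
    return {
        "displayName": "ADX: require MFA outside Singapore",
        # use "enabledForReportingButNotEnforced" (report-only) while testing
        "state": "enabled",
        "conditions": {
            "users": {"includeGroups": [ANALYSTS_GROUP_ID]},
            "applications": {"includeApplications": [ADX_APP_ID]},
            "locations": {
                "includeLocations": [ALL],
                "excludeLocations": [location_id],
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


@dataclass
class SignIn:
    """Constructed sign-in: the facts Conditional Access evaluates here."""
    groups: set[str]
    app_id: str   # resource the token is requested for
    country: str  # ISO 3166-1 alpha-2 of the client IP; "" if unknown


def _location_matches(named_location: dict, country: str) -> bool:
    if country in named_location["countriesAndRegions"]:
        return True
    return country == "" and named_location["includeUnknownCountriesAndRegions"]


def requires_mfa(policy: dict, signin: SignIn, named_locations: dict) -> bool:
    """Simplified single-policy evaluation: user, app and location conditions
    must all match (location included and not excluded) before the grant applies."""
    if policy["state"] != "enabled":
        return False
    cond = policy["conditions"]
    if not signin.groups & set(cond["users"]["includeGroups"]):
        return False
    if signin.app_id not in cond["applications"]["includeApplications"]:
        return False

    def matches(loc_id: str) -> bool:
        return loc_id == ALL or _location_matches(named_locations[loc_id], signin.country)

    loc = cond["locations"]
    included = any(matches(l) for l in loc["includeLocations"])
    excluded = any(matches(l) for l in loc["excludeLocations"])
    if not included or excluded:
        return False
    return "mfa" in policy["grantControls"]["builtInControls"]


NAMED_LOCATIONS = {SINGAPORE_LOCATION_ID: singapore_named_location()}
POLICY = adx_mfa_policy(SINGAPORE_LOCATION_ID)


def demo() -> dict[str, bool]:
    """Constructed sign-ins; returns which ones the policy would challenge."""
    analyst = {ANALYSTS_GROUP_ID}
    return {
        "analyst_kusto_from_SG": requires_mfa(POLICY, SignIn(analyst, ADX_APP_ID, "SG"), NAMED_LOCATIONS),
        "analyst_kusto_from_US": requires_mfa(POLICY, SignIn(analyst, ADX_APP_ID, "US"), NAMED_LOCATIONS),
        "analyst_kusto_unknown_country": requires_mfa(POLICY, SignIn(analyst, ADX_APP_ID, ""), NAMED_LOCATIONS),
        # control plane: the token is for Azure Resource Manager, not the ADX app
        "analyst_portal_create_cluster_from_US": requires_mfa(POLICY, SignIn(analyst, ARM_APP_ID, "US"), NAMED_LOCATIONS),
        "non_analyst_kusto_from_US": requires_mfa(POLICY, SignIn({"<other-group-id>"}, ADX_APP_ID, "US"), NAMED_LOCATIONS),
    }


if __name__ == "__main__":
    for name, challenged in demo().items():
        print(f"{name:40s} MFA required: {challenged}")
```

Two points the evaluator makes visible: a sign-in whose country cannot be resolved is still challenged, because `includeUnknownCountriesAndRegions` is false on the exclusion and "Any location" still includes it; and a portal or CLI cluster-creation request is never challenged, since the token targets Azure Resource Manager rather than the ADX app the policy is scoped to.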