Azure AD Conditional Access Automation Overview

Eray ALTILI
4 min read · Mar 8, 2023

In this article I want to give an overview of the benefits of, and the existing solutions for, automating the management of Conditional Access policies.

Benefits of automation of CA Using DevSecOps

There are real advantages to managing Conditional Access policies with a DevOps operating model. These include:

  • Using approval workflows and repository/branch policies for advanced governance
  • Version control which includes backup/restore and track changes of configuration items
  • Deploy and manage multi-tenant environments at scale, with a staging process
  • Compare configurations between staging or multi-tenant environments
  • Using standardized configuration or policy sets as default templates for new Azure AD tenants
  • Roll-out of resilient access controls
  • Technical documentation by “Policy As Code”
  • Continuous improvement by analyzing telemetry from audit and sign-in logs to improve coverage and efficiency
  • Reduce manual efforts, backups, and costs
  • Restore your policy design in case of faulty configuration
  • Rapidly roll out parallel policy designs for testing

Azure AD Conditional Access Automation Solution (CA as a Code)

All of the following solutions use the Microsoft Graph API. CRUD operations are available on the resource type “conditionalAccessPolicy”.
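As an added example (not code from the article or from Microsoft's sample), the core of a "CA as code" pipeline built on those CRUD operations: it normalizes policy objects, diffs the repository's desired policies against a tenant export, and plans the Graph calls needed to reconcile them, covering the compare, restore and staging benefits listed above. The sample policies, IDs and the `plan` and `normalize` function names are constructed for illustration; the field names follow the Graph conditionalAccessPolicy resource, and no request is actually sent.

```python
"""Plan Graph API calls that reconcile a tenant's Conditional Access policies
with policy-as-code files. Sample data is constructed for illustration."""
import json

GRAPH = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
# Fields Graph returns on GET but does not accept in a POST/PATCH body.
READ_ONLY = {"id", "createdDateTime", "modifiedDateTime", "templateId"}

def normalize(policy):
    """Drop read-only fields and sort lists, so that a different ordering of
    group or role IDs is not reported as drift."""
    def walk(node):
        if isinstance(node, dict):
            return {k: walk(node[k]) for k in sorted(node) if k not in READ_ONLY}
        if isinstance(node, list):
            return sorted((walk(v) for v in node), key=json.dumps)
        return node
    return walk(policy)

def plan(desired, tenant, stage=False):
    """Return (method, url, body) tuples that make `tenant` match `desired`.
    Policies are matched by displayName. With stage=True, new policies are
    created in report-only mode so their effect shows up in sign-in logs
    before they are enforced."""
    live = {p["displayName"]: p for p in tenant}
    wanted = {p["displayName"] for p in desired}
    ops = []
    for want in desired:
        name, body = want["displayName"], normalize(want)
        if name not in live:
            if stage:
                body["state"] = "enabledForReportingButNotEnforced"
            ops.append(("POST", GRAPH, body))
        elif normalize(live[name]) != body:   # drift: restore the repo version
            ops.append(("PATCH", f"{GRAPH}/{live[name]['id']}", body))
    ops += [("DELETE", f"{GRAPH}/{p['id']}", None)   # unmanaged policies
            for name, p in live.items() if name not in wanted]
    return ops

# Constructed sample: the repo's policy, and a tenant export in which someone
# disabled it in the portal and left an unmanaged test policy behind.
DESIRED = [{"displayName": "CA001: Require MFA for admins", "state": "enabled",
            "conditions": {"users": {"includeRoles": ["ROLE-TEMPLATE-ID-PLACEHOLDER"]},
                           "applications": {"includeApplications": ["All"]},
                           "clientAppTypes": ["all"]},
            "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}]
TENANT = [dict(DESIRED[0], id="pol-1", modifiedDateTime="2023-03-01T00:00:00Z",
               state="disabled"),
          {"id": "pol-2", "displayName": "Temp test policy", "state": "disabled",
           "conditions": {"users": {"includeUsers": ["None"]}},
           "grantControls": {"operator": "OR", "builtInControls": ["block"]}}]

if __name__ == "__main__":
    for method, url, body in plan(DESIRED, TENANT, stage=True):
        print(method, url, json.dumps(body))
```

In a real pipeline the `tenant` list comes from a GET on the same endpoint and each planned operation is executed after the repository's approval workflow has passed.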

Microsoft Ignite sample: Logic Apps, OneDrive and Teams

Microsoft has published documentation on building “programmatic access” to manage CA policies as code. This includes a tutorial, published on GitHub, for building lifecycle management of Conditional Access policies. The sample is a full lifecycle management solution built on Logic Apps, OneDrive, Teams and Azure Key Vault. More details are available in the GitHub repo.

Details and the benefits of this solution were also shown in the Ignite session “Managing your Conditional Access policies at scale”.

Using Logic Apps lets you deploy policies without any investment in infrastructure. Furthermore, managed identities and the integration with Microsoft Teams work natively.
