In this article I want to give an overview of the benefits of automating the management of Conditional Access Policies and of the solutions that already exist for it.
Benefits of automating CA using DevSecOps
Implementing CA management through a DevOps operating model brings some real advantages. These include:
- Using approval workflows and repository/branch policies for advanced governance
- Version control which includes backup/restore and track changes of configuration items
- Deploy and manage multi-tenant environments at scale, with a staging process
- Compare configurations between staging or multi-tenant environments
- Using standardized configuration or policy sets as default templates for new Azure AD tenants
- Roll-out of resilient access controls
- Technical documentation by “Policy As Code”
- Continuous improvement by analyzing telemetry from audit and sign-in logs to improve coverage and efficiency
- Reduce manual effort, backups, and costs
- Restore your policy design in case of faulty configuration
- Rapidly roll out parallel policy designs for testing
Azure AD Conditional Access Automation Solution (CA as a Code)
All of the following solutions use the Microsoft Graph API. CRUD operations are available under the resource type “conditionalAccessPolicy”.
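As an added example (not code from the article or from any of the solutions described below), the following script shows two building blocks of a CA-as-code pipeline on top of that resource type: normalizing exported policies so a staging tenant can be compared against production (the "compare configurations" benefit above), and assembling the Graph create/update call for a policy. It assumes the policy objects are the JSON returned by `GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies`, matches policies across tenants by `displayName`, and uses constructed sample exports with placeholder ids; no network call is made.

```python
import json

# Graph v1.0 endpoint for the conditionalAccessPolicy resource.
GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
# Tenant-specific metadata that must not be reported as configuration drift.
VOLATILE_FIELDS = {"id", "createdDateTime", "modifiedDateTime", "templateId"}


def normalize(policy: dict) -> dict:
    """Strip volatile metadata so exports from two tenants/stages compare equal."""
    return {k: v for k, v in policy.items() if k not in VOLATILE_FIELDS}


def diff_policy_sets(baseline: list, target: list) -> dict:
    """Match policies by displayName; report missing, extra and changed ones."""
    base = {p["displayName"]: normalize(p) for p in baseline}
    tgt = {p["displayName"]: normalize(p) for p in target}
    return {
        "missing": sorted(set(base) - set(tgt)),
        "extra": sorted(set(tgt) - set(base)),
        "changed": sorted(n for n in base.keys() & tgt.keys() if base[n] != tgt[n]),
    }


def graph_request(policy: dict, existing_id: str = "") -> tuple:
    """Build the Graph CRUD call for one policy: POST creates, PATCH updates.
    Returns (method, url, json body); sending it is left to the pipeline."""
    body = json.dumps(normalize(policy), sort_keys=True)
    if existing_id:
        return "PATCH", f"{GRAPH_CA_POLICIES}/{existing_id}", body
    return "POST", GRAPH_CA_POLICIES, body


# Constructed sample exports (placeholder ids, not data from any real tenant).
STAGING = [
    {"id": "stg-1", "displayName": "Require MFA for admins", "state": "enabled",
     "conditions": {"users": {"includeRoles": ["ROLE-TEMPLATE-ID-PLACEHOLDER"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"id": "stg-2", "displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]
PRODUCTION = [
    {"id": "prd-1", "displayName": "Require MFA for admins",
     "state": "enabledForReportingButNotEnforced",  # report-only: enforcement drift
     "conditions": {"users": {"includeRoles": ["ROLE-TEMPLATE-ID-PLACEHOLDER"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]

if __name__ == "__main__":
    print(json.dumps(diff_policy_sets(STAGING, PRODUCTION), indent=2))
```

Run against real exports, the "changed" list is what a pipeline gate would block on before the PATCH is sent.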
Microsoft Ignite: Logic App, OneDrive and Teams
Microsoft has published documentation on building “programmatic access” to manage CA policies as code. This includes a tutorial on building lifecycle management for “Conditional Access Policies”, which was published on GitHub. The sample contains a full lifecycle management solution built on Logic Apps, OneDrive, Teams and Azure Key Vault. More details are available in the GitHub repo.
The details and benefits of this solution were also shown during the “Ignite” session “managing your Conditional Access policies at Scale”.
Using Logic Apps allows policies to be deployed without any investment in infrastructure. Furthermore, managed identities and Microsoft Teams integration work natively.