
Unlock Advanced Security: Configuring Conditional Access Policies with Custom Security Attributes


Organizations can apply Conditional Access policies to all or individual apps, but managing numerous applications with multiple policies can be challenging.

Application Filters

To simplify management, the filter for applications in Conditional Access lets organizations tag service principals with custom security attributes and reference those attributes in policy instead of listing applications one by one. The filter is evaluated at sign-in, when the token is issued, not when the policy is saved. This answers the common question of whether apps are matched at runtime or at configuration time: an application tagged after the policy was created is covered by that policy without any policy edit, and removing the tag takes it out of scope again.

In a previous blog post, I detailed how to create custom security attributes and assign them to users; see Exploring Custom Security Attributes in Microsoft Entra ID.

This post focuses on applying a custom security attribute to an application and building a Conditional Access policy that targets applications by that attribute.

Assigning Roles

Custom security attributes are security-sensitive. By default no administrator role, not even Global Administrator, can read, define or assign them; only users who hold one of the custom security attribute roles can. Assign the appropriate role to the users who will manage or report on these attributes:

  • Attribute Assignment Administrator
  • Attribute Assignment Reader
  • Attribute Definition Administrator
  • Attribute Definition Reader

Assign the roles at the directory scope, or scope the assignment to a single attribute set when a user only needs to work with that set.

Create Custom Security Attributes

Follow the instructions in the article Add or deactivate custom security attributes in Microsoft Entra ID to:

Create an attribute set:

  • Name: AppCustomAccess

[Screenshot: Create an Attribute Set]

Create New Attributes:

  • Name: PolicyRequirements
  • Allow multiple values to be assigned.
  • Only allow predefined values to be assigned.

Predefined values (these are the values used in this post; define your own to match the controls you plan to enforce):

  • legacyAuthAllowed
  • blockGuestUsers
  • requireMFA
  • requireCompliantDevice
  • requireHybridJoinedDevice
  • requireCompliantApp
  • requiresigninfrequency
  • requiresessioncontrol

[Screenshot: New attribute with its predefined values]

Note: Conditional Access filters for applications only evaluate custom security attributes of type String. Boolean attributes can be defined and assigned, but a Conditional Access policy cannot reference them, so define the attribute as a String even if it will only ever carry one value.

Assign a Custom Security Attribute to an Application

If you already have an application that is backed by a service principal in your tenant, use that one. Only applications whose service principal is listed under Enterprise applications can be tagged, and therefore targeted by the filter; the Office 365 suite, for example, is a grouping of applications rather than a single service principal, so it cannot be tagged this way.

Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator and Attribute Assignment Administrator.

Navigate to Identity > Applications > Enterprise applications.

Select the service principal to apply a custom security attribute.

Under Manage > Custom security attributes, select Add assignment.

In my example, I configured the following settings for my test application, named identity-client-daemon-app:

Attribute set: AppCustomAccess

Attribute name: PolicyRequirements

Assigned values: requireCompliantDevice

In other words, this custom security attribute marks the application as one that must only be reached from a compliant device.

[Screenshot: Adding custom security attributes to an Entra ID application]

Save the configuration.

For testing, I tagged Graph Explorer with the same attribute value, so it serves as a second application that also requires a compliant device.

[Screenshot: Adding custom security attributes to the Graph Explorer app]
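The attribute setup above, from the attribute set through tagging a service principal, can be scripted with the Microsoft Graph PowerShell SDK, which is handy when many applications need the same tag. The script below is an added example and not code from the original post. It assumes the Microsoft.Graph module is installed, that the signed-in account holds the Attribute Definition Administrator and Attribute Assignment Administrator roles, and that an enterprise application named identity-client-daemon-app exists in the tenant (replace that name with your own).

```powershell
# Added example: create the attribute set and the multi-valued, predefined-values-only
# String attribute from this post, then tag one service principal with a value.
# Assumes: Microsoft.Graph module installed; the signed-in account holds the
# Attribute Definition Administrator + Attribute Assignment Administrator roles.
Connect-MgGraph -Scopes 'CustomSecAttributeDefinition.ReadWrite.All',
                        'CustomSecAttributeAssignment.ReadWrite.All',
                        'Application.ReadWrite.All'

$setName  = 'AppCustomAccess'
$attrName = 'PolicyRequirements'
$appName  = 'identity-client-daemon-app'     # assumption: replace with your app's display name
$values   = 'legacyAuthAllowed', 'blockGuestUsers', 'requireMFA', 'requireCompliantDevice',
            'requireHybridJoinedDevice', 'requireCompliantApp', 'requiresigninfrequency',
            'requiresessioncontrol'

# 1. Attribute set. Attribute sets cannot be deleted once created, so check first.
if (-not (Get-MgDirectoryAttributeSet -AttributeSetId $setName -ErrorAction SilentlyContinue)) {
    New-MgDirectoryAttributeSet -BodyParameter @{
        id                  = $setName
        description         = 'Tags service principals for Conditional Access application filters'
        maxAttributesPerSet = 25
    } | Out-Null
}

# 2. Attribute definition. Its ID is "<attributeSet>_<name>".
#    Conditional Access application filters only evaluate String attributes,
#    so the type is String even though every value is effectively a flag.
$definitionId = "${setName}_${attrName}"
if (-not (Get-MgDirectoryCustomSecurityAttributeDefinition -CustomSecurityAttributeDefinitionId $definitionId -ErrorAction SilentlyContinue)) {
    New-MgDirectoryCustomSecurityAttributeDefinition -BodyParameter @{
        attributeSet            = $setName
        name                    = $attrName
        description             = 'Conditional Access requirements for this application'
        type                    = 'String'
        isCollection            = $true      # allow multiple values to be assigned
        isSearchable            = $true
        usePreDefinedValuesOnly = $true      # only the allowedValues below may be assigned
        status                  = 'Available'
        allowedValues           = @($values | ForEach-Object { @{ id = $_; isActive = $true } })
    } | Out-Null
}

# 3. Tag the application's service principal. An app with no service principal
#    in this tenant cannot be tagged, and so cannot be targeted by the filter.
$sp = Get-MgServicePrincipal -Filter "displayName eq '$appName'"
if (-not $sp) { throw "No service principal named '$appName' in this tenant." }

Update-MgServicePrincipal -ServicePrincipalId $sp.Id -CustomSecurityAttributes @{
    $setName = @{
        '@odata.type'            = '#microsoft.graph.customSecurityAttributeValue'
        "${attrName}@odata.type" = '#Collection(String)'   # multi-valued String
        $attrName                = @('requireCompliantDevice')
    }
}

# 4. Read the tag back. customSecurityAttributes is only returned when selected explicitly.
$check = Get-MgServicePrincipal -ServicePrincipalId $sp.Id -Property 'id,displayName,customSecurityAttributes'
$check.CustomSecurityAttributes.AdditionalProperties[$setName]
```

Step 4 is the check worth keeping in a runbook: the assignment call returns nothing on success, so reading the attribute back is the only confirmation that the service principal actually carries the value the policy will later match.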

Create a Conditional Access Policy

Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator and Attribute Definition Reader.

Navigate to Protection > Conditional Access and select New policy.
Provide a meaningful name for the policy.

Under Assignments:

Select Users or workload identities > Include > All users.

Exclude your organization’s emergency access or break-glass accounts.

Under Target resources, configure the following:

Select Resources (formerly cloud apps) > Include > Select resources, then open Edit filter and set:

Configure: Yes
Attribute: AppCustomAccess, then choose PolicyRequirements
Operator: Contains
Value: requireCompliantDevice (the value assigned to both test applications)

[Screenshot: CA policy target resources, edit filter]

Expanding the Value drop-down lists every predefined value of the PolicyRequirements attribute; select the value that was assigned to the applications this policy should cover. Several expressions can be combined in one filter with And/Or conditions, as shown below.

[Screenshot: CA edit filter with an And condition]

Under Access controls > Grant, select Grant access and Require device to be marked as compliant.

Set Enable policy to Report-only and select Create. In report-only mode the policy is evaluated on every sign-in and the outcome is written to the sign-in logs, but nothing is enforced, so you can confirm that it matches only the tagged applications and the intended users before it can lock anyone out.

Once the report-only results look right, switch the policy from Report-only to On and save it.

[Screenshot: Turn on and save the CA policy]
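The same policy can be created with Microsoft Graph PowerShell, which matters when the same filter-based policy has to exist in several tenants or be kept under version control. This is an added example, not the post's own code. It assumes the Policy.ReadWrite.ConditionalAccess scope, a break-glass object ID placeholder that you replace with your own, and that the rule string matches what the portal shows under Rule syntax when you open Edit filter: the CustomSecurityAttribute.<AttributeSet>_<Attribute> form with a -contains operator is my reading of that view, so compare it with the rule syntax of your own policy before relying on it.

```powershell
# Added example: create the "require compliant device for tagged apps" policy in
# report-only state via Microsoft Graph PowerShell.
# Assumptions: Policy.ReadWrite.ConditionalAccess scope; the break-glass ID below is a
# placeholder; the applicationFilter rule string is my reading of the portal's Rule syntax view.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

$breakGlassIds = @('00000000-0000-0000-0000-000000000000')   # placeholder: your emergency access account object ID(s)

$policy = @{
    displayName = 'Require compliant device for apps tagged requireCompliantDevice'
    state       = 'enabledForReportingButNotEnforced'          # report-only first, never straight to enabled
    conditions  = @{
        users = @{
            includeUsers = @('All')
            excludeUsers = $breakGlassIds                        # keep break-glass accounts out of scope
        }
        applications = @{
            # The filter alone selects the apps; no explicit includeApplications list.
            applicationFilter = @{
                mode = 'include'
                rule = 'CustomSecurityAttribute.AppCustomAccess_PolicyRequirements -contains "requireCompliantDevice"'
            }
        }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('compliantDevice')                  # Require device to be marked as compliant
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Read back the filter the service stored so the rule can be compared with the portal's Rule syntax view.
(Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id).Conditions.Applications.ApplicationFilter

# After report-only results have been reviewed in the sign-in logs, enforce the policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = 'enabled' }
```

The state value enabledForReportingButNotEnforced is the API name for Report-only; the commented-out Update call at the end is the equivalent of toggling the policy to On in the portal, and is deliberately left as a separate step.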


Test the Conditional Access Policy

Sign in as a user to whom the policy applies and verify that a compliant device is required when accessing the tagged application. Use a device that is not compliant so that the grant control fails.

Open the identity-client-daemon-app test application, which is integrated with Microsoft Entra ID.

[Screenshot: Accessing the identity-client-daemon-app]

The app redirects to the Microsoft Entra ID sign-in page.

[Screenshot: Entra ID authentication page]

Sign in with a Microsoft Entra ID account.

[Screenshot: Entra user sign-in details]

Enter the account's password.

[Screenshot: Entra ID password prompt]

The user is then prompted for MFA, because a separate Conditional Access policy in this tenant enforces multi-factor authentication; that policy is unrelated to the attribute filter.

[Screenshot: Entra ID user MFA prompt]

After authentication succeeds, the Conditional Access policy that targets the custom security attribute is evaluated. Because the device is not compliant, the grant control fails, access is blocked and an error code is displayed.

[Screenshot: CA policy blocking app access from a non-compliant device]

Now check the Graph Explorer experience.

[Screenshot: Graph Explorer blocked because the device is not compliant]

Access to Graph Explorer is blocked as well: it carries the same attribute value, so the same policy applies and the device still does not meet the compliance requirement.

Next, check the Entra ID sign-in logs for the reason the access was blocked.

The sign-in log entry shows that the device does not meet the required compliance state.

[Screenshot: Sign-in log device compliance status]

The Conditional Access tab of the same entry reports the policy result as Failure.

[Screenshot: Conditional Access policy processing status]

Drilling into the policy shows that both the user and the application matched the policy's conditions (the application via the attribute filter), but the grant control, require compliant device, was not satisfied, which is why access was blocked.

[Screenshot: Conditional Access policy evaluation criteria]
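The sign-in log check above is the part worth automating, both while the policy is in report-only mode and after it is enforced. The script below is an added example, not code from the original post. It assumes the AuditLog.Read.All and Directory.Read.All scopes, an Entra ID P1 or P2 licence (required for sign-in log access), and a placeholder user principal name that you replace.

```powershell
# Added example: list a user's recent sign-ins where a Conditional Access policy failed,
# showing the application, the device compliance state and the policy that failed.
# Assumptions: AuditLog.Read.All + Directory.Read.All scopes; the UPN below is a placeholder.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

$upn   = 'testuser@contoso.example'     # placeholder: the account used in the test
$since = (Get-Date).AddHours(-24).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

$signIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn' and createdDateTime ge $since" -Top 50

$signIns | ForEach-Object {
    $s = $_
    # 'failure' is an enforced block; 'reportOnlyFailure' is what you see while the
    # policy is still in report-only mode (the sign-in itself succeeds in that case).
    $hits = $s.AppliedConditionalAccessPolicies | Where-Object { $_.Result -in 'failure', 'reportOnlyFailure' }
    if ($hits) {
        [pscustomobject]@{
            Time            = $s.CreatedDateTime
            App             = $s.AppDisplayName
            CAStatus        = $s.ConditionalAccessStatus       # success / failure / notApplied
            ErrorCode       = $s.Status.ErrorCode              # 0 when the sign-in itself succeeded
            DeviceCompliant = $s.DeviceDetail.IsCompliant
            DeviceManaged   = $s.DeviceDetail.IsManaged
            Policies        = ($hits | ForEach-Object {
                                  "$($_.DisplayName) => $($_.Result) [$($_.EnforcedGrantControls -join ', ')]"
                              }) -join '; '
        }
    }
} | Format-Table -AutoSize
```

Two things to look for in the output: the failing policy should be only the attribute-filter policy (any other name means a different policy is blocking the user), and DeviceCompliant should be False for the blocked entries, which ties the failure to the grant control rather than to the filter matching the wrong applications.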

Other Scenarios

Conditional Access policies with custom attributes can also support scenarios such as:

  • Blocking legacy authentication.
  • Blocking external access to applications.
  • Requiring compliant devices or Intune app protection policies.
  • Enforcing sign-in frequency controls for specific applications.
  • Requiring privileged access workstations for specific applications.
  • Enforcing session controls for high-risk users and specific applications.

Conclusion

Custom security attributes give Conditional Access a way to target applications by what they are tagged with rather than by name, which keeps the number of policies manageable as the application estate grows. By tagging service principals and referencing those tags in policy, administrators can apply the right controls to each class of application and bring a new application under an existing policy simply by tagging it. The steps in this post cover defining the attribute, tagging applications, creating the policy in report-only mode and verifying the result in the sign-in logs.
