Conditional Access Policy – Insider risk (Preview)

Introduction

A few days ago, on March 13, 2024, Microsoft introduced a new Conditional Access Policy for Microsoft Entra, which is currently in public preview. This policy is a security measure related to insider risks.

In this blog post, I would like to delve a bit deeper into these new options. Although they have been shared on various social media platforms in recent days, they have not been extensively described.

Background

To better understand the topic around the Insider risk Conditional Access Policy (CAP), I will provide some background knowledge.

One of the biggest threats to a company is its own employees. Today, it’s relatively easy for employees to leak data without it being noticed in daily operations.

Trust in one’s own employees is crucial, but at the end of the day, you never know if an employee has bad intentions or has even infiltrated the company as a so-called “mole”, trying to gain insider information. In a worst-case scenario, data could even be leaked, modified or deleted.

With the product “Purview”, Microsoft has brought a very good tool to the market, in my opinion, as a countermeasure. Unfortunately, it is not yet very prominent in my view and is less likely to be used in SMEs. In this post, I don’t want to go into detail about Microsoft Purview, but you can find Microsoft’s documentation on it here:

Prerequisites

In order to configure Insider risk in the CAP, the following prerequisites are required:

  • Microsoft Entra ID P1 / P2
  • Microsoft Purview

Configuration

For the new condition to appear in the CAP, as mentioned above, Microsoft Purview is required and must be active, otherwise the condition will not be visible to you.

Here is a screenshot from the official Microsoft documentation showing what it looks like in the CAP settings.
Screenshot of an example Conditional Access policy using insider risk as a condition. Source: Insider risk – Microsoft Learn

Recommendation

Microsoft has now released a cool new feature for CAPs. However, it should not be overlooked that this is a Public Preview feature, which is not yet GA.

Especially in large corporations, this new Insider risk option is met with great enthusiasm. In the SME environment, if Microsoft Purview is not in use, it does not come into play, or rather cannot be used.

My personal recommendation: if you have Microsoft Purview active in your organization, take a closer look at this CAP. Depending on what you find, you may come to the conclusion that it adds value for your company in protecting itself from insider risk.

Source: Insider risk CAP – Microsoft Learn
