Conditional Access

Conditional access (CA) is the process of permitting access to IT resources based on predefined conditions. By creating access policies based on users' device types, time of access, IP addresses, or geolocation, you can strictly control access to your network and data. CA adds a layer of security and helps prevent attackers from gaining access to IT resources, while ensuring a smooth user experience by allowing trusted users to gain access without repetitive security interruptions.

ADSelfService Plus enables you to apply CA across workstations, connected applications, protected endpoints, and various other features in ADSelfService Plus, making sure that access is limited to verified and authorized users.

Conditional access relies on a set of conditions, which are combined using a logical function to form a criteria. Users who meet this criteria are given access to ADSelfService Plus under a specific policy; this pairing of a criteria with a policy is called a CA rule. The rule determines which self-service policy will be applied to a user, which in turn determines the multi-factor authentication (MFA) methods, cloud applications, and self-service features that are enabled for that user.

Conditions

Conditions are user-related factors, such as device type, IP address, or geolocation. Under this section, you can both define your conditions and then select them to define your criteria as needed. You can define and select your conditions based on the following factors:

IP address: If configured, CA will evaluate the incoming connection based on the IP address of the device initiating the connection. You can choose the kind of IP addresses you are configuring the condition for: static IPs, proxy server IPs, or VPN IPs. You can also define whether the IP addresses you specify are trusted or untrusted IPs.

Device: You can configure this condition to evaluate the incoming connection based on the type of device it is originating from: specific computer objects and/or the platform (Windows, macOS, Linux, mobile web app, or native mobile app) they run on.

Business hours: You can define business and non-business hours, and choose to evaluate the incoming connection based on whether it occurs during business (or non-business) hours.

Geolocation: Configure this condition to evaluate incoming connections based on the country of origin.

Criteria

Once you have defined and enabled the conditions based on your requirements, you can combine the enabled conditions using AND, OR, and NOT operators to formulate a criteria, which specifies how the conditions are combined to decide the result of an access request.

For example, assume your users are located all over the world except in some countries. You need to ensure that they access resources only during business hours and from trusted IP addresses alone. In such a case, you need to enable the:

  1. IP address condition (with the trusted IPs).
  2. Business hours condition (with allowed time).
  3. Geolocation condition (with the countries where you don’t have users).

Then, you can use a logical function like the one below to formulate your criteria:

Criteria: 1 AND 2 AND (NOT 3)

CA rule

By associating the criteria with one or more self-service policies, you create a CA rule. A self-service policy allows you to enable the product’s features and configure how it should work for different sets of users based on their OU and group membership.

If you create multiple CA rules, you can choose to prioritize them. So, if a user falls under multiple CA rules, the rule with the highest priority will take effect, and subsequently, the self-service policies associated with that rule will be applied to the user. If a user does not fall under any CA rule, then the self-service policies will be applied based on the priority set to the policies in the Policy Configuration page.

Rule configuration

  1. Log in to ADSelfService Plus as an admin.
  2. Navigate to Configuration > Self-Service > Conditional Access > Rule configuration.
  3. Click + Create CA Rule.
  4. Enter a CA Rule Name and Description.
  5. Select the Conditions based on your requirements: IP Address, Device Type, Business Hours, and Geolocation.

     Note: These conditions determine how CA decisions are made. Use this section to define, enable, and apply conditions in your access criteria.

    • IP address based

      (Screenshot: IP-address-based CA in ADSelfService Plus)

      • To include this condition in your criteria, select the types of IP addresses to be evaluated by checking the respective boxes:
        • For users who connect to your network directly through their client computers, you can enable Static IPs.
        • If your users connect through a proxy server, you can enable Proxy Server IPs.
        • If your users connect through a VPN server, you can enable VPN IPs. To ensure that IP-based conditional access works for the VPN MFA feature, refer to this section to make the required changes at the NPS extension.

        Note: If you have enabled all three types of IPs, the priority will be decided based on this rule: (Static IP AND Proxy IP) OR VPN IP.

      • Select whether the IPs you've entered are Trusted or Untrusted.
      • For static IPs, enter the range of IP addresses in the IP Range fields. Use the + icon to add more IP ranges. You can also enter individual IPs and use * as the wildcard character for selecting an entire class of IP addresses.
    • Device-based

      (Screenshot: Device-type-based conditional access in ADSelfService Plus)

      • Include this condition in your criteria by checking the Computers box and then click the + icon.
      • In the Selected Computers dialog box that opens, select the domain and then the computer objects. Click Save.
      • Check the Platforms box and then use the drop-down to select the platform(s). You can choose from Windows, macOS, Linux, the ADSelfService Plus mobile web app, the ADSelfService Plus native mobile app, and ManageEngine applications.
    • Business-hours-based

      (Screenshot: Business-hours-based conditional access in ADSelfService Plus)

      • Check the Business Hours box to configure your criteria with this condition.
      • Select whether you want to configure business hours or non-business hours by clicking the corresponding radio button.
      • From the day and time range provided, configure your business or non-business hours.

      Note: The time will be applied based on the time zone you have selected for the setting found in Admin > Personalize > Time Zone.

    • Geolocation-based

      (Screenshot: Geolocation-based conditional access in ADSelfService Plus)

      • Check the Geolocation box to enable this condition.
      • Select the applicable Countries from the drop-down.

      How geolocation-based CA works in ADSelfService Plus

      ADSelfService Plus connects to the geolocation server using Zoho Creator. Ensure that https://creator.zoho.com is excluded from your firewall settings for geolocation-based conditional access to work.

      Geolocation-based conditional access relies on the user's IP address to determine the location. This means only access from public IP addresses will be evaluated. This condition will not include users with private IP addresses.

  6. A Criteria is automatically created from the conditions you have enabled. If the created criteria matches your requirements, you do not have to make any changes to it. Modify it only if you are sure that it does not satisfy your requirements. You can use AND, OR, and NOT operators to formulate the logic.
  7. Click Configure to create the new CA rule.

Rule assignment

Once the CA rule has been set up, it must be assigned to the users who will be assessed for CA. To do so:

  1. Log in to ADSelfService Plus as an admin.
  2. Go to Configuration > Self-Service > Conditional Access > Rule assignment.

     (Screenshot: Assigning CA rules in ADSelfService Plus)

  3. Select the rule that you want to assign from the drop-down.
  4. Select the policy that applies to the users you want to be evaluated.

     Note: This refers to the self-service policy that you can configure by going to Configuration > Self-Service > Policy Configuration.

     If a user is part of multiple policies, and at least one has CA enabled, they will only be able to perform actions allowed under the policy where the user meets the CA rule.

     Example: Consider three self-service policies, A, B, and C, and two CA rules, 1 and 2. Assume a user belongs to policies A and B, and that policies A and C are assigned to rule 1. If the user satisfies rule 1, then only policy A will be applied to the user, because A is the policy they belong to that is assigned to the CA rule they satisfy.
  5. You can also choose to allow or block NTLM single sign-on and ADSelfService Plus portal access. These settings will be applicable wherever the selected rule is satisfied.

     Note: The option to allow or block NTLM single sign-on will be enabled only if NTLM authentication is configured in logon settings.

If you have created multiple conditional access rules, you can set priority for each rule so that the rule with the highest priority is applied to users who fall under multiple rules.

To prioritize the conditional access rules:

  1. On the Conditional Access configuration page, click the change priority icon in the top-right corner (next to the + Create CA Rule button).

     (Screenshot: Prioritizing conditional access rules in ADSelfService Plus)

  2. Drag the rules and order them based on your requirements. The rule at the top will have the highest priority.
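How rule priority and policy membership interact, worked through in code. This is an added example, not ADSelfService Plus code: the users, the `satisfied_by` sets that stand in for the criteria check, and Rule 2's policy assignment are constructed; the user who belongs to policies A and B while A and C are assigned to rule 1 is the example from the rule assignment section above, and the fallback for a user who satisfies no rule follows the page's statement that policy priority then applies.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class CARule:
    name: str
    policies: Set[str]      # self-service policies this rule is assigned to
    satisfied_by: Set[str]  # constructed stand-in for the criteria check: users who meet the rule


# Constructed data. Policy priority as set on the Policy Configuration page
# (first = highest); A, B and C are the policies from the example in the text.
POLICY_PRIORITY: List[str] = ["A", "B", "C"]

# Policies each user belongs to through OU or group membership (constructed).
USER_POLICIES: Dict[str, Set[str]] = {
    "alice": {"A", "B"},   # the user from the text's example
    "bob": {"B"},
    "carol": {"A", "C"},
    "erin": {"B", "C"},
}

# CA rules in priority order, top = highest, as arranged in the change-priority dialog.
# Rule 1 is assigned to A and C as in the text; Rule 2's assignment to B and C is constructed.
CA_RULES: List[CARule] = [
    CARule("Rule 1", policies={"A", "C"}, satisfied_by={"alice", "carol"}),
    CARule("Rule 2", policies={"B", "C"}, satisfied_by={"bob", "carol"}),
]


def resolve_policies(user: str, rules: List[CARule],
                     user_policies: Dict[str, Set[str]],
                     policy_priority: List[str]) -> List[str]:
    """Return the self-service policies that apply to `user`, highest priority first.

    The first rule (in priority order) the user satisfies wins; only that rule's
    policies, restricted to the ones the user belongs to, apply. A user who
    satisfies no rule falls back to plain policy priority.
    """
    member_of = user_policies.get(user, set())
    for rule in rules:
        if user in rule.satisfied_by:
            return sorted(member_of & rule.policies, key=policy_priority.index)
    return sorted(member_of, key=policy_priority.index)


def reprioritize(rules: List[CARule], order: List[str]) -> List[CARule]:
    """Reorder rules by name, the way dragging them in the priority dialog does."""
    by_name = {r.name: r for r in rules}
    return [by_name[n] for n in order]


if __name__ == "__main__":
    for user in USER_POLICIES:
        print(user, resolve_policies(user, CA_RULES, USER_POLICIES, POLICY_PRIORITY))
    # Moving Rule 2 to the top changes what carol, who satisfies both rules, is allowed to do.
    swapped = reprioritize(CA_RULES, ["Rule 2", "Rule 1"])
    print("carol after reprioritizing:", resolve_policies("carol", swapped, USER_POLICIES, POLICY_PRIORITY))
```

The point to check when auditing a deployment is the carol case: a user who satisfies more than one rule gets the policies of the highest-priority rule only, so reordering rules silently changes which MFA methods and self-service features that user ends up with.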

Modifying, copying, disabling, and deleting conditional access rules

A rule can be modified to change the conditions or condition logic, copied to create a new rule, disabled, or deleted.

  1. Go to the Conditional Access configuration page (Configuration > Self-Service > Conditional Access).
  2. You will see a table containing all the conditional access rules that have been created.
  3. Under the Actions column, click an icon based on the action you want to perform.
  4. Use the enable/disable toggle to enable or disable a rule. A checked ☑ icon means the rule is enabled; an x-ed ☒ icon means the rule is disabled.
  5. Click the edit icon to modify the rule.
  6. Click the copy icon to copy the rule and create a new rule from it.
  7. Click the delete (trash) icon to delete a rule.


Copyright © 2025, ZOHO Corp. All Rights Reserved.