In Azure, you can create a Conditional Access policy to enforce time-based login restrictions. This can be achieved using Conditional Access policies in Azure Active Directory (Azure AD) in combination with Named Locations or Sign-in Risk Policies and Conditions. Specifically, for time-based restrictions, you’ll use Custom Controls or configure access during specific hours using Sign-in schedules.
Steps to Implement Time-Based Access:
1. Enable Azure AD Premium Plan
Conditional Access policies require Azure AD Premium P1 or P2.
2. Configure Conditional Access Policy
- Go to the Azure portal and navigate to Azure Active Directory > Security > Conditional Access.
- Click + New Policy to create a new policy.
- Name the policy, e.g., “Work Hours Login Policy.”
3. Assign the Policy
- Users and Groups: Select the users or groups the policy applies to.
- Cloud Apps or Actions: Choose the applications where the policy is enforced (e.g., Microsoft 365, Azure Portal).
4. Set Conditions
- Under Conditions, you can set:
  - Sign-in Risk: Optional for risk-based restrictions.
  - Named Locations: If you need geographic restrictions.
  - Device Platforms: Restrict based on device types.
5. Use Session Controls for Time-Based Restrictions
- Azure AD does not have native “time of day” restrictions in Conditional Access, but you can achieve this by:
  - Custom Security Attributes: Assign user attributes or roles tied to working hours.
  - Using Microsoft Graph API: Create scripts that activate/deactivate policies based on a schedule.
  - Third-Party Integration: Use integrations that enforce time restrictions.
6. Using PowerShell or Graph API for Time-Based Automation
Since Conditional Access lacks direct support for time-based policies, you can use PowerShell or Graph API scripts to automate enabling/disabling Conditional Access policies at specific times:
- Schedule scripts in an Azure Automation Account or via a Logic App.
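The Graph-based automation from steps 5 and 6, as an added example that is not part of the original page: an Azure Automation runbook, run hourly, that enables an existing Conditional Access policy that blocks the target group outside working hours and disables it during them. It assumes (hypothetically) a system-assigned managed identity on the Automation account with the Policy.ReadWrite.ConditionalAccess permission, and that $PolicyId is the id of that block policy.

```powershell
# Added example: toggle a "Block outside work hours" Conditional Access policy on a schedule.
# Assumptions (hypothetical): the Automation account's managed identity holds
# Policy.ReadWrite.ConditionalAccess; $PolicyId is the existing block policy's id;
# a schedule trigger runs this runbook every hour.
param(
    [Parameter(Mandatory)] [string] $PolicyId,          # id of the block policy
    [string] $TimeZoneId = 'W. Europe Standard Time',   # Windows time-zone id for "work hours"
    [int] $StartHour = 8,                               # first allowed hour (inclusive)
    [int] $EndHour = 18                                 # first blocked hour (exclusive)
)

Import-Module Microsoft.Graph.Identity.SignIns -ErrorAction Stop

function Get-DesiredPolicyState {
    param([datetime] $LocalNow, [int] $StartHour, [int] $EndHour)
    # The block policy must be *enabled* on weekends and outside [StartHour, EndHour).
    $isWeekend = $LocalNow.DayOfWeek.ToString() -in @('Saturday', 'Sunday')
    $inHours   = ($LocalNow.Hour -ge $StartHour) -and ($LocalNow.Hour -lt $EndHour)
    if ($isWeekend -or -not $inHours) { return 'enabled' }
    return 'disabled'
}

# Evaluate the schedule in the organisation's own time zone, not the runbook host's (UTC).
$tz       = [System.TimeZoneInfo]::FindSystemTimeZoneById($TimeZoneId)
$localNow = [System.TimeZoneInfo]::ConvertTimeFromUtc([datetime]::UtcNow, $tz)
$desired  = Get-DesiredPolicyState -LocalNow $localNow -StartHour $StartHour -EndHour $EndHour

Connect-MgGraph -Identity -NoWelcome   # sign in as the Automation account's managed identity

$policy = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $PolicyId -ErrorAction Stop

if ($policy.State -eq $desired) {
    Write-Output "Policy '$($policy.DisplayName)' is already '$desired' at $localNow; nothing to do."
}
else {
    # Only the state changes; assignments and grant controls are left as configured in the portal.
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $PolicyId -State $desired
    Write-Output "Policy '$($policy.DisplayName)' set to '$desired' at $localNow (was '$($policy.State)')."
}
```

The block policy itself should exclude your emergency-access (break-glass) accounts, and the runbook's job history should be monitored so a failed run does not silently leave the policy in the wrong state.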
7. Testing the Policy
- Test the policy by trying to log in during and outside of the specified hours to ensure it works as intended.
Native Feature: Sign-In Schedules (Preview)
- Microsoft has started introducing sign-in schedules for Azure AD users.
- Navigate to Azure AD > Users > Sign-in Schedules (Preview) and configure the schedule directly for a user or group.
By setting up this configuration, you can enforce access only during working hours, enhancing security and compliance. Let me know if you’d like detailed steps for any specific part!