ThirdSpace ThirdSpace
ThirdSpace Contact Us
Close 0 Reset Search Run Search What are you looking for? Type at least three characters to search. Filter Search Results
  • All Content
  • Blog
  • Page
  • Case Studies
  • Event
  • Resources
  • News
  • Careers
  • Access Centre
  • Technologies
  • Workshops
  • Service
  • Solutions
  • People
Load more
28 February 2019

Microsoft Q&A: Sue Bohn on conditional access, MFA and how to get a serious security boost

Profile photo of Mat Richards - Security and Mobility.
Written by Mathew Richards

The number of data breaches involving stolen or weak passwords has gone from 50% to 81% during the past three years.*

This alarming trend clearly illustrates that securing access based on passwords alone is not enough.

Sue Bohn is a Partner Director of Program Management in the Identity Division at Microsoft. She leads the Identity Customer and Partner Success Team, which drives deep engineering relationships with customers and partners.

Sue has spent twenty-five years in various marketing, evangelism, and engineering roles across the Developer, Business Solutions, Windows, and Cloud + AI divisions in Microsoft.

Our Head of Security and Mobility, Mathew Richards, recently sat down with Sue to talk about how deploying conditional access and multi-factor authentication (MFA) can seriously boost security in your organisation.


“We see adaptive authentication as the next stage in maturity for intelligent identity-driven security”

Mat Richards: Hi Sue, thanks so much for joining us today. Can I start by asking you about your experience with the development of conditional access and multi-factor authentication (MFA) from Microsoft?

Sue Bohn: Thanks Mat. So, I work in the Identity division here at Microsoft. We are responsible for several commercial products including Azure AD and Azure AD B2C, on-premises products such as Active Directory and Microsoft Identity Manager, and our consumer-facing Microsoft Account identity services for services like and Xbox Live.

Within the Azure AD cloud service, we’ve built a number of security features including Azure MFA, conditional access and Identity Protection.

“With conditional access we’ve made MFA more user-friendly and created more ways to manage risk.”

MR: It’s a simple question, but one that some of our clients may still want to know – what exactly is conditional access?

SB: To start, conditional access is Microsoft’s name for what the industry refers to as adaptive authentication. Historically, we always had to rely on MFA for strong authentication, so we see adaptive authentication as the next stage in maturity for intelligent identity-driven security. We haven’t abandoned MFA by any means, but we’ve made it more user-friendly and created more ways to manage risk.

Imagine a common scenario where users move through their working week and they trigger different login or access scenarios to their systems – whether it’s accessing different apps, using different devices or working from different places – conditional access ensures that you’re able to continuously verify and re-verify access.

Since a user’s login situation is evaluated each and every time, the feature reduces the overall number of prompts they receive on a daily basis. That’s a good thing for two reasons:

  1. It enhances security
  2. It enhances the user experience

MR: Can you elaborate on some of the typical conditions and controls that are available with the conditional access capability?

SB: In its briefest form, controls and conditions in conditional access work together to form a set of ‘if /then’ statements that are evaluated during the authentication process. The ‘if’ part refers to the conditions and the ‘then’ part is the controls.

For conditions, there are a few main scenarios:

  1. Who is the user? What user groups do they belong to? What level of access?
  2. What apps are they trying to access?
  3. What device or OS are they using?
  4. From what IP address are they logging in?
Sue says the option of hardware OATH tokens used with Azure MFA will allow for strong authentication even when a phone is unavailable or impractical.

For controls, there a number of options based on your risk tolerance. You can approve and allow access, you can challenge the user to provide more information with a multi-factor authentication (MFA) prompt, you could allow some form of limited access, or, finally, you could just flat out block them.

To provide some context on what it allows companies to do, our customer, Korn Ferry, who use conditional access to ensure that data is retrieved only by users, devices, and apps that meet access requirements, told us they really liked the fact that they can treat their employees that work outside the office more strictly than those inside. They didn’t feel like they had to make a choice between mobility and security – they could have both.

MR: What do you see as the most common (typical) conditional access scenarios that most organisations will be using?

SB: When you think of it in technical terms, there are probably three main scenarios an organisation should look to set up first.

The first scenario is simply to control secure access across multiple devices, especially useful for organisations with a bring your own device (BYOD) policy or organisations that want seamless B2B partner access. In these cases, when a user is trying to access sensitive data from an unknown mobile device, your organisation can use conditional access to stipulate an MFA prompt that bolsters security. This is perfect is you want to promote enterprise mobility without putting your security at risk.

Scenario two is granting access to a distributed workforce. In this instance, organisations want to control access based on where the user is logging in from – are they on the corporate network or logging in from an unfamiliar location? Are there suspicious geographical locations you want to block, or is the user logging in from the UK and then 10 minutes later logging in from China? Again, you can set up the location conditions on your system and stipulate what access controls you want to put in place.

This scenario is used at George Washington University, where they use micro location/geographical conditions to manage students’ access to both digital assets and physical buildings. For example, if a student logged in from one specific campus and then two minutes later tried to enter a residence hall at another campus, the University is able to detect this and challenge that action.

“It’s really important to us that security doesn’t come at the cost of mobility or usability […] we want security tools to be invisible.”

And then finally, the third scenario is for handling risky users and risky sign-ins using a combination of Azure AD Conditional Access and Azure AD Identity Protection. We know that about 80% of all attacks come from compromised credentials, so it’s super important to help customers with that challenge.

When Microsoft learns of customer credentials that we know have been compromised, we immediately issue a high-risk event and move the user to High Risk. If you have an Azure AD Identity Protection user risk policy, such users will be forced to remediate themselves through a secured (MFA challenged) password reset. This automatically closes the risk (user and sign-in) without your IT admin having to do anything. This also brings down your help desk cost since the users automatically remediate themselves.

Similarly, IT admins can define the end user experience around risky sign-ins (e.g. sign-ins from unfamiliar locations or Anonymous IPs). IT admins can choose to allow, block or MFA challenge such risky sign-ins. This can be done in conjunction with Azure AD Conditional Access where sign-in risk (from Azure AD Identity Protection) just becomes one of the conditions within conditional access, allowing IT admins to have even more granular risk-based policies.

MR: You’ve mentioned MFA a lot – is this the most important tool to put in place to boost security in your organisation? If I was the CISO for a large organisation, what should I be asking my IT department to switch on tomorrow?

SB: We know that basically if you use MFA, you can prevent 99.9% of all credential attacks and, as I mentioned earlier, that is the predominant type of attack that we see. It’s relatively straight forward to put in place and control through conditional access, so one of the first things you should do is turn on MFA for all your IT admins.

It’s also worth mentioning the risks posed from legacy authentication, the original form of authentication used by apps like:

  • Older Office clients that do not use modern authentication (e.g., Office 2010 client)
  • Clients that use mail protocols such as IMAP/SMTP/POP

So, for example, if you’re using Exchange, that means your authentication goes back to Exchange, whereas in contrast, modern authentication (MA) is actually performed against the identity provider – in this case, that would be Azure AD.

Password spray attacks (which involve an attacker ‘spraying’ forced password breaches across thousands of accounts) are particularly focused on legacy authentication protocols and our intelligence clearly shows us that bad actors are exploiting the hole in legacy authentication, so we strongly advise this is one of the first things you block through conditional access.

Free watch: Safeguard your data and apps with conditional access and MFA

Free watch: Safeguard your data and apps with conditional access and MFA

81% of breaches are caused by compromised credentials. Watch this free webinar on-demand and discover:

  • Why conditional access and MFA technologies are essential
  • What actions you can take right now to mitigate the risk of a breach
Watch on-demand now

MR: What are the top tips or tricks that may be useful for any organisation currently in the middle of deployment or considering deployment for either conditional access or MFA?

SB: I’d say the most important tips are:

  • Switch on MFA for all your admins – it’s such a fundamental thing that we don’t even require a premium license for admins to have that capability!
  • Block Legacy Authentication (because it doesn’t enforce MFA).
  • Use the ‘what if’ tool to test your conditional access policies before you roll them out to broader groups.
  • Define at least two emergency access (“break glass”) accounts to make sure that you don’t inadvertently lock yourself out of the administration of your Azure AD tenant.
  • Upgrade your global admins’ devices to Windows 10 with Windows Hello for Business – using the most current OS along with a biometric creates a secure and user-friendly experience for some of your more sensitive users.

I’d also strongly recommend reading our recent whitepapers on Azure AD data security.

MR: We know it’s an essential thing for vendors to constantly stay ahead of the game when it comes to cyber security. We see Microsoft doing that a lot, which is great…

Are you able to share any nuggets on the roadmap for where conditional access and MFA are evolving?

SB: Sure. Well, first off, I really appreciate the compliment that you feel we’re producing a lot of value. At Microsoft we always say that we feel like we’re on a moving walkway because you don’t always feel like you’re moving fast enough, but then when you scan off to the distance, you realise you’re moving pretty fast – there’s always more code to write, I guess.

“We have delivered support for hardware OATH tokens for Azure MFA, […] This way we can enable strong authentication from anywhere, from any device.”

In the long-term it’s really important to us that security doesn’t come at the cost of mobility or usability – in fact, we want, as much as possible, for security tools to be invisible. In the short term there are three categories of work that we’re investing in:

  1. More baseline conditional access policies – that’ll allow customers to be able to implement their security measures more easily around common scenarios. We’re continually talking to our customers so that as we uncover new scenarios that go into our backlog, we really understand what customers are looking for!
  2. More simulation capabilities, in addition to our ‘what if’ tool – it benefits our customers to be able to preview a policy and test it before it goes live.
  3. More choices for authentication within MFA, for example, in terms of hardware. Take scenarios like a workforce dealing with hazardous materials: if you’re suited up in the lab on location, you’re not going to be able to get to your smartphone. Another example is retail: workers on the shop floor where organisations don’t necessarily want staff to have their phones with them to authenticate.

To address this, we have delivered support for hardware OATH tokens for Azure MFA, currently in public preview. This will deliver the end user a temporary authentication code that they can use on an additional device or terminal. Users can now have up to five devices in any combination of hardware or software-based OATH tokens and the Microsoft Authenticator app. This way we can enable strong authentication from anywhere, from any device.

MR: Sue, thanks so much for talking to us about conditional access and how organisations can combine it with MFA to provide an immediate security boost. It’s also great to see the roadmap you are putting in place to keep us secure in the future.


Next steps

Watch our on-demand webinar to discover why conditional access and multi-factor authentication are key to securing your organisation’s assets.

Or, take our new Security and Privacy Scorecard to find out how you score on security in your organisation. It takes just a couple of minutes to complete and you’ll receive a free report with expert insights and improvement recommendations tailored to your score.

* Citing the 2017 Verizon Data Breach Investigations Report (DBIR)

Subscribe to the ThirdSpace mailing list and get your free buyer’s guide to Microsoft Enterprise Security

Subscribe to the ThirdSpace mailing list and get your free buyer’s guide to Microsoft Enterprise Security

Submit your business email to join our mailing list and we'll send you 'A buyer’s guide to Microsoft Enterprise Security'.

Profile photo of Mat Richards - Security and Mobility.

About Mathew Richards

Head of Mobility & Security

As head of our Mobility & Security practice, Mat’s responsibilities include ensuring that our technical knowledge and delivery capability are fully up to speed and current, as well as creating a...


You may also like...


Remote working fuels 2022 Cyber Essentials changes – Are you ready to meet the new security standard?


Microsoft 365 licensing: E3 vs. E5 – Which is right for you?


From ‘You’ve been pwned’ to passwordless: Secure access made easy – An interview with Yubico’s Chief Solutions Officer

Recent Blog Articles

View All
Related topics

Watch: Free conditional access and MFA webinar

Find out how conditional access and MFA mitigate the risk of a data breach.

Watch now

Need some help?

Send us your questions or feedback.

Friendly folks are standing by!

Contact Us
Award-winning solutions Award-winning solutions

Eight-time winner of the Microsoft Partner of the Year Award for Identity Management, Enterprise Mobility, and Security and Compliance.

ThirdSpace Please upgrade your browser

You are seeing this because you are using a browser that is not supported. The ThirdSpace website is built using modern technology and standards. We recommend upgrading your browser with one of the following to properly view our website:

Windows Mac

Please note that this is not an exhaustive list of browsers. We also do not intend to recommend a particular manufacturer's browser over another's; only to suggest upgrading to a browser version that is compliant with current standards to give you the best and most secure browsing experience.