ITM is an open framework - Submit your contributions now.

Insider Threat Matrix™

  • ID: PV056
  • Created: 25th April 2025
  • Updated: 25th April 2025
  • Platforms: Android, iOS, Windows, Linux, MacOS,
  • Contributor: Patrick Mkhael

Azure Conditional Access Policies

Azure Conditional Access provides organizations with a powerful tool to enforce security policies based on various factors, including user behavior, device compliance, and location. These policies can be configured through the Azure Active Directory (Azure AD) portal and are typically applied to cloud-based applications, SaaS platforms, and on-premises resources that are integrated with Azure AD.

 

To configure Conditional Access policies, administrators first define the conditions that trigger the policy, such as:

  • User or group membership: Applying policies to specific users or groups within the organization.
  • Sign-in risk: Assessing user sign-in risk levels, such as unfamiliar locations or suspicious behaviors, and enforcing additional controls like MFA.
  • Device compliance: Ensuring only compliant devices (those managed through Intune or similar tools) can access organizational resources.
  • Location: Restricting access based on trusted or untrusted IP addresses and geographic locations, blocking risky or suspicious login attempts.

 

Once conditions are set, administrators can then specify the actions to take, such as requiring MFA, blocking access, or allowing access only from compliant devices. For example, an organization could require MFA when accessing Microsoft 365 or other cloud applications from an unmanaged device or high-risk location.

 

Conditional Access policies are configured through the Azure AD portal and can be applied to a variety of platforms and services, including (but not limited to):

  • Microsoft 365 (e.g., Exchange, SharePoint, Teams)
  • Azure services (e.g., Azure Storage, Azure Virtual Machines)
  • Third-party SaaS applications integrated with Azure AD

Sections

ID Name Description
ME007Privileged Access

A subject has privileged access to devices, systems or services that hold sensitive information.

ME024.003Access to Critical Environments (Production and Pre-Production)

Subjects with access to production and pre-production environments—whether as users, developers, or administrators—hold the potential to exploit or compromise highly sensitive organizational assets. Production environments, which host live applications and databases, are critical to business operations and often contain real-time data, including proprietary business information and personally identifiable information (PII). A subject with access to these systems can manipulate operational processes, exfiltrate sensitive data, introduce malicious code, or degrade system performance.

 

Pre-production environments, used for testing, staging, and development, often replicate production systems, though they may contain anonymized or less protected data. Despite this, pre-production environments can still house sensitive configurations, APIs, and testing data that can be exploited. A subject with access to these environments may uncover system vulnerabilities, access sensitive credentials, or introduce code that could be escalated into the production environment.

 

In both environments, privileged access provides a direct pathway to the underlying infrastructure, system configurations, logs, and application code. For example, administrative access allows manipulation of security policies, user permissions, and system-level access controls. Similarly, access to development environments can provide insights into source code, configuration management, and test data—all of which could be leveraged to further insider activity.

 

Subjects with privileged access to critical environments are positioned not only to exploit system vulnerabilities or bypass security controls but also to become targets for recruitment by external actors seeking unauthorized access to sensitive information. These individuals may be approached or coerced to intentionally compromise the environment, escalate privileges, or exfiltrate data on behalf of malicious third parties.

 

Given the sensitivity of these environments, subjects with privileged access represent a significant insider threat to the integrity of the organization's systems and data. Their position allows them to manipulate or exfiltrate sensitive information, either independently or in collaboration with external actors. The risk is further amplified as these individuals may be vulnerable to recruitment or coercion, making them potential participants in malicious activities that compromise organizational security. As insiders, their knowledge and access make them a critical point of concern for both data protection and operational security.