Access control using Microsoft Entra Conditional Access

In WorkZone, it is your organization's own security policies that control access. When a user logs in, the sign-in request is sent to your Microsoft Entra tenant, where your Conditional Access policies determine whether access should be granted. This means that your organization has full control over which devices, locations, accounts, and login methods (for example, multifactor authentication) are allowed.

To ensure effective and secure access management, we recommend utilizing your organization's existing Conditional Access policies to define specific rules for who can log in and how. For example, you can restrict access to only approved devices, preventing employees from inadvertently logging in from personal devices or external networks. This approach is also used in other systems, such as Office 365.
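The following is an added example, not part of the WorkZone documentation or KMD's own configuration: a Conditional Access policy, created with the Microsoft Graph PowerShell SDK (module Microsoft.Graph.Identity.SignIns), that allows sign-in to the WorkZone application only from Intune-compliant (approved) devices and only after multifactor authentication. The application ID and the emergency-access group ID are placeholders; the policy is created in report-only mode so that its effect can be checked in the sign-in logs before it is enforced.

```powershell
# Added example (not KMD/WorkZone code). Requires the Microsoft.Graph.Identity.SignIns module.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholders: replace with the app (client) ID of the WorkZone enterprise application
# and the ID of the group holding your emergency-access (break-glass) accounts.
$workZoneAppId     = "<WORKZONE-APP-ID>"
$breakGlassGroupId = "<EMERGENCY-ACCESS-GROUP-ID>"

$policy = @{
    displayName = "WorkZone - require compliant device and MFA"
    # Report-only: the sign-in logs show what the policy would block, without affecting users.
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        clientAppTypes = @("all")                    # browsers, desktop and mobile clients
        applications = @{
            includeApplications = @($workZoneAppId)  # scope to WorkZone only, not all cloud apps
        }
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)    # never lock the emergency accounts out
        }
    }
    grantControls = @{
        operator        = "AND"                        # both controls must be satisfied
        builtInControls = @("mfa", "compliantDevice")  # MFA and an Intune-compliant device
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Once the report-only results look right, enforce the policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

The `compliantDevice` control presupposes that devices are enrolled in Intune with a compliance policy; organizations that rely on hybrid-joined Windows devices instead can use the `domainJoinedDevice` control. Scoping the policy to the WorkZone application rather than to all cloud apps keeps the rule specific and easy to review, and the excluded emergency-access group is what prevents a misconfigured policy from locking administrators out of the tenant.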

We do not recommend a whitelist-based solution for access management due to its complexity and ongoing maintenance requirements for both your organization and KMD. A whitelist-based solution presents several challenges:

  • Mobile devices: Securing mobile access requires routing traffic through the organization's network, which slows down the user experience and requires a mobile VPN solution to be set up.
  • Guest access and external consultants: External users, such as KMD consultants, cannot access the system from outside your network, which complicates remote support and setup.
  • Third-party integrations: Integrating with external systems requires access to your network or continuous whitelisting, which leads to administrative overhead.

Instead of whitelisting, we recommend using Conditional Access to achieve the desired security control in a flexible and maintenance-friendly manner.

We also advise against using geographic IP filtering as a security measure. Attackers often use VPN solutions to hide their true location: just as VPNs bypass geo-blocking on streaming services, they mask a user's actual location, so geo-filtering gives a false sense of security while creating access problems for legitimate users working from abroad or on changing networks.

We support using the organization’s existing security setup, but we are not specialists in setting up Conditional Access policies. Therefore, we recommend involving your IT managers or security advisors to ensure that access policies fulfill your needs and security requirements.

Read more about Microsoft Conditional Access in the Microsoft Entra Conditional Access documentation.