Conditional Access Architecture Design

Management Summary

A Conditional Access (CA) architecture implements Zero Trust identity controls by basing every access decision on user, device, location, and risk signals.

Recommendation: IMPLEMENT CONDITIONAL ACCESS
Risk without: Critical
Risk score: 10/10
Implementation: 120 h (technical: 60 h)
Applies to:
✓ Azure AD
✓ Entra ID (the renamed Azure AD)

Traditional perimeter security fails for cloud and remote work. Zero Trust via Conditional Access provides context-aware access control and authentication, MFA enforcement, device compliance requirements, location-based restrictions, and risk-based policies. Without CA there is no context-aware MFA enforcement (only the blunt per-user MFA and Security Defaults options remain), unmanaged devices can reach company data, risky sign-ins succeed, and the identity security posture stays weak.

PowerShell Modules Required
Primary API: Microsoft Graph
Connection: Connect-MgGraph
Required modules: Microsoft.Graph.Identity.SignIns

Implementation

The CA architecture comprises these baseline policies: (1) require MFA for all users, (2) block legacy authentication, (3) require compliant or hybrid-joined devices, (4) block access from untrusted locations, (5) require MFA for admins (always), (6) block high-risk sign-ins, (7) require approved client apps, (8) session controls (app-enforced restrictions). Policy layering: foundation policies + workload-specific policies + risk-adaptive policies.

Requirements

  1. Azure AD Premium P1 (basic CA)
  2. P2 for risk-based policies (Identity Protection signals)
  3. Break-glass accounts (excluded from every CA policy)
  4. Device compliance policies (Intune)
  5. Named locations defined

Implementation

Use the PowerShell script conditional-access-design.ps1 (function Invoke-Remediation) for the CA baseline deployment.

Implement the 7 foundation CA policies in a phased approach: Report-only → Pilot → Production. Start with MFA for all users, block legacy authentication, and require compliant devices. Every policy is created in report-only state first, with the break-glass accounts excluded, so that the sign-in logs show its impact before it enforces anything.
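The rollout rules above (report-only first, break-glass always excluded) can be enforced in code before anything is created. The following is an added example, not the page's own script: it builds the first foundation policies as Microsoft Graph conditionalAccessPolicy request bodies, runs an offline pre-flight check over them, and only then calls New-MgIdentityConditionalAccessPolicy. The break-glass object IDs are placeholders, and the policy names (CA001...) are an assumed naming convention; the Global Administrator role template ID is the well-known fixed value.

```powershell
# Added example (not from the original page or script). Builds the foundation CA
# policies as Graph request bodies in report-only state, excludes break-glass
# accounts from each, and pre-flights them offline before deployment.
# Assumptions: $BreakGlassIds are placeholder object IDs; Deploy-CaBaseline is
# the only function that touches the tenant and is not run by default.

$BreakGlassIds     = @('00000000-0000-0000-0000-000000000001')  # placeholder object IDs
$GlobalAdminRoleId = '62e90394-69f5-4237-9190-012177145e10'    # Global Administrator role template

function New-CaPolicyBody {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][hashtable]$Conditions,
        [Parameter(Mandatory)][hashtable]$GrantControls
    )
    # Every policy starts in report-only and excludes the break-glass accounts
    $users = $Conditions['users']
    if (-not $users) { $users = @{ includeUsers = @('All') } }
    $users['excludeUsers'] = @($BreakGlassIds)
    $Conditions['users'] = $users
    if (-not $Conditions.ContainsKey('applications')) {
        $Conditions['applications'] = @{ includeApplications = @('All') }
    }
    return @{
        displayName   = $DisplayName
        state         = 'enabledForReportingButNotEnforced'
        conditions    = $Conditions
        grantControls = $GrantControls
    }
}

function Get-CaBaselinePolicies {
    @(
        (New-CaPolicyBody -DisplayName 'CA001 - Require MFA for all users' `
            -Conditions @{ clientAppTypes = @('all') } `
            -GrantControls @{ operator = 'OR'; builtInControls = @('mfa') }),
        (New-CaPolicyBody -DisplayName 'CA002 - Block legacy authentication' `
            -Conditions @{ clientAppTypes = @('exchangeActiveSync', 'other') } `
            -GrantControls @{ operator = 'OR'; builtInControls = @('block') }),
        (New-CaPolicyBody -DisplayName 'CA003 - Require compliant or hybrid joined device' `
            -Conditions @{ clientAppTypes = @('all') } `
            -GrantControls @{ operator = 'OR'; builtInControls = @('compliantDevice', 'domainJoinedDevice') }),
        (New-CaPolicyBody -DisplayName 'CA005 - Require MFA for admins' `
            -Conditions @{ users = @{ includeRoles = @($GlobalAdminRoleId) }; clientAppTypes = @('all') } `
            -GrantControls @{ operator = 'OR'; builtInControls = @('mfa') }),
        (New-CaPolicyBody -DisplayName 'CA006 - Block high-risk sign-ins' `
            -Conditions @{ signInRiskLevels = @('high'); clientAppTypes = @('all') } `
            -GrantControls @{ operator = 'OR'; builtInControls = @('block') })
    )
}

function Test-CaRolloutSafety {
    # Returns one finding per violated rollout rule; empty array means safe to create
    param([Parameter(Mandatory)][object[]]$Policies)
    $findings = [System.Collections.Generic.List[string]]::new()
    foreach ($p in $Policies) {
        $excluded = @($p.conditions.users.excludeUsers)
        $missing  = @($BreakGlassIds | Where-Object { $_ -notin $excluded })
        if ($missing.Count -gt 0) {
            $findings.Add("$($p.displayName): break-glass account(s) not excluded")
        }
        if ($p.state -ne 'enabledForReportingButNotEnforced') {
            $findings.Add("$($p.displayName): does not start in report-only state")
        }
    }
    return $findings.ToArray()
}

function Deploy-CaBaseline {
    param([switch]$WhatIf)
    $policies = Get-CaBaselinePolicies
    $issues   = @(Test-CaRolloutSafety -Policies $policies)
    if ($issues.Count -gt 0) { throw ("Pre-flight failed:`n" + ($issues -join "`n")) }
    # Scopes the Graph docs list for creating CA policies (delegated)
    Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All' -NoWelcome
    foreach ($body in $policies) {
        if ($WhatIf) { Write-Host "WhatIf: would create '$($body.displayName)' (report-only)"; continue }
        New-MgIdentityConditionalAccessPolicy -BodyParameter $body | Out-Null
    }
}

# Offline pre-flight over the generated bodies; no tenant connection needed
Test-CaRolloutSafety -Policies (Get-CaBaselinePolicies)
```

Promotion from report-only to pilot is then a PATCH of the same policy's state (and, for the pilot, its includeGroups), so the request body shape shown here is the one that is reused for every phase. Policies (4) and (7) are left out of the generator because they need tenant-specific named location IDs and app lists.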

Monitoring

Use the PowerShell script conditional-access-design.ps1 (function Invoke-Monitoring) to check compliance.

Monitor: sign-in logs, CA policy matches (including report-only results before each promotion), user and admin feedback, break-glass usage (should be rare; every use warrants investigation), and policy conflicts.
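The sign-in log is where the report-only phase pays off: the appliedConditionalAccessPolicies array on each sign-in records, per policy, whether it would have blocked the sign-in. The following is an added example, not part of the page's script, that evaluates constructed sample sign-in records shaped like Microsoft Graph signIn objects. It summarises report-only outcomes per policy, decides whether a policy is ready for pilot against a failure-rate threshold, and flags break-glass sign-ins. The break-glass UPN and the 5 percent threshold are assumptions; Get-CaSignIns shows the live path via Get-MgAuditLogSignIn (Microsoft.Graph.Reports) and is not run here.

```powershell
# Added example (not from the original page or script). Evaluates sign-in log
# records for CA monitoring: per-policy rollup, pilot-readiness gate, and
# break-glass usage. Sample records below are constructed, not tenant data.

$BreakGlassUpns = @('breakglass1@contoso.example')   # placeholder

function Get-CaSignIns {
    # Live path (not run here): sign-ins from the last N hours via Microsoft Graph
    param([int]$Hours = 24)
    $since = (Get-Date).ToUniversalTime().AddHours(-$Hours).ToString('yyyy-MM-ddTHH:mm:ssZ')
    Connect-MgGraph -Scopes 'AuditLog.Read.All' -NoWelcome
    Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All
}

function Get-CaPolicyRollup {
    # One row per policy: reportOnlyFailure counts are the users a promotion would block
    param([Parameter(Mandatory)][object[]]$SignIns)
    $rows = foreach ($s in $SignIns) {
        foreach ($p in @($s.appliedConditionalAccessPolicies)) {
            [pscustomobject]@{ Policy = $p.displayName; Result = $p.result; User = $s.userPrincipalName }
        }
    }
    $rows | Group-Object Policy | ForEach-Object {
        $g = $_.Group
        [pscustomobject]@{
            Policy            = $_.Name
            Enforced          = @($g | Where-Object { $_.Result -in @('success', 'failure') }).Count
            ReportOnlySuccess = @($g | Where-Object { $_.Result -eq 'reportOnlySuccess' }).Count
            ReportOnlyFailure = @($g | Where-Object { $_.Result -eq 'reportOnlyFailure' }).Count
            ImpactedUsers     = @($g | Where-Object { $_.Result -eq 'reportOnlyFailure' } |
                                    Select-Object -ExpandProperty User -Unique)
        }
    }
}

function Test-ReadyForPilot {
    # True when the policy has report-only data and its would-block rate is at or below the threshold
    param(
        [Parameter(Mandatory)][string]$Policy,
        [Parameter(Mandatory)][object[]]$SignIns,
        [double]$MaxFailureRate = 0.05
    )
    $r = Get-CaPolicyRollup -SignIns $SignIns | Where-Object { $_.Policy -eq $Policy }
    if (-not $r) { return $false }
    $total = $r.ReportOnlySuccess + $r.ReportOnlyFailure
    return ($total -gt 0) -and (($r.ReportOnlyFailure / $total) -le $MaxFailureRate)
}

function Get-BreakGlassSignIns {
    # Any hit here should be rare and is an incident until proven otherwise
    param([Parameter(Mandatory)][object[]]$SignIns)
    $SignIns | Where-Object { $_.userPrincipalName -in $BreakGlassUpns }
}

# Constructed sample records (shape of Graph signIn objects, values invented)
$Sample = @(
    [pscustomobject]@{ userPrincipalName = 'alice@contoso.example'; ipAddress = '203.0.113.10'; clientAppUsed = 'Browser'
        appliedConditionalAccessPolicies = @(
            @{ displayName = 'CA001 - Require MFA for all users'; result = 'success' },
            @{ displayName = 'CA002 - Block legacy authentication'; result = 'reportOnlySuccess' }) },
    [pscustomobject]@{ userPrincipalName = 'bob@contoso.example'; ipAddress = '203.0.113.11'; clientAppUsed = 'Exchange ActiveSync'
        appliedConditionalAccessPolicies = @(
            @{ displayName = 'CA001 - Require MFA for all users'; result = 'success' },
            @{ displayName = 'CA002 - Block legacy authentication'; result = 'reportOnlyFailure' }) },
    [pscustomobject]@{ userPrincipalName = 'carol@contoso.example'; ipAddress = '203.0.113.12'; clientAppUsed = 'Browser'
        appliedConditionalAccessPolicies = @(
            @{ displayName = 'CA001 - Require MFA for all users'; result = 'success' },
            @{ displayName = 'CA002 - Block legacy authentication'; result = 'reportOnlySuccess' }) },
    [pscustomobject]@{ userPrincipalName = 'dave@contoso.example'; ipAddress = '198.51.100.7'; clientAppUsed = 'Browser'
        appliedConditionalAccessPolicies = @(
            @{ displayName = 'CA001 - Require MFA for all users'; result = 'failure' },
            @{ displayName = 'CA002 - Block legacy authentication'; result = 'reportOnlySuccess' }) },
    [pscustomobject]@{ userPrincipalName = 'breakglass1@contoso.example'; ipAddress = '198.51.100.9'; clientAppUsed = 'Browser'
        appliedConditionalAccessPolicies = @(
            @{ displayName = 'CA001 - Require MFA for all users'; result = 'notApplied' },
            @{ displayName = 'CA002 - Block legacy authentication'; result = 'notApplied' }) }
)

Get-CaPolicyRollup -SignIns $Sample | Format-Table -AutoSize
Test-ReadyForPilot -Policy 'CA002 - Block legacy authentication' -SignIns $Sample
Get-BreakGlassSignIns -SignIns $Sample | Select-Object userPrincipalName, ipAddress, clientAppUsed
```

In the sample, one of four report-only evaluations of the legacy-auth policy is a reportOnlyFailure, so the pilot gate refuses it at the 5 percent threshold and names the affected user; that is the list to work through (migrate the client, or scope a temporary exclusion) before promoting the policy. The break-glass account shows up with notApplied on every policy, which is the expected state when the exclusion is correct.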

Compliance and Auditing

  1. CIS Azure 1.x - multiple CA controls
  2. BIO 09.04 - Authentication
  3. ISO 27001 A.9.4.2
  4. NIS2 Article 21
  5. NIST Zero Trust

Remediation

Use the PowerShell script conditional-access-design.ps1 (function Invoke-Remediation) to remediate.

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation); the compliance check and remediation bodies are placeholders to be filled in per the control.

PowerShell
<#
.SYNOPSIS
    Conditional Access Architecture & Policy Design
.DESCRIPTION
    Implementation for Conditional Access Architecture & Policy Design
.NOTES
    Filename: conditional-access-design.ps1
    Author: Nederlandse Baseline voor Veilige Cloud
    Version: 1.0
    Related JSON: content/design/identity/conditional-access-design.json
#>
#Requires -Version 5.1
#Requires -Modules Microsoft.Graph

[CmdletBinding()]
param(
    [Parameter()][switch]$WhatIf,
    [Parameter()][switch]$Monitoring,
    [Parameter()][switch]$Remediation,
    [Parameter()][switch]$Revert
)

$ErrorActionPreference = 'Stop'
$VerbosePreference = 'Continue'

$PolicyName = "Conditional Access Architecture & Policy Design"
$CISControl = "CIS M365 1.x, 2.x, 3.x (All CA-related controls)"
$BIOControl = "9.02"

function Connect-RequiredServices {
    # Connection logic based on API: read scope for monitoring, write scope only for remediation
    $scopes = if ($Remediation) { 'Policy.ReadWrite.ConditionalAccess' } else { 'Policy.Read.All' }
    Connect-MgGraph -Scopes $scopes -NoWelcome
}

function Test-Compliance {
    Write-Verbose "Testing compliance for: $PolicyName..."
    $result = [PSCustomObject]@{
        ScriptName        = "conditional-access-design"
        PolicyName        = $PolicyName
        IsCompliant       = $false
        TotalResources    = 0
        CompliantCount    = 0
        NonCompliantCount = 0
        Details           = @()
        Recommendations   = @()
    }
    # Compliance check implementation
    # Based on: Design Document
    # Placeholder: until implemented, the control is always reported as non-compliant
    $result.Details += "Compliance check - implementation required based on control"
    $result.NonCompliantCount = 1
    return $result
}

function Invoke-Remediation {
    Write-Host "`nApplying remediation for: $PolicyName..." -ForegroundColor Cyan
    # Remediation implementation (placeholder)
    Write-Host "  Configuration applied" -ForegroundColor Green
    Write-Host "`n[OK] Remediation completed" -ForegroundColor Green
}

function Invoke-Monitoring {
    $result = Test-Compliance
    Write-Host "`n========================================" -ForegroundColor Cyan
    Write-Host "$PolicyName" -ForegroundColor Cyan
    Write-Host "========================================" -ForegroundColor Cyan
    Write-Host "Total: $($result.TotalResources)" -ForegroundColor White
    Write-Host "Compliant: $($result.CompliantCount)" -ForegroundColor Green
    $color = if ($result.NonCompliantCount -gt 0) { "Red" } else { "Green" }
    Write-Host "Non-compliant: $($result.NonCompliantCount)" -ForegroundColor $color
    return $result
}

function Invoke-Revert {
    Write-Host "Revert: Configuration revert not yet implemented" -ForegroundColor Yellow
}

try {
    Connect-RequiredServices
    if ($Monitoring) {
        Invoke-Monitoring
    }
    elseif ($Remediation) {
        if ($WhatIf) {
            Write-Host "WhatIf: Would apply remediation" -ForegroundColor Yellow
        }
        else {
            Invoke-Remediation
        }
    }
    elseif ($Revert) {
        Invoke-Revert
    }
    else {
        $result = Test-Compliance
        if ($result.IsCompliant) {
            Write-Host "`n[OK] COMPLIANT" -ForegroundColor Green
        }
        else {
            Write-Host "`n[FAIL] NON-COMPLIANT" -ForegroundColor Red
        }
    }
}
catch {
    Write-Error $_
}

Risk without implementation

Critical: without CA, identity security is fundamentally weak. Microsoft data: 99.9 percent of account compromises are prevented with CA + MFA. NIS2 and the GDPR (AVG) require strong authentication, which makes CA mandatory in practice. The risk is CRITICAL: CA is the Zero Trust foundation.

Management Summary

Conditional Access design: 7 foundation policies - (1) MFA for all users, (2) block legacy authentication, (3) require compliant devices, (4) block high-risk countries, (5) admin protection (phishing-resistant MFA), (6) risk-based blocking (Identity Protection), (7) approved apps only. Requires: Azure AD P1 (P2 for risk-based policies). Activation: phased rollout - Report-only → Pilot → Production. Required by CIS, BIO 9.04, NIS2, Zero Trust. Implementation: 60-120 hours (design + testing + rollout + break-glass procedures). CRITICAL Zero Trust foundation; non-negotiable for modern security.