Overview
The ability to capture and deploy a snapshot across multiple Azure tenants helps maintain a robust, consistent, and efficient security posture while reducing manual effort and potential errors.
Taking a snapshot of your configured conditional access policies from a "golden image" tenant offers several significant benefits:
- Consistency Across Tenants: It ensures that all your Azure tenants have the same security posture by applying a uniform set of policies. This consistency minimizes gaps or discrepancies that could lead to vulnerabilities.
- Simplified Onboarding and Management: When new tenants are added or when you need to reconfigure an existing one, you can quickly apply your pre-approved configuration rather than starting from nothing. This reduces administrative overhead and speeds up deployment.
- Reduced Risk of Misconfiguration: By using a standardized snapshot, you lower the risk of human error during manual policy configuration, which can inadvertently weaken your security stance.
- Improved Compliance: A golden image helps enforce a consistent policy framework across all environments, which is crucial for meeting regulatory and audit requirements. This makes it easier to demonstrate that your security measures are uniformly applied.
- Streamlined Disaster Recovery: In the event of a configuration error or compromise, having a snapshot allows you to restore your tenant’s conditional access policies to a known secure state quickly, aiding in business continuity.
- Efficient Policy Testing and Rollbacks: When policies need updating or testing, having a baseline configuration makes it easier to roll back changes if something does not work as expected, ensuring your security controls remain effective.
Conditional Access Policies (CAP)
Before creating a conditional access policy snapshot, consider the following pre-requisites.
- The organization that will be used to create the conditional access policy snapshot must be connected to Fortify.
- Only policies whose configured state is enabled or report-only will be imported; disabled policies will be ignored. If there are conditional access policies you do not wish to include in the snapshot, set their state to disabled.
- If conditional access policies are configured to include or exclude a specific user, those user assignments will be removed during the import, and included users will then default to All users. If you wish to configure included or excluded users for a policy, this can be done using parameters when assigning the snapshot to an organization.
- The conditional access policy should have its users include assignment set to one of the following options: none, all users, or select users and groups. All options for users and groups are supported except individual user accounts.
- If the policy has a custom control grant selected, you will receive an error during the import process as these are no longer supported. Please consider switching to the recommended external authentication methods. Support for snapshotting custom external authentication methods is coming.
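As an added illustration (not the product's own code), the following hypothetical helper audits an export of conditional access policies in the Microsoft Graph JSON shape and reports how the prerequisites above would treat each one: disabled policies are skipped, specific user accounts in includeUsers/excludeUsers are dropped, and a custom control grant causes an import error. The sample policies are constructed.

```python
"""Pre-import audit of Conditional Access policies against the snapshot prerequisites.
Hypothetical helper, not part of the product. Policies use the Microsoft Graph
conditionalAccessPolicy JSON shape; the sample below is constructed."""
import json

# Constructed sample of what an export of the tenant's CA policies might contain.
SAMPLE_POLICIES = json.loads("""[
  {"displayName": "CA001 Require MFA", "state": "enabled",
   "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [],
                            "includeGroups": [], "excludeGroups": []}},
   "grantControls": {"builtInControls": ["mfa"], "customAuthenticationFactors": []}},
  {"displayName": "CA002 Block legacy auth", "state": "disabled",
   "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [],
                            "includeGroups": [], "excludeGroups": []}},
   "grantControls": {"builtInControls": ["block"], "customAuthenticationFactors": []}},
  {"displayName": "CA003 Admin protection", "state": "enabledForReportingButNotEnforced",
   "conditions": {"users": {"includeUsers": ["aaaaaaaa-0000-0000-0000-000000000001"],
                            "excludeUsers": ["aaaaaaaa-0000-0000-0000-000000000002"],
                            "includeGroups": [], "excludeGroups": []}},
   "grantControls": {"builtInControls": [], "customAuthenticationFactors": ["legacy-custom-control"]}}
]""")

SPECIAL_USER_VALUES = {"All", "None", "GuestsOrExternalUsers"}  # not user accounts

def audit_policy(policy: dict) -> list:
    """Return findings describing how the import would treat this policy (empty = imports as-is)."""
    findings = []
    users = policy.get("conditions", {}).get("users", {})
    grant = policy.get("grantControls") or {}
    if policy.get("state") == "disabled":
        findings.append("skipped: disabled policies are not imported")
        return findings
    # Specific user accounts are removed on import; includeUsers then falls back to All users.
    if any(u not in SPECIAL_USER_VALUES for u in users.get("includeUsers", [])):
        findings.append("includeUsers names user accounts: removed on import, defaults to All users")
    if any(u not in SPECIAL_USER_VALUES for u in users.get("excludeUsers", [])):
        findings.append("excludeUsers names user accounts: removed on import")
    # Custom controls are no longer supported and make the import fail for this policy.
    if grant.get("customAuthenticationFactors"):
        findings.append("custom control grant present: import will error")
    return findings

def audit_export(policies: list) -> dict:
    """Map each policy display name to its findings so the export can be cleaned up before import."""
    return {p["displayName"]: audit_policy(p) for p in policies}

if __name__ == "__main__":
    for name, findings in audit_export(SAMPLE_POLICIES).items():
        print(name, "->", findings or ["imports as-is"])
```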
Creating a Conditional Access Policy Snapshot
1. Head over to the Fortify tab and click on Snapshots.
2. Click on Import Snapshots
3. Select the Microsoft tenant to import. This tenant must be connected to the organization via the Fortify module. Click next.
4. Provide a Snapshot Name and click on Import Snapshot.
5. The policies screen will open, where you can remove or add your custom policies.
After creating the conditional access policy snapshot, every configured option in each policy will show as a global parameter. You can customize these parameters by clicking on the "Edit" icon.
Note: not all parameters are configurable; some are visible only to show the configured options detected during the import.
6. Partners can now add organizations to the snapshot template from the imported Microsoft tenant by clicking on the "Modify Organizations" icon under the Snapshots tab.
Customizing your Snapshot policies by adding parameters
1. To modify your Snapshot policies simply click on the "Customize Policies" icon.
2. Parameters can be added or modified by clicking on the "Edit organization parameters" icon.
3. You can also review your global parameters. Note: not all parameters are configurable; some are visible only to show the configured options detected during the import.
If your policy includes or excludes targeted groups, they are imported and stored as a global parameter using the group's display name. When applying the snapshot to an organization, groups in the target organization are matched on display name: if a group with that name exists it will be included, otherwise it will be ignored. This is useful if your group naming conventions are consistent across multiple organizations.
A custom authentication context, if configured as a target resource, will be imported. If the custom authentication context does not exist in the target organization, it will be created.
A custom authentication strength, if configured as an access control grant, will be imported. If the custom authentication strength does not exist in the target organization, it will be created. Use a unique name for custom authentication strengths so the policy does not end up using an existing strength in the target organization that happens to share the same name.
When networks or locations are configured in the policy as included or excluded, the IP ranges and countries are stored as a parameter of the policy. When the policy is applied to an organization, any IP or country named location will be created in that organization's named locations using the policy's name.
To prevent failures when creating conditional access policies in assigned organizations, either ensure that the policy name is unique prior to importing, or enable the parameter that allows the policy to be created even when a policy with the same name already exists.
Conditional access policies within the snapshot can be enabled or disabled. Only enabled policies will be applied to assigned organizations.
Managing Conditional Access Policy Snapshot Assignments
- Organizations can only be assigned to a single conditional access policy snapshot. To assign an organization to a different conditional access policy snapshot you must first remove them from the existing assignment.
- Organizations assigned must have a Microsoft Entra ID P1 license or above.
To add an organization to the snapshot template from the imported Microsoft tenant, click on the "Modify Organizations" icon under the Snapshots tab.
Organizations that get assigned to a conditional access policy snapshot will have the snapshot immediately applied to them. Every 24 hours a synchronization process will occur for all organizations assigned to the conditional access policy snapshot. The following will occur:
- Determine whether the conditional access policy exists and create it if it is missing. If this occurs, it will be logged that the original snapshot policy was removed and recreated.
- Determine whether the policy was modified externally; if so, it will be updated to match the snapshot policy. This occurs when a policy is manually modified and any of its settings are altered. If this occurs, it will be logged that the policy was modified and updated.
- If the global or organization parameters for the conditional access policy snapshot have been modified and they no longer match the parameters that were configured on the organization policy, the policy will be updated to reflect those changes. If this occurs, it will be logged that the parameters have changed, and the policy updated.
- If the conditional access policy has been unselected from the snapshot, the policy will be removed.
The results of each snapshot synchronization are available for audit purposes. This will include all operations performed for each organization and policy.
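The synchronization rules above, as an added illustration that is not the product's own code: a hypothetical reconciler compares each snapshot policy (captured settings plus the parameter values rendered into them) with the organization's live policies, keyed by display name, and produces the action and audit log line for each case. The policies are reduced to small dicts and the samples are constructed.

```python
"""Drift reconciliation for one assigned organization, modelled on the 24-hour sync above.
Hypothetical illustration, not the product's code: a policy is its display name, the
settings captured from the golden tenant and the parameters rendered into it."""
from dataclasses import dataclass

@dataclass
class SnapshotPolicy:
    name: str
    settings: dict        # definition captured from the golden tenant
    parameters: dict      # global/organization parameter values, e.g. excluded groups
    enabled: bool = True  # a policy unselected from the snapshot is removed from tenants

def desired_state(p: SnapshotPolicy) -> dict:
    """Parameters override the captured settings to give the expected tenant policy."""
    return {**p.settings, **p.parameters}

def reconcile(snapshot: list, live: dict) -> tuple:
    """Return (action per policy name, audit log) for the organization's live policies."""
    actions, log = {}, []
    for p in snapshot:
        current = live.get(p.name)
        if not p.enabled:
            if current is not None:
                actions[p.name] = "delete"
                log.append(f"{p.name}: unselected from snapshot, policy removed")
            continue
        wanted = desired_state(p)
        if current is None:
            actions[p.name] = "create"
            log.append(f"{p.name}: original snapshot policy was removed, recreated")
        elif current != wanted:
            # Same remediation either way; the log records whether a parameter change or a manual edit caused the drift.
            cause = "parameters changed" if any(current.get(k) != v for k, v in p.parameters.items()) else "modified externally"
            actions[p.name] = "update"
            log.append(f"{p.name}: {cause}, policy updated")
        else:
            actions[p.name] = "in sync"
    return actions, log

# Constructed sample: one policy missing, one manually disabled in the tenant, one unselected.
SNAPSHOT = [
    SnapshotPolicy("CA001 Require MFA", {"state": "enabled", "grant": "mfa"}, {"excludeGroups": ["BreakGlass"]}),
    SnapshotPolicy("CA004 Block legacy auth", {"state": "enabled", "grant": "block"}, {}),
    SnapshotPolicy("CA009 Old pilot", {"state": "enabled", "grant": "mfa"}, {}, enabled=False),
]
LIVE = {
    "CA001 Require MFA": {"state": "disabled", "grant": "mfa", "excludeGroups": ["BreakGlass"]},
    "CA009 Old pilot": {"state": "enabled", "grant": "mfa"},
}
```

Running `reconcile(SNAPSHOT, LIVE)` yields an update for CA001, a create for CA004 and a delete for CA009, with one log line each.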
When removing an assigned organization from a conditional access policy snapshot, you will have the option to retain the policies applied by the snapshot or have those policies removed. If removing the policies, please be aware that this could potentially leave the organization vulnerable.
Duplicating a Conditional Access Policy Snapshot
To duplicate your snapshot policies, simply click on the "Duplicate" icon.
Duplication of a conditional access policy snapshot allows you to maintain the original while creating an exact copy of all policies and parameters. This can be useful if you want to modify the enabled policies or parameters for the snapshot and test those changes prior to assigning to your organizations. When duplicating the snapshot any assigned organizations will not be copied. When assigning an organization to the new snapshot, ensure they are not assigned to an existing conditional access policy snapshot first.
Deleting a Conditional Access Policy Snapshot
To delete your snapshot policies, simply click on the "Delete snapshot" icon.
Deleting a conditional access policy snapshot will remove the snapshot and offer the option to remove it from the currently assigned organizations. When choosing to remove the snapshot from assigned organizations, all policies created by the snapshot will be removed from each organization. Please be aware that this could potentially leave the organization vulnerable.
For audit purposes, the sync history of deleted conditional access policy snapshots will be maintained and viewable in the dashboard.