Conditional Access & Zero Trust Architecture

Engagement Overview

Cybernerds was engaged to design and implement a Conditional Access framework based on Zero Trust principles for a healthcare organization managing both corporate and personal (BYOD) devices. The engagement followed the PDS framework to deliver layered access controls that protect patient data while supporting clinical workflows across multiple access scenarios.

Initial State

The organization had deployed Microsoft 365 and Intune but relied primarily on username and password authentication with minimal access controls. Key conditions included:

• ✓No Conditional Access policies — any authenticated user could access any resource from any device
• ✓MFA not enforced — available but optional for most user accounts
• ✓BYOD devices accessing corporate email and SharePoint with no app protection or compliance requirements
• ✓No differentiation between corporate-managed and personal devices in access decisions
• ✓Clinical staff sharing devices without session isolation or scoped access
• ✓Legacy authentication protocols still enabled, bypassing modern authentication controls

Key Challenges

• ✓BYOD Support: Clinical staff required mobile access to email and scheduling from personal devices without full device enrollment
• ✓Shared Devices: Workstations shared between clinical staff needed session-scoped access controls
• ✓Legacy Protocols: Several line-of-business applications relied on legacy authentication that Conditional Access could not evaluate
• ✓User Impact: Access controls needed to be invisible to clinical workflows — no additional friction during patient care
• ✓Compliance: HIPAA requires access controls appropriate to the risk of the data being accessed
• ✓Phishing Risk: Password-only authentication left the organization exposed to credential theft

Solution Design — PDS Framework

• ✓Policy Architecture: Tiered Conditional Access policies — baseline (all users), elevated (sensitive data), administrative (privileged roles)
• ✓MFA Enforcement: Mandatory for all users with passwordless authentication (Windows Hello, Authenticator) for clinical staff
• ✓Device Compliance: Corporate devices must meet Intune compliance policy to access tenant resources
• ✓BYOD Protection: App Protection Policies (MAM) enforcing data containment on personal devices without device enrollment
• ✓Shared Devices: Entra ID shared device mode configured for clinical workstations with automatic sign-out
• ✓Legacy Block: Basic authentication disabled across all protocols with named exceptions for approved LOB apps during migration
• ✓Risk-Based Access: Entra ID Protection sign-in risk integrated into Conditional Access — MFA challenge on medium risk, block on high risk
• ✓Session Controls: Defender for Cloud Apps session policies for web-based access from unmanaged devices

Implementation — PDS Execution

Policies were deployed in report-only mode first, analyzed for impact over two weeks, then enforced in phases — baseline first, then elevated controls.

• ✓Deployed baseline Conditional Access policies enforcing MFA for all users across all cloud applications
• ✓Configured Windows Hello for Business and Authenticator passwordless sign-in for clinical staff
• ✓Created Intune compliance policies defining minimum security requirements for corporate devices
• ✓Built App Protection Policies for Outlook, Teams, and SharePoint on iOS and Android BYOD devices
• ✓Configured Entra ID shared device mode on clinical workstations with automatic session cleanup
• ✓Disabled legacy authentication protocols with monitored exceptions for two LOB applications
• ✓Integrated Entra ID Protection risk signals into Conditional Access evaluation
• ✓Deployed Defender for Cloud Apps session controls for browser-based access from unmanaged devices
• ✓Created emergency access (break-glass) accounts excluded from Conditional Access with monitoring alerts

Validation — PDS Validation Phase

• ✓All users successfully authenticating with MFA — passwordless adoption at 78% among clinical staff
• ✓Corporate devices evaluated for compliance before accessing tenant resources
• ✓BYOD devices accessing email and Teams through protected apps with no data leakage to personal apps
• ✓Shared workstations correctly enforcing session isolation and automatic sign-out
• ✓Legacy authentication blocked — two LOB exceptions operating under monitored policy
• ✓Risk-based policies correctly escalating MFA challenges on suspicious sign-in attempts
• ✓Defender for Cloud Apps session controls enforcing download restrictions on unmanaged browser sessions
• ✓Zero clinical workflow disruptions reported during two-week post-enforcement monitoring period

Outcome

• ✓Zero Trust access model enforced across all users, devices, and access scenarios
• ✓Passwordless authentication reducing phishing risk for clinical staff
• ✓BYOD access secured without requiring full device enrollment
• ✓Shared clinical workstations operating with session isolation and automatic cleanup
• ✓Legacy authentication protocols blocked with a managed migration path for remaining exceptions
• ✓Risk-based access decisions dynamically responding to threat signals
• ✓HIPAA-appropriate access controls documented and demonstrable for compliance
• ✓Full policy documentation and administrative training delivered