
Implementing Conditional Access Policies

Conditional Access policy management is now automated as code: every policy change is a reviewed pull request, the history is traceable in git, and manual changes in the portal are no longer needed.


Key Points

  • IaC Approach: All policies managed using Terraform and the hashicorp/azuread provider.
  • Repository: hmcts/conditional-access-policies-terraform
  • Code Review: Global Administrators (GAs) set as CODEOWNERS, so every PR needs a GA approval before merge.
  • Import: Existing policies imported into Terraform state rather than recreated, so no policy is deleted and re-added.
  • API Limitations: Deployment parallelism set to 1 (one Graph API write at a time) to avoid throttling on the Conditional Access endpoints.

Step-by-Step Implementation

1. Repository Setup

  • Repo: hmcts/conditional-access-policies-terraform
  • Includes: README, contributing guide, and CODEOWNERS listing GAs.

2. Pipeline and Pre-checks

  • Azure DevOps pipeline uses a pre-built Terraform pre-check template:
    • steps/terraform-precheck.yaml@cnp-azuredevops-libraries
  • Runs linting, validation, and formatting before plan/apply.

3. Service Connection and Permissions

  • Azure Service Connection in DevOps using Service Principal: GA-Prod-Tenant
  • Microsoft Graph application permissions granted to that service principal:
    • Policy.ReadWrite.ConditionalAccess
    • Policy.Read.All
    • Group.ReadWrite.All
    • User.Read.All
    • Application.Read.All
  • Admin consent provided for all permissions (application permissions act tenant-wide, without a signed-in user).
  • Note that Policy.ReadWrite.ConditionalAccess lets this principal rewrite or delete every Conditional Access policy in the tenant, so the service connection must not be usable from pipelines outside this repository.

4. Terraform Configuration

Each policy is defined using the azuread_conditional_access_policy resource from the hashicorp/azuread provider.

Example (a block-everything policy; see the caveat below before applying anything of this shape):

resource "azuread_conditional_access_policy" "example_policy" {
  display_name = "Example Conditional Access Policy"
  # "enabled" enforces immediately; "enabledForReportingButNotEnforced"
  # stages the policy in report-only mode first.
  state        = "enabled"
  conditions {
    # Client app types in scope; "easSupported" and "other" cover legacy
    # authentication clients as well as modern ones.
    client_app_types = [
      "browser",
      "mobileAppsAndDesktopClients",
      "easSupported",
      "other"
    ]
    applications { included_applications = ["All"] }
    locations    { included_locations = ["All"] }
    platforms    { included_platforms = ["all"] }
    # No excluded_users / excluded_groups: the block applies to every
    # account, including the Global Administrators who would need to undo it.
    users        { included_users = ["All"] }
  }
  grant_controls {
    operator          = "OR"
    built_in_controls = ["block"]
  }
}

Caveat: with included_users = ["All"], included_applications = ["All"] and built_in_controls = ["block"], this policy denies every sign-in in the tenant as soon as it is applied, including the GA accounts that approve the PRs. A real policy of this shape needs excluded_users or excluded_groups for the break-glass accounts, and should be applied with state = "enabledForReportingButNotEnforced" first and checked in the sign-in logs before it is switched to "enabled".

5. Importing Existing Policies

  • Import with: terraform import azuread_conditional_access_policy.existing_policy <policy_id>
  • Policy IDs retrieved via Azure CLI; each existing policy needs a matching resource block in the repository before it is imported, otherwise the next plan will show it as a destroy.

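As an added example (not code from the hmcts repository), a Python helper for step 5 and for the caveat in step 4: it takes the JSON that `az rest --method GET --url https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies` returns, emits one `terraform import` command per existing policy, and flags any policy that would block every sign-in so the check can run before `terraform apply`. The sample response and its GUIDs are constructed, and the resource-name derivation is an assumed convention, not the repository's.

```python
import json
import re
from typing import Optional

# Constructed sample of the Graph response; the GUIDs are made up. The third
# policy has the same shape as the Terraform example in step 4.
SAMPLE_GRAPH_RESPONSE = json.dumps({"value": [
    {
        "id": "11111111-1111-1111-1111-111111111111",
        "displayName": "Block legacy authentication",
        "state": "enabled",
        "conditions": {
            "clientAppTypes": ["exchangeActiveSync", "other"],
            "applications": {"includeApplications": ["All"], "excludeApplications": []},
            "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {
        "id": "22222222-2222-2222-2222-222222222222",
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": ["All"], "excludeApplications": []},
            "users": {"includeUsers": ["All"], "excludeUsers": [],
                      "excludeGroups": ["33333333-3333-3333-3333-333333333333"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "id": "44444444-4444-4444-4444-444444444444",
        "displayName": "Example Conditional Access Policy",
        "state": "enabled",
        "conditions": {
            "clientAppTypes": ["browser", "mobileAppsAndDesktopClients", "easSupported", "other"],
            "applications": {"includeApplications": ["All"], "excludeApplications": []},
            "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
            "locations": {"includeLocations": ["All"], "excludeLocations": []},
            "platforms": {"includePlatforms": ["all"], "excludePlatforms": []},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]})


def terraform_name(display_name: str) -> str:
    """Turn a policy display name into a valid Terraform resource name (assumed convention)."""
    name = re.sub(r"[^a-z0-9_]+", "_", display_name.lower()).strip("_")
    if not name or name[0].isdigit():
        name = "policy_" + name  # resource names must not start with a digit
    return name


def import_commands(graph_json: str) -> list:
    """One `terraform import` line per existing policy: resource address, then policy id."""
    policies = json.loads(graph_json)["value"]
    return [
        "terraform import azuread_conditional_access_policy."
        f"{terraform_name(p['displayName'])} {p['id']}"
        for p in policies
    ]


def lockout_reason(policy: dict) -> Optional[str]:
    """Explain why an enforced policy would block every sign-in, or return None.

    Lockout shape: state enabled, grant control `block`, All users and All apps,
    no user/group/role exclusions, not narrowed to locations or platforms, and
    covering modern clients (a block on legacy protocols only is not a lockout).
    """
    if policy.get("state") != "enabled":
        return None
    if "block" not in ((policy.get("grantControls") or {}).get("builtInControls") or []):
        return None
    cond = policy.get("conditions") or {}
    users, apps = cond.get("users") or {}, cond.get("applications") or {}
    locs, plats = cond.get("locations") or {}, cond.get("platforms") or {}
    if users.get("includeUsers") != ["All"] or apps.get("includeApplications") != ["All"]:
        return None
    if any(users.get(k) for k in ("excludeUsers", "excludeGroups", "excludeRoles",
                                  "excludeGuestsOrExternalUsers")):
        return None
    if apps.get("excludeApplications"):
        return None
    if locs.get("includeLocations", ["All"]) != ["All"] or locs.get("excludeLocations"):
        return None
    if plats.get("includePlatforms", ["all"]) != ["all"] or plats.get("excludePlatforms"):
        return None
    clients = set(cond.get("clientAppTypes") or [])
    if "all" not in clients and not {"browser", "mobileAppsAndDesktopClients"} <= clients:
        return None
    return f"{policy['displayName']!r} blocks All users on All apps with no exclusions"


def lockout_risks(graph_json: str) -> list:
    """Reasons for every policy in the response that would lock the tenant out."""
    policies = json.loads(graph_json)["value"]
    return [r for r in map(lockout_reason, policies) if r]


if __name__ == "__main__":
    print("\n".join(import_commands(SAMPLE_GRAPH_RESPONSE)))
    for reason in lockout_risks(SAMPLE_GRAPH_RESPONSE):
        print("LOCKOUT RISK:", reason)
```

Run against the constructed sample it prints three import commands and reports the third policy, which has the shape of the step 4 example, as a lockout risk; the legacy-auth block is not flagged because it never touches browser or modern-client sign-ins. The same check run on the Graph response before each apply catches a policy that a reviewer waved through.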
This page was last reviewed on 1 June 2025. It needs to be reviewed again on 1 June 2026 by the page owner platops-build-notices .