Conditional Access 101: Understanding and Implementing This Powerful Security Feature

Captions
Multi-factor authentication is the number one way that you can secure your Office 365 environment from a hacker. If you only did one security basic out of the entire stack of Microsoft security, it would be to deploy MFA; it would have the biggest impact in your environment. So why aren't organizations doing it? Microsoft cites that 26 percent of organizations globally that use Office 365 have MFA turned on for their users. Only 26 percent. What's worse is that only 34 percent of admins globally, Global admins, have MFA turned on for their account. And so today I'm going to walk through how we can deploy MFA using Conditional Access. I'm going to do an overview real quick of what Conditional Access is and how to take advantage of it, and then we're going to go and deploy out your first MFA policy to secure your Global admins and secure your AD accounts. So I hope this video helps. Let's hop into it and let's get to it.

So, high level, what is Conditional Access? Well, it is a set of if-this-then-that conditions. At its most basic it's like this graphic right here, where a user is accessing an Office 365 environment, Jira, your VPN or a website, and we're basically saying yes or no, they can access our environment. That's as simple an answer as there is for what Conditional Access is: it's a set of policies. If an end user has signed in, should they be able to access our Office 365 environment or our Salesforce, something along that line? And so that's what Conditional Access is. But it gets more important than that, because as this utility grows we can set up grant controls to make the authentication stronger. So the most important of the controls that we're going to talk about is securing and granting access if the end user is using MFA. So as the end user signs in and they're trying to access Office 365, we can send them a grant when they have achieved their MFA prompt, and that's a really good way to get your environment secured. It's a simple set of policies: in this case Isabella is accessing Azure management, and grant access but require MFA. That's as simple of a policy as you need to get MFA deployed out to your environment. When this happens, grant access if MFA; when they're accessing Azure management, grant access if they're using MFA. And we can build on those sets of policies, but that's as simple as you have to go.

Conditional Access gets us way more than that, though, because we're able to take advantage of all sorts of signals from the end user: where they're signing in, the sign-in risk of their environment, the device, the location, and take that into account in our sign-in process. So if I wanted to I could come in and say grant access to Isabella as long as she MFAs and is coming from her iPhone; grant access to Isabella as she is MFA'd and coming from a trusted location; or in this case block access if they're coming from a risky sign-in, something about their sign-in risk is risky. And we can take that policy and extend it out; we can take all those signals and inform our decision-making with it. And so when we start looking at some of those advanced conditions we've got a lot of different good stuff that we can take advantage of. So I mentioned device platform: we can target specific device platforms across the board in our environment and say yeah, because they're accessing from an Android, iOS or Windows phone (I don't know who still has Windows phone), grant access in that scenario. Or maybe you don't support Windows phone or support Android; you can say block access in any of those conditions. So really good power here. I really like all the options that Microsoft gives you; it lets you be very flexible. That's the big takeaway from Conditional Access: it's a very flexible solution that lets you achieve your MFA when you want, in all those set conditions. Right, so a simple one would be when an end user is accessing from a trusted location, allow them through without MFA, but if they're accessing from a non-trusted location, not your corporate IP address, that's when you want to MFA them. And so we can do a lot of that type of stuff: filter on device platforms and get really specific about a device that an end user is allowed to access on or excluded from accessing on. So we can do that type of thing. So if you wanted to do something like a privileged access workstation, well, we can do it with this policy; we can come in and say the end user is blocked from accessing except from this Lenovo registered device that's managed by M365 and is Azure AD joined. So we can get really specific and really granular with our Conditional Access policies.

So that is great from the condition standpoint, but we can also get really granular on our decision-making of what they're accessing and how they're allowed to access it. So we can come in and say okay, only allow access if they're coming from a compliant device or compliant app from Intune; we can take advantage of that. We can come in and say if we discover their credentials leaked on the internet, well, require them to change their password. If we discover that they're signed in and they're a guest and they haven't signed our terms of use agreement before, let's have them, before they access our environment, sign in and do that. And then we can get even cooler features: we can use Conditional Access or Cloud App Security and proxy someone's connection and say you can only access Salesforce if you're blocked from downloading from it. So a lot of cool capabilities that we can do in here. The grant is really where you're going to spend a lot of the time deciding what sets of access policies you want to do, and again there are very cool things. So multi-factor authentication, that's the number one one that you should deploy out, but there are other advanced things that you can do, like require the device to be marked as compliant or require a hybrid Azure AD joined device, and then for mobile devices we can require the use of an MDM or an app protection policy as part of the access sign-in.

And so when we start deploying this we can get really granular with a lot of cool things that we can take advantage of. Eventually your policies might get so advanced that you're going to build out a set of overlapping policies to cover this condition, this condition and this condition, and it's important to understand, when we start talking about MFA or Conditional Access and having all of these items available, that Conditional Access is an everything-all-at-once evaluator. Right, so there's not a firewall priority where it's going down the list one, two, three, four; Conditional Access is everything all at once. Right, so if I met this policy I'm going to then require MFA; if I met a block policy, I'm blocked, right. But if I met both an MFA policy and a block policy, it's going to enforce all of them at the same time. Right, so as the end user goes in they'll be required to MFA to find out that they're blocked. And so what you want to do is have some really good planning in place for deploying really complicated rules. Now, we don't need all that; a simple policy will do just fine. We don't have to get super granular with it, and it's really not even always recommended. If you actually deploy the Microsoft security baselines, it's a very simple set of policies that you can do to deploy it out. So let's go in and do that; let's deploy out your first policy to secure your admin accounts and require them to achieve MFA.

All right, so let's deploy our first MFA policy. To do that we're going to go to portal.azure.com, we're going to go to Azure Active Directory, and then on the left-hand side we're going to go to Security and Conditional Access. That's going to be the place where we're going to create our first Conditional Access policies and admin policies. But before we actually turn it on, I want you to be extra careful, and we're going to go ahead and register for your MFA with your admin account at this time. So let's go ahead and do that: we're going to go to aka.ms/mfasetup, and this is where we can set up our MFA. So if you're deploying this out globally in your organization, you may want to send a link to this to have people pre-register ahead of time. In my case I'm going to set up the Authenticator app option, because I like to use my phone for all that sign-in and it's, to me, the best option for setting up MFA. So I'm going to go ahead and open that up real quick while we wait, and I'm going to scan a QR code. In this case it's going to prompt me and I'm just going to go ahead and do that iPhone setup in here, and away we go. So now I am set for it, and I'm just going to go ahead and approve my prompt just to verify. Yes, I am in fact registered for MFA in this environment. Perfect, we are set.

So now let's go and create our policy to protect our Global admins, or just generic admin accounts. So what we need to do is first click New policy. We're going to give it a name; I like to use the bracket and the control that I'm going to do in the first half of this, so as I'm reading a bunch of policies and I'm confused about what they do, it's really easy for me to see, oh, this one does MFA, or this one blocks, that kind of stuff. And we're going to call this "admin accounts". Next, who are we going to target for this? We need to target our Global admins, or generically our admin accounts, so instead of targeting a specific user, let's use directory role. And so we're going to come into this and target our Global Administrators. That's the number one role that we really need to secure in our environment; there is always a Global Administrator that starts out. But a couple of the other ones that you might want to secure are some of the other high privilege accounts. You don't have to do them if you don't use them, but I'll put a list right here on the left-hand side to say hey, these are the other high privilege roles that we would want to do. But like Privileged Role Administrator, the ability to give someone Global Administrator, that should also be MFA. Authentication Administrator, that should also be MFA. Security Administrator, that's a high-powered role that should also be MFA'd, and Intune Administrator. So you can just go down the list and select the ones that are important to you, the ones that you can secure in your environment.

Next, what app are we going to secure for your claims to your Global admins? I'm going to select, or suggest, that you secure all your cloud apps. You can get really granular with it and say, oh, just if they're accessing Office 365 or just accessing Salesforce, but as an admin you really should get MFA when you're accessing any of your environment. Okay, simple as that. Conditions: again, we're going to do a simple policy here; we don't need to make it complicated. We're not going to do any conditions in here that make this happen. What we're going to do is simply come into the grant and say require multi-factor authentication, and we are set. It's important to note that this will turn on, and by default it turns on in report-only mode; we need to switch it over to On. And then by default Microsoft is trying to make sure that you don't accidentally lock yourself out, and so you'll notice here it automatically tries to exclude the user you're using. And that's no good; we need my account protected, all right? It's just as easy for me to get hacked as an end user as anybody else, so we want to secure our account by making sure it's a part of the MFA policies. And we're going to go ahead and create, and we are now set: our first MFA policy is deployed out. I might get kicked out here in a second because I haven't MFA'd yet to my environment, but that's to be expected. As soon as you create this policy and turn it on you might get a prompt immediately after this, and say well yeah, you're supposed to be MFA'd; you haven't MFA'd yet, let's go do it. Okay, that's as simple as you need it to be.

All right, so I hope this video helps explain what CA is and how to get started with creating those policies to enforce MFA. So the next step is: go and do it. You've got to turn on MFA for your Global admin accounts; still, again, the number one recommended way to help secure your accounts from, well, you know, a hacker trying to compromise your 365 environment. I'm going to cover a couple of other topics in other videos, such as building a more robust policy, going and setting up a baseline set of policies to help secure your environment; I'll walk through some of the best practices there, and I'll try to make a couple of different videos on achieving different forms of authentication, how to use CA really and make a very robust set of policies. So hope this helps. If there are questions, you know where to put them, in the chat. Thanks and have a good one.
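As an added example (not code from the video, its channel, or Microsoft), the following Python model captures two points from the walkthrough: the Graph-API-shaped body for the "[MFA] Admin accounts" policy built in the portal (directory role Global Administrator, all cloud apps, grant control MFA, state On, no self-exclusion), and an evaluator showing that overlapping policies are enforced all at once rather than first-match, so a sign-in matching both an MFA policy and a block policy ends in a block, while a report-only policy is recorded but not enforced. The policy names, sign-in data, and the Global Administrator role template ID are constructed assumptions; verify the ID against your own tenant before using it.

```python
# Added example: a small model of Conditional Access policy evaluation and the
# Graph-style body for the admin MFA policy. All policies and sign-ins are
# constructed for illustration; nothing here talks to a real tenant.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Assumed well-known role template id for Global Administrator; verify in your tenant.
GLOBAL_ADMIN_ROLE_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"


@dataclass(frozen=True)
class SignIn:
    """Constructed sign-in signals of the kind the video lists."""
    user: str
    roles: FrozenSet[str]
    app: str
    location: str       # "trusted" or "untrusted"
    sign_in_risk: str   # "none", "low", "medium", "high"


@dataclass
class Policy:
    name: str
    state: str                                   # "enabled", "enabledForReportingButNotEnforced", "disabled"
    grant: FrozenSet[str]                        # e.g. {"mfa"}, {"compliantDevice"}, or {"block"}
    include_roles: FrozenSet[str] = frozenset()  # empty means all users
    exclude_users: FrozenSet[str] = frozenset()
    apps: FrozenSet[str] = frozenset({"All"})
    locations: Optional[FrozenSet[str]] = None   # None means any location
    risk_levels: Optional[FrozenSet[str]] = None # None means any sign-in risk

    def matches(self, s: SignIn) -> bool:
        """Assignments and conditions must all hold for the policy to apply."""
        if s.user in self.exclude_users:
            return False
        if self.include_roles and not (self.include_roles & s.roles):
            return False
        if "All" not in self.apps and s.app not in self.apps:
            return False
        if self.locations is not None and s.location not in self.locations:
            return False
        if self.risk_levels is not None and s.sign_in_risk not in self.risk_levels:
            return False
        return True


def evaluate(policies: List[Policy], s: SignIn) -> dict:
    """Evaluate every policy together (no first-match ordering): a matching
    enabled block policy wins outright; otherwise the grant controls of all
    matching enabled policies are required together. Report-only matches are
    recorded but not enforced, mirroring the default state of a new policy."""
    enforced = [p for p in policies if p.state == "enabled" and p.matches(s)]
    report_only = [p.name for p in policies
                   if p.state == "enabledForReportingButNotEnforced" and p.matches(s)]
    blocked = any("block" in p.grant for p in enforced)
    required = frozenset() if blocked else frozenset().union(*(p.grant for p in enforced))
    return {"decision": "block" if blocked else "grant",
            "required": required,
            "matched": [p.name for p in enforced],
            "report_only": report_only}


def admin_mfa_policy_body() -> dict:
    """Graph-API-shaped body for the policy the video creates in the portal."""
    return {
        "displayName": "[MFA] Admin accounts",
        "state": "enabled",  # the portal defaults to report-only; switch it to On
        "conditions": {
            "users": {"includeRoles": [GLOBAL_ADMIN_ROLE_TEMPLATE_ID],
                      "excludeUsers": []},  # keep the signed-in admin inside the policy
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


# Constructed policy set: the admin MFA policy plus examples from the overview.
POLICIES = [
    Policy("[MFA] Admin accounts", "enabled", frozenset({"mfa"}),
           include_roles=frozenset({"Global Administrator"})),
    Policy("[MFA] Untrusted locations", "enabled", frozenset({"mfa"}),
           locations=frozenset({"untrusted"})),
    Policy("[Block] High sign-in risk", "enabled", frozenset({"block"}),
           risk_levels=frozenset({"high"})),
    Policy("[MFA] All users", "enabledForReportingButNotEnforced", frozenset({"mfa"})),
]

if __name__ == "__main__":
    admin = SignIn("isabella", frozenset({"Global Administrator"}), "Azure management", "trusted", "none")
    print(evaluate(POLICIES, admin))          # grant, MFA required, report-only policy noted
    risky = SignIn("isabella", frozenset({"Global Administrator"}), "Office 365", "untrusted", "high")
    print(evaluate(POLICIES, risky))          # block: MFA policies matched too, but block wins
    print(admin_mfa_policy_body())
```

The evaluator is deliberately a model of the semantics the video describes, not a reimplementation of the service: the useful check is the last scenario, where an admin from an untrusted location with high sign-in risk matches three policies at once and the outcome is a block regardless of the MFA controls that also matched.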
Info
Channel: Doug Does Tech
Views: 684
Keywords: MFA, Conditional Access, Azure MFA, Microsoft MFA, CA Policy Overview
Id: TUEcsuA5Q10
Length: 13min 46sec (826 seconds)
Published: Fri Dec 23 2022