Configure Azure AD Conditional Access in Under 10 minutes? Let's try it

Video Statistics and Information

Captions
Hey friends, today we're going to look at some new capability within the Entra portal, or the Azure Active Directory admin center, whichever you prefer. Either way, it's an Azure AD Premium feature called Conditional Access. Now, Conditional Access is not new by any means; most organizations are using it to protect their Azure AD user identities and cloud-connected apps. If you're not, you absolutely should be. The new thing is that Microsoft have made it a load easier to get started with Conditional Access: they've created some common templates that cover important scenarios. With these templates I'd say you could get up and running within, I don't know, a few minutes. Let me give it a go.

So from the Azure Active Directory admin center, or the Entra portal, you head down into Azure Active Directory and then down to Protect & secure and then Conditional Access. Now one of the annoying things about the Microsoft Entra admin center is that it doesn't seem to let you close this... oh, there, it does, it does; they've hidden the button. Okay, fine. So we're back on track. We've got these on the left-hand side; this isn't particularly useful for me right now, it's going to limit the space that I've got to start editing these policies, so I'm going to just close that down and we're ready to go. I've almost already used a whole minute talking about that.

So first we're going to go into New policy. Now if you start with New policy you can see you've got to configure everything from scratch, and it will enable the policy in report-only mode by default. But I don't want to do that. I want to go back, and from here I'm going to choose New policy from template. Now here you can see we've got two options for template category: we've got Identities or Devices. We're going to start out with Identities. Now we've got to select a template. There are eight, is that eight? Eight policies to choose from, and the first one is Require MFA for admins. This will require multi-factor authentication for privileged administrative accounts to reduce risk of compromise; this policy will target the same roles as security defaults. So, what do we choose next? We check what it's going to do: it's going to call it CA001 Require MFA for admins, put it in report-only, target all of these roles excluding the current user, and it's going to require MFA for all apps. Okay, done.

Next: Securing security info registration. So when a user tries to register for MFA or self-service password reset, they will need to be, what, in a trusted location or require MFA, which is interesting; it's a bit circular. But so if they're registering MFA stuff then they're going to need to be in a trusted location; if they aren't in a trusted location they'll need to have already registered MFA. I guess that'll work for self-service password reset anyway. Try it. Next: Block legacy auth. Simple, yeah, makes sense, do that all the time. Next: Require MFA for all users. Bit of a bigger deal; let's take a look. Target all users excluding the current user, for all apps, require MFA, no exclusions there at all. Interesting. I would probably take a look at that and add some exclusions later on, but let's go. Next: Require MFA for guest access. Definitely, if my users need MFA then why wouldn't my guests? Next: Require MFA for Azure management. Well, we've already got that configured for our admins, but I guess, yeah, can't hurt, can it? Next: now these two here are for Azure AD Premium P2, which I do actually have in this environment, but I'm not going... most people don't have it, most organizations don't have it. If you do have Azure AD Premium P2, which comes with E5 Security or Microsoft 365 E5 or Enterprise Mobility and Security E5, sure, click that, take a look at these policies and off you go. For now I'm going to go back, take a look at Devices, choose Next.

We are going to Require compliant or hybrid Azure AD joined device for admins. That makes sense, okay, so in order for an admin to do some administration they need to be using an Azure AD joined, uh, a hybrid Azure AD joined device or domain joined device, or a compliant device. Okay, that makes sense. Next, Devices: Block access for unknown or unsupported device platforms. Definitely; a lot of people who are trying to hack into environments will use a device platform that isn't supported, so it doesn't have any policies applied to it. Prevent users from having a persistent browser session, including... "protect user access on unmanaged devices by preventing browser sessions for remaining signed in"... I'll start again: protect user access from unmanaged devices by preventing browser sessions from remaining signed in after the device, after the browser, is closed, and setting a sign-in frequency to one hour on unmanaged devices. Let's take a look at how it knows. Thank you. So if, oh, so if it's not domain joined... and see, I would think that means that if it is domain joined, it is compliant, then it will apply these rather than not. Hey, let's test it. Next, Devices: Require approved client apps and app protection. Yep, definitely, both of those are good things: for iOS and Android require an approved client app or app protection. Okay, that's not what it says, never mind. Require a compliant or hybrid joined device or MFA for all users. Um, we already have that, but these policies are going to be ANDed, so that will mean that people need MFA or this or this. Let's take a look at how that actually blends together later on. Next, Devices: Use app enforced restrictions for unmanaged devices. So with this policy you use the external application, like the cloud app for SharePoint or OneDrive or Exchange, to specify what those app enforced restrictions are, but then this actually enforces those restrictions using Conditional Access as well. So choose Next and Create.

Now you'll see all of these have been created in report-only mode, which means they won't actually be affecting any users at all. There is one important callout there: whilst they are in report-only mode, and they want to actually enforce the policy that we just created on the users that are targeted, if they're on iOS or an Android device then they might be prompted to choose a device certificate, and that would be super confusing for them. Let me just show you what I mean by that. Where is a policy that calls it out? Let's go with Block legacy auth and see if it mentions it. Not mentioning it here. Require MFA for all users, probably because it's already on... choose Report-only, not mentioning it. Interesting. If I go into the Azure portal and do it from here, it's a different way to get to it: in the Azure portal let's go down to Security and Conditional Access. Now in this portal, which looks exactly the same, I'm sure I've seen a callout when you enable report-only mode, and it doesn't appear to be there anymore. So that's good; maybe it's because we are not targeting... anyway, not a problem. Be aware that if you are targeting this on iOS and Android devices, users on those devices may be prompted for a device certificate, which would be, as I say, very confusing for them. But this is for testing, so let's give it a test.

Firstly, I'm not going to go in and test all of these scenarios right now; that would obviously take much longer than the few minutes I suggested it would take. But let's jump in and see what we can do if we use the What If. This is the best way to initially test this to see how it's going to affect you. So you would choose your user or workload, you would choose your cloud app, you would choose every bit of condition that you want to select about this user, and then you would choose What If, and what happens there is it tells you what policies would apply. Let's very quickly go through that in the few minutes that I've got. I'm going to choose a user, and let's go with Alex Wilber. We'll choose any cloud app. He will be using an iOS device, using a browser. Sign-in risk and user risk aren't relevant. We'll choose What If, and then just at the bottom there you can see what happens: so he has to have multi-factor authentication, he isn't able to use a persistent browser session and will be required to sign in every hour, he also needs an approved client app or app protection, so if he's using a browser then he'll need to switch to Edge on iOS and Android, and use app enforced restrictions, so whatever policies are applied to the cloud app he's trying to access, the browser will automatically enforce that.

So that's it. Those are now in place in report-only. We can see the effect of those by going through these policies and seeing the What If. Once you're happy with the concept, enable it in On mode and see what happens. 11 minutes, 11 and a half minutes, and we've done what used to be days of work. I think that's pretty good. See you next time.
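The video builds the policies through the template wizard in the portal. As an added example that is not part of the video or of Microsoft's templates, the PowerShell below does the same for two of the templates discussed (Require MFA for admins, Block legacy auth) with the Microsoft Graph PowerShell SDK: both policies are created in report-only mode, the account running the script is excluded the way the templates exclude the current user, and the sign-in log is then queried for what report-only mode would have decided. The policy display names, the list of admin roles, and the one-day look-back window are assumptions for the example; the role list is a subset of what the real template targets and should be adjusted to the tenant.

```powershell
# Added example (not from the video or from Microsoft's templates): create two
# template-style Conditional Access policies in report-only mode with the
# Microsoft Graph PowerShell SDK, then read back the report-only verdicts.
# Assumes the Microsoft.Graph module is installed and the signed-in account can
# consent to the scopes below. AuditLog.Read.All needs Directory.Read.All too.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                        "Directory.Read.All", "AuditLog.Read.All", "User.Read.All"

# Exclude the account running the script, as the templates exclude the current
# user, so a mistake in the policy cannot lock the administrator out.
$me = Get-MgUser -UserId (Get-MgContext).Account

# Resolve role template IDs by display name rather than hard-coding GUIDs.
# Assumed role list: a subset of what "Require MFA for admins" targets.
$roleNames = @("Global Administrator", "Security Administrator",
               "Conditional Access Administrator", "Exchange Administrator",
               "SharePoint Administrator", "User Administrator")
$roleIds = Get-MgDirectoryRoleTemplate -All |
    Where-Object { $roleNames -contains $_.DisplayName } |
    Select-Object -ExpandProperty Id

# Assumed display name. State is report-only, the same default the templates use.
$mfaForAdmins = @{
    displayName = "CA001: Require MFA for admins (report-only)"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeRoles = $roleIds; excludeUsers = @($me.Id) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Legacy protocols (Exchange ActiveSync and "other" clients) cannot satisfy MFA,
# so the only sensible grant control for them is block.
$blockLegacy = @{
    displayName = "CA003: Block legacy authentication (report-only)"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($me.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($policy in @($mfaForAdmins, $blockLegacy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    "{0}  state={1}  id={2}" -f $created.DisplayName, $created.State, $created.Id
}

# Report-only decisions are recorded per sign-in under appliedConditionalAccessPolicies
# with results such as reportOnlySuccess, reportOnlyFailure, reportOnlyNotApplied and
# reportOnlyInterrupted. Count them for the assumed look-back window of one day.
$since = (Get-Date).AddDays(-1).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    ForEach-Object { $_.AppliedConditionalAccessPolicies } |
    Where-Object { $_.Result -like "reportOnly*" } |
    Group-Object DisplayName, Result |
    Sort-Object Name |
    Format-Table Count, Name -AutoSize
```

The grouped counts are the scripted equivalent of what the What If tool shows per user: a `reportOnlyFailure` against the admin-MFA policy means that sign-in would have been blocked or challenged once the policy is switched to On. Leave the policies in report-only until those rows contain no admin accounts you did not expect, then change `state` to `enabled`. The video's caveat still applies: report-only policies with device conditions can prompt iOS and Android users for a device certificate.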
Info
Channel: CloudManagement.Community
Views: 12,784
Keywords: Azure AD Conditional Access, Azure AD, Conditional Access, AAD Conditional Access, CA, CA policies, MFA, multi factor authentication, azure active directory, azure ad conditional access policies, conditional access in azure active directory, conditional access
Id: nSoAnFhDm9s
Length: 11min 59sec (719 seconds)
Published: Wed Oct 26 2022