Create a Conditional Access Policy Design: The Baseline

Captions
In 2023 my goal is to help as many organizations as possible deploy MFA using Conditional Access. To help with that, today I'm going to walk through a set of policies that I call the Baseline, to help an organization, our fictional organization, get MFA deployed out. The goal of this is so that you can see how another organization would deploy MFA using Conditional Access, and the set of policies that you can build from it. Hey everybody, I'm Doug Does Tech, and this video series is going to be all about deploying Conditional Access policies using several different types of policies. We're going to do a couple of different videos on different organizational requirements, and videos about how to securely deploy MFA for them. So that's what this is all going to be about; let's get into it, deploy the Baseline MFA policies, and walk through that process.

Every good CA policy, every good deployment, is going to need change control and a really good plan for implementation, so let's use this Excel spreadsheet to walk through how to deploy the Baseline set of policies. You can use this to document these policies and run it through any change control that you need for your organization. The policy goal for the Baseline is to require MFA for all admins, users and guests. We also want to block legacy authentication. The goal with this policy is to set yourself up for policy growth and an additional security layer that you can build on top of in the future. So that's one of the goals with the Baseline: a good foundation for deploying MFA that you can then take and build security on later, do other advanced things with it, and I'll show you that at the end.

Here we have the policies. We're going to walk through the four policies that we need to make this happen. We have one policy that's designed to target your admin accounts; that's the policy I'm going to recommend that you turn on today for yourself and for your other admins, to make sure that those admins aren't using MFA. We have one policy for our standard users, one to take care of legacy authentication and one to take care of guest users. Overall a simple set of policies, but it gives you some flexibility. As part of the documentation it will say in here how to set this policy up, and I'll cover it in the video when we actually get into the portal. For all of the apps I'm going to target all cloud apps. You may want to adjust that to things that are only relevant to you, but with a simple set of policies to make sure you're protecting yourself, targeting all cloud apps for MFA is a very strong strategy to start with. You might discover there might be things that you can't do this with, like maybe a SQL Server box for that developer, and you need to make an exclusion for them; that's okay. We're going to use these policies to figure out all those situations and then deploy it out, and then if you need to make exceptions, feel free to go ahead and do that. For almost all of the conditions in this set of policies we're going to use basically nothing in there, so it targets the broadest areas. We don't want to punch a bunch of holes in our Conditional Access policies and have this gap that might exist; these policies are designed to be simple. We're just going to target a couple of key things with the legacy auth components and block that, essentially. And then, again in the theme of keeping it simple, we're just going to reuse the MFA requirement control here. So that's the high-level plan of what we're going to be doing. Nothing else in the organization: terms and conditions do apply to this deployment. I have a set of policies that I use, and overall the tenant is a fairly new tenant. If you are concerned about whether your tenant has every one of the settings covered that goes into it, watch my last video where I cover the high-level other settings that you want to use to make sure that they are in alignment with how I do it. I'll list here the settings that I use and the other areas that you might want to check that influence your MFA policies and the end user experience, so use that video and these links here to make sure you're protected in those situations. All right, that's the high level; now let's actually go in and deploy this set of policies.

So here we are in our fictional Contoso organization, and let's go ahead and deploy the Baseline set of policies. We're in the Conditional Access blade, and I'm going to use a lot of the same content from the Excel spreadsheet to make it work. The first policy that we're going to deploy is our MFA admin account policy. It's simple to design: all you're going to do is come into select users and groups, and we're going to come in and select the directory roles for our organization. The most important one to target is your Global Administrator, but you should target the other roles in your organization; the easy way to do it is to actually come in and just check all the boxes. I know that may be a little bit cumbersome, but that's the best way to make sure you get full coverage of all your admin accounts. So we're just going to quickly burn through all of this to make sure we're selecting everything that has an admin role and achieving MFA for them. This is a key component for me that I always like to do in organizations: any admin should have MFA, full stop. If they're an admin account they need MFA in their organization and need that security aspect in. So we're going to go ahead and select all of these; a little cumbersome, I know, there's a lot of checkboxes involved with it, but it's going to be worth it in the end when your organization is nice and secure. Almost there. All right, so we're set; that is the policy that we want to do.

One important thing to note with this set of policies: you may want to do an exclude on this, specifically if you had a break glass account in your organization or you had a permanent exclude list. I don't think I have a break glass in here, but it's a very common practice to have, for instance, a break glass, and Microsoft even recommends a break glass account that is Global Admin, secured, cloud only and excluded from MFA. So that might be something that you want to consider in your organization, and it's important at this point, as you're doing this, to have a way to get back into your organization. For me, I'm going to come in and use this standard admin account that we use for backups, and we'll put that one in as the break glass for this organization. Right, next step: all cloud apps. We're targeting everything in our organization, no exclusions; admins need MFA for everything. I'm not going to exclude any apps by default unless I have to. Conditions: no conditions. I know there's a lot of desire to get really granular with your CA and only affect your accounts in certain situations, but this is going to be something that we hold off on, really to avoid putting a gap in where there's a scenario where you might not have MFA. So keep it simple, stupid; that's the goal of this set of policies. Grant: what's the grant control that we want to use? For this one specifically we want to use, when it loads, the MFA prompt grant. That's slow; there it goes. So we want to use the standard multi-factor authentication one, and that's the one we're going to use across our organization. But as an organization I'm going to recommend you begin switching to a stronger form of authentication, specifically for your admin accounts, and the one I'm going to recommend for every org is the phishing-resistant MFA. This is going to require a FIDO2 security key for your admin accounts. They're not terribly expensive, but this is the strongest form of authentication, and I would love to see every org out there use this for their Global Admins. But you might not be over there yet; start here as the Baseline, and then as you grow, switch over some of your accounts to that stronger auth, and then once you have some FIDO2 experience turn on this set of policies and you can come in and really make sure you're securing your accounts. So that's the admin policy; let's leave it in report only for right now and go ahead and create it.

After you've got your admin policy created in report only, you can use your audit logs to check to see if this account is going to be affected; you can use the report only status to see how many things this might hit on and analyze those results. I'm not going to do that for today. The important thing to do before you enable your admin policy is to go in and register your admin account for MFA. To do that we're going to go to aka.ms/mfasetup, and you need to go through the process of enrolling your own admin account in the MFA experience that Microsoft has. I've already done this for this account, but let's just go ahead and verify the MFA that we have done here, and here you can see my iPhone is currently enrolled in MFA, so I am good to go. If you wanted to add a secondary backup method, which is always a good idea, whether that be a phone or a security key, you can do it at this time. I always like to have two forms of supported methods pre-registered for my admin accounts, so if you lose your phone you can still get in, and I would highly recommend that. So before you turn on that policy, make sure your admin account is registered for MFA so it just doesn't cause any issues. Once you've registered, let's go ahead and turn that on. Right, again you should check to see if there are any break glasses or exclusions that you need to make before turning this on, like service accounts that might have Global Admin or something like that, but go ahead and target this and then turn that policy on. So that's policy one; we are now set.

Let's go ahead and move on to policy two, the policy that's going to affect our standard set of users in our organization. We're going to go ahead and copy that name. One note you will see in here is that I have a specific format that I use for my name classification, and this is just a me thing, to make it easy for me to read what's going on. There are lots of different recommendations from Microsoft on different ways to format your Conditional Access names to make them easier to read, but what I do is I just make it simple: I put the control that we're going to do in the front and then just a little descriptor for it. So if I'm looking at a lot of different policies I can see fairly quickly the control or grant that this policy does and then a little descriptor of it. That's just my thing that helps me; you can of course do whatever you want. All right, so in this case what we're going to do is come in and target all users in your policy. This is where I want you to get to when you set up the standard users. If you need a slow rollout of your policies that's fine, because you can do that, right? So just target some user groups, like maybe alpha groups, A through X, or A through G and then G on, or something like that; create some alpha groups or create some departmental groups that you're going to target to slow roll people in. But the end goal is to get it into this all users state as part of that deployment. So there are lots of different ways to roll it out; if you need to roll it out slow, great, just come in and set some groups in there as the target user groups, but once you're done you really want to get to this all users status here.

Excludes on this set of standard user policies: we're going to do a couple of different excludes here. We're actually going to exclude guests from this set of policies because we're going to do that with a separate policy. We're also going to exclude directory roles in this, and again come into your set of directory roles and check the boxes. Again, I'm going to really clear out my Global Administrator because I'm handling that in another policy; I want to make it easy to make sure that I only have one set of policies affecting that. And then plan for exclusions: your help desk, and you, might need some exclusions, so I usually have some groups pre-created for that situation that's going to come up inevitably in your deployment, where an end user might need to be excluded. I usually do two sets of groups: I'll do a permanent exclude group from MFA, and that's for service accounts, things that you may not want existing in your environment, and then a temporary user group. So this is a "hey, XYZ end user called": instead of having to modify your CA policies you can come in and just add a user to this existing exclude, or help desk can add a user to the existing exclude and secure it. So let's plan for that inevitable situation so that we have a good, quick, easy way to fix the scenario before it's a big one. I also highly recommend using cloud groups for these MFA excludes, so it's instant, versus an AD synced group that may take 15 minutes to sync up that the end user is a member of that group; just a note there. All right, again on cloud apps we're going to select all cloud apps. Conditions: no conditions again for this policy. And the grant: this is where we're just going to use that simple require multi-factor authentication again. Go ahead and create it in report only, and enable it when you are ready to deploy that out. Again, the nice thing about the report only policies is you can check your sign-in logs and see how much this would affect your organization, and there's some nice graphing and insights and reports that you can take advantage of.

Third policy: let's get that block on legacy authentication going. At this point you have secured your organization with your main set of policies. Once you have those deployed, you want to get the legacy authentication protocols that don't support MFA and block them from use in our organization. Again, in this case we're going to select all users as part of the policy. You may want to exclude if you know in advance that, hey, we have this one application that uses legacy auth; feel free to exclude it at this point. Otherwise let's just build it out standard, because eventually you should be moving away from that. Microsoft wants to get rid of all those protocols anyway, and if they're not already disabled in your tenant you're going to want to remove them anyway, just because they're so weak and so targeted for hacks. The other condition that we want to do in this one is the targeting of the specific client apps. So here you can see under client apps we have browser and mobile apps, and then we have this set of legacy authentication protocols that are in use, and those are the ones that we want to target for blocking in our organization. Now in the policy, once we have that up and running, we're going to go into this and switch it to a block control. All right, so you're set there. The nice thing about how Microsoft designs this is that it is going to inform you if your policy is going to affect your user account; in this case this admin account will be affected, and it wants you to say "I understand". In my account I don't use legacy auth for anything, and so we're going to go ahead and create that. At this point again you can create it in report only to check that audit log, or if you know you already don't use that, or you've told users you don't want to move it, you can come in and just mark it to on.

All right, the fourth policy that we want to deploy as part of this Baseline is guests. You probably have B2B guests in your organization, so let's go ahead and target those users specifically and also require them to MFA to get into our environment. So, final policy here, we're going to set this up. I am a big believer that if your end users are required to MFA, we should definitely require any B2B guests that access your tenant; they are just as dangerous to your organization as an end user. So let's target all of them and put this in place. All right, pretty simple there. Again, you may need to set up an exclude every once in a while, and in this case we can come in and set up that exclude option in there and target that as part of this deployment, and we're good to go. So all cloud apps again, no conditions, and then the control in this one is grant multi-factor authentication. Mark it as on and go ahead and create it. At this point your end users, your guests and your admins are going to be required to MFA, and that is a great set of policies. Again, for the deployment of the MFA policies it may be prudent in your organization to switch it over to a group that you're going to include and roll everybody into, and you can certainly do that. I made a mistake here: this was supposed to be my include group and that's my exclude group, but you can come in and deploy that out and turn that on, so you can start slow rolling end users in after you get your admin accounts up and running.

So there we go, that's the Baseline set of policies that I really highly recommend every org roll out. The most important of these is your admin accounts; again, I can't state it enough, if you don't have MFA on your admin accounts please deploy this set of policies out to your organization. It will make a huge impact in securing your accounts and your whole organization. So what questions do you have? Please put them in the chat; I would love to help you with deploying this MFA. If you deploy MFA with this set of baselines please let me know if it helps; I would love to support that. That's it for today. Good luck out there and stay safe.
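The four policies described in the video can be expressed as Microsoft Graph conditionalAccessPolicy request bodies, which makes the design reviewable in change control before anyone clicks through the portal. The following is an added example, not the video author's tooling: it builds the Baseline set (admins by directory role, all users, legacy-auth block, guests, every policy created in report-only first) and lints it against the rules the video stresses (break glass excluded everywhere, all cloud apps, no extra conditions, the block policy targeting exactly the legacy client app types, the all-users policy handing admins and guests to their own policies). Field names follow the public Graph API reference as I recall it; every GUID is a constructed placeholder except the well-known Global Administrator role template id.

```python
"""Added example (not the video author's tooling): express the four Baseline
Conditional Access policies as Microsoft Graph conditionalAccessPolicy request
bodies and lint them against the design rules the video spells out.
Assumptions: field names follow the public Graph API reference (from memory);
all GUIDs below are constructed placeholders except the well-known Global
Administrator role template id."""
from copy import deepcopy

ALL_APPS = {"includeApplications": ["All"]}
MFA = {"operator": "OR", "builtInControls": ["mfa"]}
BLOCK = {"operator": "OR", "builtInControls": ["block"]}
REPORT_ONLY = "enabledForReportingButNotEnforced"   # create here first, enable later

GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"   # role template id
BREAK_GLASS_USER = "11111111-1111-1111-1111-111111111111"    # placeholder object id
PERM_EXCLUDE_GROUP = "22222222-2222-2222-2222-222222222222"  # placeholder cloud group
TEMP_EXCLUDE_GROUP = "33333333-3333-3333-3333-333333333333"  # placeholder cloud group
GUESTS = "GuestsOrExternalUsers"                             # Graph value for B2B guests
LEGACY_CLIENT_APPS = ["exchangeActiveSync", "other"]         # the legacy-auth client apps


def baseline_policies(admin_roles):
    """Four policies: every one report-only, all cloud apps, no extra conditions."""
    excl = [BREAK_GLASS_USER]
    return deepcopy([
        {"displayName": "MFA - Admin accounts", "state": REPORT_ONLY, "grantControls": MFA,
         "conditions": {"applications": ALL_APPS,
                        "users": {"includeRoles": list(admin_roles), "excludeUsers": excl}}},
        {"displayName": "MFA - All users", "state": REPORT_ONLY, "grantControls": MFA,
         "conditions": {"applications": ALL_APPS,
                        "users": {"includeUsers": ["All"],
                                  "excludeUsers": excl + [GUESTS],
                                  "excludeRoles": list(admin_roles),
                                  "excludeGroups": [PERM_EXCLUDE_GROUP, TEMP_EXCLUDE_GROUP]}}},
        {"displayName": "Block - Legacy authentication", "state": REPORT_ONLY,
         "grantControls": BLOCK,
         "conditions": {"applications": ALL_APPS, "clientAppTypes": list(LEGACY_CLIENT_APPS),
                        "users": {"includeUsers": ["All"], "excludeUsers": excl}}},
        {"displayName": "MFA - Guests", "state": REPORT_ONLY, "grantControls": MFA,
         "conditions": {"applications": ALL_APPS,
                        "users": {"includeUsers": [GUESTS], "excludeUsers": excl}}},
    ])


def lint_baseline(policies):
    """Return a list of findings; an empty list means the set follows the Baseline rules."""
    findings = []
    admin = next((p for p in policies if p["conditions"]["users"].get("includeRoles")), None)
    if admin is None or GLOBAL_ADMIN_ROLE not in admin["conditions"]["users"]["includeRoles"]:
        findings.append("no role-targeted policy covers the Global Administrator role")
    for p in policies:
        name, cond = p["displayName"], p["conditions"]
        users, controls = cond["users"], p["grantControls"]["builtInControls"]
        # rule 1: every policy must leave a way back in
        if BREAK_GLASS_USER not in users.get("excludeUsers", []):
            findings.append(f"{name}: break glass account is not excluded")
        # rule 2: all cloud apps, and no conditions beyond the legacy client-app filter
        if cond["applications"].get("includeApplications") != ["All"]:
            findings.append(f"{name}: does not target all cloud apps")
        extra = set(cond) - {"users", "applications", "clientAppTypes"}
        if extra:
            findings.append(f"{name}: unexpected conditions {sorted(extra)}")
        # rule 3: block targets exactly the legacy protocols; MFA policies use no client filter
        if "block" in controls:
            if sorted(cond.get("clientAppTypes", [])) != sorted(LEGACY_CLIENT_APPS):
                findings.append(f"{name}: block must target exactly {LEGACY_CLIENT_APPS}")
        elif "mfa" not in controls:
            findings.append(f"{name}: grant control is neither mfa nor block")
        elif "clientAppTypes" in cond:
            findings.append(f"{name}: MFA policies should not filter on client app types")
        # rule 4: the all-users policy hands admins and guests to their own policies
        if users.get("includeUsers") == ["All"] and "mfa" in controls:
            covered = set(admin["conditions"]["users"]["includeRoles"]) if admin else set()
            if not covered <= set(users.get("excludeRoles", [])):
                findings.append(f"{name}: must exclude every role the admin policy covers")
            if GUESTS not in users.get("excludeUsers", []):
                findings.append(f"{name}: guests belong to the guest policy, exclude them here")
    return findings


def enable(policy):
    """Flip a report-only policy to enforced once the sign-in logs look clean."""
    live = deepcopy(policy)
    live["state"] = "enabled"
    return live


if __name__ == "__main__":
    for finding in lint_baseline(baseline_policies([GLOBAL_ADMIN_ROLE])) or ["baseline OK"]:
        print(finding)
```

Pass the full list of role template ids you ticked in the portal to `baseline_policies`; the lint then insists that the all-users policy excludes each of them, so only one policy ever governs an admin, which is the "one set of policies affecting that" property the video asks for. Running the lint again after someone edits a policy body catches the classic drift cases: a dropped break glass exclusion, a browser client app slipping into the block policy, or guests left in both the all-users and guest policies.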
Info
Channel: Doug Does Tech
Views: 567
Keywords: Conditional Access, CA Policy, MFA Policy, Azure AD MFA Policy
Id: IM3_fNZdNiI
Length: 19min 19sec (1159 seconds)
Published: Sat Jan 21 2023