How to get started with Azure AD Conditional Access

Captions
You're right, it's that time again: it's time to learn. Hi there, Andy Malone, Microsoft MVP as well as a Microsoft Certified Trainer. Welcome back to the channel. This time I thought we'd take a look at Azure Active Directory Conditional Access. I realized I've not looked at it for quite some time and there have been a few changes in it, so we're going to talk about Identity Protection as well as Conditional Access. I will also mention, as I said, some of those cool new features. Now, as always, I love your comments, questions and feedback, so please get them down below to me, and if you've not subscribed, of course, then please go ahead, click on that subscribe button, ring that bell and you won't miss out on any of my future postings. Okay, so without further ado, let's get to the demo.

Okay, to kick off, we're in the Azure Active Directory admin center, and what I'm going to do is go into Azure Active Directory first of all. In here I'm going to scroll down until we get to the Security node, or blade as it's known. Clicking into the Security blade, I can see I've got Conditional Access. Now, before I get into Conditional Access, one of the things that you really want to do is talk about Identity Protection, because Identity Protection on its own is great, but when you combine it with Conditional Access it's really good. So just a quick run-through of Identity Protection here. What I'm going to do is click into one of three policies: I've got a user risk policy (how risky is this particular user?), I can do a sign-in risk policy (how risky is the user signing in?), and I can also create a default multi-factor authentication policy as well.

So first of all I'm going to go into the user risk policy, and essentially I'm going to click into my users. Now, here in my users I've selected three of my most important members of staff. For you this could be your managing director, your CEO, your IT officer, your accountant, something like that, because typically when we talk about threats within an organization, phishing attacks and so on, spear phishing, these are the normal targets. So these are the accounts that are going to get hacked more than other regular accounts, so you want to protect these accounts as much as possible. What I've done here is I've selected these users and I give them a status of high risk, and what we can then say is, if there are any issues later, it will require a password change, and you can see I've enforced that policy. Now we can also come down to the sign-in risk policy here, and again I've selected those same users, because of course these users could be signing in remotely, for example. I can then say, yep, they're high risk, but this time, because they're coming in remote, I'm going to say actually I do require multi-factor authentication for these users. Remember, multi-factor authentication can reduce your potential attack surface area by up to 95%; in fact I would actually argue it's more than that, to be honest. So those are the things that I've done; we can come back to this a little bit later. Now, there are various reports that you can look at, which is great.

So now what I'm going to do is come back to that Security node, and now I'm going to go into Conditional Access. Again, just before I go into Conditional Access, I just want to make you aware of this new feature in Microsoft 365, currently in preview. It's called continuous access evaluation, and what this does is it basically says: if a user's access is removed or the user's IP address suddenly changes, continuous access evaluation will automatically and immediately block access to the account and any applications in real time. This is a fantastic security feature. Again, you could select either individual users or, in this case as you've seen, I can just do it on a per-group basis. So that is a really nice, very, very good feature; it's called continuous access evaluation.

So, coming up to the topic of today's chat, this of course is Conditional Access. Now, with Conditional Access, obviously you're aware that when you walk into a building, or let's say for example I walk into an airport, I have my passport and I have my ticket, which gets me into the airport. Now, within the confines of the airport, of course there are areas where you can't go, and you'll have noticed that members of staff have ID badges and they normally punch in a PIN code, and these get them into sensitive areas. So Conditional Access is a little bit like that: once you've been authenticated, you can then put additional safeguards in place.

All right, so just before we go in and create some policies, let me talk about some of the settings. One of the things that you might want to set up is something called a named location. Now, a named location can either be managed by a country location or an IP address range, and you can also have a multi-factor authentication range of trusted IP addresses. IP address locations are quite good, so for example if you've got an office in Manchester or an office in New York, you can add those IP address ranges here, and if you're enforcing multi-factor authentication it can bypass for those safe locations, and that makes it a lot more convenient for your users because they're already in a trusted location.

Okay, we also have a new feature here called custom controls. The way that this works is I simply click onto here, and you can see that it's offering me a blank JSON web token. Now, there are a number of vendors that are integrating with Conditional Access, so what you need to do is find out your security vendor and they will have a Conditional Access JSON token. All you do here is simply delete this, paste in theirs and click on Create, and then it will create a Conditional Access token, let's say for Sage accounting or Cisco firewalls or something like that.

All right, so again that's a really nice feature. Terms of use: obviously when your users are signing in from outside, it's a really good idea that you have your terms and conditions, so before they can get access to the resources it pops up on screen and just says, look, these are the acceptable terms and conditions, do you agree? And then you would say yes, I agree, or don't agree.

Okay, if you want your users to come in through a virtual private network, then this is really nice: you can come in here and I can generate a digital certificate. So remember, when users authenticate with a username and password, and if they're using, let's say, a corporate device, you can download this digital certificate and install that certificate on the mobile device, so when the device connects it's authentic because it has this digital ID, very similar to, let's say, a passport, yes? So it's been issued by a trusted authority, and it's very good.

Okay, we also have a new feature called authentication control, sorry, authentication context, here. Authentication context is great. This is used for applications and actions within major applications like SharePoint and so on, and it deals with, let's say, sensitive data: what's the context of the data running through that application? So if I have an application, let's say SharePoint, and I've got a Conditional Access policy, I can then say, yep, this has been authorized; my data is sensitive but it's authorized to run through this SharePoint application. So it means security context, and what I've just done here is set one up; I've just called it Norway Authorized, and you'll see that in a moment when I create a Conditional Access policy. So coming down then, I'm going to go back; those are my basic things that I've set up. All right, classic policies, by the way, refers to very old Azure policies that you may have created years back.

Okay, so what I'm doing now is going into my Conditional Access policies, and I'm going to create a new policy. Now, I live in a place called Stirling in Scotland, so I'm going to say this is my Stirling apps policy. Oops, it would help if I spelt it correctly. Right, okay, this is my Stirling apps policy, and I can go ahead and select either all users, or I can say users and groups. I can create a policy for just guest and any external users; this is particularly useful if you're using things like Microsoft 365 groups or, let's say, Microsoft Teams. You can also create policies for various directory roles as well, so for example if you're a user administrator, then you might want the user administrator to use multi-factor authentication and so on. And I can also do it for specific users and groups here as well, so I can either go through specific users or I can just type in a group name. In this case I'm going to connect to the sales team; I'm going to create an access policy for the sales team. So that's the who: I've selected the users and the groups here.

Now what I'm going to do is come down into conditions. Well, actually, just before I do that: first of all I've selected my users and groups here, and now it says, okay, what applications? So Conditional Access is for what? Now, you can do this in one of a couple of ways. I can say all cloud apps, so I'm creating a policy that impacts all cloud applications, or maybe it's just selected applications, so in this case you can see I now get a list, or I will get a list in a moment, of the various applications. Okay, so you can see I've got a list of various apps here, so for example I could say Box, yes, I want to create Conditional Access, or maybe I'll create one for LinkedIn. Okay, so I'm going to create a policy for LinkedIn. Now please note that you can select either applications or cloud apps, but check this out: you can also create Conditional Access policies based on user actions and authentication context. So remember what I said, here's my Norway Authorized, so I can create a policy for, let's say, SharePoint, and I know that this is running, let's say, sensitive data through that. So that's the new authentication context. When we talk about user actions, I can say, okay, select the action: I can say register the user's security or the device's security information, and I can also say this device or user needs to register or join a device to the organization. All right, so for the purpose of this demo I'm going to use cloud apps, and I'm just going to stick with LinkedIn.

So we've got the who: the sales group using LinkedIn, and they must meet these conditions. The user risk, remember that from Identity Protection: if I click into this, I'm going to say high, and I'm going to say configure, and I'm going to say, in fact, excludes medium and high; okay, so I'm going to say medium and high, or rather I'm including medium and high risk in my policy. Sign-in risk, so again I can say yes if my users have a high or medium sign-in risk, and if they're coming in on a particular platform. So for example I could include any device or specific devices, or I can exclude a specific device as well, so I'm going to include these device platforms: Android and iOS devices. I'm going to say exclude a trusted location, so I can actually choose a trusted location here. Now, you'll notice that I'm excluding the trusted location, so I'm having my users come in on Conditional Access if they're using LinkedIn; the condition is that they must be using these apps, but it excludes the trusted location. I bet you know what's going to happen next, right? Okay, so client apps: in this case I'm only going to allow browser and mobile apps, but I'm not going to allow older clients, the reason being that these older clients don't require multi-factor authentication, and actually that's a real major security risk.

So these particular users, if they meet these specific actions, let's say this particular app, so I've got my sales group who are using LinkedIn, they must meet these conditions, and if they do, I'm going to either grant or block access. In this case I'm going to block access but it requires multi-factor authentication. Now remember what I said: it excludes that condition, so remember the condition of the trusted location; my users would not be prompted if they were in a trusted location. All right, so again there are a number of other options here as well that you can also do. You can either have multiple controls or you can have individual ones, and in this case I've chosen just an individual one. So the who, the what, the how, the where.

And again, finally, you can control the session as well. Do you want to use what we call Conditional Access app control? In this case, with Conditional Access app control you might say, if they're using Box or LinkedIn, they're not allowed to download any files, so they can only view the files online; that's what we mean by that. You can also control the sign-in frequency as well. So for example, if you were in a bank, you might not want the browser to remember you. I'm sure you've logged into your browser recently, you've gone to Microsoft 365 and it's automatically logged you in; if you were in a bank you might not want that, you might want the user to be logged in, so I could say, you know, after 30 minutes; you can either do it for days or hours there as well.

The other thing that you can also do is something called a persistent browser session. Now, you'll notice that the persistent browser session here is actually grayed out, and the reason for that is the apps option that I've chosen: if I just go to this, you'll notice I'm only choosing one app. It's because it's a browser cookie, so you're controlling the cookie lifetime within a browser, and the problem is the browser cannot differentiate between one app or all apps, so in this case you would need to do all cloud apps for this to work. So if I go back into this policy and scroll down to session controls, you can now see that this is now active, so it means: do you want me to always retain the cookie or never retain the cookie? This is again an additional security feature. So that's the difference between the frequency and persistent browsing.

Okay, fantastic. So there you have it, a little bit of Conditional Access. Now, if I just head back to my Conditional Access policy here, you'll notice that it says report only. That policy is set to report only, which is great; this is almost like a try-before-you-buy type scenario. But what I'm going to do is go ahead and switch this policy on, bearing in mind of course it's only for that group of users, so you can have many Conditional Access policies for users, groups and devices. So once the policy is set up, another thing that you can use is this What If option at the top here, and What If is exactly as it says on the tin: I can select a user from that group and say, hey, if this user is using this particular app from this particular IP address using this particular device, etc. (I'm sure you get the idea, what if), what would the Conditional Access policy look like and how would it affect that user? So that's a really, really cool feature; actually, I love that What If option.

So there you have it, ladies and gentlemen, just a little bit about Conditional Access. Azure Active Directory Conditional Access, very cool. Now, if you've got questions, comments, feedback, or if you've got suggestions about future topics that you're interested in, then please get them down below and I'll do my best to answer them for you. And of course, if you've not subscribed to the channel, I would really appreciate not only that you hit that subscribe button and ring that bell, but also please like and share the videos as well. All right, thank you so much for dropping by and I will see you next time. All right, you stay safe, take care. Thanks for dropping by, hope you enjoyed the video. Go ahead and click on the subscribe button and ring that bell and you won't miss a thing. See you next time.
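The policy built in the walkthrough (sales group, LinkedIn only, medium/high user and sign-in risk, Android and iOS, trusted locations excluded, browser and mobile/desktop clients, MFA required, report-only first, then switched on) expressed through the Microsoft Graph PowerShell SDK instead of the portal. This is an added example, not code from the video; the group and application IDs are placeholders, and the one-hour sign-in frequency is an assumed value standing in for the 30 minutes mentioned, since the API takes hours or days.

```powershell
# Added example (not the video's own code): builds the Conditional Access policy from
# the walkthrough with the Microsoft Graph PowerShell SDK (module Microsoft.Graph.Identity.SignIns).
# Group and application IDs are placeholders; look them up in your tenant first.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$salesGroupId  = "00000000-0000-0000-0000-000000000000"  # placeholder: Sales group object ID
$linkedInAppId = "00000000-0000-0000-0000-000000000000"  # placeholder: LinkedIn enterprise app ID

$policy = @{
    displayName = "Stirling apps policy"
    # Report-only first: the policy is evaluated and logged in sign-in logs but not enforced
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        # Who: the sales group only
        users            = @{ includeGroups = @($salesGroupId) }
        # What: a single cloud app rather than "All"
        applications     = @{ includeApplications = @($linkedInAppId) }
        # Identity Protection risk signals feed straight into the policy
        userRiskLevels   = @("medium", "high")
        signInRiskLevels = @("medium", "high")
        platforms        = @{ includePlatforms = @("android", "iOS") }
        # Everywhere except named locations flagged as trusted (office IP ranges)
        locations        = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
        # Modern clients only; legacy clients cannot satisfy an MFA grant control,
        # so they fall outside this policy and need their own blocking policy
        clientAppTypes   = @("browser", "mobileAppsAndDesktopClients")
    }
    # How: require MFA when every condition above matches
    grantControls   = @{ operator = "OR"; builtInControls = @("mfa") }
    sessionControls = @{
        # Re-authenticate after one hour (assumed value; the API takes hours or days).
        # persistentBrowser is deliberately absent: it only applies when the policy
        # targets all cloud apps, which is why the portal greys it out for one app.
        signInFrequency = @{ isEnabled = $true; value = 1; type = "hours" }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created '$($created.DisplayName)' ($($created.Id)) in state $($created.State)"

# After reviewing the report-only results in the sign-in logs, switch the policy on
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
    -BodyParameter @{ state = "enabled" }
```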
Info
Channel: Andy Malone
Views: 603
Rating: 5 out of 5
Keywords: Microsoft Azure, Microsoft 365, Conditional Access, Microsoft MVP, Andy Malone MVP, MVPBuzz, MCTBuzz
Id: zFyXTA7o7J4
Length: 23min 21sec (1401 seconds)
Published: Mon Aug 09 2021