What's New in Azure AD Conditional Access

Captions
This time around is the turn of the all-new features in Azure AD Conditional Access: what's new, what's cool and, more importantly, what can it do for you. Stick around. [Music]

Hi there, fellow YouTubers. Andy Malone, a Microsoft MVP as well as a Microsoft Certified Trainer. Welcome back to the channel, I really appreciate it. This time I thought we'd take a look at some of the cool new features that are in Conditional Access, and it's been going through one or two few changes, and there's some very cool preview features in there that will make a huge difference to you, and it also introduces attribute-based authentication. So how it works and what it does, well, I think the best thing we can do is have a look at a demo. Now, if you've not subscribed, of course, please go ahead, click on the subscribe button, ring the bell and you won't miss out on anything in future. Okay, and as always, I love your questions, comments and feedback, so please go ahead and drop those comments down below. So without any further ado, let's jump in with the demo and have a look.

Okay, so let's have a quick look at some of the new features in Azure AD Conditional Access. So what I'm going to do is I'm going to scroll down, I'm going to do a full demo on Azure AD Conditional Access, and I will then add on some of the new features. So I'm heading to the Security node here, and the first thing I'm going to do is just a quick reminder about Identity Protection. So Identity Protection has two core policies, a user risk and a sign-in risk policy, and this is great for placing your really risky users into a bucket. So essentially I'm just placing these guys into a bucket and I'm signing them as a high risk user. I can then say, if there are any issues with the account, I can either block or allow access and then require a password change. Um, the sign-in risk policy is great for users, again, who are dialing in or diving in remote. Nobody dials in anymore, except back in the 1990s. Um, you can go into sign-ins, again I place them as high risk, and in this case, because they're signing in remotely, I've required multi-factor authentication from these users. So I've just gone ahead and set that up. Now, on its own, sometimes Identity Protection can seem a little bit kind of weird, but when it's combined with the likes of Conditional Access then it's really good.

Okay, so looking at just a couple of new features. We have a feature here called continuous access evaluation, and what this does, it monitors for anything, and I can enable the preview and you can choose a specific group of users. And what it's doing is it's constantly monitoring those users for any kind of changes, such as a client IP address change or any kind of unusual behavior. Immediately it will disconnect the user and lock that user out. This is a really cool feature.

Okay, going into Conditional Access, I want to first of all just prepare Conditional Access. So some of the things that you might want to do in advance: you might want to create a terms and conditions, so you might have an acceptable usage policy, for example, and you want your users to be able to accept that. The other thing that you might have is you might want users to come in over your VPN, and you can actually create your own digital certificate, what I've done here, and then once you've done that you can download that on the various users' devices and use that as part of authentication. Very nice. Um, so I'm going to go up to, oh, the other thing is named locations, um, used to be known as trusted locations. So for example, I can, you can either add in IP address ranges, um, MFA trusted IP address ranges, multi-factor authentication, or a country. So you can see in this case I've set up the Netherlands and Norway as my trusted areas.

So once I've done that, I can then go up to Policies, and in my policies we've got a few new features. So I'm going to go ahead and create a new policy here, and I'm going to call this my, um, I'll call this my IT desktop, or I'll just call it my IT access CA policy. Okay, and I'm going to specify which users and groups. So essentially, and I've said this before, Conditional Access looks for signals, so based on these signals, and it then determines whether they meet these certain conditions. If it does, we then apply an access control, and the access control can either grant or deny, and you can then determine how that user is going to authenticate. You can also control the session as well. Now just to remind you that you do not need to have a managed device, so you can still set, um, Conditional Access policies for unmanaged devices, including guest access and so on. So you can see I can create a Conditional Access policy for all guests and external users, I can do one for directory roles, so administrators for example, and I can also do them for our users and groups. So in this demo I'm going to choose my users and groups, and I'm going to say, I'm going to choose Oslo, and I'm going to bring in my Oslo sales team. So this is my Conditional Access policy for my Oslo sales team.

So I'm saying here, if my Oslo sales team are using these apps, and this is where things start to change. So you can either set rules based on a particular app, on a user's actions, or something called authentication context, which is currently in preview. Now authentication context really looks at the privacy within the data privacy, so how sensitive is the data, what's the context that the user is wanting to use that data for. All right, for the purpose of this demo I'm going to just choose cloud app, and am I interested in all cloud apps or just specific apps? Again, for the purpose of this demo I'll choose all cloud apps. So basically, any members of the sales group using any cloud apps, they need to meet these conditions. So, aha, look at that, that is that identity management here. So I can say yes, I want to configure for both high and medium access, and I want to set up a sign-in risk, yes, again high and medium.

Okay, now I can say, um, are they using a particular device? So this time you can include all these devices or you can exclude certain devices. So I'm going to click on Configure and I'm going to say, you know, I'm going to choose Android and iPhone devices here. All right, I'm going to click on Done. And so if the user's using these devices, and I'm going to say locations, but this time instead of including a location I'm going to exclude all trusted locations. So what this policy is going to do, I'm going to enforce MFA for all cloud apps except where my users are coming in from trusted locations. So now we choose the client apps, and what kind of client apps: are they browser-based apps, are they mobile apps, and do I want to exclude any kind of apps? So for example, legacy authentication clients don't support multi-factor authentication, so I'm going to go ahead and remove those, because that's a massive security hole, by the way. Once you've done that, you can also bring in the device state, so I can say yeah, I want to include or exclude any domain joined or hybrid joined devices in my organization.

All right, and this is brand new, this rocks by the way, and this is filters for devices. Uh, check this out, this is really powerful. So I'm going to say yes, do you want to include the filtered devices in the policy, or you can exclude them. So I'm going to say include them, and look at this, I can go in here and you can filter by a specific ID, um, the owner, ownership, whether the device is compliant. But look, I could say I want to ban Huawei, uh, iPhone or phones, I want to ban Samsung phones, or I want to allow HP laptops. Look at that, that's really granular. Okay, and you can even do it by model or operating system, so I could say only allow Windows 10, so equals Windows 10, or later than a particular version. Do you understand, this is such a cool feature, the fact that you can now include or exclude, and it's extremely granular. So you can then do and/or, so you could say a particular device and an operating system, or this operating system, or this particular version. So this is absolutely amazing. This is attribute-based authentication, and this is a sign of things to come, in my opinion. All right, so, um, as I said, you can, uh, bring in those filters if you want to.

All right, um, okay, so once you've done that, they are the conditions. So now you can say, all right, are you going to allow access or deny access? Well, I'm going to grant access, but in this case I want to require multi-factor authentication. And you can also choose: do you require that the device is hybrid, is the app that the user is using, is it on a list of approved apps, for example, does it require an app protection policy. So again, you could set up a protection policy which specifies, hey look, that's fine, they're allowed to use the app, but they're not allowed to open this document on that app because it's sensitive. And so I'm going to go ahead and click on Require multi-factor authentication. Now remember, when we set up the conditions and I said exclude trusted locations, so this won't interfere with that.

Now the other thing that you can also control is the session policy, and you can basically say, do you want, and this depends on the app that you're using, by the way, this is great. So Conditional Access App Control, and I could say I want them to get access to, let's say, a team site or a Microsoft Office document, but they're not allowed to download it. Okay, so they can view it on screen but they're not allowed to save copies of it, and you can also customize that as well. Now as you can see, if you need any help with anything, any of the blue links will take you directly to a support page at docs.microsoft.com. Now the other thing that we've got here is the sign-in frequency. So here is where you can specify that the user must re-sign in x, you know, whatever. So if I said every 30 days, I want the user to be able to stay signed in, so in other words it caches the user's browser, or the user's cookie, their token, for 30 days, and then the user needs to re-log in again. Again, it's a convenience thing. The other thing that's quite nice as well is something called a persistent browser session, and you can make it always persistent or never persistent. This is great in a bank, because if you choose never persistent, when the user closes the browser they would need to re-log in again, again for security reasons, so that you can't use somebody else's session tokens.

All right, um, okay, so once you have got your Conditional Access and you want to switch it on, all right, so yes, I want to go ahead and create my policy. You can choose for report-only, and again I'm going to click on Create. Now one of the cool things that we have here now is we've got this What If tool. So I can go into the What If tool and I can say, what if, what if this user is using this app from this IP address with this device platform, and what would happen? Yeah, that is really nice, by the way. Okay, um, other things that we've got here, and you can also have a look at this, a number of reports that you can view. So Insights and reporting will give you a nice, um, Conditional Access report, so again you can follow this, and there's some scripting that you can do here which allows you to pull out a really nice, um, generic, or detailed report rather, I should say.

Okay, so there we go, just a couple of things, a few new features which are really exciting in Conditional Access. So there you have it, Azure AD Conditional Access. Isn't that cool? There's some really nice features there that I think will make a huge difference to your business. So I hope you enjoyed the session. As always, if you did, please go ahead, put your comments in down below, and, uh, any questions that you have, I would love to hear from them. Okay, now if you've not subscribed, go ahead, click on the subscribe button up there, ring the bell and you won't miss out on the good stuff in the future. And as always, give me a big thumbs up if you enjoyed the video. So until next time, you stay safe and I'll see you soon. Take care.

Thanks for dropping by, hope you enjoyed the video. Go ahead and click on the subscribe button and ring that bell and you won't miss a thing. See you next time. [Music]
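The conditions chosen in the demo and the What If check can be modelled in a few lines. This is an added example, not code from the video or from Microsoft: a simplified Python model of how the demo policy's conditions combine, leaving out the device filter. The names `POLICY`, `what_if`, `TRUSTED_COUNTRIES` and the sign-in fields are assumptions made here (not the Graph schema), and the Netherlands and Norway are treated as trusted, as the video describes them.

```python
# Simplified model of the demo policy; field names are illustrative, not the Graph schema.
POLICY = {
    "name": "IT Access CA Policy",
    "state": "report-only",                # the demo creates the policy in report-only mode
    "include_groups": {"Oslo Sales"},
    "include_apps": "all",                 # all cloud apps, so no per-app check below
    "user_risk": {"high", "medium"},
    "sign_in_risk": {"high", "medium"},
    "platforms": {"android", "ios"},
    "exclude_trusted_locations": True,
    "client_apps": {"browser", "mobile"},  # legacy authentication clients deselected
    "grant": ["mfa"],
}
TRUSTED_COUNTRIES = {"NL", "NO"}           # Netherlands and Norway, as set up in the demo


def what_if(signin, policy=POLICY):
    """Return (applies, reason, controls) for one constructed sign-in."""
    checks = [
        ("group", bool(policy["include_groups"] & set(signin["groups"]))),
        ("user risk", signin["user_risk"] in policy["user_risk"]),
        ("sign-in risk", signin["sign_in_risk"] in policy["sign_in_risk"]),
        ("platform", signin["platform"] in policy["platforms"]),
        ("location", not (policy["exclude_trusted_locations"]
                          and signin["country"] in TRUSTED_COUNTRIES)),
        ("client app", signin["client_app"] in policy["client_apps"]),
    ]
    # Every configured condition must match, otherwise the policy is not applied.
    failed = [name for name, ok in checks if not ok]
    if failed:
        return (False, "not applied: " + ", ".join(failed), [])
    mode = "would require" if policy["state"] == "report-only" else "requires"
    return (True, mode, list(policy["grant"]))


# Constructed sample sign-ins (not real log data).
BASE = {"groups": ["Oslo Sales"], "user_risk": "high", "sign_in_risk": "medium",
        "platform": "android", "country": "DE", "client_app": "browser"}
SAMPLES = {
    "risky, untrusted country": BASE,
    "same, from Norway": {**BASE, "country": "NO"},
    "legacy auth client": {**BASE, "client_app": "legacy"},
    "no risk detected": {**BASE, "user_risk": "none", "sign_in_risk": "none"},
}

if __name__ == "__main__":
    for label, signin in SAMPLES.items():
        print(label, "->", what_if(signin))
```

Conditional Access applies a policy only when every configured condition matches, so in this model the no-risk and legacy-client sign-ins fall outside the policy and would need policies of their own to be covered.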
Info
Channel: Andy Malone
Views: 456
Rating: 5 out of 5
Keywords: What's new in Azure AD Conditional Access, M365, Azure AD, Microsoft Azure, Microsoft 365, Getting started with Azure AD, Azure AD Identity Protection, Microsoft MVP
Id: CJtiPSMwxfM
Length: 17min 4sec (1024 seconds)
Published: Thu Sep 30 2021