Practical Conditional Access: The Secure Endpoint

by dougsbaker
General

In this final video on Practical Conditional Access, we’ll be sharing our favorite set of policies designed to ensure secure access to your organization’s environment. Specifically, we’ll be focusing on the “The Secure Endpoint” policy, which is a customizable template that addresses a variety of scenarios. The main goal of which is to limit access from non-managed devices and ensure that our BYOD options limit the extraction of data in our environment.

We’ve also included some valuable resources to help you customize your own Conditional Access policies, such as an Excel download, a video on device compliance by Matt Soseman, and links to Microsoft’s MAM policies and device enrollment restrictions.

If you find this policy helpful, please let us know in the comments!

The Secure Endpoint policy is designed to tackle the following scenarios:
• Secure Access to the Environment using MFA or Trusted devices
• Allow Access to Office 365 From Corporate managed devices without MFA
• Allow Users to access Office 365 using BYOD but require MDM or MAM
• Allow End users to access from unmanaged devices using a Web Browser but block Download from devices
• Block Access to Legacy apps

🔍 R E S O U R C E S
• Excel Download: https://github.com/dougsbaker/Public-Toolbox/blob/main/Resources/ConditionalAccess/TheSecureEndpoint.xlsx?raw=true
• Matt Soseman Device Compliance: https://www.youtube.com/watch?v=5HxIb5sbjEU
• MAM Policies: https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policy-settings-ios
• Device Enrollment Restrictions: https://learn.microsoft.com/en-us/mem/intune/enrollment/enrollment-restrictions-set

📹 C H A P T E R S
00:00 Intro
01:28 Policy Planning
04:23 Policy Pre Reqs and Creating testing Group
07:25 [MFA] Baseline All Conditions
09:00 [Block] Legacy Protocols
10:26 [MDM or Hyb]Windows 10 access
14:15 [MDM] MacOS access
15:54 [MDM or MAM] Mobile Devices
18:33 [MDCA] Block web downloads on unmanaged devices
22:05 [Reset] High Risk User
24:15 [MFA] Risky Sign in
26:03 Testing Experience
31:30 Final Thoughts