Practical Conditional Access: The Secure Endpoint

In this final video on Practical Conditional Access, we share our favorite set of policies designed to ensure secure access to your organization’s environment. Specifically, we focus on the “Secure Endpoint” policy, a customizable template that addresses a variety of scenarios. Its main goal is to limit access from non-managed devices and to ensure that our BYOD options limit the extraction of data from our environment.

We’ve also included some valuable resources to help you customize your own Conditional Access policies, such as an Excel download, a video on device compliance by Matt Soseman, and links to Microsoft’s MAM policies and device enrollment restrictions.

If you find this policy helpful, please let us know in the comments!

The Secure Endpoint policy is designed to tackle the following scenarios:
• Secure access to the environment using MFA or trusted devices
• Allow access to Office 365 from corporate-managed devices without MFA
• Allow users to access Office 365 from BYOD, but require MDM or MAM
• Allow end users to access from unmanaged devices using a web browser, but block downloads to those devices
• Block access from legacy apps

🔍 R E S O U R C E S
• Excel Download: https://github.com/dougsbaker/Public-Toolbox/blob/main/Resources/ConditionalAccess/TheSecureEndpoint.xlsx?raw=true
• Matt Soseman Device Compliance: https://www.youtube.com/watch?v=5HxIb5sbjEU
• MAM Policies: https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policy-settings-ios
• Device Enrollment Restrictions: https://learn.microsoft.com/en-us/mem/intune/enrollment/enrollment-restrictions-set

📹 C H A P T E R S
00:00 Intro
01:28 Policy Planning
04:23 Policy Prerequisites and Creating a Testing Group
07:25 [MFA] Baseline All Conditions
09:00 [Block] Legacy Protocols
10:26 [MDM or Hyb] Windows 10 access
14:15 [MDM] macOS access
15:54 [MDM or MAM] Mobile Devices
18:33 [MDCA] Block web downloads on unmanaged devices
22:05 [Reset] High Risk User
24:15 [MFA] Risky Sign in
26:03 Testing Experience
31:30 Final Thoughts

Create a Conditional Access Policy Design: The Castle Bypass

In the second video in our series on Practical Conditional Access, we are talking about requiring MFA except when you are in a trusted location. This type of policy is common, but it increases an organization’s risk because the trusted-location exclusion is itself a bypass. So in this video, we walk through a design called “The Castle Bypass” which fixes some of the issues with using a trusted location.

In this video, we focus on the design of the “Castle Bypass” policy. Its goals are as follows:
• Require MFA for all access except from trusted locations
• Block legacy authentication
• Require admins to MFA always
• Require guests to MFA
• Require MFA registration from on-prem

By the end of the video, you will have a solid CA policy that will keep your environment safe and secure. So if you are looking for a step-by-step guide on creating a Conditional Access policy, be sure to watch this video, and stay tuned for the next videos in the series, where we will look at device-based policies.
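A small Python model of the Castle Bypass policy set, added here as an example (it is not the author's workbook or Microsoft's API): the four policies from the chapter list are written in the shape of a Graph conditionalAccessPolicy and evaluated against constructed sign-ins, which shows where the trusted-location exclusion lets a standard user through without MFA while admins, guests and legacy protocols are still caught. The break-glass group id and admin role template id are placeholders, and the MFA-registration policy is omitted.

```python
from dataclasses import dataclass, field
# Placeholders for tenant-specific ids (the page does not give them).
BREAK_GLASS = "PLACEHOLDER-breakglass-group-id"  # emergency-access accounts, excluded everywhere
ADMIN_ROLE = "PLACEHOLDER-admin-role-template-id"

# Subset of the Microsoft Graph conditionalAccessPolicy shape, one dict per video chapter.
POLICIES = [
    {"displayName": "[MFA] Admin Accounts",
     "conditions": {"users": {"includeRoles": [ADMIN_ROLE], "excludeGroups": [BREAK_GLASS]},
                    "clientAppTypes": ["all"], "locations": {"includeLocations": ["All"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "[MFA] Standard Users (Non-Trusted Locations)",
     "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": [BREAK_GLASS]},
                    "clientAppTypes": ["all"],
                    "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "[MFA] Guest Users",
     "conditions": {"users": {"includeUsers": ["GuestsOrExternalUsers"]},
                    "clientAppTypes": ["all"], "locations": {"includeLocations": ["All"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "[Block] Legacy Auth",
     "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": [BREAK_GLASS]},
                    "clientAppTypes": ["exchangeActiveSync", "other"],  # legacy protocols
                    "locations": {"includeLocations": ["All"]}},
     "grantControls": {"builtInControls": ["block"]}},
]
@dataclass
class SignIn:  # constructed sign-in attributes that the policies key on
    roles: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    guest: bool = False
    trusted_location: bool = False
    client: str = "browser"  # a Graph clientAppTypes value

def matches(policy, s):
    """True when the sign-in is in scope of the policy's user, client and location conditions."""
    c, u = policy["conditions"], policy["conditions"]["users"]
    in_scope = ("All" in u.get("includeUsers", []) or s.roles & set(u.get("includeRoles", []))
                or (s.guest and "GuestsOrExternalUsers" in u.get("includeUsers", [])))
    if not in_scope or s.groups & set(u.get("excludeGroups", [])):
        return False
    if "all" not in c["clientAppTypes"] and s.client not in c["clientAppTypes"]:
        return False
    return not (s.trusted_location and "AllTrusted" in c["locations"].get("excludeLocations", []))

def evaluate(s, policies=POLICIES):
    """Every matching policy applies: a block wins, otherwise grant controls accumulate."""
    controls = {ctl for p in policies if matches(p, s) for ctl in p["grantControls"]["builtInControls"]}
    return "block" if "block" in controls else (",".join(sorted(controls)) or "allow")
```

The second case below is the bypass the design accepts: a standard user on a trusted network gets no MFA, which is why the admin, guest and legacy policies carry no trusted-location exclusion.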

R E S O U R C E S
https://github.com/dougsbaker/Public-Toolbox/blob/main/Resources/ConditionalAccess/TheCastleBypass.xlsx
https://learn.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access
https://learn.microsoft.com/en-us/azure/active-directory/roles/best-practices#5-limit-the-number-of-global-administrators-to-less-than-5:~:text=Microsoftrecommendsthatyoukeep,accountsinAzureAD.

C H A P T E R S
00:00 Intro
01:15 Policy Design
03:53 Setting Overview & Named Locations
05:43 [MFA] Admin Accounts
07:40 [MFA] Standard Users (Non-Trusted Locations)
10:37 [MFA] Guest Users
11:45 [Block] Legacy Auth
13:20 [MFA] MFA Registration (Non-Trusted Locations)
17:30 Testing / Demo Experience of TAP
2:48 Video Wrap Up