Create a Conditional Access Policy Design: The Castle Bypass

In the second video in our series on Practical Conditional Access, we talk about requiring MFA except when the user is signing in from a trusted location. This type of policy is common, but the trusted-location bypass increases an organization's risk. So in this video, we walk through a design called "The Castle Bypass", which fixes some of the issues with relying on a trusted location.

In this video, we focus on the design of the "Castle Bypass" policy set. Its goals are as follows:
• Require MFA for all access except trusted locations
• Block Legacy Auth
• Require Admins to MFA always
• Require Guests to MFA
• Require MFA registration to happen from on-prem (trusted locations)
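The goals above map onto five policies. The Python below is an added example, not code from the video or from the author's Public-Toolbox: it builds each policy as a Microsoft Graph conditionalAccessPolicy body (the same shape you would hand to New-MgIdentityConditionalAccessPolicy -BodyParameter) and then lint-checks the design rules that the castle bypass depends on, such as admins never getting the trusted-location exemption and every policy excluding the emergency access accounts. The break-glass object IDs are constructed placeholders, and only the Global Administrator role template ID is listed under admin roles; everything else tenant-specific is up to you.

```python
"""Castle Bypass policy set as Microsoft Graph conditionalAccessPolicy bodies, plus a design lint.
Added example; not the video's or the author's toolbox code. Placeholder values: break-glass
account object IDs and the admin role list (only Global Administrator is included)."""
import json

# Constructed placeholder object IDs for the emergency access (break-glass) accounts.
# Replace with the real object IDs from your tenant.
BREAK_GLASS_ACCOUNTS = [
    "11111111-1111-1111-1111-111111111111",
    "22222222-2222-2222-2222-222222222222",
]
# Directory role template IDs treated as "admins". Only the well-known Global Administrator
# template ID is listed; add the other privileged roles your tenant uses.
ADMIN_ROLE_TEMPLATE_IDS = ["62e90394-69f5-4237-9190-012177145e10"]

REPORT_ONLY = "enabledForReportingButNotEnforced"  # ship in report-only first, enable later


def _policy(name, users, locations=None, apps=None, client_apps=None, control="mfa"):
    """Assemble one conditionalAccessPolicy body in the shape Graph expects."""
    conditions = {
        "users": users,
        "applications": apps or {"includeApplications": ["All"]},
        "clientAppTypes": client_apps or ["all"],
    }
    if locations:
        conditions["locations"] = locations
    return {
        "displayName": name,
        "state": REPORT_ONLY,
        "conditions": conditions,
        "grantControls": {"operator": "OR", "builtInControls": [control]},
    }


def build_policies(break_glass=BREAK_GLASS_ACCOUNTS, admin_roles=ADMIN_ROLE_TEMPLATE_IDS):
    """The five Castle Bypass policies. Every policy excludes the break-glass accounts."""
    outside_castle = {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}
    all_users = {"includeUsers": ["All"], "excludeUsers": list(break_glass)}
    return [
        # Admins: MFA everywhere, deliberately no trusted-location exclusion.
        _policy("CA001 [MFA] Admin Accounts",
                {"includeRoles": list(admin_roles), "excludeUsers": list(break_glass)}),
        # Everyone else: MFA only when outside the trusted ("castle") locations.
        _policy("CA002 [MFA] Standard Users (Non-Trusted Locations)", all_users, outside_castle),
        # Guests: MFA from anywhere; their network location says nothing about trust.
        _policy("CA003 [MFA] Guest Users",
                {"includeUsers": ["GuestsOrExternalUsers"], "excludeUsers": list(break_glass)}),
        # Legacy auth cannot satisfy an MFA grant at all, so it is blocked outright.
        _policy("CA004 [Block] Legacy Auth", all_users,
                client_apps=["exchangeActiveSync", "other"], control="block"),
        # Registering security info must happen on-prem (or with an MFA claim already in hand).
        _policy("CA005 [MFA] MFA Registration (Non-Trusted Locations)", all_users, outside_castle,
                apps={"includeUserActions": ["urn:user:registersecurityinfo"]}),
    ]


def lint(policies, break_glass=BREAK_GLASS_ACCOUNTS):
    """Check the design invariants; returns a list of findings (empty list means OK)."""
    findings = []
    legacy_blocked = False
    for p in policies:
        name, cond, grant = p["displayName"], p["conditions"], p["grantControls"]
        users = cond["users"]
        missing = set(break_glass) - set(users.get("excludeUsers", []))
        if missing:
            findings.append(f"{name}: break-glass account(s) not excluded: {sorted(missing)}")
        excluded_locs = cond.get("locations", {}).get("excludeLocations", [])
        if users.get("includeRoles") and "AllTrusted" in excluded_locs:
            findings.append(f"{name}: admin-scoped policy must not exempt trusted locations")
        if "GuestsOrExternalUsers" in users.get("includeUsers", []) and "locations" in cond:
            findings.append(f"{name}: guest policy should apply from every location")
        blocks_legacy = ({"exchangeActiveSync", "other"} <= set(cond["clientAppTypes"])
                         and "block" in grant["builtInControls"]
                         and "All" in users.get("includeUsers", []))
        legacy_blocked = legacy_blocked or blocks_legacy
    if not legacy_blocked:
        findings.append("no policy blocks legacy authentication for all users")
    return findings


def to_json(policies):
    """Serialise for New-MgIdentityConditionalAccessPolicy -BodyParameter or a Graph POST."""
    return json.dumps(policies, indent=2)


if __name__ == "__main__":
    ps = build_policies()
    print(to_json(ps))
    print("lint:", lint(ps) or "OK")
```

Every policy is emitted in report-only state so you can watch the sign-in logs for what would have been affected before flipping any of them to enabled, and the lint is meant to run again after anyone edits a policy, since the admin policy quietly gaining an AllTrusted exclusion is exactly the regression this design exists to prevent.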

By the end of the video, you will have a solid CA policy set that keeps your environment safe and secure. So if you are looking for a step-by-step guide on creating a Conditional Access Policy, be sure to watch this video, and stay tuned for the next videos in the series, where we will look at device-based policies.

R E S O U R C E S
https://github.com/dougsbaker/Public-Toolbox/blob/main/Resources/ConditionalAccess/TheCastleBypass.xlsx
https://learn.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access
https://learn.microsoft.com/en-us/azure/active-directory/roles/best-practices#5-limit-the-number-of-global-administrators-to-less-than-5:~:text=Microsoftrecommendsthatyoukeep,accountsinAzureAD.

C H A P T E R S
00:00 Intro
01:15 Policy Design
03:53 Setting Overview & Named Locations
05:43 [MFA] Admin Accounts
07:40 [MFA] Standard Users (Non-Trusted Locations)
10:37 [MFA] Guest Users
11:45 [Block] Legacy Auth
13:20 [MFA] MFA Registration (Non-Trusted Locations)
17:30 Testing / Demo Experience of TAP
2:48 Video Wrap up