How to setup Defender for Cloud Apps Session Control

Welcome to Doug Does Tech! In this video, Doug takes you step-by-step through setting up session control policies and conditional access in Microsoft Defender for Cloud Apps. If you’re looking to enhance security and control access to your organization’s cloud applications, this guide is for you.

We’ll start with a demo of session control, showing you how users on unmanaged devices can access web-based resources and encounter conditional access policies that prevent the download of data.

Then, Doug guides you through setting up Defender for Cloud Apps sessions, configuring conditional access policies, and onboarding Microsoft 365 apps.

Finally, we’ll delve into creating custom session control policies tailored to your organization’s specific needs.

Don’t forget to like, share, and subscribe for more tech tutorials and cybersecurity tips from Doug Does Tech!

00:00 Introduction
00:21 Demo of Session Control
02:43 Setting up Defender Cloud Apps Session
04:10 Setup Conditional Access Session controls
05:59 Onboard M365 Session Control
09:34 Custom Session Control Policy
14:06 Onboard Custom App

Unlocking Defender for Cloud Apps: Your Swiss Army Knife of Cloud Security

Hey everyone, it’s Doug from Doug Does Tech! I’m thrilled to introduce a new video series where we explore various Defender technologies by Microsoft. Today, we’re kicking off with Defender for Cloud Apps.

I like to think of this tool as the Swiss Army Knife of Microsoft security. In this video, I’ll delve into its placement within the Microsoft security stack, highlight its top-level features, and walk you through the setup process.

In future videos, I plan to dive deeper into operationalizing Defender for Cloud Apps, exploring its different components and functionalities.

If you find this content helpful, remember to like, subscribe, and hit that bell icon for more tech insights and tips. Stay tuned for the next video!

L I N K S
MDCA Overview: https://learn.microsoft.com/en-us/defender-cloud-apps/what-is-defender-for-cloud-apps
Connected Apps: https://learn.microsoft.com/en-us/defender-cloud-apps/enable-instant-visibility-protection-and-governance-actions-for-your-apps
NINJA Training: http://aka.ms/MDCANinjaTraining

C H A P T E R S
00:00 Introduction
00:48 Tech Overview
06:03 Setup Defender for Cloud Apps
11:52 Wrap Up

Welcome Back

https://www.youtube.com/watch?v=B1mNJ0xbFNc

After a little break, I’m back and ready to dive into some exciting new content. Get ready for deep dives into Microsoft 365 security, Defender, and Purview. Don’t worry, I’ll keep it relaxed and easy to understand, even for beginners.

Thank you for your patience and support. If you have content or questions you would like me to cover, put them into the comments and I will do my best to make a video on them.

-Doug

Is MFA Enough? Implementing FIDO Keys with Microsoft 365

Traditional MFA may no longer suffice as a robust security measure to safeguard your crucial accounts. Hackers have devised new methods to breach your sign-in process, even with MFA in place. Hence, we require stronger forms of authentication. In this video, I delve into the array of options supported by Microsoft for robust authentication and demonstrate precisely how to implement FIDO Keys.

L I N K S
Best Place to Start! Require FIDO for your Admin
https://learn.microsoft.com/en-us/entra/identity/conditional-access/how-to-policy-phish-resistant-admin-mfa

Buy a FIDO Key
https://amzn.to/3Jq75pF (Affiliate Link)

Authentication Strengths
https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-strengths

What is FIDO2
https://www.microsoft.com/en-us/security/business/security-101/what-is-fido2

00:00 Introduction
00:37 Strong Auth Options
02:50 MFA is Good But FIDO Makes it Best!
04:20 Implementing Authentication Strengths
06:21 Setup your FIDO Key
06:58 Enforce FIDO with Conditional Access

Microsoft 365 Security Basics: Password Protection

Weak and easily guessable passwords 🗝️ have been a common pain for an organization’s security. We all have tried to add password complexity, but users just think of easy ways to bypass it with things like CompanyName1! 😝 Or worse, the helpdesk uses passwords like the common Winter2023! or Fall2019! 🤢

Well, in this video I will show you how you can ban those passwords from use in your environment, whether that be Microsoft 365 or Active Directory on-prem.

🔗 L I N K S 🔗
Eliminate bad passwords using Azure Active Directory Password Protection
https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad

Enforce on-premises Azure AD Password Protection for Active Directory Domain Services
https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad-on-premises

Build a website using Azure Static Web Apps and Authenticate with AAD

Docusaurus, Azure Static Web Apps, GitHub and Azure Active Directory, Oh MY!

In this video, I’ll introduce you to some exciting new technologies for building and hosting your own website for documentation. We’ll start by creating a local site using Node JS and Docusaurus, followed by deploying it on Azure Static Web Apps. To enable seamless updates, we’ll use GitHub’s pull feature. Lastly, we’ll ensure secure access by guiding you through the process of setting up authentication with Azure Active Directory. Join me and let’s dive into the world of website building with these amazing tools!

L I N K S 🔗
Docusaurus: https://docusaurus.io/docs/installation
Azure Static Web App Dev Blog: https://www.azurestaticwebapps.dev/
ASW Routing: https://learn.microsoft.com/en-us/azure/static-web-apps/configuration

C H A P T E R S 🎥
00:00 Intro
03:22 Building Local Docusaurus
10:27 Publish to GitHub and Azure
15:42 Route Azure Static Web App Authentication
20:56 Setup with Authentication with Azure Active Directory

Practical Conditional Access: The Secure Endpoint

In this final video on Practical Conditional Access, we’ll be sharing our favorite set of policies designed to ensure secure access to your organization’s environment. Specifically, we’ll be focusing on “The Secure Endpoint” policy, a customizable template that addresses a variety of scenarios. Its main goal is to limit access from non-managed devices and ensure that our BYOD options limit the extraction of data in our environment.

We’ve also included some valuable resources to help you customize your own Conditional Access policies, such as an Excel download, a video on device compliance by Matt Soseman, and links to Microsoft’s MAM policies and device enrollment restrictions.

If you find this policy helpful, please let us know in the comments!

The Secure Endpoint policy is designed to tackle the following scenarios:
• Secure Access to the Environment using MFA or Trusted devices
• Allow Access to Office 365 From Corporate managed devices without MFA
• Allow Users to access Office 365 using BYOD but require MDM or MAM
• Allow End users to access from unmanaged devices using a Web Browser but block Download from devices
• Block Access to Legacy apps

🔍 R E S O U R C E S
• Excel Download: https://github.com/dougsbaker/Public-Toolbox/blob/main/Resources/ConditionalAccess/TheSecureEndpoint.xlsx?raw=true
• Matt Soseman Device Compliance: https://www.youtube.com/watch?v=5HxIb5sbjEU
• MAM Policies: https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policy-settings-ios
• Device Enrollment Restrictions: https://learn.microsoft.com/en-us/mem/intune/enrollment/enrollment-restrictions-set

📹 C H A P T E R S
00:00 Intro
01:28 Policy Planning
04:23 Policy Pre Reqs and Creating testing Group
07:25 [MFA] Baseline All Conditions
09:00 [Block] Legacy Protocols
10:26 [MDM or Hyb] Windows 10 access
14:15 [MDM] MacOS access
15:54 [MDM or MAM] Mobile Devices
18:33 [MDCA] Block web downloads on unmanaged devices
22:05 [Reset] High Risk User
24:15 [MFA] Risky Sign in
26:03 Testing Experience
31:30 Final Thoughts

Create a Conditional Access Policy Design: The Castle Bypass

In the second video in our series on Practical Conditional Access, we are talking about requiring MFA except when you are in a trusted location. This type of policy is common but increases an organization’s risk due to the bypass. So in this video, we will walk through a design called “The Castle Bypass” which fixes some of the issues with using a trusted location.

In this video, we will be focusing on the design of “The Castle Bypass” policy. The goals of the Castle Bypass policy are as follows:
• Require MFA for all access except trusted locations
• Block Legacy Auth
• Require Admins to MFA always
• Require Guests to MFA
• Require MFA Registration from on Prem

By the end of the video, you will have a solid CA policy that will keep your environment safe and secure. So if you are looking for a step-by-step guide on creating a Conditional Access Policy, be sure to watch this video, and stay tuned for the next videos in the series, where we will look at device-based policies.

R E S O U R C E S
https://github.com/dougsbaker/Public-Toolbox/blob/main/Resources/ConditionalAccess/TheCastleBypass.xlsx
https://learn.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access
https://learn.microsoft.com/en-us/azure/active-directory/roles/best-practices#5-limit-the-number-of-global-administrators-to-less-than-5:~:text=Microsoftrecommendsthatyoukeep,accountsinAzureAD.

C H A P T E R S
00:00 Intro
01:15 Policy Design
03:53 Setting Overview & Named Locations
05:43 [MFA] Admin Accounts
07:40 [MFA] Standard Users (Non-Trusted Locations)
10:37 [MFA] Guest Users
11:45 [Block] Legacy Auth
13:20 [MFA] MFA Registration (Non-Trusted Locations)
17:30 Testing / Demo Experience of TAP
2:48 Video Wrap up

Create a Conditional Access Policy Design: The Baseline

Creating a set of Conditional Access policies on your own without ever seeing how other orgs do it can be hard. In this series, we will be showcasing different policy designs and providing examples of practical deployments to meet various organizational requirements. These policies are designed to be templates that can be easily customized to fit the unique needs of your organization.

In this video, we will be focusing on the design of the “Baseline” policy. The Baseline policy is designed to tackle the following scenarios:
• Require MFA for all Admins, Users, and Guests
• Block Legacy Auth
• Set up separate policies for future growth and additional security

By the end of the video, you will have a solid, simple CA policy that will keep your environment safe and secure. So if you are looking for a step-by-step guide on creating a Conditional Access Policy, be sure to watch this video, and stay tuned for the next videos in the series.

R E S O U R C E S
https://github.com/dougsbaker/Public-Toolbox/blob/main/Resources/ConditionalAccess/TheBaseline.xlsx
https://learn.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access
https://learn.microsoft.com/en-us/azure/active-directory/roles/best-practices#5-limit-the-number-of-global-administrators-to-less-than-5:~:text=Microsoftrecommendsthatyoukeep,accountsinAzureAD.

C H A P T E R S
00:00 Start
01:00 Policy Design
04:39 [MFA] Admin Accounts
10:54 [MFA] Standard Users
14:51 [Block] Legacy Auth
16:51 [MFA] Guest Users
18:31 Video Wrap up

Microsoft 365 Security Basics: Exchange Online

In this video, we’ll cover some key points you need to know to secure your Exchange Online environment. We’ll discuss topics such as disabling legacy authentication, identifying risky email overrides, enabling audit logging, blocking outbound forwarding, helping users quickly identify external emails, and enabling an easy way for your users to report phishing attacks. By the end of this video, you’ll have a solid understanding of how to protect your organization’s systems and data within Exchange Online.

C H A P T E R S
00:00 Video Intro
01:22 Disabling Legacy Authentication
07:57 Identifying Risky Email Overrides
13:00 Enabling Audit Logging
19:07 Blocking Outbound Forwarding
23:09 External Email Tagging
26:27 Enable Report Phishing Button
29:05 Video Wrap Up

L I N K S
Find EOP – MDO Misconfig with KQL
https://dougsbaker.com/2021/06/16/find-eop-mdo-misconfig-with-kql/

Audit All Mailbox Activity
https://dougsbaker.com/2021/06/21/audit-all-mailbox-activity/
https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-mailboxes?view=o365-worldwide#mailbox-actions-for-user-mailboxes-and-shared-mailboxes

Control automatic external email forwarding in Microsoft 365
https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/outbound-spam-policies-external-email-forwarding?view=o365-worldwide

Report Phishing Button
https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/submissions-users-report-message-add-in-configure?view=o365-worldwide