Category Archives: Conditional Access

HowTo: Ensure your end users are prompted for MFA when enrolling Windows 10 devices. Conditional Access to the rescue

Sometimes you may come across special cases where either your customer or your own organisation needs to implement a solution that improves your security posture. This post is no different, and is inspired by the MS-100 exam which I have recently taken and passed.

During the lab question I was asked how you would implement MFA for end users who want to enroll Windows 10 devices. So let's get to it…

Launch http://endpoint.microsoft.com and select Devices –> Conditional Access

Select New Policy

Give your policy a name
Select the user(s) or group(s) you want the policy to apply to
Click Cloud apps and actions –> Select apps, then search for and select Microsoft Intune Enrollment

Under Grant, select Require multi-factor authentication

Set the policy to On to enable it

Here's the process I had to go through to join a Windows 10 device to my tenant with MFA enforced.

The screenshot below shows a configuration setting in my tenant that defines whether devices are corporate or personally owned.

All my corporate apps are now available for install.

Regards
The Author – Blogabout.Cloud

Preventing unauthorized external access from home to your Microsoft Cloud applications with Conditional Access

Did you know that you can prevent unauthorized access to your Microsoft Cloud applications with Conditional Access? When speaking with a customer recently I was asked whether it is possible to prevent external access to their cloud apps, and the answer is yes. The customer didn't want their staff accessing corporate data from their home laptops/desktops, so to action this we will now switch over to the Microsoft Endpoint Manager admin portal.

https://devicemanagement.microsoft.com

Click Endpoint security –> Conditional access
New Policy
Provide a name for the Conditional Access policy
Select All users
Exclude the tenant's Global Admins security group; we don't want to chop off our own legs now
Select All cloud apps
Conditions –> Client apps –> Browser
Grant –> Block access

Now enable the policy 🙂 and, as you can see below, your users are now prevented from logging into the Office portal from an internet browser.
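For anyone who wants the two policies above (MFA for Intune enrollment from the first post, and the browser block from this one) as Microsoft Graph request bodies rather than portal clicks, here is an added example of my own; it is not code from Microsoft or from the posts. The app and group object IDs are placeholders you must replace with the real IDs from your tenant, and the policies default to report-only so you can check the sign-in logs before enforcing them.

```python
import json

# Placeholder object IDs (assumption): replace with the real IDs from your tenant.
INTUNE_ENROLLMENT_APP_ID = "00000000-0000-0000-0000-000000000000"
GLOBAL_ADMINS_GROUP_ID = "11111111-1111-1111-1111-111111111111"
REPORT_ONLY = "enabledForReportingButNotEnforced"  # Graph 'state' for report-only mode


def _policy(name, users, apps, grant, client_app_types=None, state=REPORT_ONLY):
    """Assemble a conditionalAccessPolicy request body; report-only by default so
    the effect can be reviewed in sign-in logs before switching state to 'enabled'."""
    conditions = {"users": users, "applications": apps}
    if client_app_types:
        conditions["clientAppTypes"] = client_app_types
    return {
        "displayName": name,
        "state": state,
        "conditions": conditions,
        "grantControls": {"operator": "OR", "builtInControls": [grant]},
    }

def require_mfa_for_enrollment(include_groups, state=REPORT_ONLY):
    """First post: require MFA when members of the given groups enroll devices."""
    if not include_groups:
        raise ValueError("scope the policy to at least one group")
    return _policy(
        "Require MFA for Intune enrollment",
        {"includeGroups": list(include_groups)},
        {"includeApplications": [INTUNE_ENROLLMENT_APP_ID]},
        "mfa",
        state=state,
    )

def block_browser_access(exclude_groups, state=REPORT_ONLY):
    """Second post: block browser sessions to all cloud apps for all users.
    Refuses to build the policy without an excluded admin group (no lock-out)."""
    if not exclude_groups:
        raise ValueError("exclude an admin/break-glass group before blocking access")
    return _policy(
        "Block browser access to cloud apps",
        {"includeUsers": ["All"], "excludeGroups": list(exclude_groups)},
        {"includeApplications": ["All"]},
        "block",
        client_app_types=["browser"],
        state=state,
    )

if __name__ == "__main__":
    print(json.dumps(block_browser_access([GLOBAL_ADMINS_GROUP_ID]), indent=2))
```

Each body is what you would POST to https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies with Policy.ReadWrite.ConditionalAccess permission; switch state to "enabled" once the report-only results look right.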

Regards
The Author – Blogabout.Cloud

Windows Information Protection with Enrollment

After recently investigating App Protection policies I have noticed a large chunk of information missing from Microsoft resources and other blog posts. I recently experienced an issue where network boundaries were not configured correctly, and I had to ensure that all protected applications had no issues accessing corporate resources.

It is recommended to use the following entries when adding a network boundary.

Type                Name             Value
Cloud Resources     Office 365       portal.office.com|tasks.office.com|protection.office.com|meet.lync.com|teams.microsoft.com
Cloud Resources     Outlook Online   outlook.office.com|outlook.office365.com
Cloud Resources     AppCompat        /*AppCompat*/
Cloud Resources     SharePoint       contoso.sharepoint.com|contoso-my.sharepoint.com|contoso-files.sharepoint.com
Neutral Resources   Neutral          login.windows.net,login.microsoftonline.com
Cloud Resources     Yammer           www.yammer.com|yammer.com|persona.yammer.com
Intune App Protection – Advanced settings

This will provide all the required boundaries relevant to most Microsoft deployments.

Regards
The Author – Blogabout.Cloud

Enabling Conditional Access App Control for featured apps

Cloud App Security offers the ability to leverage Conditional Access for Exchange Online and SharePoint Online, but how do we configure this functionality?

Let's start in the Azure portal and browse to Conditional Access –> New Policy

Conditional Access

As I mentioned above, this control only works for Exchange Online and SharePoint Online, so you will need to select:

– Office 365 Exchange Online
– Office 365 SharePoint Online

Cloud apps

Under Session, you need to select Conditional Access App Control and, as you can see below, we only have 3 options:

– Monitor only (Preview)
– Block downloads (Preview)
– Use custom policy…

Session

For the purpose of this post I am just going to monitor, letting Cloud App Security discover what's happening within my tenancy.

Once the policy is enabled, sign into Exchange Online or SharePoint Online and you will be welcomed by the message below. This demonstrates that Conditional Access App Control is now in place.

Welcome to Conditional Access App Control

From your Cloud App Security console you will be able to see this activity and all future activities.

Conditional Access App Control

Regards,
The Author – Blogabout.Cloud