Preventing unauthorized external access from home to your Microsoft Cloud applications with Conditional Access

Did you know that you can prevent unauthorized access to your Microsoft Cloud applications with Conditional Access? When speaking with a customer recently, I was asked whether it is possible to prevent external access to their Cloud apps, and the answer is yes. The customer didn’t want their staff accessing corporate data from their home laptops/desktops, so to action this we will now switch over to the Microsoft Endpoint Manager Admin Portal.

https://devicemanagement.microsoft.com

Click Endpoint security –> Conditional access
New Policy
Provide a name for the Conditional Access Policy
Select All Users
Exclude the Global Admins security group for the tenant; we don’t want to chop off our legs now
Select All cloud apps
Conditions –> Client apps –> Browser
Grant –> Block access

Now enable the policy 🙂 and, as you can see from below, your users are now prevented from logging in to the Office portal from an internet browser.
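
The same policy expressed through the Microsoft Graph PowerShell SDK, as an added example that is not part of the original post. The group object ID and the display name are placeholders, the check for an empty exclusion group is an addition, and starting in report-only state is an assumption; set state to 'enabled' to enforce the block.

```powershell
# Added example. Requires the Microsoft Graph PowerShell SDK
# (Microsoft.Graph.Groups and Microsoft.Graph.Identity.SignIns modules).
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
                        'Application.Read.All', 'GroupMember.Read.All'

# Placeholder: object ID of the security group that holds your Global Admins.
$excludedGroupId = '00000000-0000-0000-0000-000000000000'

# Lock-out guard: stop if the exclusion group is missing or has no members.
$group   = Get-MgGroup -GroupId $excludedGroupId -ErrorAction Stop
$members = @(Get-MgGroupMember -GroupId $excludedGroupId -All)
if ($members.Count -eq 0) {
    throw "Group '$($group.DisplayName)' has no members; nobody would be excluded."
}

$policy = @{
    displayName = 'Block browser access to all cloud apps'    # assumed name
    # Report-only first (assumption); change to 'enabled' to enforce.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{
            includeUsers  = @('All')                # Select All Users
            excludeGroups = @($excludedGroupId)     # exclude the Global Admins group
        }
        applications   = @{ includeApplications = @('All') }  # All cloud apps
        clientAppTypes = @('browser')               # Conditions -> Client apps -> Browser
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')                # Grant -> Block access
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

While the policy is in report-only state, the sign-in logs show which browser sign-ins it would have blocked, which confirms the admin exclusion works before enforcement.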

Regards
The Author – Blogabout.Cloud

Windows Information Protection with Enrollment

After recently investigating App Protection policies, I noticed that a large chunk of information is missing from Microsoft resources and other blog posts. I recently experienced an issue where network boundaries were not configured correctly, and I had to ensure that all protected applications did not experience any issues accessing corporate resources.

It is recommended to use the following when adding a network boundary.

Type               Name            Value
Cloud Resources    Office 365      portal.office.com|tasks.office.com|protection.office.com|meet.lync.com|teams.microsoft.com
Cloud Resources    Outlook Online  outlook.office.com|outlook.office365.com
Cloud Resources    AppCompat       /*AppCompat*/
Cloud Resources    SharePoint      contoso.sharepoint.com|contoso-my.sharepoint.com|contoso-files.sharepoint.com
Neutral Resources  Neutral         login.windows.net,login.microsoftonline.com
Cloud Resources    Yammer          www.yammer.com|yammer.com|persona.yammer.com
Intune App Protection – Advanced settings

This will provide all the required boundaries relevant to most Microsoft deployments.

Regards
The Author – Blogabout.Cloud

Enabling Conditional Access App Control for featured apps

Cloud App Security offers the ability to leverage Conditional Access for Exchange Online and SharePoint Online, but how do we configure this functionality?

Let’s start with your Azure Portal and browse to Conditional Access –> New Policy

Conditional Access

As I previously mentioned, this control only works for Exchange Online and SharePoint Online, so you will need to select:

– Office 365 Exchange Online
– Office 365 SharePoint Online

Cloud apps

Under Session, you need to select Conditional Access App Control and, as you can see below, we only have 3 options:

– Monitor only (Preview)
– Block downloads (Preview)
– Use custom policy…

Session

For the purpose of this post, I am just going to monitor, via Cloud App Security, what’s happening within my tenancy.

Once the policy is enabled, sign in to Exchange Online or SharePoint Online and you will be welcomed by the message below. This demonstrates that Conditional Access App Control is now in place.

Welcome to Conditional Access App Control

From your Cloud App Security console you will be able to see this activity and all future activities.

Conditional Access App Control

Regards,
The Author – Blogabout.Cloud