MD-101 Managing Modern Desktops – Implement conditional access and compliance policies for devices Part 1

  1. Understanding conditional access policies

Conditional access is a feature that evaluates what users are doing in your environment: which applications and which data they're trying to access, but also where, when and how they're coming in to do it. So in other words, for example, maybe I have an iPhone 7 and I want to check my Exchange Online email using the Outlook app. Or maybe I've decided to download a totally different app that's not approved by the company and check my email that way, maybe at 3:00 in the morning, maybe from China. Or maybe I'm an attacker who has broken into somebody's account and I'm trying to get at their email.

Okay, the idea of conditional access is putting a set of conditions in place that looks at where, when and how somebody is accessing information in your environment. All of this boils down to three main pieces. One is something called a signal: the facts Azure AD knows about a sign-in, such as the user, the app, the device, the location and the risk level. Then a decision is made based on those signals. And then, based on that decision, some type of enforcement. Okay, let's take a deeper look at the logic of all this. Now, why is this important? Well, we call this the dilemma of modern administration. Modern administration involves the idea that users want to use any app they want, at any time of day, anywhere on the planet. And that's scary, right, if you think about it.

The problem is our companies a lot of times are enablers. Our companies don't care; they're like, hey, we want that to happen. We love the idea that employees can work anytime, anywhere, with any app, and access their data. But that causes a lot of problems for us, because it doesn't let us easily protect our data. The good news is Microsoft has provided tools to assist us with all that, and conditional access is one of those tools. So we have got to find a way to consider our signals, which are the things being detected: the user's location, the device they're using, the application they're using, and maybe a real-time risk.

That would be somebody trying to sign in from a totally different place than that user normally comes in from. Then we evaluate those attempts and allow the access, or block the access based on what the signals found, or require MFA, multifactor authentication, as an additional check that the person is who they claim to be. The thing is, all the security we put in place, we don't want it to hinder everybody. We want things to be secure, but not get in everybody's way. You always have to remember, though, that whenever you introduce security into an environment, it is going to affect things a little bit. I always use the analogy that I have to unlock my front door before I can go into my house. Does that slow me down a little bit? Yeah, it slows me down a little bit getting into my house.

But am I going to rip the door off the house and throw it in the trash because I don't want that? No, absolutely not. I want that security. So this is a really good security solution. The other problem we run into is that we admins can't be everywhere at all times. But if you've got machine learning capabilities and you put policies in place, those machine learning signals can really help you detect different types of threats trying to get at your stuff. So, the two things here: you've got signals, and you've got the decisions that are made based on those signals. Here are some of the things that feed into signals. The signals are evaluated against conditions you put in place in the policy.

The conditions can be based on user accounts. They can be based on groups. They can be based on IP location: I can have approved places, IP address ranges that somebody is allowed to connect from, or I can block them. I could allow IP ranges here in the United States and block other countries, or require you to be on the network at our office. I can base it on device platform. So maybe there's a huge risk on Android right now, and I could block Android. Keep in mind the device platform condition works at the operating system level (Android, iOS, Windows and so on), so blocking one particular model like an iPhone 7 is not something this condition does on its own. I can base it on the cloud app, that is, the cloud-based application somebody is accessing, and block or allow based on that. Perhaps somebody is using Dropbox, which is not a Microsoft app, to try to share some of our data; if Dropbox is integrated with Azure AD as a cloud app, it shows up in the policy like any other app.

I can have a rule that blocks them. Certain applications that people use to access things, I can block or allow. And then there's real-time calculated risk, which looks at things like the time of day people are connecting, and so on. Then comes the decision. As you can see, there are two main decisions: you're going to block, or you're going to grant. But if you grant, you can require some additional checks. I can require MFA, multifactor authentication. I can require that the device be what is called a compliant device, which means it meets the compliance policy you set in Intune: a certain operating system version, encryption, and so on. I could require that you are using a hybrid Azure AD joined computer.

That means your computer is joined to an on-premises domain as well as registered with Azure AD, Azure Active Directory. And lastly, I could make it so you're required to use an approved app. So, the example I was using: maybe I'm checking my email from my phone using the Outlook app, and that's approved. But then maybe I decide I don't want Outlook and go download a cheap little app, say something called Easy Mail that's a bit more user friendly. Well, we could block that, because it's not an approved app and it could be a security risk. So all in all, conditional access is going to add a lot of security to your environment. So we're going to take a look at it. I'm going to do some demonstrations and show you how to create some policies.

  2. Implement conditional access policies

We're now going to take a look at conditional access policies in the Azure portal. So here we are on portal.azure.com. Click the menu, then go to Azure Active Directory. From there, scroll down and click the Security blade, and you'll see Conditional Access right there, so I'm going to click on that. Right out of the gate you'll see there are some baseline policies, but you'll also see a note saying the baseline protection policies are now considered legacy. So this is something Microsoft has deprecated: they built a few policies that can be turned on, but what they're saying now is that you should either enable something called security defaults, or configure your conditional access policies directly, which is what we're going to do here. All right, so I'm going to click New Policy.

Then you give it a name. So for example, if I was going to block, let's say, Android devices for cloud apps, I'd name it that. Then we do the assignments. You have users and groups here, so we select the users and groups we want this to apply to. Maybe I want to turn it on for all users. Or I could choose Select users and groups and pick guest or external users, specific directory roles that I want to allow or block, as you can see here, and then specific users and groups directly if I want. Click that and I get the same list of users and groups I see whenever I add users to any kind of access control. So I'm going to go with All users.

But I also wanted to point out that you can have exclusions as well. Remember that with inclusions and exclusions, an inclusion adds people to the scope of the policy and an exclusion takes them out of it. And exclusions always override inclusions. So for example, say I have a large group called Receptionists and another group called Temps. Maybe there's a user named Jane Doe who's a member of Receptionists, but Jane Doe is also a member of Temps. If I add Receptionists under Include and Temps under Exclude, then Jane Doe, being a member of both groups, would not be included in this policy at all, even though her Receptionists membership would otherwise pull her in.

In other words, exclude groups override include groups if you go the route of using groups. I just wanted to point that out. I'm going to click All users and Done. Then we have Cloud apps or actions. I said Android for cloud apps, so at this point I've chosen Cloud apps, and I'm going to say All cloud apps. But you could click Select apps and choose which services; Microsoft has a lot of services here you could choose from, including Office 365. I'm going to choose All cloud apps in my example and click Done. Then you've got Conditions. These are the signals I was talking about, the different conditions that get evaluated. We have Sign-in risk, so we could say Yes.

And if the sign-in risk is high, meaning Azure AD Identity Protection has rated this sign-in as high risk, that's what gets evaluated here: high, medium, low, or no risk at all. We haven't gone over risk thoroughly yet, but as I said previously, Microsoft's risk detections are driven by machine learning over devices, user locations and all of that. Another thing that can flag a sign-in as risky is atypical travel: somebody signs in from Atlanta, Georgia, and five minutes later signs in from China. That flags the sign-in as risky. So maybe I don't want to allow high risk, or medium risk, or whatever. I'm going to choose High in this case.

Then I'll hit Select. Next is Device platforms. This is where I choose which platform I want. I'm going to go with Android, since of course I named this Block Android devices for cloud apps. Click Done. Then I can choose Locations. Now, you have to create locations first; there's a Named locations area back on the previous screen, before you get here, where you define what your locations are. So I could say Yes here and pick Any location, All trusted locations, or Selected locations that I've created. I haven't created any trusted locations other than the default one here, MFA trusted IPs. I'm not going to use a location in this policy, so I'll click Done.

Then I've got Client apps. These are the different kinds of apps. Notice it's marked preview. Anytime you see that word, it means Microsoft hasn't completely finalized the feature yet. So I can click Yes, and I could configure browser, mobile apps and desktop clients (modern authentication clients), Exchange ActiveSync clients, which gets back into good old Exchange synchronizing email, and other clients. I'm not going to set client apps in this case. And then you have Device state. The state of a device, meaning whether it's marked compliant or hybrid Azure AD joined, is defined elsewhere: compliance is set through compliance policies, which we haven't gone over yet.

Now that I've defined the conditions I wanted, I'm going to click Done, and from there I can choose the access controls. Under Grant, I can say Block access, and of course that's exactly what I want this policy to do. However, as I said previously, if you were to grant access instead, you could require some of these controls here: multifactor authentication, which we talked about; require the device to be marked as compliant, which again gets into compliance policies, like a certain version of the phone, tablet or desktop operating system; require hybrid Azure AD joined device; require an approved client app, from a list Microsoft maintains;

or require app protection policy, which is another thing set in Intune. We'll be talking about Intune in a later video and clarify some of this. But I'm going to click Block access, because that's what I want in this case, hit Select, and then go to Session. I'm not going to set anything here on Session, but I'll explain the idea. Under Session you can configure Conditional Access App Control. If you turn that on, you can choose Monitor only, which means it just creates an alert, a logged event you can view, whenever somebody connects.

You can also say Block downloads. As you can see, these two are preview, but Block downloads makes it so the user can use the app but can't download anything through it. And then you've got Use custom policy, which gives you a few other options you can use. Next is Sign-in frequency. By default, Azure AD uses a rolling window of 90 days: a user who hasn't been active for that long is asked to authenticate again, including MFA if MFA is enabled, whether you set anything here or not. You can override that default here with a value in hours or days.

Then there's Persistent browser session. This controls whether a browser session stays signed in after the user closes and reopens the browser: Always persistent means they stay signed in, Never persistent means they have to sign in again each time. So those are your different options under Session. I'm not going to set anything under Session, so I'm going to go down here to Enable policy.

I can choose Report-only, which means it won't actually enforce anything; it just reports and logs what would have happened. Or I can switch it On, which means it will enforce. Notice you get this little warning: don't lock yourself out, we recommend applying a policy to a small set of users first. In other words, not everybody. Now, in my case, the policy is assigned to all users but only applies to Android devices, and you can also add exclusions if you want, so that a break-glass admin account or group can always get in. Then you say, okay, I understand, click Select, and at that point I click Create. So again, in a lab scenario, possibly on the test, they would tell me which options to select, and I just have to go through and select them.

In this case, I just wanted to block Android devices for cloud apps. By the way, a second ago I was talking about locations: this Named locations area is where you create the locations that will be available when you build these policies. This is one of many places where Microsoft lets you create what are called named locations, which involve things like IP ranges and countries. So that's how you configure a conditional access policy. Obviously, there are a lot of features there to play around with, a lot of things you can look at.
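To make the signal, decision and enforcement logic from the first section concrete, and to show how the policy built in this walkthrough behaves alongside the include/exclude precedence and named locations discussed above, here is an added example. It is not code from the course or from Microsoft: it is a small offline model in which the policy dicts reuse the field names of the Microsoft Graph conditionalAccessPolicy resource (an assumption taken from the public schema), while the named location, the break-glass exclusion group, the sign-in records and the evaluator itself are constructed for illustration.

```python
"""Constructed model of how Azure AD evaluates Conditional Access policies.
Added example, not Microsoft's code. The policy dicts reuse the field names of
the Microsoft Graph conditionalAccessPolicy resource (assumed from the public
schema); the named location, sign-in records and evaluator are hypothetical."""
import ipaddress

# A named location of the kind defined under Conditional Access > Named locations (constructed range).
NAMED_LOCATIONS = {"Office HQ": {"ranges": ["203.0.113.0/24"], "trusted": True}}

# The walkthrough's policy: all users, all cloud apps, Android, high sign-in risk, Block,
# report-only. The excluded break-glass group is an added assumption (don't lock yourself out).
BLOCK_ANDROID = {
    "displayName": "Block Android devices for cloud apps",
    "state": "enabledForReportingButNotEnforced",  # the Report-only toggle
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeGroups": ["break-glass-admins"]},
        "applications": {"includeApplications": ["All"]},
        "platforms": {"includePlatforms": ["android"]},
        "signInRiskLevels": ["high"]},
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

# An enforced "grant, but require" policy: MFA or a compliant device, except from trusted locations.
REQUIRE_MFA = {
    "displayName": "Require MFA or compliant device off the corporate network",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["All"]},
        "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]},
}

def location_matches(name, ip):
    """True if ip is inside the named location; 'All' and 'AllTrusted' are built in."""
    if name == "All":
        return True
    if name == "AllTrusted":
        return any(location_matches(n, ip) for n, loc in NAMED_LOCATIONS.items() if loc["trusted"])
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(r) for r in NAMED_LOCATIONS[name]["ranges"])

def user_in_scope(users, signin):
    """Exclusions always override inclusions, whether by user or by group."""
    groups = set(signin["groups"])
    if signin["user"] in users.get("excludeUsers", ()) or groups & set(users.get("excludeGroups", ())):
        return False
    included = users.get("includeUsers", ())
    return "All" in included or signin["user"] in included or bool(groups & set(users.get("includeGroups", ())))

def policy_applies(policy, signin):
    """Every configured condition (signal) must match before a policy applies at all."""
    cond = policy["conditions"]
    if not user_in_scope(cond["users"], signin):
        return False
    apps = cond["applications"]["includeApplications"]
    if "All" not in apps and signin["app"] not in apps:
        return False
    platforms = cond.get("platforms", {}).get("includePlatforms", ["all"])
    if "all" not in platforms and signin["platform"] not in platforms:
        return False
    risks = cond.get("signInRiskLevels")
    if risks and signin["sign_in_risk"] not in risks:
        return False
    locs = cond.get("locations")
    if locs:
        included = any(location_matches(n, signin["ip"]) for n in locs["includeLocations"])
        excluded = any(location_matches(n, signin["ip"]) for n in locs.get("excludeLocations", ()))
        if not included or excluded:
            return False
    return True

def decide(policy, signin):
    """One policy's decision: 'block', 'grant', or the grant controls still required."""
    grant = policy["grantControls"]
    controls = grant["builtInControls"]
    if "block" in controls:
        return "block"
    met = [c for c in controls if c in signin["satisfied_controls"]]
    satisfied = bool(met) if grant["operator"] == "OR" else len(met) == len(controls)
    return "grant" if satisfied else "require:" + "+".join(controls)

def evaluate(policies, signin):
    """Return (enforced outcome, {report-only policy name: what it would have done})."""
    outcomes, report_only = [], {}
    for policy in policies:
        if policy["state"] == "disabled" or not policy_applies(policy, signin):
            continue
        decision = decide(policy, signin)
        if policy["state"] == "enabledForReportingButNotEnforced":
            report_only[policy["displayName"]] = decision  # logged, never enforced
        else:
            outcomes.append(decision)
    if "block" in outcomes:  # any enforced block wins over every grant
        return "block", report_only
    required = [o for o in outcomes if o.startswith("require:")]
    return (required[0] if required else "grant"), report_only

# Constructed sign-in event (not real telemetry): Jane Doe on Android, high risk, off-site, no MFA yet.
SAMPLE_SIGNIN = {"user": "jane.doe", "groups": ["receptionists"], "app": "Exchange Online",
                 "platform": "android", "sign_in_risk": "high", "ip": "198.51.100.7",
                 "satisfied_controls": set()}
```

With the policy left in report-only, `evaluate([BLOCK_ANDROID], SAMPLE_SIGNIN)` grants the sign-in but records that the policy would have blocked it; flip `state` to `"enabled"` and the same sign-in is blocked. Change the platform to iOS, lower the risk level, or add Jane to the excluded break-glass group and the policy no longer applies at all, which is the exclusion-overrides-inclusion rule from the walkthrough. The second policy shows the grant branch: from outside the office range it demands MFA or a compliant device, and from a trusted named location it is skipped.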
