Session: For app enforced restrictions separate actions should be configured. Users and Groups Exclude: Check if service accounts and/or user accounts in the assigned groups should be excluded. Users and Groups Include: Chose the Azure AD Group which is used to managed Intune Users and/or is used to assign them a license (e.g. You’ll then limit legacy authentication which is better then allow it in Report-Only mode. I would recommend to enable to policy and exclude the identities who are still using legacy authentication. If not, you should investigate the logons and try to get rid of these ASAP! It’s possible to create this CA policy and configure it to be active at Report-Only or exclude the identities who are still using legacy authentication. If your filter shows “no sign-ins found” you’re good to go. Go to Azure AD -> Sign-in Logs ->Select Client app -> Select all Legacy Authentication Clients. Therefor it is important to monitor all authentications first.
Not all environments are ready for this one. Probably the most important one for security reasons. Excluding administrator roles from MFA is maybe not the best idea. The selection above can be modified to your needs. I did not include all available Azure AD administrator roles. The conditional access policy requires Multi Factor Authentication (MFA) most administrator roles. To my opinion trusted locations don’t exist! Require MFA for Admin roles service accounts, scanners, printers) they could be excluded from the policy. As a result all users who are able to use Office 365 are then required MFA. If you assign licenses (Office 365 for example) based on group memberships, these group could also be used for this policy. It’s up to you who’s included and excluded in this policy. With this conditional access policy, users are required to use Multi Factor Authentication (MFA). I cannot promise the CA policies below will work for you but at least they should give you a good starting point on where to improve. Keep in mind that every organization is different and therefor there’s no good or bad. Therefor we can skip the smooth introduction and go into technical depts. If you reached this blog i assume you already know what Conditional Access is and where it’s used for.
0 kommentar(er)
