
The Top 3 Most Common Microsoft Azure AD Conditional Access Policies 

Tech Simplified

Published: 25 Aug 2024

Comments: 32
@TechSimplifiedAI 4 years ago
In the comments below, share your Azure AD Conditional Access Policies. Key Links in the video: ✦ Intro 01 ✦ Require MFA for administrators 00:53 ✦ Require MFA for all users 3:24 ✦ Block legacy authentication 6:10 ✦ Next Steps 8:50
@antix995 4 years ago
That report-only mode is really interesting. Such a useful application for this tool. Cheers.
@gabea8227 4 years ago
Great content man!
@TechSimplifiedAI 4 years ago
Thanks Gabe!!!!!!
@wlidster 3 years ago
Good and practical video to get folks launched into Azure MFA. Thank you!
@TechSimplifiedAI 3 years ago
Thank you!
@ItsBookkeeping 4 years ago
Great video you've got such brilliant energy 🙌!
@TechSimplifiedAI 4 years ago
Thank you!!!!
@davidwilson8585 3 years ago
This video was fantastic, and just what I needed. Thank you a million times.
@slygittens7065 4 years ago
Great content! Keep the great video coming!
@TechSimplifiedAI 4 years ago
Thank you!
@LuisNOJ3 3 years ago
Awesome! Much appreciated. Greetings from Spain.
@jr-bo9kj 4 years ago
When you mentioned MFA for specific locations, you had "Include" selected while talking about it. In that scenario, where I want to only prompt for MFA off my corporate network, I need to "Exclude" my corporate network from the MFA prompt rule. Just something that caught my eye watching your vid!
@TechSimplifiedAI 2 months ago
Thanks for catching that! You’re absolutely right. If you want to exclude your corporate network from the MFA prompt, you need to select “Exclude” for that network in your Conditional Access policy settings. This way, users on your corporate network won’t be prompted for MFA, but they will be when accessing from other locations. I appreciate you pointing that out and helping improve the accuracy of the content!
@TechSimplifiedAI 2 months ago
Yes, you can apply Data Loss Prevention (DLP) policies to all files in a selected folder in Microsoft Office 365. You would do this by configuring the DLP policy to target specific locations, such as a SharePoint site or a OneDrive account. Here’s a quick overview of how to do it:
1. Go to the Microsoft 365 compliance center.
2. Create a new DLP policy or edit an existing one.
3. In the Locations step, choose the specific sites or folders in SharePoint or OneDrive that you want to apply the policy to.
4. Define the conditions and actions for your DLP policy, such as what sensitive information to look for and what actions to take when such information is found.
This way, the DLP policy will monitor and protect all files within the specified folder. Let me know if you need more detailed steps or additional help!
@kevinr3061 2 years ago
Where have you been???? LOL, Excellent video.
@TechSimplifiedAI 2 years ago
Thank you!
@BlakeOlson1980 4 years ago
We set a location-based login. Deny all logins from outside the US. (We are a Defense contractor and cannot have any non-US users anyway, so it's a huge risk reduction, as most phishing attempts come from outside the US anyway.)
@TechSimplifiedAI 4 years ago
Thank you for sharing!
@jktification 2 years ago
Nice! The last example though you selected client apps as mobile and desktop clients. Why are they all considered legacy?
@TechSimplifiedAI 2 years ago
Check out this link; it covers legacy apps and clients: docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-conditions

Modern authentication clients
- Browser: These include web-based applications that use protocols like SAML, WS-Federation, OpenID Connect, or services registered as an OAuth confidential client.
- Mobile apps and desktop clients: This option includes applications like the Office desktop and phone applications.

Legacy authentication clients
- Exchange ActiveSync clients: This selection includes all use of the Exchange ActiveSync (EAS) protocol. When policy blocks the use of Exchange ActiveSync, the affected user will receive a single quarantine email. This email will provide information on why they’re blocked and include remediation instructions if able. Administrators can apply policy only to supported platforms (such as iOS, Android, and Windows) through the Conditional Access Microsoft Graph API.
- Other clients: This option includes clients that use basic/legacy authentication protocols that don’t support modern authentication.
  - Authenticated SMTP - Used by POP and IMAP clients to send email messages.
  - Autodiscover - Used by Outlook and EAS clients to find and connect to mailboxes in Exchange Online.
  - Exchange Online PowerShell - Used to connect to Exchange Online with remote PowerShell. If you block Basic authentication for Exchange Online PowerShell, you need to use the Exchange Online PowerShell Module to connect. For instructions, see Connect to Exchange Online PowerShell using multifactor authentication.
  - Exchange Web Services (EWS) - A programming interface that's used by Outlook, Outlook for Mac, and third-party apps.
  - IMAP4 - Used by IMAP email clients.
  - MAPI over HTTP (MAPI/HTTP) - Used by Outlook 2010 and later.
  - Offline Address Book (OAB) - A copy of address list collections that are downloaded and used by Outlook.
  - Outlook Anywhere (RPC over HTTP) - Used by Outlook 2016 and earlier.
  - Outlook Service - Used by the Mail and Calendar app for Windows 10.
  - POP3 - Used by POP email clients.
  - Reporting Web Services - Used to retrieve report data in Exchange Online.
@jimbarrofficial 4 years ago
Here's one I cannot find anywhere - I want one particular user to log in only if they are behind one particular IP. Nobody anywhere understands this. We have an MFA requirement in my firm. However, we have an integration app that does not support MFA. We need to lock down one particular user so they can only log in if they are behind the integration server public IP. Of course, as is usually the case, the Skykick techs "have never had that request before." If you can assist, please let me know. I am not sure what grant or session access control to put in to achieve this. Thanks.
@TechSimplifiedAI 3 years ago
Have you tried setting up a trusted IP? Then creating a conditional access policy that grants access to that address.
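One way to express the single-user, single-IP restriction asked about in this thread, using the same "Exclude" location logic raised in the earlier comment about corporate networks. This is an added example, not from the video or its author; it assumes the Microsoft Graph PowerShell SDK, and the user object ID, display names and IP range are placeholders.

```powershell
# Added example (not from the video). Assumes the Microsoft Graph PowerShell SDK.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

# Placeholders: assumptions, not values from this page.
$integrationUserId     = '<object-id-of-integration-account>'
$integrationServerCidr = '203.0.113.10/32'   # documentation-range IP; replace with the real public IP

# 1. Named location that contains only the integration server's public IP.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Integration server public IP (example)'
    isTrusted     = $false
    ipRanges      = @(
        @{
            '@odata.type' = '#microsoft.graph.iPv4CidrRange'
            cidrAddress   = $integrationServerCidr
        }
    )
}

# 2. Policy scoped to the one account: block sign-in from every location
#    EXCEPT the named location above (include "All", exclude the server IP).
$policy = @{
    displayName = 'Block integration account outside integration server IP (example)'
    state       = 'enabledForReportingButNotEnabled'   # report-only while validating
    conditions  = @{
        users          = @{ includeUsers = @($integrationUserId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
        locations      = @{
            includeLocations = @('All')
            excludeLocations = @($location.Id)
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

The policy is created in report-only state so its effect can be reviewed in the sign-in logs before `state` is changed to `enabled`. In the scenario described, the account would also need to be excluded from the tenant's MFA policy, since the integration app cannot complete MFA.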
@ibmuser13 3 years ago
Hey Sly. AWESOME content, liked and subscribed! Question - so this is doable on Azure roles as well, correct? And not just Azure AD roles? I do see users and groups, but don't see Azure roles like Owner/Contributor, hence needed a clarification. Thanks!
@TechSimplifiedAI 3 years ago
I see. Let me do some research, and I will respond to you soon.
@ibmuser13 3 years ago
Sly Gittens - Tech Simplified thanks much appreciated Sly!!
@TechSimplifiedAI 3 years ago
Check out this page - docs.microsoft.com/en-us/azure/role-based-access-control/conditional-access-azure-management
@scottp4357 4 years ago
I have some random questions, as I haven't really been able to find a satisfactory answer elsewhere... I've been looking at our CA policies the last couple of weeks but I'm still not 100% sure how they are ordered and processed... For example, if you apply a policy to all users, does a policy applied to a group override that in the same way that Group Policy works... Is the default permission "allow" - e.g. "out of the box" is everything allowed unless you restrict it? For example, I've been trying to put in a policy to block all users unless they match certain criteria (say from a certain country) and another to allow users that are members of an AD group, and the policies were not quite interacting the way I was expecting... The only way I could get it to work was to exclude the AD group from the block all users policy.
@TechSimplifiedAI 4 years ago
Thanks for the great questions! Let me test these questions in my lab. I will get back to you with answers. Check out this link; I think it may help with execution order: docs.microsoft.com/en-us/azure/active-directory/conditional-access/best-practices Check this document out as well: docs.microsoft.com/en-us/azure/active-directory/conditional-access/plan-conditional-access
@bproducer 3 years ago
Active Sync does not support MFA either so it could have been included in your block legacy authentication policy 🧐
@TechSimplifiedAI 3 years ago
Thanks!