Another professional from the Entra ID group shared this video and I'm subbed! Excellent video! As an aspiring Cybersecurity Analyst, I appreciated the multi-layered approach to conditional access, especially where the principle of Least Privilege was illustrated. Also found the Conditional Access for Zero Trust Framework exciting, particularly where he addressed the multiple exclusions by naming conventions thru 'personas'. Thanks for sharing! 👍
Amazing video Ru. Just a question about the VPNs, are you saying consumer VPNs are not evaluated or considered in location based CA policies? And so, in your UK example, if a user from the UK was connected to a VPN to access streaming video from the USA for example, they wouldn't be blocked by the CA policy? Hence the MDA policy requirement. Or are you saying a bad actor can use a VPN to appear to come from Ireland for example, when they are in fact in the far east and without the MDA policy would be able to sign in?🤕
Hey Matt, it's the latter. For example, if I have a CA policy that only allows Irish IPs, CA will accept IPs of VPNs, data centres, VPSs, etc, as long as their IP matches Irish geo data. Using MDA, you can refine it by saying "also block if the category - not just location - of the IP is XYZ".
![Why Your Conditional Access Policies Are Failing [5 Major Pitfalls]](/img/logo.svg){kind=logo}
