How to move Conditional Access to the next level.
- How to get a device compliant with Intune
- How to monitor your logins
- What is Baseline policy: Require MFA for admins (Preview) - and why care about it
3. Conditional Access with EMS
Protect the front door - Conditional Access
Baseline policy: Require MFA for admins (Preview)
Monitor your logins
Conditional Access rules
5. Conditional Access (diagram)
Conditions: Users, Devices, Location, Apps, Session risk (machine learning, real-time evaluation engine, policies, effective policy)
Controls: Require MFA, Allow access, Deny access, Force password reset, Limit access
Protected resources: On-premises apps, Web apps
6. Risk-based Conditional Access (diagram)
IF: Privileged user? Credentials found in public? Accessing sensitive app? Unmanaged device? Malware detected? IP detected in botnet? Impossible travel? Anonymous client?
User risk: High / Medium / Low. Session risk: High / Medium / Low
THEN: Require MFA, Allow access, Deny access, Force password reset, Limit access
What If tool
9. What you should know
• Applies to all Azure AD tenants, regardless of license
• Covers the most privileged Azure AD roles
• Privileged accounts used in scripts will be prompted for MFA: replace them with Managed Service Identity (MSI) or service principals with certificates. As a temporary workaround, you can exclude specific user accounts from the baseline policy.
• Disable legacy authentication (POP, IMAP, older Office desktop clients); these protocols cannot perform MFA.
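Before you block legacy authentication you need to know who still uses it, which is where the "monitor your logins" point comes in. The following PowerShell is an added example, not part of the slides or of Microsoft's tooling: it filters Azure AD sign-in records by the clientAppUsed property that the Microsoft Graph signIn resource reports, so the admins and service accounts still on POP, IMAP or other basic-auth protocols can be migrated first. The sign-in records, user names and error codes below are constructed for the example; the property names follow the Graph signIn schema.

```powershell
# Added example (not from the slides): find legacy-authentication sign-ins in
# Azure AD sign-in records before turning legacy auth off.
# Assumption: each record carries the Microsoft Graph signIn property names
# (createdDateTime, userPrincipalName, appDisplayName, clientAppUsed, status).
# The sample records further down are constructed for this example.

# clientAppUsed values Azure AD reports for legacy (basic-auth) protocols.
# Modern clients report 'Browser' or 'Mobile Apps and Desktop clients'.
$LegacyClientApps = @(
    'Exchange ActiveSync', 'IMAP4', 'POP3', 'SMTP', 'Authenticated SMTP',
    'Other clients', 'Exchange Online PowerShell', 'MAPI Over HTTP',
    'Offline Address Book', 'Exchange Web Services', 'Outlook Anywhere (RPC over HTTP)'
)

function Get-LegacyAuthSignIn {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$SignIn
    )
    process {
        # A legacy protocol cannot satisfy an MFA requirement, so every one of
        # these sign-ins will break once the policy applies.
        if ($LegacyClientApps -contains $SignIn.clientAppUsed) {
            [pscustomobject]@{
                When     = $SignIn.createdDateTime
                User     = $SignIn.userPrincipalName
                Protocol = $SignIn.clientAppUsed
                App      = $SignIn.appDisplayName
                Result   = if ($SignIn.status.errorCode -eq 0) { 'Success' } else { "Failed ($($SignIn.status.errorCode))" }
            }
        }
    }
}

# Constructed sample, shaped like the 'value' array returned by
# GET https://graph.microsoft.com/beta/auditLogs/signIns
$sample = @(
    [pscustomobject]@{ createdDateTime = '2018-10-01T07:12:03Z'; userPrincipalName = 'admin@contoso.onmicrosoft.com'; appDisplayName = 'Office 365 Exchange Online';   clientAppUsed = 'IMAP4';                           status = @{ errorCode = 0 } }
    [pscustomobject]@{ createdDateTime = '2018-10-01T07:15:44Z'; userPrincipalName = 'alice@contoso.com';             appDisplayName = 'Office 365 SharePoint Online'; clientAppUsed = 'Browser';                         status = @{ errorCode = 0 } }
    [pscustomobject]@{ createdDateTime = '2018-10-01T07:20:10Z'; userPrincipalName = 'svc-backup@contoso.com';        appDisplayName = 'Office 365 Exchange Online';   clientAppUsed = 'Other clients';                   status = @{ errorCode = 50126 } }
    [pscustomobject]@{ createdDateTime = '2018-10-01T07:31:59Z'; userPrincipalName = 'bob@contoso.com';               appDisplayName = 'Microsoft Teams';              clientAppUsed = 'Mobile Apps and Desktop clients'; status = @{ errorCode = 0 } }
)

# Who still depends on legacy protocols, and over which protocol.
$sample | Get-LegacyAuthSignIn | Sort-Object User | Format-Table -AutoSize
$sample | Get-LegacyAuthSignIn | Group-Object User, Protocol | Select-Object Count, Name
```

On the constructed sample, the admin account on IMAP4 and the backup service account on "Other clients" are flagged; the browser and modern-client sign-ins are not. Against a real tenant, feed the function the records returned by the Graph sign-ins endpoint (or the sign-ins export from the Azure AD portal) and treat every flagged privileged account as work to do before the MFA policy is enforced.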
10. Let’s have a closer look
Baseline policy: Require MFA for admins (Preview)
20. Conditional Access with EMS
Protect the front door - Conditional Access
Protect Admin accounts
Monitor your logins and compliance level
Have the right rules that enforce your corporate security policy
About the presenter:
Please do not hesitate to ask questions during the presentation. We will have a Q&A at the end of the presentation, but I prefer an open dialog and to see where it will take us.
About me:
Microsoft MVP - Enterprise Mobility, Solution Architect, Technical Lead for Microsoft Enterprise Mobility Suite (EMS) and Microsoft Partner Technology Solutions Professional (P-TSP)
Co-Owner of Everything Windows User Group Denmark
Find me:
E-mail: per.larsen@atea.dk
Phone: +45 3078 1828
Follow me:
Twitter: https://twitter.com/perlarsen1975/
LinkedIn: https://www.linkedin.com/in/perlarsen1975/
Join me:
Everything User Group Denmark: http://ewug.dk
http://aad.portal.azure.com
While managing custom conditional access policies requires an Azure AD Premium license, baseline policies are available in all editions of Azure AD.
The directory roles that are included in the baseline policy are the most privileged Azure AD roles.
Global administrator
SharePoint administrator
Exchange administrator
Conditional Access administrator
Security administrator
If you have privileged accounts that are used in your scripts, you should replace them with Managed Service Identity (MSI) or service principals with certificates. As a temporary workaround, you can exclude specific user accounts from the baseline policy.
Baseline policies also apply to legacy authentication flows like POP, IMAP and older Office desktop clients; since those flows cannot perform MFA, the affected sign-ins will fail once the policy is enabled.
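The note above (and the "What you should know" slide) tells you to replace privileged user accounts in scripts with service principals that use certificates. The following PowerShell is an added example, not from the slides or from Microsoft's documentation, showing what that replacement looks like with the AzureAD module: an admin registers an application once, uploads a certificate as its credential, grants it a narrow directory role, and the unattended script then signs in with the certificate thumbprint instead of a username and password. The tenant ID, application name and role name are placeholders you must change; the role chosen is only an illustration of the least-privilege point.

```powershell
# Added example (not from the slides): move an automation script off a privileged
# user account and onto a certificate-authenticated service principal, so the
# script is no longer caught by "Require MFA for admins" and stores no password.
# Requires the AzureAD module (Install-Module AzureAD) on Windows PowerShell with
# the PKI module (New-SelfSignedCertificate).
# Assumptions (placeholders, not from the slides): $tenantId, $appName, $roleName.

$tenantId = '00000000-0000-0000-0000-000000000000'   # your tenant ID
$appName  = 'ScriptRunner-UserProvisioning'          # display name for the app
$roleName = 'User Administrator'                     # narrowest role the script needs; never Global Administrator

# --- One-time setup, run interactively by an admin (MFA applies here, as it should) ---
Connect-AzureAD -TenantId $tenantId

# 1. Key pair lives in the automation host's certificate store; private key is non-exportable,
#    so there is nothing to paste into a script or a repository.
$cert = New-SelfSignedCertificate -Subject "CN=$appName" `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyExportPolicy NonExportable -KeySpec Signature `
    -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(1)

# 2. Register the application and upload only the public certificate as its credential.
$app = New-AzureADApplication -DisplayName $appName
$null = New-AzureADApplicationKeyCredential -ObjectId $app.ObjectId `
    -CustomKeyIdentifier ([System.Convert]::ToBase64String($cert.GetCertHash())) `
    -Type AsymmetricX509Cert -Usage Verify `
    -Value ([System.Convert]::ToBase64String($cert.GetRawCertData())) `
    -StartDate $cert.NotBefore -EndDate $cert.NotAfter

# 3. Create the service principal and assign the least privileged role that covers the job.
$sp   = New-AzureADServicePrincipal -AppId $app.AppId
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $roleName }
if (-not $role) {
    # A role only appears in Get-AzureADDirectoryRole after it has been activated once.
    $template = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $roleName }
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId

Disconnect-AzureAD

# --- In the unattended script: no user account, no password, no MFA prompt ---
Connect-AzureAD -TenantId $tenantId -ApplicationId $app.AppId -CertificateThumbprint $cert.Thumbprint
Get-AzureADUser -Top 5 | Select-Object UserPrincipalName, AccountEnabled
Disconnect-AzureAD
```

In practice the unattended part runs on the host where the certificate was generated, with the app ID and thumbprint kept in the script's configuration rather than in a credential store. Rotate the certificate before its expiry by adding a new key credential to the same application, switching the script to the new thumbprint, and then removing the old credential, so the service principal never falls back to a password-style secret. Excluding the old admin account from the baseline policy should remain the temporary workaround the slide calls it, not the end state.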