Contents
Understanding Security Defaults
When you first setup your M365 tenant there are number of security defaults put in place automatically. This is a set of basic identity security mechanisms recommended by Microsoft.
EG: turn on MFA for Global Administrators
These security defaults are in:
- Azure AD -> Properties
- At the bottom of the page there is a link that says “Manage Security Defaults”
- From here you can disable the Security Defaults if you wish (only if you are setting up your own security settings for the tenant)
- Click on the “Learn More” link to get more details on the Security Defaults. It brings you to the following website:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults
Using Conditional Access Policies
The Dilemma of Modern Administration
Administrators today must allow users to be productive anywhere, at any time and from a massive selection of devices and applications.
Administrators are also expected to protect data and assets at all times.
Conditional Access Policies
Conditional Access is a tool in Azure that brings signals (how they are logging, from where, which apps etc…) together for access decision making.
Signals help in decision making on whether to allow access or enforce certain policies (block access, send an alert ,force MFA etc…).
The Conditional Access policies make sure a number of requirements are met and makes decisions on this.
Signals:
- User or group membership
- IP location
- Device type(OS version etc…)
- Microsoft Cloud App Security
- Application (EG: using official Outlook app to check email, not an unsupported or legacy app)
- Real time and calculated risk detection (EG: are they blocking their IP address?)
Decisions:
- Block Access
- Grant
– require MFA
– Compliant device
– Require Hybrid Azure AD Joined
– Require approved app
Implementing Conditional Access Policies
There are a few different places you can administer this:
- Endpoint manager
- Azure AD
The master is Azure AD and the Endpoint Manager changes are stored there.
Administering Conditional Access Policies
- Go to Azure AD _> Security -> Conditional Access
- Click New Policy
- Set a name for the policy
- Assign policy to specific users and groups or roles.
- Conditions that this policy will apply to:
– User Risk: has the account been compromised (low med or high)
-Sign in risk: entering bad passwords, logging in from different country (low, med, high)
– Device platforms
– Locations: you need to create locations to use this
– Client apps: see later section on Cloud Apps
– Filters for devices: this is based on a query like manufacturer, model number etc… This is a pretty new feature. - Access Controls: this is where you choose what happens if user meets these conditions
– block access
– grant access
– require MFA/Azure AD joined device/Approved Apps
– Force Password Change - Enable Policy:
– Report only: just logs the attempted access, but doesn’t do anything
It can take some time before policy takes effect.
Implementing Application Controls within Conditional Access Policies
To create a policy related to Apps:
- Go to Azure AD _> Security -> Conditional Access
- Click New Policy
- Set a name for the policy
- Assign policy to specific users and groups or roles.
- Go to “Cloud apps or actions”:
– User Actions: you can force users to register security information or register devices
– Authentication Context: This is the method a user has authenticated. EG: you can only access a certain SharePoint site if you are on a certain type of device
– Cloud Apps: Control user access based on all or specific apps. In this example we will select “Office 365” - Conditions:
– Client apps: Control user access to target specific client apps that are not using modern authentication. EG: Legacy Apps (Outlook 2010 etc…). You can select the category of apps you want to apply this policy to - Access Controls: choose to grant or block access (require MFA etc…)
Implementing Session Management within Conditional Access policies
You need to be dealing with Cloud apps for these options to be available to you
- Go to Azure AD _> Security -> Conditional Access
- Click New Policy or edit a policy
- At the bottom of the options screen you see “Session”
- Options:
– Use App enforced restrictions: this looks at restrictions that may be in place in the app itself. EG: restrictions that may be in SharePoint
– Use Conditional Access App Control: This is probably the most powerful. If you select the check box you have 3 actions-
— Monitor Only: log what the user is doing involving this app within the session
— Block downloads: prevents any kind of downloads within the app
— Use Custom Policy: this brings you to the “Cloud App Security” console. Here you can set policies to things like stopping users deleting items in the app, or copying data in the app. You need to have a licence to use Cloud App Security - Sign in frequency: you can set the number of days/hours before a user is asked to sign in again and reauthenticate
- Persistent browser session: NOTE this options only available if you select all apps.
– always persistent: the session token they have will always be available
– never persistent: they have to get a new session token every time they access the app
Testing and Troubleshooting Conditional Access Policies
Microsoft has a useful What If tool that allows you to test what will happen with a Conditional Access policy as a specific user
- Go to Azure AD -> Security -> Conditional Access
- Click on the “What IF” button
- Select the user you want to test with.
- There a number of options you can select here that will simulate the users scenario and what will happen with the policy:
– IP address
– Country
– Device platform
– Client apps
– Device state (Hybrid Ad joined, compliant device etc…)
– Sign in risk level - Click on What If
- It will show you the policies that will apply to the user and may affect their access. It will also show the policies that are not applied