WEBVTT

00:00:02.820 --> 00:00:08.220
In this video, we're going to take a look at conditional access policy

00:00:08.220 --> 00:00:10.620
within Azure AD.

00:00:10.620 --> 00:00:15.840
In particular, we're going to talk about what conditional access policy

00:00:15.840 --> 00:00:21.120
is, and then I'm going to go ahead and demonstrate conditional access

00:00:21.120 --> 00:00:26.880
policy. So let's just dive right in and talk about what conditional access

00:00:26.880 --> 00:00:31.200
policy is. First of all, you might as well know that if you want to use

00:00:31.200 --> 00:00:35.960
it, before we even talk about what it is, you need Azure AD Premium level

00:00:35.960 --> 00:00:38.720
P1. Simple enough.

00:00:38.720 --> 00:00:40.920
So what are policies?

00:00:40.920 --> 00:00:47.440
Well, policies are designed to control the way that your Azure AD users

00:00:47.440 --> 00:00:52.820
are able to access their cloud-based applications that are authenticated

00:00:52.820 --> 00:00:54.540
through Azure AD.

00:00:54.540 --> 00:00:56.980
And a policy is a pretty simple concept.

00:00:56.980 --> 00:00:58.060
It has two parts.

00:00:58.060 --> 00:01:02.920
It has a set of conditions and a set of access controls.

00:01:02.920 --> 00:01:07.600
And the conditions are going to define really, well, the conditions.

00:01:07.600 --> 00:01:11.280
So, the way to put it, that the policy is going to be implemented.

00:01:11.280 --> 00:01:14.560
And then the access control is going to define, first of all, whether

00:01:14.560 --> 00:01:19.660
or not a user meeting those conditions is even allowed to access a particular

00:01:19.660 --> 00:01:22.680
application or set of applications.

00:01:22.680 --> 00:01:26.480
And also, if they are allowed, then are they going to be required to use

00:01:26.480 --> 00:01:30.080
MFA?
Well, let's take a step back and let's talk about the conditions

00:01:30.080 --> 00:01:34.900
that we have. And you can see there's a list of them right here.

00:01:34.900 --> 00:01:39.920
And so we're just going to go into that just a little bit.

00:01:39.920 --> 00:01:43.480
So our conditions are the following.

00:01:43.480 --> 00:01:47.620
The first two, cloud applications and users and groups, those are both

00:01:47.620 --> 00:01:51.960
required. Those are going to be the applications that this particular

00:01:51.960 --> 00:01:56.300
policy applies to and those people to whom it applies.

00:01:56.300 --> 00:01:58.800
The next condition is risk.

00:01:58.800 --> 00:02:05.060
Now, risk, specifying risk is not a requirement and it also requires

00:02:05.060 --> 00:02:08.800
Azure AD Identity Protection in order for you to use it, because that's

00:02:08.800 --> 00:02:11.940
what's going to define your risk.

00:02:11.940 --> 00:02:14.920
And there's, it's a pretty simple low, medium and high risk concept.

00:02:14.920 --> 00:02:19.800
There are other policies as well, other conditions.

00:02:19.800 --> 00:02:22.300
And what's interesting is the conditions and the access controls kind

00:02:22.300 --> 00:02:26.940
of overlap. For example, you've got the device platform that could be

00:02:26.940 --> 00:02:34.520
Android, iOS, Win, the ever popular Windows Phone, Windows, Mac OS.

00:02:34.520 --> 00:02:36.060
You've got the device state.

00:02:36.060 --> 00:02:41.640
Now, device state is really dependent upon, mostly dependent upon you

00:02:41.640 --> 00:02:46.460
having a mobile device management or MDM system, such as Intune.

00:02:46.460 --> 00:02:53.160
In addition to that, it can also be associated with hybrid devices.

00:02:53.160 --> 00:02:55.560
So if I've got an on-prem device, that will work.

00:02:55.560 --> 00:03:00.020
Location, you can define your own locations, which is pretty cool.

00:03:00.020 --> 00:03:04.860
We'll see that locations can either be geopolitical locations or they

00:03:04.860 --> 00:03:05.940
can be IP address ranges.

00:03:05.940 --> 00:03:10.340
So if you know, for example, that a request is coming from your on-prem

00:03:10.340 --> 00:03:16.020
environment, you might have a different risk profile, different requirements

00:03:16.020 --> 00:03:19.820
for access than you would, maybe, if it's coming from another country,

00:03:19.820 --> 00:03:24.180
etc. So we have location and then we also have the client app.

00:03:24.180 --> 00:03:25.940
And there's a couple of different ways that that applies.

00:03:25.940 --> 00:03:30.960
And again, there's overlap between the conditions and the access controls.

00:03:30.960 --> 00:03:34.460
On the access controls, you've got grant or block.

00:03:34.460 --> 00:03:35.100
That's pretty simple.

00:03:35.100 --> 00:03:39.640
And if you are granting, the one kind of standalone option is requiring

00:03:39.640 --> 00:03:45.160
MFA. But then on the grant, there's compliant device, there's hybrid-joined

00:03:45.160 --> 00:03:49.580
devices, there's approved client app and app protection policy.

00:03:49.580 --> 00:03:52.780
And you'll notice, as I said, there's a lot of overlap there.

00:03:52.780 --> 00:03:56.520
And it's really, frankly, a little bit up to you if you're going to use

00:03:56.520 --> 00:04:00.080
those, where you're going to apply them, because you could kind of get

00:04:00.080 --> 00:04:03.300
the same result either way.

00:04:03.300 --> 00:04:06.920
And so typically, when I'm looking at this, I'm personally focusing really

00:04:06.920 --> 00:04:13.000
not on these, but on the primary ones that I've got identified.

00:04:13.000 --> 00:04:14.360
What are your cloud apps?

00:04:14.360 --> 00:04:15.320
What are your user apps?

00:04:15.320 --> 00:04:18.180
If you've got Identity Protection, what are your risk levels?

00:04:18.180 --> 00:04:20.100
And is this a grant?

00:04:20.100 --> 00:04:23.580
And if it's a grant, are you going to require MFA, or is it a block?

00:04:23.580 --> 00:04:27.620
All right. So I know that's not really giving you much about these, because

00:04:27.620 --> 00:04:33.320
I think the best way to see a conditional access policy is to, well, actually

00:04:33.320 --> 00:04:35.780
see a conditional access policy.

00:04:35.780 --> 00:04:40.460
So without further ado, let's jump right into that.

00:04:40.460 --> 00:04:46.860
I have my Azure AD users here.

00:04:46.860 --> 00:04:52.060
I've got a couple of users that are replicated from an on-prem, an

00:04:52.060 --> 00:04:53.460
on-prem Active Directory.

00:04:53.460 --> 00:04:54.500
And that doesn't really matter.

00:04:54.500 --> 00:04:57.840
I'm going to use them not because you have to, but just because I think

00:04:57.840 --> 00:05:01.780
it's pretty cool that this applies to my users regardless of where they

00:05:01.780 --> 00:05:05.760
come from, whether they're cloud users or whether they're on-prem synchronized

00:05:05.760 --> 00:05:11.980
users. And what I'm going to do is I'm going to go back to my actual Azure

00:05:11.980 --> 00:05:21.320
AD. And within my Azure AD, I am going to go and find my conditional access,

00:05:21.320 --> 00:05:23.360
which I always have a hard time finding.

00:05:23.360 --> 00:05:26.080
There we go. Conditional access.

00:05:26.080 --> 00:05:27.960
Now there are already four policies.

00:05:27.960 --> 00:05:30.040
We'll get back to these at the end.

00:05:30.040 --> 00:05:34.860
These are default baseline policies that you can enact if you want.

00:05:34.860 --> 00:05:35.860
You can enable them if you want.

00:05:35.860 --> 00:05:39.780
But I'm going to go ahead and create a new policy.

00:05:39.780 --> 00:05:47.340
And I'm going to give this policy the name, the very, very descriptive name

00:05:47.340 --> 00:05:50.640
of demo policy. Please create better-named policies.

00:05:50.640 --> 00:05:53.720
But what's important here is not the name, but what I'm actually going

00:05:53.720 --> 00:05:57.500
to do. So I've got assignments and access controls.

00:05:57.500 --> 00:06:01.560
First, I'm going to go to assignments, and remember the first two are required.

00:06:01.560 --> 00:06:04.220
I'm going to find who this applies to.

00:06:04.220 --> 00:06:06.040
It can apply to no one.

00:06:06.040 --> 00:06:10.620
It can apply to everyone, or I can differentiate.

00:06:10.620 --> 00:06:14.120
And for example, I could say all guests and external users.

00:06:14.120 --> 00:06:18.820
I can specify directory roles or I can specify users and groups.

00:06:18.820 --> 00:06:23.080
And I'm going to be really mean to Sue.

00:06:23.080 --> 00:06:26.780
I wouldn't suggest doing this on an individual basis, but it works very

00:06:26.780 --> 00:06:29.500
well for demonstration.

00:06:29.500 --> 00:06:32.980
And I could, of course, add in the other ones as well.

00:06:32.980 --> 00:06:35.000
Notice I could also exclude.

00:06:35.000 --> 00:06:38.680
So I could, for example, essentially whitelist this: include everyone

00:06:38.680 --> 00:06:43.260
and then just exclude certain accounts.

00:06:43.260 --> 00:06:47.040
Right, next are the cloud apps.

00:06:47.040 --> 00:06:48.860
And I've got cloud apps.

00:06:48.860 --> 00:06:53.260
There's also user actions, register security information, which you can

00:06:53.260 --> 00:06:55.280
notice is just in preview.

00:06:55.280 --> 00:06:58.840
But the cloud apps, it could be none, all, or select.

00:06:58.840 --> 00:07:01.120
And notice also I have the ability to exclude.

00:07:01.120 --> 00:07:05.420
So again, I could select all and then just exclude certain apps.

00:07:05.420 --> 00:07:10.760
But I am going to go ahead and say that I want Microsoft Azure Management.

00:07:10.760 --> 00:07:15.980
And this is great for demonstrations because this applies to the portal.

00:07:15.980 --> 00:07:20.340
It also applies to the command line, whether you might be using the CLI

00:07:20.340 --> 00:07:25.240
or PowerShell. Go ahead and take that one.

00:07:25.240 --> 00:07:29.380
And we're going to go ahead and hit Done.

00:07:29.380 --> 00:07:32.420
Next are my conditions.

00:07:32.420 --> 00:07:36.180
And you'll see there's a number of conditions that I went through.

00:07:36.180 --> 00:07:38.040
First of all, sign-in risk.

00:07:38.040 --> 00:07:39.660
I can turn that on.

00:07:39.660 --> 00:07:41.900
I've got high, medium, low, or no risk.

00:07:41.900 --> 00:07:45.100
So no risk, I mean, it would apply to everybody.

00:07:45.100 --> 00:07:47.640
I've got device platforms.

00:07:47.640 --> 00:07:49.560
And again, notice include and exclude.

00:07:49.560 --> 00:07:54.920
And if I configure that, any device or by platform: Android, iOS, Windows

00:07:54.920 --> 00:07:58.220
Phone, Windows, or Mac OS.

00:07:58.220 --> 00:08:06.880
Locations. Now the locations is actually pretty cool.

00:08:06.880 --> 00:08:13.540
I've got, yes, I can go all trusted locations or selected locations.

00:08:13.540 --> 00:08:17.100
Now right now I don't have any locations defined.

00:08:17.100 --> 00:08:19.860
I'm going to show you that after I go through here, but this would be

00:08:19.860 --> 00:08:21.640
where I would add them in.

00:08:21.640 --> 00:08:23.240
I don't want to add any.

00:08:23.240 --> 00:08:26.100
Then any client apps.

00:08:26.100 --> 00:08:31.100
And right now I've got the browser, mobile apps and desktop clients.

00:08:31.100 --> 00:08:38.400
And you see the ones that are available.

00:08:38.400 --> 00:08:43.160
And finally, the device state, which right now, the only thing I have

00:08:43.160 --> 00:08:44.420
here is all device states.

00:08:44.420 --> 00:08:48.000
So that's not really particularly limiting.

00:08:48.000 --> 00:08:51.160
All right, now I'm going to go to my access controls.

00:08:51.160 --> 00:08:51.960
Pretty straightforward.

00:08:51.960 --> 00:08:55.460
I've got block access or I've got grant.

00:08:55.460 --> 00:08:58.200
And you can see the conditions under grant.

00:08:58.200 --> 00:09:02.480
So require multi-factor authentication, require device to be marked as

00:09:02.480 --> 00:09:08.000
compliant, require hybrid Azure AD, require approved client app, and there

00:09:08.000 --> 00:09:10.200
is a list of approved client apps.

00:09:10.200 --> 00:09:11.640
There's also a protection policy.

00:09:11.640 --> 00:09:14.900
These are both maintained by Microsoft currently.

00:09:14.900 --> 00:09:16.360
And I can choose those.

00:09:16.360 --> 00:09:18.220
Notice, of course, they are in preview.

00:09:18.220 --> 00:09:20.160
And I always want to be careful with that.

00:09:20.160 --> 00:09:24.800
And I can say that someone has to have all of these selected requirements

00:09:24.800 --> 00:09:26.380
or just one of them.

00:09:26.380 --> 00:09:30.640
So I could, for example, either have multi-factor authentication or a

00:09:30.640 --> 00:09:32.440
device that is marked as compliant.

00:09:32.440 --> 00:09:36.700
We'll go ahead and have multi-factor authentication.

00:09:36.700 --> 00:09:40.060
And last, I want to go ahead and enable the policy.

00:09:40.060 --> 00:09:44.440
Pretty straightforward process.

00:09:44.440 --> 00:09:46.440
And I now have demo policy.

00:09:46.440 --> 00:09:49.460
And demo policy is marked as enabled.

00:09:49.460 --> 00:09:52.720
I want to take a look at these other built-in policies.

00:09:52.720 --> 00:09:57.760
And these, you don't have options because, by definition, they are built

00:09:57.760 --> 00:10:01.080
in. But you can see exactly what they do.

00:10:01.080 --> 00:10:04.400
It requires multi-factor authentication for these roles.

00:10:04.400 --> 00:10:08.440
And if I want that, I can use a policy, or I can continue to not use a

00:10:08.440 --> 00:10:12.360
policy. And again, this is something to keep an eye on.

00:10:12.360 --> 00:10:15.120
That one is actually in general availability.

00:10:15.120 --> 00:10:18.300
The others are in preview, and then there is mine.

00:10:18.300 --> 00:10:24.440
Now, the only other thing that we have here that kind of played in is

00:10:24.440 --> 00:10:26.860
named locations.

00:10:26.860 --> 00:10:33.440
I am going to go ahead and add a new named location.

00:10:33.440 --> 00:10:39.760
And this named location is going to be, we'll say, HQ.

00:10:39.760 --> 00:10:42.580
And there's two different ways that I can define HQ.

00:10:42.580 --> 00:10:43.780
I could have the IP ranges.

00:10:43.780 --> 00:10:47.980
So if I know the public IP ranges, assuming I'm probably in a NATed environment,

00:10:47.980 --> 00:10:49.300
I can put that there.

00:10:49.300 --> 00:10:52.080
Or I could specify countries and regions.

00:10:52.080 --> 00:10:56.700
And within countries and regions, it's a list like you would expect.

00:10:56.700 --> 00:11:00.300
A whole lot of countries and regions that you can select.

00:11:00.300 --> 00:11:06.000
And if I go to IP ranges, I can specify an IP range and I can mark it as trusted.

00:11:06.000 --> 00:11:10.920
Now remember, this is actually a location that can be used in a policy.

00:11:10.920 --> 00:11:14.740
And I could have, no, of course, this is not actually, I know this is

00:11:14.740 --> 00:11:17.960
not a public IP address range.

00:11:17.960 --> 00:11:21.420
I'll just put that one in there because I know that no harm will come

00:11:21.420 --> 00:11:26.060
of that. All right.

00:11:26.060 --> 00:11:33.780
And so now I've got my trusted location and I could use that in policies.

00:11:33.780 --> 00:11:37.000
There's also down here a couple of things.

00:11:37.000 --> 00:11:38.660
There's a terms of use.

00:11:38.660 --> 00:11:42.800
You can add your own terms of use that somebody would have to agree to.

00:11:42.800 --> 00:11:45.740
There is VPN connectivity.

00:11:45.740 --> 00:11:50.000
You can upload VPN certificates so that if somebody's coming in through

00:11:50.000 --> 00:11:55.220
a VPN, that gets recognized and can be integrated into your policy.

00:11:55.220 --> 00:11:58.920
But for now, we have what we need for our policy.

00:11:58.920 --> 00:12:03.580
And what I'm going to do is I'm going to log in.

00:12:03.580 --> 00:12:08.060
I'm going to log in as Sue, to whom this policy applies.

00:12:08.060 --> 00:12:11.080
I'm going to My Apps.

00:12:11.080 --> 00:12:32.260
And I'm going to log in as Sue.

00:12:32.260 --> 00:12:38.760
And at this point, Sue just logs in because she is logging in to My Apps,

00:12:38.760 --> 00:12:44.360
where I do not have any kind of policy.

00:12:44.360 --> 00:12:47.740
Let me go ahead and we'll just log her in again.

00:12:47.740 --> 00:12:53.060
But this time, we're going to log her into the portal.

00:12:53.060 --> 00:13:12.160
Go to portal.azure.com.

00:13:12.160 --> 00:13:17.400
And put in her password.

00:13:17.400 --> 00:13:21.420
But now notice she is required to put in more information.

00:13:21.420 --> 00:13:29.080
So now we have multi-factor authentication because she's going to an app,

00:13:29.080 --> 00:13:33.760
in this case the portal, that is protected by multi-factor authentication.

00:13:33.760 --> 00:13:35.840
I am not going to go through this.

00:13:35.840 --> 00:13:39.580
There are other demonstrations with multi-factor authentication.

00:13:39.580 --> 00:13:42.740
But the point is I've now triggered multi-factor authentication for a

00:13:42.740 --> 00:13:46.060
user by using a conditional access policy.