Hey Andy this is great, thank you. I have a question: Isn't Network section in CA policy same as Named Locations IP ranges? Can we set private IP ranges in Network section?
Hi Andy, thank you for sharing the new features. Can the token protection protect users who are not using MFA due IOT device in the store that can't work with a user who is signing in with MFA on their profiles?
A short answer is no. Token protection only works in a limited format at the moment but is currently being rolled out by Microsoft. At the moment you can use it on the Microsoft 365 portals and apps as well as the admin portals. The idea of being that it can protect admin accounts from token replay attacks. For more information visit Microsoft learn and take a look at the various documentation. Good luck and thanks for tuning in Andy
Thanks for the information. On a slightly separate note, does anyone know of a way admins can create a temporary sandbox tenant for exploring various features without using a production environment?
That’s what trial accounts were for they were great. However, Microsoft are really cutting back on these and making it difficult to take trial subscriptions without the requirement of a credit card.
Device Code Flow - is this the same as when you're logged into or using Safari on one device, then continue to use it on another? Authentication Flow - logged in onto O365 on one device, then use on another with the same creds? Have I understood this right?
Thanks for the informative content as always. Regarding the authentication methods: in the case for SSPR, what would be your recommendation? SSPR can be setup with either 1 or 2 factor MFA. 2-factor MFA sounds the most secure to me, but the 2nd factor for SSPR can only be a phone number (office phone or SMS) or a secondary emailadress. Both of those secondary SSPR methods are quite unsecure. So my question would be: Is it more secure to enable SSPR with just 1-factor MFA (which would be the Authenticator App), or would it be better to enable SSPR with 2-factor MFA (Authenticator App + Phone Number OR Emailaddress)?
In my opinion, SSPR is a potential back door into your active directory. Personally, I’m not a fan of it and it encourages retaining passwords when really we want to get rid of them. Consider. Phishing resistant credentials instead instead for example pass keys.
![Why Your Conditional Access Policies Are Failing [5 Major Pitfalls]](/img/n.gif)
This is fantastic. Thank you for taking the time to show us. I`m going to spend my weekends with your videos :-)
Thanks, well presented
Can you do a video showcasing MFA whenever an eligible role is activated ?
Thanks Andy. Great Video
Hey Andy this is great, thank you. I have a question: Isn't Network section in CA policy same as Named Locations IP ranges? Can we set private IP ranges in Network section?
Not that I’m aware of
Hi Andy, thank you for sharing the new features. Can the token protection protect users who are not using MFA due IOT device in the store that can't work with a user who is signing in with MFA on their profiles?
A short answer is no. Token protection only works in a limited format at the moment but is currently being rolled out by Microsoft. At the moment you can use it on the Microsoft 365 portals and apps as well as the admin portals. The idea of being that it can protect admin accounts from token replay attacks. For more information visit Microsoft learn and take a look at the various documentation. Good luck and thanks for tuning in Andy
Thanks for the information. On a slightly separate note, does anyone know of a way admins can create a temporary sandbox tenant for exploring various features without using a production environment?
That’s what trial accounts were for they were great. However, Microsoft are really cutting back on these and making it difficult to take trial subscriptions without the requirement of a credit card.
I pay for two licenses just to test things out.
Hi Andy, is it possible with CA to block office apps like word, excel and outlook, but keep onedrive and teams working everywhere ?
You can select the apps option on user account properties and deselect apps that you don’t want the user to see
Device Code Flow - is this the same as when you're logged into or using Safari on one device, then continue to use it on another?
Authentication Flow - logged in onto O365 on one device, then use on another with the same creds?
Have I understood this right?
You got it 😊
Great Video cheers 🙂
Thanks for the informative content as always. Regarding the authentication methods: in the case for SSPR, what would be your recommendation?
SSPR can be setup with either 1 or 2 factor MFA. 2-factor MFA sounds the most secure to me, but the 2nd factor for SSPR can only be a phone number (office phone or SMS) or a secondary emailadress. Both of those secondary SSPR methods are quite unsecure.
So my question would be: Is it more secure to enable SSPR with just 1-factor MFA (which would be the Authenticator App), or would it be better to enable SSPR with 2-factor MFA (Authenticator App + Phone Number OR Emailaddress)?
In my opinion, SSPR is a potential back door into your active directory. Personally, I’m not a fan of it and it encourages retaining passwords when really we want to get rid of them. Consider. Phishing resistant credentials instead instead for example pass keys.
@@AndyMaloneMVP Thanks Andy, we're already working on going passwordless asap :)
Risk related data activities - Timestamp 12:37 - what does this mean? under Insider Risk?
For this to work, you need to set up an insider risk policy in Microsoft purview
please i really want to join the class am really interested
We’d love to have you just click on the book button and you’re all set
@@AndyMaloneMVP where can i find the boook button please
@@Bigapps1Zwww.quality-training.co.uk/book-online
Hero!