Thanks a lot.
Hey thanks so much I appreciate that👍🤗😊
Perfect timing. I was just coming to your channel looking for info on this!
Hey that’s awesome😊I hope you’ll subscribe 👍
Correct me if I am wrong, but with CA the most restrictive takes place? Let's say there are two CAs: one states users must have MFA enabled before accessing an Entra ID SSO app; the second CA states allow all users to access an Entra ID SSO app without any specific authentication. This means when the users access this Entra ID SSO app they will have to use MFA, due to the first CA rule being the most restrictive.
Correct
Andy, thank you sincerely for sharing such valuable knowledge. I genuinely appreciate it. I hope that one day, I will have the opportunity to meet you in person and express my gratitude personally :)
Aw that is so kind, thank you so much. I really do appreciate that 😊 and 👍
A great quick crash course, thank you!
Thanks for the wonderful session. Does Azure Virtual Desktop support MFA? When I tried it, it failed, so could you kindly guide me on resolving it?
It does, but with a bit of work. Check out the Microsoft documentation on lynne.microsoft.com.
Hello, I just found your video. It is really interesting and helpful; it solved a lot of my questions. I was recently tasked to use Conditional Access to block access to OneDrive on non-company devices. Any ideas on how to block OneDrive only?
Look at the OneDrive settings in the SharePoint admin centre.
Andy, as always, excellent content!
Thanks a lot, Andy.
A very informative video. Thank you!
You can now add some M365 admin portals in CA. Thanks Andy!
You are quite correct, you always could 👍
Great learning, thank you
Glad you enjoyed it
Great explanation
Great Video!
With IPv6 you want to make sure you allow unnamed locations. IPv6 doesn't always give a location and you can accidentally lock out your CEO from the calendar when he's trying to plan his mother's funeral.
Your comment made me laugh
@BloomerzUK it wasn't a call I wanted at 6 AM on a Sunday. Lol, lesson never forgotten.
@brandonw1604 I thought you were joking... you poor sod!
@BloomerzUK nope, didn't know about IPv6 and locations.
Oddly specific. Poor guy, I wouldn't want that call.
Regarding the warning about the legacy authentication clients: disable legacy authentication by default (it's a recommendation documented by Microsoft somewhere). Either set a CA policy to block it entirely, or disable it through the Admin center (or both).
Love your content. Been following for a while now. Question for you on MFA/CA policies. As an admin, my phone screen went out on me, leaving me basically without a phone. I couldn't receive calls or texts, which is what my MFA was configured for. What's the best way to configure myself so that if I'm ever in this situation again, I can still authenticate and access M365?
This is easy. Go into Microsoft 365 and go into the user's account. There is an option to reinforce MFA. This will then force the user to repeat the MFA registration process. It's well documented on learn.microsoft.com. Good luck.
Thanks for the video. Could you please let me know what would be the ideal way to configure a policy if I want to block all countries and only allow users to log in from the country where our office resides? I know we can simply create this using a named location and CA. But what if one of my users is travelling and I need to give her access from those countries as well (only that user)? I also don't want that user to get access from any country other than where she is travelling and the office locations. I tried multiple ways of creating policies, but none seems to fit; each has one flaw or another. Can you please help me here?
I would probably create an allow-only list which blocks all other countries using location-based Conditional Access. For documentation on this please visit learn.microsoft.com or post a question to the Microsoft Tech Community 😊
@AndyMaloneMVP I believe you probably misunderstood my question. I will give you an example. My office resides in India, so I created a named location called "office location" and selected India. I created a policy excluding the office location (i.e. India), included any location, and set the grant control to block for all users.
Now, for example, if my CEO is travelling to the UK, I want to allow him to log in to all apps from India as well as the UK. If I exclude him from the main policy, he would be able to log in from anywhere. But I only want him to log in from the UK and India.
Secondly, if I exclude him from the main policy, create a new named location "travel country" and add the UK, and create a new CA policy including only my CEO and blocking any location except the travel country, would he be able to log in only from the UK, or from India and the UK?
Also, every time a user travels we have to add them to a security group and remove them later, which is a lot of manual work. So what would you suggest? Your help would be much appreciated. Thanks again for the swift response.
Well done. I want to suggest a more practical approach, with examples in a real environment and with a specific set of policies that are basic best practice: not only showing the admin portal but also showing the real result on a device. A minimum security setup with a set of policies and settings would also be nice as an example. We also want to copy and paste a basic set of policies and settings from one tenant to another, to have best-practice minimal settings for all clients. Maybe one or more of those suggestions will lead to an update video on these neat features... thanks!
Absolutely, come on one of my courses and I'll show you.
Excellent video. 1.25x speed is the sweet spot for me, but I appreciate the original speed.
Cool, thanks
Great video very informative Thanks!!!!
Glad you enjoyed it!
Please, how can I get training from you?
Thanks
Pay me lots of money🤣😂🤗
@AndyMaloneMVP I'm ready, please.
@Abayomi-Munatech please send me an email via my TH-cam channel or LinkedIn giving me details of where you're located and what training you're looking for. My schedule is very busy, but I can see if I can fit you in.
Well done, mate :)
Perhaps a future update on CA with Windows Defender Cloud for Apps?
If you take a look in my Microsoft Defender and Microsoft Purview playlists, there are sessions on cloud apps there that explain everything.
Just a mention: User Risk and Sign-in Risk require P2 licensing. Many NGOs that I handle do not get that in their licensing. Conditional Access appears with P1 licensing, which my NGOs apparently all have by default. (sigh)
You're right: Identity Protection requires P2, Conditional Access P1.
Correct me if I am wrong, but with CA, block takes precedence, right? Let's say I have two CAs: one CA states BLOCK all users from accessing an Entra ID SSO app; the second CA states allow all users to access an Entra ID SSO app. This means all users will be BLOCKED from accessing that Entra ID SSO app.
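Added example, not from the video or from any comment in this thread: a small Python model of how Entra ID evaluates several Conditional Access policies against a single sign-in. It covers the three policy questions raised above (an MFA policy next to an "allow" policy, block versus allow, and the India/UK travel allow-list with a CEO excluded from the main policy) plus the unresolved-country case behind the IPv6 lockout story. The user names, policy names and the two named locations are made up; the combination rules mirror the documented behaviour: every policy whose assignments match the sign-in applies, exclusions beat inclusions, a block in any applied policy wins, and otherwise the user must satisfy the grant controls of all applied policies, which is why the "most restrictive" outcome emerges without any policy ordering.

```python
# Added illustration (not the video's or Microsoft's code): a toy evaluator for
# Entra ID Conditional Access. Users, policies and locations are invented.
from dataclasses import dataclass

ANY = "All"          # the portal's "All users" / "All cloud apps" / "Any location"
UNKNOWN = "unknown"  # sign-in whose country could not be resolved (common with IPv6)


@dataclass(frozen=True)
class SignIn:
    user: str
    app: str
    country: str                  # ISO country code or UNKNOWN
    client_app: str = "browser"   # or "mobileAppsAndDesktopClients", "exchangeActiveSync", "other"


@dataclass(frozen=True)
class CountryLocation:
    """A countries/regions named location; include_unknown mirrors the
    'Include unknown countries/regions' checkbox."""
    countries: frozenset
    include_unknown: bool = False

    def matches(self, country: str) -> bool:
        if country == UNKNOWN:
            return self.include_unknown
        return country in self.countries


@dataclass(frozen=True)
class Policy:
    name: str
    include_users: frozenset = frozenset({ANY})
    exclude_users: frozenset = frozenset()
    include_apps: frozenset = frozenset({ANY})
    include_locations: frozenset = frozenset({ANY})   # ANY or named-location names
    exclude_locations: frozenset = frozenset()        # named-location names only
    client_apps: frozenset = frozenset({ANY})
    controls: frozenset = frozenset()                 # e.g. {"mfa"}, {"compliantDevice"}, {"block"}
    operator: str = "AND"                             # "AND" = require all controls, "OR" = require one


def _in_locations(names, country, locations) -> bool:
    # "Any location" matches every sign-in, including one with no resolvable country;
    # a named country location only matches UNKNOWN when include_unknown is ticked.
    if ANY in names:
        return True
    return any(locations[n].matches(country) for n in names)


def applies(policy: Policy, s: SignIn, locations) -> bool:
    """Does the policy's assignment scope cover this sign-in? Exclusions win over inclusions."""
    if s.user in policy.exclude_users:
        return False
    if ANY not in policy.include_users and s.user not in policy.include_users:
        return False
    if ANY not in policy.include_apps and s.app not in policy.include_apps:
        return False
    if ANY not in policy.client_apps and s.client_app not in policy.client_apps:
        return False
    if not _in_locations(policy.include_locations, s.country, locations):
        return False
    if _in_locations(policy.exclude_locations, s.country, locations):
        return False
    return True


def evaluate(policies, s: SignIn, locations):
    """All in-scope policies apply at once. A block in any of them wins; otherwise the
    user must satisfy the grant controls of every one of them (the 'most restrictive' outcome)."""
    hits = [p for p in policies if applies(p, s, locations)]
    blockers = sorted(p.name for p in hits if "block" in p.controls)
    if blockers:
        return ("block", blockers)
    required = sorted((p.name, sorted(p.controls), p.operator) for p in hits if p.controls)
    return ("grant", required)


# Invented tenant: an office in India and a travel location for the CEO's UK trip.
LOCATIONS = {
    "Office-India": CountryLocation(frozenset({"IN"})),
    "Travel-UK": CountryLocation(frozenset({"GB"})),
}

POLICIES = [
    # Geo allow-list for everyone except the CEO: anything not from India is blocked.
    Policy("Block outside India", exclude_users=frozenset({"ceo"}),
           exclude_locations=frozenset({"Office-India"}), controls=frozenset({"block"})),
    # The CEO's own allow-list while travelling: India and the UK only.
    Policy("CEO: block outside India+UK", include_users=frozenset({"ceo"}),
           exclude_locations=frozenset({"Office-India", "Travel-UK"}), controls=frozenset({"block"})),
    # Everyone needs MFA for the SSO app, whatever other policies say.
    Policy("Require MFA for SSO app", include_apps=frozenset({"sso-app"}), controls=frozenset({"mfa"})),
    # Legacy protocols cannot complete MFA, so they are blocked outright.
    Policy("Block legacy auth", client_apps=frozenset({"exchangeActiveSync", "other"}),
           controls=frozenset({"block"})),
]


def decide(user, country, app="sso-app", client_app="browser", policies=POLICIES, locations=LOCATIONS):
    return evaluate(policies, SignIn(user, app, country, client_app), locations)


if __name__ == "__main__":
    for case in [("alice", "IN"), ("alice", "GB"), ("ceo", "GB"), ("ceo", "US"),
                 ("ceo", UNKNOWN), ("alice", "IN", "sso-app", "other")]:
        print(case, "->", decide(*case))
```

Running it shows the CEO-only policy answering the "UK only, or India and UK?" question (both, because both named locations sit in its exclude list), the staff policy still blocking everyone else from the UK, and the MFA policy adding its requirement on top of whichever grant survives. It also shows the IPv6 trap: with the India location not including unknown countries, the CEO signing in from an unresolved address hits his own block policy; flipping `include_unknown` to `True` on that location is what lets the sign-in through. Adding a policy that blocks all users from the SSO app makes every sign-in to it a block regardless of the MFA policy, which is the "block takes precedence" case.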
The user interface in Entra has changed (of course). Still a good video.
Great videos! You've added a new subscriber.
Very helpful
I don't have that many options under Protect & secure, just Authentication methods and Password reset. How do I unlock Conditional Access?
This sounds like a licensing issue.