Practical Conditional Access: The Secure Endpoint

  • Published 20 Jul 2024
  • In this final video on Practical Conditional Access, we share our favorite set of policies for securing access to your organization's environment. We focus on "The Secure Endpoint" policy, a customizable template that addresses a variety of scenarios. Its main goal is to limit access from non-managed devices and to ensure that our BYOD options limit the extraction of data from our environment.
    We've also included some valuable resources to help you customize your own Conditional Access policies, such as an Excel download, a video on device compliance by Matt Soseman, and links to Microsoft's MAM policies and device enrollment restrictions.
    If you find this policy helpful, please let us know in the comments!
    The Secure Endpoint policy is designed to tackle the following scenarios:
    • Secure access to the environment using MFA or trusted devices
    • Allow access to Office 365 from corporate-managed devices without MFA
    • Allow users to access Office 365 from BYOD but require MDM or MAM
    • Allow end users to access from unmanaged devices using a web browser but block downloads to those devices
    • Block access to legacy apps
    🔍 R E S O U R C E S
    • Excel Download: github.com/dougsbaker/Public-...
    • Matt Soseman Device Compliance: • Design a Device Compli...
    • MAM Policies: learn.microsoft.com/en-us/mem...
    • Device Enrollment Restrictions: learn.microsoft.com/en-us/mem...
    📹 C H A P T E R S
    00:00 Intro
    01:28 Policy Planning
    04:23 Policy Prerequisites and Creating a Testing Group
    07:25 [MFA] Baseline All Conditions
    09:00 [Block] Legacy Protocols
    10:26 [MDM or Hyb] Windows 10 access
    14:15 [MDM] MacOS access
    15:54 [MDM or MAM] Mobile Devices
    18:33 [MDCA] Block web downloads on unmanaged devices
    22:05 [Reset] High Risk User
    24:15 [MFA] Risky Sign-in
    26:03 Testing Experience
    31:30 Final Thoughts
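The chapter list above is the build order for the policy set, and the scenario list is the goal each policy serves. As an added example that is not code from the video or its Excel download, the script below creates that set with the Microsoft Graph PowerShell SDK, in report-only mode and scoped to a pilot group, so nothing is enforced until the sign-in log shows what each policy would have done. Assumptions: the Microsoft.Graph module is installed and you hold the Conditional Access Administrator role; the two group IDs are placeholders; the split between desktop clients (platform policies) and browser (the MDCA session policy) and the break-glass exclusion are my reading of how the chapters compose, not statements from the video. The device filter on the MDCA policy is written as a single rule string, so the "OR" that the comments below discuss is the explicit `-or` between the two clauses.

```powershell
# Added example, not from the video or its Excel download: builds the
# "Secure Endpoint" policy set with Microsoft.Graph.Identity.SignIns.
# Every policy is report-only and scoped to a pilot group.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$pilotGroup = '00000000-0000-0000-0000-000000000001'   # placeholder: CA testing group
$breakGlass = '00000000-0000-0000-0000-000000000002'   # placeholder: emergency-access accounts

# Common scope: pilot users in, break-glass accounts out (the exclusion is my addition).
$users     = @{ includeGroups = @($pilotGroup); excludeGroups = @($breakGlass) }
$allApps   = @{ includeApplications = @('All') }
$o365      = @{ includeApplications = @('Office365') }   # the Office 365 app group
$managedOr = @{ operator = 'OR'; builtInControls = @('compliantDevice', 'domainJoinedDevice') }

$policies = @(
    @{  # [MFA] Baseline: MFA is the floor, but a managed device satisfies it (the OR scenario)
        displayName   = 'CA01 [MFA] Baseline All Conditions'
        conditions    = @{ users = $users; applications = $allApps; clientAppTypes = @('all') }
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa', 'compliantDevice', 'domainJoinedDevice') }
    },
    @{  # [Block] Legacy protocols cannot answer an MFA prompt, so they are blocked outright
        displayName   = 'CA02 [Block] Legacy Protocols'
        conditions    = @{ users = $users; applications = $allApps; clientAppTypes = @('exchangeActiveSync', 'other') }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    },
    @{  # [MDM or Hyb] Windows desktop clients: Intune-compliant OR hybrid-joined, no MFA on those
        displayName   = 'CA03 [MDM or Hyb] Windows access'
        conditions    = @{ users = $users; applications = $o365; clientAppTypes = @('mobileAppsAndDesktopClients')
                           platforms = @{ includePlatforms = @('windows') } }
        grantControls = $managedOr
    },
    @{  # [MDM] macOS desktop clients: Intune-compliant only (there is no hybrid join for Macs)
        displayName   = 'CA04 [MDM] MacOS access'
        conditions    = @{ users = $users; applications = $o365; clientAppTypes = @('mobileAppsAndDesktopClients')
                           platforms = @{ includePlatforms = @('macOS') } }
        grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice') }
    },
    @{  # [MDM or MAM] Phones: enrolled in Intune OR using an app under an app-protection policy
        displayName   = 'CA05 [MDM or MAM] Mobile Devices'
        conditions    = @{ users = $users; applications = $o365; clientAppTypes = @('mobileAppsAndDesktopClients')
                           platforms = @{ includePlatforms = @('android', 'iOS') } }
        grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice', 'compliantApplication') }
    },
    @{  # [MDCA] Browser from anything NOT managed: allow, but route the session through
        # Defender for Cloud Apps with downloads blocked. The exclude filter is an -or:
        # a device that is compliant OR hybrid-joined is exempt from the session control.
        displayName     = 'CA06 [MDCA] Block web downloads on unmanaged devices'
        conditions      = @{ users = $users; applications = $o365; clientAppTypes = @('browser')
                             devices = @{ deviceFilter = @{ mode = 'exclude'
                                 rule = 'device.isCompliant -eq True -or device.trustType -eq "ServerAD"' } } }
        sessionControls = @{ cloudAppSecurity = @{ isEnabled = $true; cloudAppSecurityType = 'blockDownloads' } }
    },
    @{  # [Reset] High-risk user: MFA AND a password change, re-evaluated on every sign-in
        displayName     = 'CA07 [Reset] High Risk User'
        conditions      = @{ users = $users; applications = $allApps; clientAppTypes = @('all'); userRiskLevels = @('high') }
        grantControls   = @{ operator = 'AND'; builtInControls = @('mfa', 'passwordChange') }
        sessionControls = @{ signInFrequency = @{ isEnabled = $true; frequencyInterval = 'everyTime'
                                                  authenticationType = 'primaryAndSecondaryAuthentication' } }
    },
    @{  # [MFA] Risky sign-in: medium or high sign-in risk always gets a fresh MFA prompt
        displayName   = 'CA08 [MFA] Risky Sign-in'
        conditions    = @{ users = $users; applications = $allApps; clientAppTypes = @('all'); signInRiskLevels = @('medium', 'high') }
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    }
)

foreach ($p in $policies) {
    # Report-only: evaluated and written to the sign-in log, never enforced.
    $p['state'] = 'enabledForReportingButNotEnforced'
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    '{0,-55} {1}' -f $created.DisplayName, $created.Id
}
```

Two checks before flipping any of these to enabled: the two risk policies (CA07, CA08) only evaluate when Entra ID Protection is licensed, and CA06 only takes effect for apps that have been onboarded to Conditional Access App Control in Defender for Cloud Apps; otherwise both report-only results will look clean for the wrong reason. Review the "Report-only" tab of the sign-in log for the pilot group across every platform the policies target, then switch state to enabled one policy at a time.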

Comments • 9

  • @macm3086
    @macm3086 1 year ago +1

    After watching your playlist on conditional access policies, I have learned so much, and I am implementing some of them. Your style of teaching is easy to follow and understand.

    • @DougDoesTech
      @DougDoesTech 1 year ago

      Thanks so much for the kind words Mac! Glad you found it helpful. Let me know what you're interested in having me cover next.

  • @CautionCU
    @CautionCU 1 year ago

    Really nice explanation and build-out. I think that it is worth noting that for small organizations with just a few devices, device trust settings are a really good way to lock yourself out. Good idea to maybe require EITHER device compliance or MFA from trusted IPs, for example.

    • @DougDoesTech
      @DougDoesTech 1 year ago

      Absolutely, that is why the process above is designed to support that OR scenario, where it will not lock you out if you are not on that device platform.

  • @Sn0_0zE
    @Sn0_0zE 1 year ago +1

    Great video and document. Quick note: at the MDCA bit where you are doing the exclude filter, you set all of the filters to "AND" but mentioned "OR". I guess they should both be set to "OR" for each of the options to be validated?

    • @DougDoesTech
      @DougDoesTech 1 year ago +1

      Correct, I was trying to work too quickly and didn't move the toggles over. It should be an OR.

    • @andywallace9661
      @andywallace9661 1 year ago

      I was just going to say the same.

  • @andywallace9661
    @andywallace9661 1 year ago

    Great video. One question: when you filtered on device type (phone, Windows, etc.), isn't it best practice to select all devices and exclude the devices you don't want it to apply to?

    • @DougDoesTech
      @DougDoesTech 1 year ago

      As in all things, my feeling is it depends... If you are doing a policy that requires your device to be Windows only, then yes, that is the best way to handle it. However, if you are putting multiple controls targeting the individual device platforms then I feel it's okay. However, you may want to include, and I have considered adding to this design, a policy that targets unknown/unsupported device types.