Category: Conditional Access

Conditional Access: The Day of the Joining Device

This blog will be about a new user action in Conditional Access and how to deploy this setting. I will also show you how to deploy this rule among all the other rules in Conditional Access with the use of PowerShell. When you join/register a device you will need to require MFA, in my opinion. It’s also a part of our baseline tenant enrollment. I guess you don’t want someone outside your company joining a device with stolen credentials? Otherwise requiring…

Gmail: King of the monsters

Different week, different use case. This blog will be about the impossibility of having Gmail as your email client in combination with Android work profiles and Conditional Access. Why not use Outlook? That’s indeed a very good question, as Gmail is also not an approved app. I guess users are just used to working with the Gmail app. They prefer the Gmail calendar notifications to the Outlook calendar notifications. Of course, we advised them to start using Outlook, but the…

Zero Trust Security Flow

Everything is about Zero Trust security; you will need to implement it. A lot of articles have been written about Zero Trust security in the last few months. Some examples: Zero Trust Security (microsoft.com), Take the Zero Trust Assessment (microsoft.com). How best to explain Zero Trust? It’s like the Ronald Reagan quote, but with one additional word: never trust, but verify. Zero Trust ensures identities are verified and devices are safe before you can access your corporate apps and data….

The book of Non-Managed Shared Devices

This blog will be about the options you have when you have a lot of non-managed shared devices that need to run the Teams desktop app. Imagine the following scenario: just before the first COVID-19 wave, a company made the decision to transform into a modern Zero Trust organization. Before this decision was made, everyone was working on a remote desktop cluster placed inside a datacentre, and none of their (shared) on-premises devices were managed….

The Conditional Access Experiment

Some time ago I was inspired to check something out. Of course, almost all schools are working with Teams nowadays, and so is my son’s school. After installing Teams and logging in with my son’s Office 365 account, I was asked the famous question whether I wanted to “allow my organization to manage my device”. Okay… So the school allows anyone to register a device to their tenant? I guess the school has a lot of devices to manage. If it…

Fantastic PowerShell and where to find the CA Rules

Automating your tenant deployment is crucial in preventing human mistakes. This is one example from my own experience when working in the field with PowerShell and JSON. When automating your Conditional Access deployments as I did, you can run into some very weird situations… So, what did I do? I fired up a PowerShell session from a special Windows 10 VM (created for deployments) and logged in with my admin user in the customer’s (test) tenant WVDCLOUD: admin@wvdcloud.nl. I checked once again…

Continuous Access Evaluation: Rise of the Claim challenge

Hi refresh tokens, hi lag when terminating users or setting a new password. Welcome continuous access evaluation (CAE), bye lag (one-hour refresh token). A claims challenge is a mechanism to indicate that the token was rejected and a new token needs to be issued. So what are the benefits? User termination or password change/reset: user session revocation will be enforced in near real time. Network location change: Conditional Access location policies will be enforced in near real time. Token export to…

Basic Authentication and the Last Crusade

In this blog I’ll show you a new option to disable basic authentication protocols. As most of you probably know, Microsoft is going to disable basic authentication for ActiveSync, PowerShell, Exchange Web Services, POP3 and IMAP4. You should disable POP3 and IMAP basic authentication in particular as soon as possible. Of course, implementing Conditional Access rules is the way to go. Read my other blog to learn how to automate your Conditional Access deployment. When not having the proper licensing for…

The curse of the IPV6 and conditional access.

Imagine this scenario: a customer wants to migrate to Office 365, but without compliant devices. You still want to protect their data. One of the Conditional Access rules you’ll probably implement: blocking access from foreign countries. It’s not the best Conditional Access policy out there, but hey… it creates another barrier. Beware of the IPv6 curse though: Conditional Access and IPv6 don’t go well together. When you implement this policy without your devices being compliant, there is a possibility users…

Conditional Access, the good, the bad and the ugly

What do I mean by this? Conditional Access is a powerful tool within the Microsoft 365 environment. Even when you implement just the basics, it provides your tenant with a security baseline. There are some quirks and flaws that I’ll cover in this blog. The good: you can control the IF and THEN conditions. For example, IF an end user tries to connect to portal.office.com from a non-compliant device, THEN it should prompt for MFA. There are a lot of other possible Conditional Access rules you could implement, giving you more control over things such as risky…
