Conditional Access

Exploring the Essentials of Conditional Access: Techniques, challenges, and strategies for effective cybersecurity using CIPP.

Last updated 1 year ago

View the recording here: https://youtu.be/PG6fN4J7VVY

Session Abstract

Our inaugural Sip & CIPP event offered a deep dive into Conditional Access, emphasizing the practical application of Conditional Access policies within the CIPP framework. We explored the nuances of policy creation, management, and the integration of Continuous Access Evaluation for enhanced security. We also shed light on device-specific policies, best practices for complex policy management, and the interaction of Conditional Access with Microsoft 365.

Learning Objectives

  1. Practical Understanding of Conditional Access: Gain a working knowledge of Conditional Access principles and their impact on cybersecurity in MSP contexts.

  2. Strategic Policy Implementation: Learn to strategically implement and manage Conditional Access policies tailored to diverse environments.

  3. Troubleshooting and Optimization Skills: Acquire skills in troubleshooting and optimizing Conditional Access systems for varied client scenarios.

  4. Integrating Conditional Access with Broader Frameworks: Discover how to seamlessly integrate Conditional Access into broader MSP cybersecurity strategies and Microsoft 365 ecosystems.

Detailed Topic Coverage

Overview of Conditional Access

  • Fundamental Principles: Conditional Access policies are not processed top-down like firewall rules; every policy that applies to a sign-in is evaluated together after authentication, and a block in any one of them overrides the grants of the others.

  • Policy Evaluation Mechanics: Policies are merged into a single evaluation block to determine access, emphasizing the importance of strategic policy design.

Implementation Strategies

  • Policy Creation and Management: Discussion on creating and managing Conditional Access policies, focusing on best practices for implementation.

  • License Requirements: Emphasis on the necessity of appropriate licensing (e.g., P1 licenses) for each user to utilize Conditional Access features.

Continuous Access Evaluation

  • Significance and Activation: Continuous Access Evaluation is a key feature for maintaining security, constantly reevaluating access tokens to enhance protection.

  • Location-Based Policies: Implementing policies that react to IP address changes, requiring immediate reauthentication, thus countering phishing and token theft.

Device and User-Specific Policies

  • Device-Based Filtering: Strategies for applying policies based on device type and platform, with special considerations for mobile devices to avoid frequent reauthentication.

  • Custom Conditions for Access: The use of custom conditions to define access policies, such as filtering for specific device platforms or excluding mobile devices to reduce unnecessary access challenges.

Policy Complexity and Best Practices

  • Combining Multiple Policies: Challenges and strategies in managing complex policy structures, ensuring that the combined result of all policies aligns with the intended security posture.

  • Best Practices in Policy Design: Recommendations on excluding the service provider (partner) tenant from policies and creating narrowly targeted policies for better management and security outcomes.

Integration with Microsoft 365 and CIPP

  • CIPP and Microsoft 365 Synergy: Discussing the integration and cooperative functionality between Conditional Access policies and Microsoft 365, including the impact on applications like Outlook on different operating systems.

  • CIPP for Policy Management: Utilizing CIPP to control and streamline Conditional Access policy implementation and management across different user scenarios.

Chat FAQ

Q: Is the Continuous Access Evaluation feature coming to anything but P2?

A: The feature is actually a P1 feature and is currently active for all users who are using security defaults. This applies to anyone, even without a P1 license, as long as security defaults are enabled.

Q: Now that Microsoft is pushing automatic CA policies, do CA policies require security defaults being turned off?

A: When using Conditional Access MFA, it's recommended to disable per-user MFA. If per-user MFA is employed, your Conditional Access policies will be ignored and not used for any evaluation, leading to each logon being a per-user MFA logon.

Q: What to do with mailboxes configured with a license and login but used by multiple users?

A: The recommendation is to stop using individual credentials for shared mailboxes. Instead, grant full access permissions to users for the mailbox, allowing them to log in using their own credentials and MFA. It's also advised to encourage the use of the Outlook app on iOS for better functionality and security.

Q: How can we avoid 'pass the cookie' attacks even with Conditional Access and MFA enabled?

A: Use Continuous Access Evaluation with strictly enforced location policies. This approach, combined with excluding mobile devices from certain conditions, can effectively prevent 'pass the cookie' attacks. Additionally, always revoke all session tokens if a user is compromised.

Q: If a login occurs before a policy is set to "on" and a new policy is enabled that would block the user, will the session survive until a new token is needed?

A: Yes, the session will survive unless Continuous Access Evaluation is enabled. In those cases, every time a token is used, it is re-evaluated.

Q: When excluding the service provider in Conditional Access policies, do you mean the GDAP groups or a specific object?

A: You need to exclude the tenant ID of the organization. It's recommended to enter the tenant ID as it never changes, although you can also use the domain name. Additionally, using a temporary access password for the 'break glass' account is a good practice.

Q: Will the 'What If' tool in Conditional Access only evaluate policies that are active?

A: Yes, the 'What If' tool will only evaluate policies that are currently active or in report-only mode. Policies in off mode are not evaluated against.

Q: Where can I find more information on the compliant network locations preview?

A: Microsoft's documentation is the best place to start, though it might not be fully updated. A recommended resource is the blog by Merill Fernando, a Microsoft employee with expertise in Conditional Access, available at merrill.net.

Q: What's the ETA for full GDAP vs GA account?

A: The transition to GDAP is ongoing, with workloads and capabilities rapidly expanding. Everything that was possible under DAP should now be available in GDAP, though it might take some time to have all the required access without any excess.

Q: For scenarios needing a 'break glass' GA access, what is being done to address this?

A: In cases where a global administrator account is still required, a solution being tested involves creating temporary global administrators and removing them at a later date, providing just-in-time access.

Q: How can we assign subsite permissions if we can't access the SharePoint site?

A: The solution is to use PowerShell. You will need to know the exact path of what you're applying the permissions to.

Q: How many accounts can one FIDO key secure, especially for MSPs with multiple fully managed customers?

A: The number of accounts a FIDO key can secure depends on the key itself. Some keys may have a limit, like 25 accounts, but others might not have a specific limit. It varies based on the type of FIDO key used.

Q: What about mobile devices in regards to Continuous Access? How to prevent it from affecting iOS and Android Outlook users?

A: To prevent Continuous Access policies from affecting mobile devices, set the policy to apply only to specific OS's such as Windows, macOS, and Linux. This way, mobile devices that constantly change locations won't be unduly affected.
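The combined evaluation described under Policy Evaluation Mechanics, the desktop-only platform scoping from the mobile-device answer above, and the 'What If' point that off policies are never evaluated, as an added Python simulation that is not part of the CIPP documentation or CIPP's own code. Policy shapes are simplified from the Graph conditionalAccessPolicy object, and all policies, users and the contoso.example domain are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    name: str
    state: str                    # "enabled", "disabled", "enabledForReportingButNotEnforced"
    platforms: set = field(default_factory=set)      # empty set = any platform
    exclude_users: set = field(default_factory=set)  # e.g. the break-glass account
    block: bool = False                              # block access (deny)
    controls: set = field(default_factory=set)       # required grant controls

@dataclass
class SignIn:
    user: str
    platform: str                 # "windows", "macOS", "linux", "iOS", "android"

def applies(p: Policy, s: SignIn) -> bool:
    """Does this policy's scope cover the sign-in? Off policies never apply."""
    if p.state == "disabled" or s.user in p.exclude_users:
        return False
    return not p.platforms or s.platform in p.platforms

def evaluate(policies, s):
    """Combine all enforced policies that cover the sign-in, the way Entra does:
    a block in any one of them wins; otherwise every required control is
    collected. Report-only policies are in scope but do not change the result."""
    enforced = [p for p in policies if applies(p, s) and p.state == "enabled"]
    if any(p.block for p in enforced):
        return "block", set()
    required = set()
    for p in enforced:
        required |= p.controls
    return "grant", required

# Constructed policy set mirroring the session's advice: MFA for everyone except
# break glass, device compliance only on desktop platforms so mobile Outlook is
# not challenged on every location change, one enforced block, one pilot.
POLICIES = [
    Policy("Require MFA", "enabled", exclude_users={"breakglass@contoso.example"},
           controls={"mfa"}),
    Policy("Compliant device on desktop", "enabled",
           platforms={"windows", "macOS", "linux"}, controls={"compliantDevice"}),
    Policy("Block Android", "enabled", platforms={"android"}, block=True),
    Policy("Block Linux (pilot)", "enabledForReportingButNotEnforced",
           platforms={"linux"}, block=True),
]
if __name__ == "__main__":
    for plat in ("iOS", "windows", "android", "linux"):
        print(plat, evaluate(POLICIES, SignIn("alice@contoso.example", plat)))
```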

Resources Shared
  1. How many accounts can I register my YubiKey with?: A resource from Yubico detailing the account limits for YubiKeys, especially relevant for understanding the capacity and limitations of YubiKeys for TOTP.

  2. Merill's Identity Insights: Ramblings of an Identity Microsoftie by Merill Fernando, offering insights into identity management and Microsoft-related identity solutions. (Bonus: Merill's Entra Discord for community discussions)

  3. CIPP Conditional Access Setup: Guidance on setting up Conditional Access policies for CIPP, providing best practices and step-by-step instructions.

  4. Microsoft Entra Blog Post: Official Microsoft announcement about Microsoft Entra Internet Access and Microsoft Entra Private Access, expanding into Security Service Edge solutions.

  5. Stop hackers from stealing your Microsoft 365 user's passwords: A video by Merill Fernando providing a live example of Evilginx and its implications for Microsoft 365 password security.