Q: Is the Continuous Access Evaluation feature coming to anything but P2?
A: The feature is actually a P1 feature and is currently active for all users who are using security defaults. This applies to anyone, even without a P1 license, as long as security defaults are enabled.
Q: Now that Microsoft is pushing automatic CA policies, do CA policies require security defaults being turned off?
A: When using Conditional Access MFA, it's recommended to disable per-user MFA. If per-user MFA is employed, your Conditional Access policies will be ignored and not used for any evaluation, leading to each logon being a per-user MFA logon.
Q: What to do with mailboxes configured with a license and login but used by multiple users?
A: The recommendation is to stop using individual credentials for shared mailboxes. Instead, grant full access permissions to users for the mailbox, allowing them to log in using their own credentials and MFA. It's also advised to encourage the use of the Outlook app on iOS for better functionality and security.
Q: How can we avoid 'pass the cookie' attacks even with Conditional Access and MFA enabled?
A: Use Continuous Access evaluation with strictly enforced location policies. This approach, combined with excluding mobile devices from certain conditions, can effectively prevent 'pass the cookie' attacks. Additionally, always revoke all session tokens if a user is compromised.
Q: If a login occurs before a policy is set to "on" and a new policy is enabled that would block the user, will the session survive until a new token is needed?
A: Yes, the session will survive unless Continuous Access Evaluation is enabled. In those cases, every time a token is used, it is re-evaluated.
Q: When excluding the service provider in Conditional Access policies, do you mean the GDAP groups or a specific object?
A: You need to exclude the tenant ID of the organization. It's recommended to enter the tenant ID as it never changes, although you can also use the domain name. Additionally, using a temporary access password for the 'break glass' account is a good practice.
Q: Will the 'What If' tool in Conditional Access only evaluate policies that are active?
A: Yes, the 'What If' tool will only evaluate policies that are currently active or in report-only mode. Policies in off mode are not evaluated against.
Q: Where can I find more information on the compliant network locations preview?
A: Microsoft's documentation is the best place to start, though it might not be fully updated. A recommended resource is the blog by Meryl Fernando, a Microsoft employee with expertise in conditional access, available at merrill.net.
Q: What's the ETA for full GDAP vs GA account?
A: The transition to GDAP is ongoing, with workloads and capabilities rapidly expanding. Everything that was possible under DAP should now be available in GDAP, though it might take some time to have all the required access without any excess.
Q: For scenarios needing a 'break glass' GA access, what is being done to address this?
A: In cases where a global administrator account is still required, a solution being tested involves creating temporary global administrators and removing them at a later date, providing just-in-time access.
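Added example, not from the original Q&A and not a Microsoft-provided script: the "temporary Global Administrator" pattern described above, implemented with the Microsoft Graph PowerShell SDK. It grants the directory role, records an expiry in a local ledger file (a hypothetical file name chosen for this example), and a second function removes any grants whose expiry has passed. Assumptions: the Global Administrator role has already been activated in the tenant, the role template ID is the well-known `62e90394-69f5-4237-9190-012177145e10`, and the caller holds `RoleManagement.ReadWrite.Directory`.

```powershell
# Added example: just-in-time Global Administrator without PIM, using Microsoft Graph PowerShell.
# Requires: Install-Module Microsoft.Graph (Identity.DirectoryManagement and Users sub-modules).
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All"

$GlobalAdminTemplateId = "62e90394-69f5-4237-9190-012177145e10"   # well-known role template ID
$LedgerPath = ".\temp-ga-ledger.csv"                               # hypothetical local ledger (assumption)

function Get-GlobalAdminRole {
    # Directory roles only appear in Get-MgDirectoryRole once activated in the tenant (assumption).
    $role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$GlobalAdminTemplateId'"
    if (-not $role) { throw "Global Administrator role is not activated in this tenant" }
    return $role
}

function Grant-TemporaryGlobalAdmin {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [ValidateRange(1, 24)] [int] $Hours = 4
    )
    $role = Get-GlobalAdminRole
    $user = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName
    $ref  = @{ "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)" }
    New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -BodyParameter $ref

    # Record when the grant must be revoked; stored as ISO 8601 UTC so it parses culture-independently.
    $expiry = (Get-Date).ToUniversalTime().AddHours($Hours)
    [pscustomobject]@{
        UserId     = $user.Id
        Upn        = $user.UserPrincipalName
        ExpiresUtc = $expiry.ToString("o")
    } | Export-Csv -Path $LedgerPath -Append -NoTypeInformation
    Write-Host "Granted Global Administrator to $UserPrincipalName until $expiry UTC"
}

function Remove-ExpiredGlobalAdmins {
    # Run this on a schedule (e.g. hourly) so expired grants are actually removed.
    if (-not (Test-Path $LedgerPath)) { return }
    $role = Get-GlobalAdminRole
    $now  = (Get-Date).ToUniversalTime()
    $keep = @()
    foreach ($entry in Import-Csv -Path $LedgerPath) {
        $expires = [datetime]::Parse($entry.ExpiresUtc, [cultureinfo]::InvariantCulture, 'RoundtripKind')
        if ($expires -le $now) {
            Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -DirectoryObjectId $entry.UserId
            Write-Host "Removed Global Administrator from $($entry.Upn)"
        } else {
            $keep += $entry
        }
    }
    # Rewrite the ledger with only the still-active grants; drop the file when nothing remains.
    if ($keep.Count -gt 0) { $keep | Export-Csv -Path $LedgerPath -NoTypeInformation }
    else { Remove-Item -Path $LedgerPath -ErrorAction SilentlyContinue }
}

# Usage (placeholder UPN):
# Grant-TemporaryGlobalAdmin -UserPrincipalName "oncall-admin@contoso.com" -Hours 2
# Remove-ExpiredGlobalAdmins
```

The removal step is the part that matters for least privilege: the grant is only "temporary" if something reliably runs `Remove-ExpiredGlobalAdmins` after the window closes, so schedule it rather than relying on someone remembering. Where the tenant has P2, Privileged Identity Management provides the same time-bound assignment natively and should be preferred over a hand-rolled ledger.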
Q: How can we assign subsite permissions if we can't access the SharePoint site?
A: The solution is to use PowerShell. You will need to know the exact path of what you're applying the permissions to.
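Added example, not from the original Q&A: one way to apply permissions to a subsite without opening it in the browser, using PnP PowerShell (the answer says only "PowerShell"; PnP is this example's choice). The subsite URL, user and role are placeholders. Assumptions: the account running the script is a site collection or SharePoint administrator, and, for current PnP.PowerShell releases, `Connect-PnPOnline -Interactive` is used with the tenant's own app registration (`-ClientId`).

```powershell
# Added example: grant a user a role on a specific subsite with PnP PowerShell.
# Requires: Install-Module PnP.PowerShell
$subsiteUrl = "https://contoso.sharepoint.com/sites/Finance/Audit"   # placeholder; must be the exact subsite path
$userUpn    = "auditor@contoso.com"                                 # placeholder user
$roleName   = "Contribute"                                          # an existing role definition on the web

# Connect directly to the subsite, not the site collection root, so cmdlets target that web.
Connect-PnPOnline -Url $subsiteUrl -Interactive   # add -ClientId <app id> on recent PnP releases (assumption)

# If the subsite still inherits permissions, break inheritance first so the grant applies
# only here. $true copies the parent's current assignments, $false leaves item-level scopes alone.
$web = Get-PnPWeb -Includes HasUniqueRoleAssignments
if (-not $web.HasUniqueRoleAssignments) {
    $web.BreakRoleInheritance($true, $false)
    Invoke-PnPQuery
}

# Fail early if the role definition does not exist on this web (typo protection).
if (-not (Get-PnPRoleDefinition -Identity $roleName -ErrorAction SilentlyContinue)) {
    throw "Role definition '$roleName' not found on $subsiteUrl"
}

Set-PnPWebPermission -User $userUpn -AddRole $roleName

# Verify what the user now holds on this web.
$web = Get-PnPWeb -Includes RoleAssignments
foreach ($ra in $web.RoleAssignments) {
    Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
    if ($ra.Member.LoginName -like "*$userUpn*") {
        "{0}: {1}" -f $ra.Member.Title, (($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", ")
    }
}
```

Breaking inheritance is a one-way change that is easy to forget; if the subsite should keep following its parent, skip that block and apply the permission at the parent instead.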
Q: How many accounts can one FIDO key secure, especially for MSPs with multiple fully managed customers?
A: The number of accounts a FIDO key can secure depends on the key itself. Some keys may have a limit, like 25 accounts, but others might not have a specific limit. It varies based on the type of FIDO key used.
Q: What about mobile devices with regard to Continuous Access? How to prevent it from affecting iOS and Android Outlook users?
A: To prevent Continuous Access policies from affecting mobile devices, set the policy to apply only to specific OSes such as Windows, macOS, and Linux. This way, mobile devices that constantly change locations won't be unduly affected.
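Added example, not from the original Q&A and not Microsoft's own sample: a Microsoft Graph PowerShell script that creates the location-based Conditional Access policy described in this answer and in the earlier "pass the cookie" answer, scoped to Windows, macOS and Linux so roaming Outlook on iOS/Android stays out of scope, plus the session-revocation call for a compromised user. Assumptions: the tenant already has trusted named locations defined, the break-glass account object ID is a placeholder, and the policy is created in report-only mode first. The CAE strict location enforcement session control is exposed through the beta Graph endpoint in my experience; treat that part as an assumption to verify against current documentation.

```powershell
# Added example: location-restricted CA policy for desktop platforms only, then session revocation.
# Requires: Install-Module Microsoft.Graph (Identity.SignIns and Users.Actions sub-modules).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.RevokeSessions.All"

$breakGlassObjectId = "00000000-0000-0000-0000-000000000000"   # placeholder: your break-glass account's object ID

$policy = @{
    displayName = "Block sign-in outside trusted locations (Windows, macOS, Linux)"
    # Start in report-only; flip to "enabled" only after reviewing sign-in logs and the What If tool.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlassObjectId) }
        applications = @{ includeApplications = @("All") }
        # Platform scoping is what keeps constantly-roaming mobile Outlook clients out of this policy.
        platforms    = @{ includePlatforms = @("windows", "macOS", "linux") }
        # Every location except the tenant's trusted named locations.
        locations    = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
    # Assumption: strict location enforcement for CAE is a session control on the beta endpoint:
    #   sessionControls = @{ continuousAccessEvaluation = @{ mode = "strictLocation" } }
    # created via New-MgBetaIdentityConditionalAccessPolicy. Verify before relying on it.
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.DisplayName) with id $($created.Id) in state $($created.State)"

# Incident response step from the pass-the-cookie answer: invalidate refresh tokens and session
# cookies for a compromised user so a stolen cookie stops working instead of living out its lifetime.
function Revoke-CompromisedUserSessions {
    param([Parameter(Mandatory)] [string] $UserPrincipalName)
    $result = Revoke-MgUserSignInSession -UserId $UserPrincipalName
    if ($result.Value) { Write-Host "Revoked all sign-in sessions for $UserPrincipalName" }
    else { Write-Warning "Revocation call returned false for $UserPrincipalName" }
}

# Usage (placeholder UPN):
# Revoke-CompromisedUserSessions -UserPrincipalName "victim@contoso.com"
```

Because the policy carries a platform condition, it only evaluates sign-ins where the platform can be determined; check report-only results for "unknown" platforms before enforcing. Session revocation forces re-authentication everywhere, so pair it with a password reset and an MFA method review rather than treating it as the whole remediation.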