Andy, thank you sincerely for sharing such valuable knowledge. I genuinely appreciate it. I hope that one day, I will have the opportunity to meet you in person and express my gratitude personally :)
With IPv6 you want to make sure you allow unnamed locations. IPv6 doesn't always give a location and you can accidentally lock out your CEO from the calendar when he's trying to plan his mother's funeral.
well done. I want to suggest a more practical approach with examples in a real environment and with a specific set of policies that are basic best practice. not only showing the admin portal but also show a real result on a device. also a minimum security setup with a set of policies and settings would be nice as example. also we want to copy and paste a basic set of policies and settings from one tenant to another, to have best practice minimal settings for all clients. maybe one or more of those suggestions will lead to an update video on this neat features...thanks!
Regarding the warning about the legacy authentication clients: disable legacy authentication by default (it's a recommendation documented by Microsoft somewhere). Either set a CA policy to block it entirely, or disable it through the Admin center (or both).
Just a mention: User Risk and Sign In Risk require P2 licensing. Many NGOs that I handle do not get that in their licensing. Conditional access appears with P1 licensing which my NGOs apparently all have by default. (sigh)
Hello, I just found your video.. it is really interesting and helpful, it solved a lot of my questions, I was recently tasked to use conditional access to block access to onedrive on non company devices, any ideas on how to block one drive only?
Love your content. Been following for a while now. Question for you on MFA/CA policies. As an admin, my phone screen went out on me, leaving me basically without a phone. Couldn't receive calls or texts which is what my MFA was configured for. What's the best way to configure myself so that if I'm ever in this situation again, I can still authenticate and access M365?
This is easy. Go into Microsoft 365 and go into the users account. There is an option to reinforce MFA. This will then force the user to repeat the MFA registration process. It’s well documented, learn.microsoft.com. Good luck
Thanks for the vedio. Could you please let me know what would be the ideal way to configure a policy if i wants to block all the countries and only allow users to login from the country where our office resides I know we can simply create this using named location and CA But what if any of my users travelling and i need to give them access to those countries as well.(only that user) i also dont want that user to get access to any other country than where she is travelling and office locations I tried multiple ways of creating polcies , but none seems to be fitting in. Some or the other flaws Can you please help me here
I would probably create an allow only list which blocks all other countries using location based conditional access. For documentation on this please visit learn.microsoft.com or post a question to the Microsoft tech community 😊
@@AndyMaloneMVPi beleive u probably misuderstood my question I will give you an example. My office resides in india. So i created a names location named office location and selected india . Created a policy excluding office location i.e india . Included any location . Grant acess block for all users. Now for eg if my CEO is travelling to UK , i want to allow him to login to all apps from india as well as UK. So if i exclude him from the main policy , he would be able to login from anywhere. But i only want him to login from uk and india. Secondly if i exclude him from main policy and create a new names location travel country and add UK. And create a new CA policy adding only my CEO and blocking any location excluding travel country. Would he be able to login only from uk or india and uk?? Secondly everytime when user travels we have to add them to secuity group and remove later which is a lot manual work So what would you suggest You help would be much appreciated . Thanks again for the swift response
@@abayomitaoheed9734 please send me an email via my RUclips channel or LinkedIn giving me details of where your located and what training your looking for. My schedule is very busy but I can see if I can fit you in.
Andy, thank you sincerely for sharing such valuable knowledge. I genuinely appreciate it. I hope that one day, I will have the opportunity to meet you in person and express my gratitude personally :)
Aw that is so kind, thank you so much. I really do appreciate that 😊 and 👍
Great Video!
Perfect timing. I was just coming to your channel looking for info on this!
Hey that’s awesome😊I hope you’ll subscribe 👍
Great explanation
Thanks alot Andy,
a very informative video Thank you!
A great quick crash course, thank you!
With IPv6 you want to make sure you allow unnamed locations. IPv6 doesn't always give a location and you can accidentally lock out your CEO from the calendar when he's trying to plan his mother's funeral.
Your comment made me laugh
@@BloomerzUK it wasn't a call I wanted at 6AM on a Sunday. Lol lesson never forgotten.
@@brandonw1604 I thought you were joking.. you poor sod!
@@BloomerzUK nope, didn't know about IPv6 and locations.
Odly specific. Poor guy I wouln't want that call.
well done. I want to suggest a more practical approach with examples in a real environment and with a specific set of policies that are basic best practice. not only showing the admin portal but also show a real result on a device. also a minimum security setup with a set of policies and settings would be nice as example. also we want to copy and paste a basic set of policies and settings from one tenant to another, to have best practice minimal settings for all clients. maybe one or more of those suggestions will lead to an update video on this neat features...thanks!
Absolutely, come on one of my courses and I’ll show you
Regarding the warning about the legacy authentication clients: disable legacy authentication by default (it's a recommendation documented by Microsoft somewhere). Either set a CA policy to block it entirely, or disable it through the Admin center (or both).
User interface at Entra has changed (of course). Still a good video.
Andy, as always, excellent content!
Just a mention: User Risk and Sign In Risk require P2 licensing. Many NGOs that I handle do not get that in their licensing. Conditional access appears with P1 licensing which my NGOs apparently all have by default. (sigh)
You’re right identity protection requires P2 conditional access P1
Hello, I just found your video.. it is really interesting and helpful, it solved a lot of my questions, I was recently tasked to use conditional access to block access to onedrive on non company devices, any ideas on how to block one drive only?
Look at the OneDrive settings in the sharepoint admin centre
You can now add some M365 admin portal in the CA. Thanks Andy!
You are quite correct, you always could👍
Great learning, thank you
Glad you enjoyed it
Excelent vifdeo, 1.25 speed is the sweet spot for me but I appreciate the original speed
Cool, thanks
Great video very informative Thanks!!!!
Glad you enjoyed it!
Very helpful
Great Videos! You Add a new Subscriber
well done mate :)
Perhaps for an future update on CA with Windows Defender Cloud for Apps?
If you take a look in my Microsoft defender and Microsoft per view playlists, there are sessions on cloud apps here that explain everything
Love your content. Been following for a while now. Question for you on MFA/CA policies. As an admin, my phone screen went out on me, leaving me basically without a phone. Couldn't receive calls or texts which is what my MFA was configured for. What's the best way to configure myself so that if I'm ever in this situation again, I can still authenticate and access M365?
This is easy. Go into Microsoft 365 and go into the users account. There is an option to reinforce MFA. This will then force the user to repeat the MFA registration process. It’s well documented, learn.microsoft.com. Good luck
Thanks for the vedio.
Could you please let me know what would be the ideal way to configure a policy if i wants to block all the countries and only allow users to login from the country where our office resides
I know we can simply create this using named location and CA
But what if any of my users travelling and i need to give them access to those countries as well.(only that user) i also dont want that user to get access to any other country than where she is travelling and office locations
I tried multiple ways of creating polcies , but none seems to be fitting in.
Some or the other flaws
Can you please help me here
I would probably create an allow only list which blocks all other countries using location based conditional access. For documentation on this please visit learn.microsoft.com or post a question to the Microsoft tech community 😊
@@AndyMaloneMVPi beleive u probably misuderstood my question
I will give you an example. My office resides in india. So i created a names location named office location and selected india .
Created a policy excluding office location i.e india . Included any location . Grant acess block for all users.
Now for eg if my CEO is travelling to UK , i want to allow him to login to all apps from india as well as UK. So if i exclude him from the main policy , he would be able to login from anywhere. But i only want him to login from uk and india.
Secondly if i exclude him from main policy and create a new names location travel country and add UK. And create a new CA policy adding only my CEO and blocking any location excluding travel country.
Would he be able to login only from uk or india and uk??
Secondly everytime when user travels we have to add them to secuity group and remove later which is a lot manual work
So what would you suggest
You help would be much appreciated .
Thanks again for the swift response
Pls,How can I get train from you?
Thanks
Pay me lots of money🤣😂🤗
@@AndyMaloneMVP I'm ready pls
@@abayomitaoheed9734 please send me an email via my RUclips channel or LinkedIn giving me details of where your located and what training your looking for. My schedule is very busy but I can see if I can fit you in.
tks a lot.
Hey thanks so much I appreciate that👍🤗😊
I don't have that many options under protect & secure, just authenticaton methods and password reset. How do I unlock conditional access?
This sounds like a licensing issue.
😞 Promo>SM