The look of confusion and mental juggling going on at the 3:00 mark (and again at 6:00) when trying to figure out what the policy is going to do is my whole experience with CA because of its backwards building nature. A security tool this powerful and useful shouldn't involve puzzles. Also, is there a centralized place to get the results of the Report Only policies or do you just need to look at the user sign-in's details?
I manage a lot of clients and my biggest fear with conditional access is causing user disruption. For example: when I turned on MFA, I didnt realize it would sign users Outlook settings and we had a lot of calls. Report only sounds somewhat promising but doesnt necessarily show if the user will be receiving any prompts on their end. Is there a recommended way of approaching this?
Great vid, I've got lazy recently (or a lot more productive) and have started to use the templates for enabling CA I never saw the point in registering for secure info requiring MFA if MFA is enforced for everyone?
Yeah I can’t see how that helps. Perhaps it ensures that MFA is definitely required when adding additional strong auth methods. It’s possible that the “MFA for everyone” policy has some exclusions or could allow a bypass in certain circumstances. Adding it to this policy explicitly means that it will be required? I dunno.
You want to prevent an attacker from compromising a user who has NOT setup MFA yet, and getting their password to be able to setup the attackers strong authentication. The attacker with just the password could then setup strong authentication methods and complete MFA to satisfy other policies that require MFA. This way the CA policy would require Password + coming from a trusted network OR being able to do strong authentication to manage the authentication methods. It's the securing the bootstrapping scenario, which is where the Temporary Access Pass (TAP) comes in since it's a purpose issued credential and can be set to be used 1 time only to setup strong auth methods. I password spray Jim, get his password, and Jim is on vacation and hasn't setup MFA yet, so I setup MFA on his account that I control, and now I can satisfy MFA for other CA policies. Adding the security info CA policy for that action helps mitigate that.
Indeed. The idea behind this video was to show how easy it is to configure conditional access today. It was not a suggestion that you should go ahead and do that in production without understanding the impact of each policy.
![Megan Thee Stallion - Bigger In Texas [Official Video]](http://i.ytimg.com/vi/QxTkZTLWdo4/mqdefault.jpg)
How do I restrict access for Corp. users on Weekends? I want all users not to use laptops on weekends? Via Intune. Thank you
The look of confusion and mental juggling going on at the 3:00 mark (and again at 6:00) when trying to figure out what the policy is going to do is my whole experience with CA because of its backwards building nature. A security tool this powerful and useful shouldn't involve puzzles.
Also, is there a centralized place to get the results of the Report Only policies or do you just need to look at the user sign-in's details?
I believe it’s a case of using the Sign In reports and analytics. Good question though, I’ll take a look.
😂 I had the opportunity to edit out the utter confusion, but I thought it added to the realism
@@theCMC Glad you kept it in because it helps us viewers relate to a similar situation.
so.. why is it backwards? is this an error on MS part?
I think it’s a UI issue on that configuration screen.
Has this changed some, or is it my licensing different that I don't see any options for Devices.
I manage a lot of clients and my biggest fear with conditional access is causing user disruption. For example: when I turned on MFA, I didnt realize it would sign users Outlook settings and we had a lot of calls. Report only sounds somewhat promising but doesnt necessarily show if the user will be receiving any prompts on their end. Is there a recommended way of approaching this?
Great vid, I've got lazy recently (or a lot more productive) and have started to use the templates for enabling CA
I never saw the point in registering for secure info requiring MFA if MFA is enforced for everyone?
Yeah I can’t see how that helps. Perhaps it ensures that MFA is definitely required when adding additional strong auth methods. It’s possible that the “MFA for everyone” policy has some exclusions or could allow a bypass in certain circumstances. Adding it to this policy explicitly means that it will be required? I dunno.
You want to prevent an attacker from compromising a user who has NOT setup MFA yet, and getting their password to be able to setup the attackers strong authentication. The attacker with just the password could then setup strong authentication methods and complete MFA to satisfy other policies that require MFA. This way the CA policy would require Password + coming from a trusted network OR being able to do strong authentication to manage the authentication methods. It's the securing the bootstrapping scenario, which is where the Temporary Access Pass (TAP) comes in since it's a purpose issued credential and can be set to be used 1 time only to setup strong auth methods. I password spray Jim, get his password, and Jim is on vacation and hasn't setup MFA yet, so I setup MFA on his account that I control, and now I can satisfy MFA for other CA policies. Adding the security info CA policy for that action helps mitigate that.
hm, so you basically created just all the policies without knowing what they do in detail. Don´t see the value in the video?
Indeed. The idea behind this video was to show how easy it is to configure conditional access today. It was not a suggestion that you should go ahead and do that in production without understanding the impact of each policy.
Excellent☺
Nice! 🤗
Configure Azure AD Conditional Access WITH TEMPLATE in Under 10 minutes?
Yeah.