Save Tenant Conditional with airSlate SignNow

Save tenant conditional

all right so first video how to video on this channel and this one we are talking all about security defaults and baseline security policies so if you listen to our podcast you may for in an episode where we discussed the recent announcements around the retirement of baseline conditional access policies getting replaced with security defaults in this video I'm gonna actually walk you through here's all the baseline conditional access policies that existed pre February 28 2020 and here is how to go create the identical conditional access policies in your environment so if you want to continue using conditional access policies instead of security defaults you are prepared for that change on February 28 2020 if you're watching this after February 28 2020 and maybe you have security defaults I'd want to turn it off and know what conditional access policies you should put in place when you turn security defaults off this will show you again those conditional access policies that you should get in place to essentially replace what security defaults does that will meet all the requirements for things like being in partner center and having delegated access to tenants or just those recommended security policies so let's dive into the video I'll walk you through all of it check out the links in the video description that have links to that podcast episode that have links to some of the documentation around what we're doing here if you do like this you want to see more of these like subscribe to the channel and hopefully we'll have more of these types of videos are coming along shortly the first thing we need to do is navigate over to conditional access so let's dive into our Ezzor Active Directory and from Azure Active Directory down to our security and within security we have a conditional access so you'll see in my environment because I'm recording this before baseline policies have been expired I still have my baseline policies in here I have my for the MFA for admins black legacy require MFA for service management and end-user Protection I also have a couple SharePoint ones here for blocking access and I manage devices browser restrictions and then I do have an exchange outlook mobile only these three will be fine because these are not the baseline security policies that we mentioned that are gonna be expired it really is these four that need to be recreated if you don't plan to turn on security defaults again in my tenant I'm not gonna turn on security defaults because frankly I need more control over my conditional access than security defaults are going to allow me to do so in the next couple weeks here before conditional access policies get removed and security defaults is the new process we're gonna create them if this is post security default and you want to know can I turn off security defaults if I do what conditional access policies should I create this we'll walk through creating these four policies if you no longer have access to see what they were now also like a document down below that you can go click on the link put in your email address and the document of all of this policy configuration will be emailed to you so you can have a document at there so the first of our baseline policies that we want to create is require MFA for admins only so let's click on new policy and this is going to be require MFA for admins next we have our users and groups this is going to be our select users and groups and directory roles the minimum that microsoft recommends is what we'll do here obviously you can apply this to a lot more if you want to but Microsoft's recommendation is your billing administrator your conditional access administrator your exchange administrator you have your global administrator your helpdesk administrator now there's a password administrator security administrator SharePoint administrator and our user straighter so those are Microsoft's recommended 9 this is gonna be required again if you're doing if you're a partner and you need MF a.m. for admins this is kind of that bare minimum that you want to apply it to so we'll click done there cloud apps or security this is gonna be all of our cloud apps so we're requiring MFA for those admins in all of our cloud applications once we're done there we can go down to our access controls so we're not going to do anything with conditions for this one and we do want to grant access but we are going to require multi-factor authentication for all of these users so we'll select that one it does give us don't lock yourself out yes we understand that at this point time we're just requiring MFA I would probably recommend having MFA enabled having MFA setup if you do want to exclude a user to make sure you're not gonna lock yourself out you can always exclude yourself go test this out with some others again set an exclusion up here so you know you have an account you can go back in with once you're done we're gonna turn this on I understand my account will be impacted by this policy proceed anyway because frankly this policy is already set up through the baseline policy I can go ahead and create it and now I have my require MFA for admins at this point in time I can actually go in select this one to do not use this policy as this one isn't gonna take effect anymore and I'm just going to be using my requiring a favor admins next one we have is black legacy authentication this one again is on we're gonna go recreate this one so that when those baseline policies go away we're all set this one we said is black legacy authentication and again this is just blocking some of those older devices that may use like IMAP pop3 and really using the more secure modern auth that's part of office 365 now once we have that named we're gonna go in as well and that this one is also going to apply to all users so instead of doing the directory roles for this one we want all users to have to use modern auth again we could exclude users if you have some extenuating circumstances where you need to user an excluded you could do that get recommendations put this to all users I get them all using apps that use modern authentication cloud apps this is another one we're going to apply to all of our cloud apps we don't want any of those excluded conditions this is where we need to go in now to our client apps because those client apps are what's gonna be using that old legacy authentication we want to force them all to modern this one we are going to configure so once we get here we're gonna uncheck browser we don't care about the browser in this stand in this case and we are only going to check other clients so exchange activesync and modern authentication clients we're gonna allow so this policy the way it's configured actually says going and block these other things not just allow modern auth so once we have other clients selected we can click on done here and we are done with this one and now access controls here we are going to block access so this is one where yep we're good it's gonna give us the same warning again make sure that under your conditions and your client apps you don't have the browser selected if you have selected to include the browser and block it you're not going to be able to get back in through the browser and you could have all kinds of problems we're gonna go ahead and turn this one on as well again I don't have any exclusions in mind probably not a bad idea to go put an initial exclusion in while you're testing this out especially if you haven't had these in place before I'm gonna understand it I'm gonna go ahead and click on create so once you go ahead and click create now we have our require MFA we have our block legacy authentication so require them a favor admins so black legacy authentication we can go ahead and turn this one off since we have the baseline policy to replace that one the next one we're gonna do is require MFA for service management if you are looking for the documentation of Microsoft's website this is actually also called requiring MFA for asher management as this one is sending conditional access for requiring it for the azure portal Azure PowerShell as your CLI for this one again we'll do a new policy and this one is going to be for require MFA for Azure management and our assignments here are going to be all of our users again any user no matter who they are if they're signing into the azure portal as your CLI as your PowerShell we want this to apply to them so once we have all users we can go ahead and click on done here this is going to be where we actually specify a cloud app or action so instead of none or all cloud apps we're actually gonna do a selected app this will show all of your applications in your tenant this doesn't necessarily have to be just office 365 apps this can be other applications that are integrated into your environment for again third-party o authe authentic Asian in this case we are just going to look for the Microsoft Azure management service this is a signal service that includes all three of those things we mentioned before the azure portal Azure PowerShell and Azure CLI so this is only going to apply to our Azure management we can go ahead and click through done there to include that app and then this is gonna be just like requiring MFA when we set it up for our Service admins where we are going to go into our access controls grant and just simply click that we're gonna require MFA for this one go ahead and turn that policy on I understand that my account will be impacted by this one because it's impacting all users and go ahead and create so now we have our require MFA for admins are black legacy authentication and our require MFA for Azure management I'm gonna go ahead and turn off the service management one now that we have that one created and then the final baseline policy is this baseline policy for our nd user protection so end-user protection policy is essentially just going in and will click on it so you can see the description is protecting users by requiring multi-factor authentication if there's a risky sign-in attempt so Microsoft will make an attempt to determine if it's a risky sign-in and then go ahead and automatically require MFA in this case so let's go back here and do a new policy and this is our end-user protection policy so once again this one's gonna go in it is going to apply to all of our users because we want this regardless of who they are if it detects it's a risky sign-in we want that picked up and mfa required cloud apps are actions again this is going to be for all cloud applications so we'll select all cloud apps save that one conditions here this is where you have your sign-in risk up here so we're gonna do sign-in risk configure and this is when will this policy apply in this case we're just gonna do a high sign and risk frankly I don't actually know if the medium or if the baseline policy is high and medium this can always come in and be adjusted later so we'll do the high policy device platforms we're not going to configure any of this this is all fine click done and this is now saying in the condition that any of my users are signing in to any cloud apps and their risk condition is labeled as high we're gonna grant access but we are gonna require MFA so if this at all looks risky if it looks like it's from leaked credentials or if it's one of those impossible sign-in situations where you sign in in two different locations in the world within a few minutes of each other it looks suspicious so let's just go ahead and require MFA and not use any of those saved credentials or cash credentials put some extra protection there so we can go ahead and select that again it's going to tell us don't lock yourself out yes we understand all that and we can go ahead and click create now that that's been created we have our end-user protection we can go into our baseline policy up here and turn that off so now we have one of these policies down here requiring MFA black legacy auth require MFA and end-user protection for all of these baseline policies that are going away or will have already gone away come the end of February 2020 so if your post February 2020 and you want to use conditional access instead of security defaults this will meet your requirements for partners for partner Center for those different scenarios when Microsoft actually requires certain levels of MFA or security to be in place and this gives you a little bit more control over being able to exclude certain user accounts if you do need to do that if you do want to still have that break glass accounts and security defaults don't account for that go through this follow this check out the links in the video description if you want links to where Microsoft walks through how to create all of these as well so I hope you enjoyed it hope this helps we'll see you on the next video [Music] [Applause]