Scan Endorser Conditional with airSlate SignNow

Add tenant conditional

hi guys welcome back to our series of Azure Active Directory aren't in this video we are going to talk about conditional access portal configuration now if you're watching this series from the beginning in the last video we have discussed about the theoretical part moreover related to conditional access whereas the agenda of this video will be knowing all the options available on portal dodger comm which includes space line policies conditions access control and what-if option this is the most important part because you can think of what if option has a tool which can let you know that based on a certain parameters which you have included whether a conditional access policy will be triggered for any user or not now in a community post we have also got a request to include a use case for hybridize already join and we will be including that in this video as well the last thing that I will be talking about will be sign-in logs now since this video will be majorly focused on all the configuration that has to be done on portal what I'll do is I'll switch to my machine where I'm signed in on portal dahshur com so this is my machine whereof sign in the portal Dodger comm and I'm in the section of conditional access all you have to do is you have to click on Azure Active Directory and then from the security section select conditional access now this is the first pane which will list all the policies as well as the different set of options which can be customized but let's first focus on all the policies which are available out of the box so if you talk about the first policy which is baseline policy which says requires MFA for admin the purpose of this policy is to prompt the users who are privileged or who are a part of any of these roles to get prompted for MFA this means that any user who is a part of this particular role will be prompted for MFA and this is a directory level change that means this policy will not give you any option to include or exclude different if we talk about the second policy which says end-user protection now there is something which I would like to add on here that as you can see that this policy protects users by requiring mfa during risky sign in attempts to all the application now for those of you who already know how as your any identity protection works this is a very relatable concept but for those of you who don't know how a Giannini identity protection work it's a service which is offered with p2 licence and which detects the risk in every sign in attempt so if there is any risky event detected for a particular authentication request or a particular sign-in request the user will be prompted to do MFA and as you can see that if the policy is enabled users are required to register for mff within 14 days again this is something which is a directory wide change you won't get any option to either select or include or exclude different set of users the third option that we see here is the block legacy authentication policy that means all the older clients that's been used for email they will be blogged this does include some of the clients in the older version of Android and some some of the older version of Windows as well as I'm not really sure you know whether this will be applicable to iOS what I remember that from iOS 11 modern north in April clients are coming but if any client is there which is using active sync natively that will be blocked if we talk about the fourth option which says require and the fee for service management console so if a user is trying to access any of these servers they will be prompted for MFA now these are for baseline policy which will come out of the box for every tenant this is the one which I have created which I will be discussing later so now let's talk about these options which are available and which can be customized up to a great extent so the first option that we get here is named location so what does this mean that you can add the IP ranges of your different site and locations and just name them now the purpose behind creating named location is to either include or exclude them in a particular conditional access policy so what I've done is I've already created one named location this IP doesn't belong to me but I have just added here so that I can show you in the condition section how to include and exclude unnamed location the second option that we see here is custom control now apart from our area verifying different set of parameters if you have any other third-party identity provider for where you want this authentication request or any authentication request to be routed for some sort of authorization you can add them here now again this list is very limited and I will share Microsoft article in the description section which you can review the Terms of Use is a sort of acknowledgement that you want from your users to be accepted before they get access to any kind of application one of the use case which is commonly implemented is when access has been given to an application which holds a lot of confidential information and the access has been given to our devices which are not controlled by enterprises a Terms of Use is being presented for a user so that they can accept and then only the access will be given the fourth option that we see here is weeping connectivity which will help you to create VPN certificates and the fifth and the last option is of classic policies now if by any chance you have created policies in you in the old agile management portal that we'll get to listed here but as of now I don't think that anyone is using the old management portal so you can just leave this option in fact if you're creating new policies you have to create it from this option itself so we have created baseline policies we have also discussed about all these options now what I'll do is I'll discuss about the new policy or how you should create a conditional access policy so in order to create a new policy click on this option and the first thing that you have to render is the name of your conditional access policy and as you can see I'm getting different conditions here on behalf of which we can have different parameters being a scope of conditional access policy the first one here it says users and groups I can either include or some set of users or I can exclude some set of users but what do I actually mean by exclusion is that let's say I am saying that a conditional access policy should be applied to a specific group and out of and inside this group I have 10 users out of which the policy should not be applied to let's say 2 users then I will add those 2 users here the same process goes for cloud apps you can come here and you can select different apps which are already added in Azure Active Directory but there is one more option here which is called user action which has been lately introduced which can help you to get the users registered for mfa as well now let's talk about the conditions tab which has a lot of conditions which you can configure the first one says sign-in risk so what I can say that if any user that has a high sign-in attempt a high risky sign-in attempt then the access should be blocked just one of the use cases but you can have different set of combinations as per your requirement the other one is platform let's say I want MFA to be prompted on all the devices but exclude iOS then the users will not be prompted for MFA and the iOS platform the same thing goes for locations as well and as I have already created a name the location the moment I'll go to the select option you see I'm getting the same name location getting listed here now let's talk about client apps this is moreover related to either browsers or mobile laughs so let's say from a specific location I don't want any user to use browser or I don't want any user to use native client apps so depending upon our requirement I can either remove or I can either add a particular set of client app the last thing that we see here is the device state that means I'm creating a policy with an I will allow access or wear and I will block access but excluding let's say hybrid as already joined or compliant device so let's say for a browser-based session it is allowed but only if you are using hybrid Azure ad journ or compliant device for rest of them it will be blocked so I'll keep this condition like this and here I'll come and select block access so this was all about the conditions cloud app and users and groups now let's talk about access control you get two categories either to block or grant access based on the conditions or based on the outcome of all these conditions this particular action will be taken so the first one says requires MFA which is very simple the other one says requires devices to become blind that means if you are containing a compliant device or if you are using a compliant device and you're trying to access a particular set of application then only you will get the access the same gets applied to hybrid or a Detroit as well but this option that we see here requires approved client app applies to those up which are approved by Microsoft and there is a list which get which you can see right now you won't only get access if you are using any of these apps so this is what the purpose of this particular app option the fourth option that we see here is required app protection policy for you that means that your clients you know the micro I'll give you an example of Microsoft Outlook app that protection policy should also be applied on that client app then only you will get access now this is moreover related to the concepts which are related to in tune so for those of you who already understand what is in tune mom it will be a very relatable concept but those of you who don't understand just assume that there's something called containerization which happens whenever Indian mom mom policy gets applied to all lined up and if it has all the policies and if your enterprise data is separated from your personal data then only you will get the access that means in teen mom should be in place on your device then only you will get the access now this option that you see here is for Terms of Use if you want the Terms of Use to be displayed for a specific authentication and all these conditions you can select this option now let's talk about the session control the first option is only available for exchange and SharePoint Online because this is up and force restriction the second option that we see here is use conditional access up control this gets applied to Microsoft cloud app security for which I will be creating a different series altogether sign-in frequency means that after how many hours or days you want the authentication to be completed and persisted browser session will only be applied to a conditional access if you are scoping all the policies sorry if you are scoping all the applications so as you can see it says here persistent browser session only works correctly when all cloud apps are selected so if you are selecting some set of applications in this particular section you won't be able to enable that particular option so now we have discussed about all the options that are available beat the one which is in manage section be the one which our baseline policy now I will just brief you about the policy that I have created which has a hybrid azure ad join use case and I'll just try to reproduce the issue and I'll show you how the PRT has been sent so what I have said is that if enter which is one of my users trying to access exchange online through browser session then what has to be required is a hybrid azure ad machine and the user has to accept Terms of Use so this is my use case and now what I'll do is I'll switch to my machine which is hybrid Azure ready join and I'll try to show you in action how exactly it works so this is my machine which is hybrid as already joined and as you can see I already have agile ADP RT I've also started fiddler just to see the traffic and I can show you where exactly the PRT is being presented to log and not Microsoft online.com and how exactly everything works so the expected behavior is on getting the prompt to select my user object on my user account in fact and now I should get the Terms of Use okay so up I might have already accepted Terms of Use that's you know that's why it's gone but if I go back to my fiddler trace and if I pause this and if I go to any of the link which is more over a little too long and got Microsoft online calm as you can see that there is a PRT getting presented here and if I copy this header and I open notepad I'll do a word wrap and I will copy this information and I go about tjw T dot IO on let's just check and as you can see his prime lease at it true and this is the refresh token that means this is a prime leading fresh token now the reason of me showing you this information because a PRT contains device ID now think about this as a scenario that on in a particular request when a device ID is sent to login dot Microsoft online.com login dot Microsoft online comm was able to verify the device ID state as hybrid as already joined and the access has been given to a particular user so this was all about knowing you know how a PRT is presented now let me switch to my machine where I have as your ad portal open and as you can see that you can navigate to this all user section and then you can click on your user object and then you can click on sign in and all the sign-in attempts will get listed here where and you can click on any one of this and then you can go ahead and check the device info which is getting presented what kind of browser whether the MFA was required or not so the last thing with which we are left now is the what-if option and for that I'll go back to conditional access and I'll click on of what-if ad as I've said before that you can choose different parameters here just to see whether a specific conditional access policy will be applied or not so what I want to know that if a particular user is trying to access let's say exchange and I want to know what all conditional access policies will be applied so I'll select my application and I will just click on what F and then it will show you which all policies will be applied so as you can see that there is one policy which is named as conditional access and it requires domain enjoined and concepts work the Terms of Use to be accepted now if I go ahead and change this application to let's say some other application for which I have not created any conditional access policy and I'll again click on what F then nothing will be listed here policies that will not be applied will list everything because the baseline policies are not enabled for my tenant so this was all about knowing what F to sign-in attempts and the different set of options that you get here the baseline policies odd everything which is moreover related to portal but still if you think that I have missed something please feel free to let me know in the comment section so let's quickly talk about the summary of what all we have discussed we have discussed about the portal configuration we have discuss about baseline policies access control whatever hybrid as already join and sign and logs so if you guys have learned something new please feel free to subscribe if you have any feedback query or suggestion please feel free to reach me learn concepts work at gmail.com thank you so much thanks for your time