Menu
Modern Workplace Blog
  • Home
  • About: Kenneth van Surksum
  • Cookie Policy
Modern Workplace Blog
November 17, 2021November 17, 2021

Conditional Access announcements from Ignite November 2021 reviewed

During the Microsoft Ignite conference in November 2021 Microsoft made several announcements related to Azure AD conditional access. You can read those announcements in the following article: “Identity at Ignite: Strengthen resilience with identity innovations in Azure AD“. And this morning Thomas Naunheim, tweeted that he saw the announced functionality appear within his tenant. Time for a quick look. It’s strange though to notice that even though the functionality is available and can be seen, no clear documentation can be found yet, and also no mention of the functionality in the What’s new in Azure Active Directory? documentation. (at time of writing)

In this post I will have a look at the following new functionality:

  • Conditional Access Dashboard
  • Conditional Access pre-build Templates
  • Conditional Access for Workload Identities

The also announced Filters for Devices have already been covered on my blog before, see:

A first look at using Filters for devices as conditions in Azure AD Conditional Access policies

Conditional Access Dashboard

The conditional access dashboard has been revamped and now identifies opportunities to strengthen policies based on analysis of your organization’s sign in patterns.

New Conditional Access overview page

The Overview page provides the following information:

  • The amount of policies and their status, which click through to the Conditional Access policies
  • The amount of users which have no policies applied, which click trough to the Monitoring tab
  • Sign-ins from devices which are either managed or unmanaged, which clicks through the Monitoring tab
  • Applications, which clicks through the Coverage tab
  • Recommendations, with severity, description and link to Policy template mitigating the issue.

The Monitoring tab gives an overview of the Sign-ins by Conditional Access result

Monitoring tab

The Coverage tab provides the following information:

  • Top accessed applications
  • Top accessed applications not protected by Conditional Access
Coverage tab

Conditional Access Templates

When creating a new policy, we now have a new option called “Create new policy from templates (Preview)

Create new policy from templates (Preview) option

When selecting the option you’ll end up in a wizard which allows you to choose whether the template is based on Identities or Devices. Once selected you can select the template from a list of templates.

  • Select policy type
  • Identities based templates
  • Devices based templates

 

The following templates (at time of writing 14) are available

Under Identities:

  • Require multi-factor authentication for admins
  • Securing security info registration
  • Block legacy authentication
  • Require multi-factor authentication for all users
  • Require multi-factor authentication for guest access
  • Require multi-factor authentication for Azure management
  • Require multi-factor authentication for risky sign-ins
  • Require password change for high-risk users

Under devices:

  • Require compliant or hybrid Azure AD joined device for admins
  • Block access for unknown or unsupported device platform
  • No persistent browser session
  • Require approved client apps and app protection
  • Require compliant or hybrid Azure AD joined device or multi-factor authentication for all users
  • Use application enforced restrictions for unmanaged devices

Each policy can also be configured with a state (Off, On or Report Only) and a default naming is provided which you can modify as well. See the following article for more information about what the templates do: Conditional Access templates (Preview)

Conditional Access for Workload Identities

We now have the option to assign certain policies to service principals only, for this a new selection item was created which allows you to switch between “Users and Groups” or “Workload identities (Preview)”. Once Workload Identities is selected you can either select All owned service principals, or select service principals from a list.

Conditional Access policy with Workload identities selected

Once a service principal is selected, a lot of the other configurable options in the Conditional Access policy are not available anymore, you cannot select individual cloud apps, you cannot select any conditions and the only option you have is to block access as a grant control.

Conclusion

Some welcome additions to the Azure AD Conditional Access functionality has been added, especially giving insight on which sign-ins are not covered by your CA policies is very helpful. I do also have some remarks though:

  • Adding extra options to Conditional Access makes it more complex
  • The templates cover some good scenario’s but lack the option to exclude your break glass accounts

Reference

If you want to know more about conditional access, I want to suggest that you read my Whitepaper on the subject, for which the latest version can be found below:

October 2021 update of the conditional access demystified whitepaper and workflow cheat sheet

https://docs.microsoft.com/en-gb/azure/active-directory/conditional-access/concept-conditional-access-policy-common

Tweet
Follow me
Tweet #WPNinjasNL

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Founding member of:

Recent Posts

  • Azure AD Conditional Access authentication context now also available for Azure AD Privileged Identity Management
  • December 2022 update of the conditional access demystified whitepaper and workflow cheat sheet.
  • Conditional Access public preview functionality reviewed (22H2) – Part 3: Granular control for external user types
  • Conditional Access public preview functionality reviewed (22H2) – Part 2: Conditional Access filters for Apps and Workload Identities
  • Conditional Access public preview functionality reviewed (22H2) – Part 1: Authentication Strength

Books

System Center 2012 Service Manager Unleashed
Amazon
System Center 2012 R2 Configuration Manager Unleashed: Supplement to System Center 2012 Configuration Manager
Amazon
System Center Configuration Manager Current Branch Unleashed
Amazon
Mastering Windows 7 Deployment
Amazon
System Center 2012 Configuration Manager (SCCM) Unleashed
Amazon

Archives

  • February 2023
  • December 2022
  • November 2022
  • October 2022
  • September 2022
  • August 2022
  • May 2022
  • February 2022
  • January 2022
  • December 2021
  • November 2021
  • October 2021
  • September 2021
  • July 2021
  • June 2021
  • May 2021
  • April 2021
  • March 2021
  • February 2021
  • January 2021
  • December 2020
  • November 2020
  • October 2020
  • September 2020
  • August 2020
  • July 2020
  • June 2020
  • May 2020
  • April 2020
  • March 2020
  • February 2020
  • January 2020
  • December 2019
  • November 2019
  • October 2019
  • August 2019
  • July 2019
  • November 2016
  • November 2015
  • June 2015
  • May 2015
  • November 2014
  • July 2014
  • April 2014
  • March 2014
  • February 2014
  • January 2014
  • November 2013
  • August 2013
  • April 2013
  • March 2013
  • January 2013
  • December 2012
  • November 2012
  • August 2012
  • July 2012
  • June 2012

Meta

  • Log in
  • Entries feed
  • Comments feed
  • WordPress.org

Categories

  • ABM (3)
  • Advanced Threat Protection (4)
  • Announcement (42)
  • Azure (3)
  • AzureAD (65)
  • Certification (2)
  • Cloud App Security (3)
  • Conditional Access (50)
  • Configuration Manager (24)
  • Events (11)
  • Exchange Online (7)
  • Identity Protection (3)
  • Intune (17)
  • Licensing (2)
  • Microsoft Endpoint Manager (35)
  • Mobile Application Management (1)
  • Modern Workplace (65)
  • Office 365 (10)
  • Overview (10)
  • Power Platform (1)
  • PowerShell (2)
  • Presentations (7)
  • Privileged Identity Management (5)
  • Role Based Access Control (2)
  • Security (50)
  • Service Manager (4)
  • Speaking (22)
  • Troubleshooting (4)
  • Uncategorized (11)
  • Windows 10 (14)
  • Windows 11 (4)
  • Windows Update for Business (3)
  • WMUG.nl (16)
  • WPNinjasNL (30)

Tags

#AzureAD #community #conditionalaccess #ConfigMgr #IAM #Intune #m365 #MEM #MEMCM #microsoft365 #modernworkplace #office365 #security #webinar #wmug_nl ATP AzureAD Branding Community Conditional Access ConfigMgr ConfigMgr 2012 Configuration Manager Email EXO Identity Intune Licensing M365 MCAS Modern Workplace Office 365 OSD PIM Policy Sets Presentation RBAC roles Security Service Manager SSP System Center troubleshooting webinar Windows 10

Recent Comments

  • Kenneth on December 2022 update of the conditional access demystified whitepaper and workflow cheat sheet.
  • John Barnes on December 2022 update of the conditional access demystified whitepaper and workflow cheat sheet.
  • Intune Newsletter - 24th February 2023 - Andrew Taylor on Azure AD Conditional Access authentication context now also available for Azure AD Privileged Identity Management
  • Azure AD Conditional Access authentication context now also available for Azure AD Privileged Identity Management | Modern Workplace Blog on A first look at Azure AD Conditional Access authentication context
  • Kenneth on Intune: Choosing whether to assign to User or Device Groups

This information is provided “AS IS” with no warranties, confers no rights and is not supported by the author.

Copyright © 2021 by Kenneth van Surksum. All rights reserved. No part of the information on this web site may be reproduced or posted in any form or by any means without the prior written permission of the publisher.

Shorthand: Don’t pass off my work as yours, it’s not nice.

©2023 Modern Workplace Blog | Powered by WordPress and Superb Themes!
This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Cookie settingsACCEPT
Privacy & Cookies Policy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Non-necessary
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
SAVE & ACCEPT