I’m proud to announce the December 2022 update of my Conditional Access demystified whitepaper. With this release, we have reached the fifth iteration of the whitepaper and accompanying files.
I released the first version in August 2019 after writing several blogposts on the subject. In May last year I released the second version containing a lot of updates. In February this year I released another update, and in October 2021 I released update 4. Today I’m releasing a new update, the December 2022 version 1.4 update.
The paper has had some updates, including all information from the blogposts I’ve written about the subject since the latest release. The paper has therefore grown from 95 to 140 pages at this point in time; for reference, the May 2020 version contained only 30 pages.
You can download the paper from my GitHub page here: Conditional Access demystified-v1.4 – December 2022.pdf
In this version I added the following updates:
Workflow cheat sheet
The workflow cheat sheet has been updated to reflect the current status of the Conditional Access policies. With the workflow I want to provide IT pros with a handy cheat sheet which they can use while building or troubleshooting Conditional Access policies. If you print the cheat sheet or display it on a secondary monitor, it can be quite handy; I use it all the time.
The workflow cheat sheet is available separately for download from my GitHub page here: Conditional Access Workflow – v1.4.pdf
My recommended set of Conditional Access policies
I’ve included my recommended set of Conditional Access policies. The reasoning behind the policies is described, and I will detail each policy which needs to be created. A reference to a spreadsheet is also included, containing all the necessary settings for each Conditional Access policy: Conditional Access Policy Description-v1.4.xlsx
New in this version is that I also exported the CA policies from my environment using the Intune Manager tool written by Mikael Karlsson; with this tool you should also be able to import the baseline policies into your own environment. Please make sure that you import the policies as “Report-Only” first and do not import them turned on.
You can find the baseline policies provided in this version here: https://github.com/kennethvs/cabaseline202212
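To make the “Report-Only first” advice mechanical, here is an added example (my own illustration, not code from the whitepaper, the baseline repository or the Intune Manager tool). It assumes the exported policies are JSON objects in the Microsoft Graph conditionalAccessPolicy shape (a `state` field and `conditions.applications.includeApplications`); the sample export below is constructed, and the app id in it is a placeholder.

```python
import json
from copy import deepcopy

# Graph conditionalAccessPolicy state value for "Report-Only".
REPORT_ONLY = "enabledForReportingButNotEnforced"

# Constructed sample export (assumed Graph shape, placeholder app id);
# only the fields this script touches are included.
SAMPLE_EXPORT = json.dumps([
    {"displayName": "CAD002 - Require MFA for Office 365", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["Office365"]}}},
    {"displayName": "CAD013 - Require MFA for selected apps", "state": "disabled",
     "conditions": {"applications": {"includeApplications": ["<app-id-placeholder>"]}}},
])


def load_policies(raw):
    """Parse an export that is either one policy object or a list of them."""
    data = json.loads(raw)
    return data if isinstance(data, list) else [data]


def audit_states(policies):
    """Display names of policies that would NOT land in Report-Only on import."""
    return [p["displayName"] for p in policies if p.get("state") != REPORT_ONLY]


def force_report_only(policies):
    """Return copies of the policies with state set to Report-Only; originals untouched."""
    out = []
    for p in policies:
        q = deepcopy(p)
        q["state"] = REPORT_ONLY
        out.append(q)
    return out


def uses_all_apps(policy):
    """True if the policy targets every cloud app ('All'), the scoping the reply warns against."""
    apps = policy.get("conditions", {}).get("applications", {}).get("includeApplications", [])
    return "All" in apps


if __name__ == "__main__":
    policies = load_policies(SAMPLE_EXPORT)
    print("not report-only before:", audit_states(policies))
    safe = force_report_only(policies)
    print("not report-only after:", audit_states(safe))
    print("scoped to all apps:", [p["displayName"] for p in safe if uses_all_apps(p)])
    json.dump(safe, open("policies-report-only.json", "w"), indent=2)
```

Run it over the exported file before importing; the rewritten `policies-report-only.json` is what you import, and the “scoped to all apps” line flags any policy that would hit apps you cannot select in the portal.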
Further updates
I also added other information like:
- Filtering for Apps and Workload Identities
- Granular Guest control
- Authentication Strength
- Cross tenant settings
- More information about CA Templates
- Updated Approved Apps versus Require App Protection policy information
- Updated information about break glass accounts
- And more...
I hope you enjoy and learn something from reading the paper and that it helps you set up Conditional Access for the tenant(s) you are administering. Feel free to reach out if you have any questions or remarks.
Thanks Alain for the great update Kenneth.
Would it make sense to scope CAD002 to all cloud apps? Doing so unfortunately blocks Edge profiles from signing in.
Is there a way to scope CAD002 to everything except for Edge profile sign-in?
Or should we add all relevant apps to the CAD002 rule on top of O365?
Hi Roel,
Thanks for visiting my blog –
CAD013 is what you are looking for. I would never scope this to ALL apps since it will certainly break things: it will break the apps which you cannot select in the Conditional Access properties, and you will have a really hard time figuring out which. But you can add apps on a per-app basis and add an additional layer above Office 365.
Hope this helps; if not, please let me know.
/Kenneth