Conditional Access demystified, part 8: Resources and further references

This article is the last part of a series, for which the following articles are available:

Conditional Access demystified, part 1: Introduction
Conditional Access demystified, part 2: What is Conditional Access?
Conditional Access demystified, part 3: How does Conditional Access work?
Conditional Access demystified, part 4: Designing a Conditional Access strategy
Conditional Access demystified, part 5: Implementing Conditional Access
Conditional Access demystified, part 6: Troubleshooting Conditional Access
Conditional Access demystified, part 7: Modifying Conditional Access to suit your special needs

In the last part of this series I will summarize some of the sources I used for writing this series of articles.

Conditional Access demystified, part 7: Modifying Conditional Access to suit your special needs

This article is part 7 of a series, for which the following articles are available:

Conditional Access demystified, part 1: Introduction
Conditional Access demystified, part 2: What is Conditional Access?
Conditional Access demystified, part 3: How does Conditional Access work?
Conditional Access demystified, part 4: Designing a Conditional Access strategy
Conditional Access demystified, part 5: Implementing Conditional Access
Conditional Access demystified, part 6: Troubleshooting Conditional Access
Conditional Access demystified, part 8: Resources and further references

When you want to integrate other products into your Conditional Access environment you can use “custom controls” to include products from other vendors as a grant control in your Conditional Access policies. If a custom control is used, the browser is redirected to the external service, which performs any required authentication or validation activities, after which the browser is redirected back to Azure Active Directory. If the user was successfully authenticated or validated, the user continues in the Conditional Access flow. More information and some samples can be found here: Azure AD + 3rd party MFA = Azure AD Custom Controls – https://blogs.technet.microsoft.com/cbernier/2017/10/16/azure-ad-3rd-party-mfa-azure-ad-custom-controls/. This feature is still in preview, but it is very promising for third-party vendors who want to integrate with Conditional Access.

Conditional Access demystified, part 6: Troubleshooting Conditional Access

This article is part 6 of a series, for which the following articles are available:

Conditional Access demystified, part 1: Introduction
Conditional Access demystified, part 2: What is Conditional Access?
Conditional Access demystified, part 3: How does Conditional Access work?
Conditional Access demystified, part 4: Designing a Conditional Access strategy
Conditional Access demystified, part 5: Implementing Conditional Access
Conditional Access demystified, part 7: Modifying Conditional Access to suit your special needs
Conditional Access demystified, part 8: Resources and further references

In this part of the series we will go into more detail on where to find the information that helps you troubleshoot Conditional Access policies.

Conditional Access demystified, part 5: Implementing Conditional Access

This article is part 5 of a series, for which the following articles are available:

Conditional Access demystified, part 1: Introduction
Conditional Access demystified, part 2: What is Conditional Access?
Conditional Access demystified, part 3: How does Conditional Access work?
Conditional Access demystified, part 4: Designing a Conditional Access strategy
Conditional Access demystified, part 6: Troubleshooting Conditional Access
Conditional Access demystified, part 7: Modifying Conditional Access to suit your special needs
Conditional Access demystified, part 8: Resources and further references

Before you start implementing your Conditional Access policies you should define an implementation strategy. Some things to consider are:

  1. Make sure that Modern Authentication is enabled for Exchange Online (EXO) and Skype for Business Online (SfBO); SharePoint Online has modern authentication enabled out of the box. Conditional Access is evaluated on modern authentication sign-ins, so clients that still use legacy (basic) authentication against EXO or SfBO are not covered by your policies until modern authentication is turned on.
  2. Create two break glass accounts. These accounts are Global Administrators, must have long and complex passwords, must be excluded from every Conditional Access policy you create and must not depend on MFA (at minimum one of the two must be able to sign in without it), so that you can always get back into the tenant when a policy locks everyone else out. More information about creating break glass accounts can be found here: Manage emergency access accounts in Azure AD – https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-emergency-access. Also keep in mind that you might want to change the default account settings for the break glass accounts using PowerShell: https://docs.microsoft.com/en-us/azure/security/azure-ad-secure-steps#step-2—reduce-your-attack-surface
  3. For each Conditional Access policy created we create an exclusion group, so that we can deal with exceptions in our environment. These exclusion groups are set up with Access Review functionality (if available) to make sure that their membership is evaluated on a regular basis.
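The three points above can be verified before (and after) the first policy goes live. The script below is an added example, not code from the original article: it checks that modern authentication is on for EXO and SfBO, that both break glass accounts are excluded from every Conditional Access policy, and that every policy carries an exclusion group. It assumes you are already connected with the Exchange Online module, a Skype for Business Online remote session and the Microsoft Graph PowerShell SDK (with at least Policy.Read.All, User.Read.All and Group.Read.All); the break glass UPNs and the contoso tenant are placeholders.

```powershell
# Added example (not from the original article). Assumed prior connections:
#   Connect-ExchangeOnline
#   $sfbo = New-CsOnlineSession; Import-PSSession $sfbo
#   Connect-MgGraph -Scopes 'Policy.Read.All','User.Read.All','Group.Read.All'

# 1. Modern Authentication (OAuth) for EXO and SfBO. Legacy clients that still use
#    basic authentication are not evaluated by Conditional Access, so this comes first.
$exo = Get-OrganizationConfig
if (-not $exo.OAuth2ClientProfileEnabled) {
    Write-Warning 'EXO: modern authentication is OFF. Fix: Set-OrganizationConfig -OAuth2ClientProfileEnabled $true'
}
$sfb = Get-CsOAuthConfiguration
if ($sfb.ClientAdalAuthOverride -ne 'Allowed') {
    Write-Warning 'SfBO: modern authentication is not allowed. Fix: Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed'
}

# 2. Break glass accounts (UPNs are placeholders) must appear in the user exclusions
#    of every policy, regardless of whether the policy is enabled or report-only.
$breakGlassUpns = @('bg-admin1@contoso.onmicrosoft.com', 'bg-admin2@contoso.onmicrosoft.com')
$breakGlassIds  = foreach ($upn in $breakGlassUpns) { (Get-MgUser -UserId $upn).Id }

# 3. Every policy should have at least one exclusion group; list their members so the
#    output doubles as input for the access review of those groups.
$policies = Get-MgIdentityConditionalAccessPolicy
foreach ($p in $policies) {
    $excludedUsers  = @($p.Conditions.Users.ExcludeUsers)
    $excludedGroups = @($p.Conditions.Users.ExcludeGroups)

    $missing = $breakGlassIds | Where-Object { $_ -notin $excludedUsers }
    if ($missing) {
        Write-Warning "Policy '$($p.DisplayName)' ($($p.State)) does not exclude break glass account(s): $($missing -join ', ')"
    }

    if ($excludedGroups.Count -eq 0) {
        Write-Warning "Policy '$($p.DisplayName)' has no exclusion group"
    }
    else {
        foreach ($gid in $excludedGroups) {
            $g       = Get-MgGroup -GroupId $gid
            $members = @(Get-MgGroupMember -GroupId $gid -All)
            "Policy '$($p.DisplayName)': exclusion group '$($g.DisplayName)' has $($members.Count) member(s)"
        }
    }
}
```

Run it with the policies still in report-only state; a policy that does not list both break glass accounts under its user exclusions is the one that can lock you out once it is switched to enabled.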
Conditional Access demystified, part 4: Designing a Conditional Access strategy

This article is part 4 of a series, for which the following articles are available:

Conditional Access demystified, part 1: Introduction
Conditional Access demystified, part 2: What is Conditional Access?
Conditional Access demystified, part 3: How does Conditional Access work?
Conditional Access demystified, part 5: Implementing Conditional Access
Conditional Access demystified, part 6: Troubleshooting Conditional Access
Conditional Access demystified, part 7: Modifying Conditional Access to suit your special needs
Conditional Access demystified, part 8: Resources and further references

When designing a Conditional Access strategy for a customer we first need to start with an inventory of the environment. In the most ideal situation you would design and implement Conditional Access in a green field scenario, but I for sure never had that luxury before, so it’s better to assume that the customer is already using cloud apps and wants to implement Conditional Access as a security measure.

Conditional Access demystified, part 3: How does Conditional Access work?

This article is part 3 of a series, for which the following articles are available:

Conditional Access demystified, part 1: Introduction
Conditional Access demystified, part 2: What is Conditional Access?
Conditional Access demystified, part 4: Designing a Conditional Access strategy
Conditional Access demystified, part 5: Implementing Conditional Access
Conditional Access demystified, part 6: Troubleshooting Conditional Access
Conditional Access demystified, part 7: Modifying Conditional Access to suit your special needs
Conditional Access demystified, part 8: Resources and further references

Microsoft explains Conditional Access in the following way: Conditional Access consists of access scenarios called Conditional Access policies. A Conditional Access policy follows this pattern:

When this happens, then do this

“When this happens” defines the reason for triggering your policy. This reason is characterized by a group of conditions that have been satisfied. With “Then do this” you define how users can access your cloud apps.

Technically this translates to conditions (“When this happens”) and access controls (“Then do this”).
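To make the pattern concrete, here is what a single policy looks like when written out as a Microsoft Graph conditionalAccessPolicy object. This is an added illustration, not something from the original article: everything under conditions is the “When this happens” part (all users except the break glass accounts and the policy’s exclusion group, any cloud app, any client, any location except trusted ones), and everything under grantControls is the “Then do this” part (require MFA). The policy name, the report-only state and the angle-bracket object IDs are placeholders you would replace with your own.

```json
{
  "displayName": "CA001 - Require MFA outside trusted locations (example)",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": {
      "includeUsers": ["All"],
      "excludeUsers": [
        "<objectId of break glass account 1>",
        "<objectId of break glass account 2>"
      ],
      "excludeGroups": ["<objectId of exclusion group CA-Exclude-CA001>"]
    },
    "applications": {
      "includeApplications": ["All"]
    },
    "clientAppTypes": ["all"],
    "locations": {
      "includeLocations": ["All"],
      "excludeLocations": ["AllTrusted"]
    }
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["mfa"]
  }
}
```

The state enabledForReportingButNotEnforced (report-only) lets you see in the sign-in logs which sign-ins would have matched the conditions before any access control is actually applied; switch it to enabled only after the break glass accounts and the exclusion group are in place.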

Figure: Conditional Access policy

Conditional Access demystified, part 2: What is Conditional Access?

This article is part 2 of a series, for which the following articles are available:

Conditional Access demystified, part 1: Introduction
Conditional Access demystified, part 3: How does Conditional Access work?
Conditional Access demystified, part 4: Designing a Conditional Access strategy
Conditional Access demystified, part 5: Implementing Conditional Access
Conditional Access demystified, part 6: Troubleshooting Conditional Access
Conditional Access demystified, part 7: Modifying Conditional Access to suit your special needs
Conditional Access demystified, part 8: Resources and further references

Microsoft describes Conditional Access as follows: “With Conditional Access, you can implement automated access control decisions for accessing your cloud apps that are based on conditions.” and “Conditional Access policies are enforced after the first-factor authentication has been completed. Therefore, Conditional Access is not intended as a first line defense for scenarios like denial-of-service (DoS) attacks, but can utilize signals from these events (e.g. the sign-in risk level, location of the request, and so on) to determine access.”

The way I see it, the best way to explain what Conditional Access does is by comparing it to a firewall. A firewall determines what traffic can access your resources and under what circumstances, and Conditional Access does much the same: it describes under what circumstances users can access your cloud applications.

Windows Assessment and Deployment Toolkit, an introduction

When Microsoft released the Consumer Preview of Windows 8, they also introduced the Windows Assessment and Deployment Kit, in short Windows ADK. With the release of the Windows 8 Release Preview (or release candidate) Microsoft also supplied an updated version of the ADK.

The Windows ADK contains updated tools which used to be part of both the Windows Automated Installation Kit (Windows AIK) and the Windows OEM Preinstallation Kit (Windows OPK). The Windows ADK can be used for two scenarios: Windows deployment and Windows assessment.

The Windows deployment tools help IT professionals with the deployment of a new version of Windows. Most of these tools are used as a basis for other deployment tools, like the Microsoft Deployment Toolkit (MDT), the Operating System Deployment (OSD) functionality in System Center Configuration Manager (ConfigMgr) and, since version 2012, also System Center Virtual Machine Manager (SCVMM), which uses them to deploy operating systems both to bare-metal servers and on top of one of the three hypervisors that SCVMM can manage (Microsoft Hyper-V, VMware vSphere and Citrix XenServer). The products using the functionality of the Windows ADK will most probably be updated after the release of Windows 8 and Windows Server 2012 so that they can use the Windows ADK instead of the Windows AIK. ConfigMgr and SCVMM currently don’t support the use of the ADK, and MDT provides support for the ADK for non-production Windows deployments only.

Besides that, the deployment tools include tools to test and mitigate application compatibility issues, migrate user data from an old OS to a new OS, and manage licenses across many machines from a central console.