Conditional Access demystified, part 5: Implementing Conditional Access

This article is part 5 of a series, for which the following articles are available:

Conditional Access demystified, part 1: Introduction
Conditional Access demystified, part 2: What is Conditional Access?
Conditional Access demystified, part 3: How does Conditional Access work?
Conditional Access demystified, part 4: Designing a Conditional Access strategy
Conditional Access demystified, part 6: Troubleshooting Conditional Access
Conditional Access demystified, part 7: Modifying Conditional Access to suit your special needs
Conditional Access demystified, part 8: Resources and further references

Before you start implementing your Conditional Access policies you should define an implementation strategy. Some things to consider are:

  1. Make sure that Modern Authentication is enabled for Exchange Online (EXO) and Skype for Business Online (SfBO); SharePoint Online has modern authentication enabled out of the box.
  2. Create 2 break glass accounts. These accounts, which are global administrators, should have complex passwords, will be excluded from every Conditional Access policy created, and must have MFA disabled (or at least one of the two accounts must). More information about creating break glass accounts can be found here: Manage emergency access accounts in Azure AD – https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-emergency-access. Also keep in mind that you might want to change the default account settings for the break glass accounts using PowerShell: https://docs.microsoft.com/en-us/azure/security/azure-ad-secure-steps#step-2—reduce-your-attack-surface
  3. For each Conditional Access policy created, we will create an exclusion group, so that we can deal with exceptions in our environment. These exception groups will be set up with Access Review functionality (if available) to make sure that the membership of these groups is evaluated on a regular basis.

Conditional Access demystified, part 4: Designing a Conditional Access strategy

This article is part 4 of a series, for which the following articles are available:

Conditional Access demystified, part 1: Introduction
Conditional Access demystified, part 2: What is Conditional Access?
Conditional Access demystified, part 3: How does Conditional Access work?
Conditional Access demystified, part 5: Implementing Conditional Access
Conditional Access demystified, part 6: Troubleshooting Conditional Access
Conditional Access demystified, part 7: Modifying Conditional Access to suit your special needs
Conditional Access demystified, part 8: Resources and further references

When designing a Conditional Access strategy for a customer we first need to start with an inventory of the environment. In the most ideal situation you would design and implement Conditional Access in a green field scenario, but I for sure never had that luxury before, so it’s better to assume that the customer is already using cloud apps and wants to implement Conditional Access as a security measure.

Conditional Access demystified, part 3: How does Conditional Access work?

This article is part 3 of a series, for which the following articles are available:

Conditional Access demystified, part 1: Introduction
Conditional Access demystified, part 2: What is Conditional Access?
Conditional Access demystified, part 4: Designing a Conditional Access strategy
Conditional Access demystified, part 5: Implementing Conditional Access
Conditional Access demystified, part 6: Troubleshooting Conditional Access
Conditional Access demystified, part 7: Modifying Conditional Access to suit your special needs
Conditional Access demystified, part 8: Resources and further references

Microsoft explains Conditional Access in the following way. Conditional Access consists of access scenarios called Conditional Access policies. A Conditional Access policy follows the following pattern:

When this happens, then do this

“When this happens” defines the reason for triggering your policy. This reason is characterized by a group of conditions that have been satisfied. With “Then do this” you define how users can access your cloud apps.

Technically this is translated to Conditions (When this happens) and Access controls (Then do this).

Conditional Access policy

Conditional Access demystified, part 2: What is Conditional Access?

This article is part 2 of a series, for which the following articles are available:

Conditional Access demystified, part 1: Introduction
Conditional Access demystified, part 3: How does Conditional Access work?
Conditional Access demystified, part 4: Designing a Conditional Access strategy
Conditional Access demystified, part 5: Implementing Conditional Access
Conditional Access demystified, part 6: Troubleshooting Conditional Access
Conditional Access demystified, part 7: Modifying Conditional Access to suit your special needs
Conditional Access demystified, part 8: Resources and further references

Microsoft describes Conditional Access as follows: “With Conditional Access, you can implement automated access control decisions for accessing your cloud apps that are based on conditions.” and “Conditional Access policies are enforced after the first-factor authentication has been completed. Therefore, Conditional Access is not intended as a first line defense for scenarios like denial-of-service (DoS) attacks, but can utilize signals from these events (e.g. the sign-in risk level, location of the request, and so on) to determine access.”

The way I see it, the best way to explain what Conditional Access does is by making the comparison to a firewall. A firewall determines what traffic can access your resources and under what circumstances, and Conditional Access sort of does the same: it describes under what circumstances users can access your cloud applications.

Conditional Access demystified, part 1: Introduction

In July 2016 Microsoft made Conditional Access generally available as a feature of Azure Active Directory (Azure AD). Since that time I have had a love and hate relationship with this functionality of Azure AD, mainly because it’s difficult to test scenarios and some changes can have a really high impact. I even experienced being locked out of the Azure portal during one of my tests.

Why this series of articles?

There is some good documentation from Microsoft and blog posts by fellow bloggers detailing Conditional Access scenarios, but not really a one-stop-shopping overview. With this series of blog posts I hope to achieve this.

Course: 20533C – Implementing Microsoft Azure Infrastructure Solutions – Study reference

While teaching the 20533C course to students I provide them with more information about the topics covered in the training. Perhaps it can help you as well while studying for your exam. Keep in mind that the overview is valid for the C version of the course.

General Information:

The new Self Service Portal for System Center 2012 R2 Service Manager and my experiences installing and using it so far – UPDATED

Update (December 11th 2015): Today Microsoft released a hotfix for the Self Service Portal. The hotfix (KB3124091) can be downloaded from Microsoft Download here.

The corresponding KB article at time of writing isn’t available yet. I did an installation in my lab environment though, and the most annoying issues are solved. Please read the full article to get an idea of what was solved.

Distributing content to Distribution points and Distribution point groups in ConfigMgr 2012

With the release of System Center 2012 Configuration Manager, Microsoft introduced the distribution point groups functionality. Distribution point groups provide a logical grouping of distribution points and collections for content distribution, as described in the following TechNet article: Configuring Content Management in Configuration Manager, Create and Configure Distribution Point Groups.

A Distribution Point can be made a member of one or more Distribution Point Groups. Based on the content deployed to a Distribution Point Group and whether the Distribution Point is a member of that group, the Distribution Point receives the content defined for that Distribution Point Group.

When distributing content you have the ability to choose whether you want to distribute to either a Collection/Collections, a Distribution Point or Distribution Point Groups. This is actually the point where things start to go wrong, since depending on who is performing the distribution of the content, different options are chosen.

Installing the Service Manager Self Service Portal (SSP) on Windows Server 2012 R2

When Microsoft released System Center 2012 R2 Service Manager in October 2013, I was quite surprised that the web parts for the Self Service Portal were only supported on SharePoint 2010. At that time, installing SharePoint 2010 was only supported on Windows Server 2008 R2.

Luckily, somewhere around May 2014 Microsoft released Service Pack 2 for SharePoint 2010, allowing the installation of SharePoint 2010 on top of Windows Server 2012 R2. The support statement was made in KB2724471: SharePoint 2010 support for Windows Server 2012 and Windows Server 2012 R2. Microsoft also supports running the SharePoint web parts on top of Windows Server 2012 R2, as stated in the Software Requirements for System Center 2012 – Service Manager. Installing the SharePoint web parts on SharePoint 2013 still isn’t supported; let’s hope a future update will bring this support, and that in the next version of the product we have another solution which is purely HTML based.

SCSM 2012: Failed to execute Submit Operation, event id 26319

At a customer of mine an issue with Incident Requests in System Center 2012 R2 Service Manager was reported. Some users reported that they received the error: “Failed to execute Submit operation. Fix the reported error before… – The user <domain>\<accountname> does not have sufficient permission to perform the operation.”

Full error in the console was: