Hello, Cybrarians. Welcome to this demonstration on Azure AD Conditional Access.
This is part of the second module of the AZ-500 Microsoft Azure Security Technologies course.
Here is a quick overview of the tasks we'll complete in this demo.
We'll start by designating an account as our emergency break-glass account,
then create a named location that we'll reference when we create a conditional access policy.
We'll proceed to evaluate the result of our policy in the What If tool, and conclude by enabling our policy and verifying that it applies successfully.
Let's get into this.
So in the very first task, we'll be designating an account as our emergency break-glass account, to ensure that we're able to roll back misconfigurations in the event that we accidentally lock out all the admins and users in the organization.
We won't actually be doing or creating anything in this task.
I'm just using this to emphasize the importance of having an emergency break-glass account. So in our Azure AD environment, Supercloud XYZ, we have two global administrators, Brenda and David.
We will be using David's account as the emergency break-glass account. So for the conditional access policies that we'll be configuring, we will exclude David's account from the policies. So here I am in the Azure portal. If I go to Users,
you can see the current users that I have. I have David and I have Brenda. So David will be the one
that we'll be designating as the emergency break-glass account, so he will be excluded, and Brenda's account will be the one that we'll use for testing our policy. So in the next task, I'll create a named location called Office HQ in Conditional Access. We'll reference this named location in our policy later.
So back in the Azure portal, in Azure Active Directory,
if I scroll down, I click on Security.
And if I click on Conditional Access,
I'll go ahead and click on Named locations
and I'll click on New location.
In the new location, I'll give it a name. I'll call it Office HQ.
I'll be defining IP ranges,
and I'll also mark it as a trusted location because it's the headquarters office location,
and I'll specify the IP address range of the headquarters office.
Once I've added that information, I'll go ahead and click on Create, and that has created this named location for me.
For you in your organization, you can go ahead and add all your office locations and have them under named locations. Be careful that the ranges you mark as trusted are only the static public egress addresses of those offices: anyone who can originate traffic from those addresses will be excluded from the policy we're about to build.
So in the next task, I'll create a conditional access policy to apply the controls that we want.
Here is a visual representation of what I'll be doing.
I'll create a new policy called Azure Management External. The policy will have the following conditions.
It will apply to any identity that has the Global Administrator role. It will apply if the identity is trying to access Azure management apps, which include the Azure portal, Azure PowerShell and the Azure CLI.
It will exclude situations where the identity is connecting from our trusted Office HQ location. I'll apply a single control to require MFA.
So back in the Azure portal, on Conditional Access policies, I'll go ahead and click on New policy
and I'll specify the name of the new conditional access policy that I'm creating, which is Azure Management External.
For the users and groups, I want this to apply to any identity that has the Global Administrator role. So I go ahead and select Directory roles and I look for Global Administrator.
I want this to exclude my emergency break-glass account, which is David in this case, so I click on Exclude,
select Users and groups, look for David's account and exclude the account
so that this policy will not apply to it.
Now for the cloud apps or actions, I want this to apply to users that are connecting to the Microsoft Azure Management apps.
So I go ahead and click on Select apps,
and under Select I look for Microsoft Azure Management, select that and click Select,
and I'll go ahead and click on Done.
For the Conditions, I want this to exclude users who are connecting from the Office HQ network. So under Conditions I select Locations,
I'll click Configure, and I'll change the tab to Exclude,
and for Exclude I leave that as Selected locations, click Select and exclude the Office HQ network.
I'll go ahead and click Select, so that the policy includes any location and excludes the Office HQ location.
Then I click Done on that and click Done again.
So now I have the assignments and the conditions configured,
so the next part is the access control. What I want to do is grant access but require MFA if the user is connecting from any location outside my office network
and the user is a global administrator, so I'll leave Require multi-factor authentication selected and go ahead and click on Select.
Now for Enable policy, I'll leave that set to Report-only. That creates the policy without enforcing it, and I can still test it with the What If tool before turning it on. So I go ahead and click on Create
and that has created my policy.
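The portal clicks in this task map onto two Microsoft Graph requests: one that creates the IP named location and one that creates the policy. The following Python is an added example, not code from the course or from Microsoft; the JSON shapes are those of the Graph v1.0 conditional access API, and the two GUIDs are the fixed, tenant-independent IDs of the Global Administrator role template and of the app the portal labels "Microsoft Azure Management" (the Windows Azure Service Management API). The CIDR, user object ID and location ID values in the usage call are constructed placeholders. The policy builder refuses to run without at least one excluded break-glass user, which is the point of the first task.

```python
"""Build the Graph request bodies for an IP named location and a CA policy.

Added example; the request shapes follow Microsoft Graph v1.0:
  POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/namedLocations
  POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
Sample IDs and IP ranges below are constructed placeholders for the example.
"""
import ipaddress
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# Well-known identifiers, identical in every tenant.
GLOBAL_ADMIN_ROLE_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"
# "Microsoft Azure Management" in the portal is the Windows Azure Service Management API.
AZURE_MANAGEMENT_APP_ID = "797f4846-ba00-4fd7-ba43-dac1f8f63013"


def build_named_location(display_name, cidrs, trusted=True):
    """Body for an IPv4 named location. Every range is validated as a proper
    network (no host bits set) before it is accepted, so a typo such as
    203.0.113.5/24 is rejected instead of silently widening the exclusion."""
    for cidr in cidrs:
        ipaddress.IPv4Network(cidr, strict=True)  # raises ValueError on bad input
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": display_name,
        "isTrusted": trusted,
        "ipRanges": [
            {"@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": cidr}
            for cidr in cidrs
        ],
    }


def build_policy(display_name, office_location_id, break_glass_user_ids,
                 state="enabledForReportingButNotEnforced"):
    """Body for the 'Azure Management External' policy from the demo:
    Global Administrators, Azure management apps, all locations except the
    office, grant access with MFA. 'enabledForReportingButNotEnforced' is the
    Graph value for the portal's Report-only setting."""
    excluded = list(break_glass_user_ids)
    if not excluded:
        raise ValueError("refusing to build a Global Administrator policy "
                         "with no break-glass account excluded")
    return {
        "displayName": display_name,
        "state": state,
        "conditions": {
            "clientAppTypes": ["all"],
            "users": {
                "includeRoles": [GLOBAL_ADMIN_ROLE_TEMPLATE_ID],
                "excludeUsers": excluded,
            },
            "applications": {"includeApplications": [AZURE_MANAGEMENT_APP_ID]},
            "locations": {
                "includeLocations": ["All"],
                "excludeLocations": [office_location_id],
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def graph_post(path, body, access_token):
    """POST a body to Graph with a bearer token that carries
    Policy.ReadWrite.ConditionalAccess. Not called anywhere in this file."""
    req = urllib.request.Request(
        GRAPH + path,
        data=json.dumps(body).encode(),
        headers={"Authorization": "Bearer " + access_token,
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed placeholders: the office range, David's object ID and the
    # location ID Graph returns after the first POST.
    print(json.dumps(build_named_location("Office HQ", ["203.0.113.0/24"]), indent=2))
    print(json.dumps(build_policy("Azure Management External",
                                  "00000000-0000-0000-0000-0000000000aa",
                                  ["00000000-0000-0000-0000-0000000000d1"]), indent=2))
```

Create the named location first; the `id` in its response is what goes into `excludeLocations`. The policy is created in report-only state on purpose, matching the demo: switch `state` to `"enabled"` only after the What If check in the next task.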
So in the next task, we'll be evaluating the result of our policy for a test global administrator named Brenda in the What If tool.
So back in the Azure portal, in Conditional Access,
I'll go ahead and select the What If tool here.
I'll select the user that I want to test, which is Brenda, who is also a global administrator, and I'll go ahead and click Select.
For the cloud apps or applications, I'll go ahead and select the Microsoft Azure Management
group of apps, so I'll select that and click Select.
For the IP address, I'll put in an IP address which is outside my Office HQ location.
So I put in a test IP address here,
I'll also fill in the country,
and I'll click on What If.
If I scroll down, it is showing me now that the policy that will apply to Brenda is the Azure Management External policy, and the result will be to require multi-factor authentication. So that's good,
because that's applying as I want. The next thing to do is to verify what would happen if Brenda were connecting from our Office HQ location.
So I'll go ahead and copy the Office HQ IP address that I entered earlier and paste that in.
If I click on What If again,
you can see that in this case no policies apply, because I'm excluding that location from that policy. So that looks good to me, and I think we can roll this out now. In the next task, we'll enable the conditional access policy that we created and verify that it's working. To do that,
we'll first test by accessing the Azure portal from the Office HQ IP address range.
When I access it, I'll be redirected to Azure AD, which will validate the password, and it's going to recognize that the location I'm connecting from is excluded from that policy, so the account will be granted a token to access the portal without requiring MFA.
I'll then proceed to access it from another location outside the Office HQ network. When I do that,
I'll be redirected to Azure AD, which will validate the password, and the request will go to conditional access for processing. Since the policy matches our conditions, I'll be required to complete MFA before I can get a token to access the application. So let's go ahead and do this.
So the first thing I'll do is go ahead and enable the policy I configured earlier.
So if I go ahead and click on that, I'll change it from Report-only to On
and I go ahead and click on Save,
and now this policy is enabled.
The next thing I'll do is go to the Office HQ location, which in this case I've done by RDP into a system that's connecting from that location. You can see the IP address there.
I'll try to authenticate as Brenda.
If I click on Next, I'll put in Brenda's password.
We're signed in now. Note that the sign-in succeeded without being required to complete MFA. The next thing I'll do is test this out from another location outside the Office HQ location.
I'll put in Brenda's credentials and click on Next,
and I put in Brenda's password.
Now I'm prompted to register for MFA, because Brenda has not registered before. So that looks like our policy is working.
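The What If run in the previous task and the two live sign-ins above are the same evaluation: does the sign-in fall inside the policy's user, app and location assignments, minus its exclusions? The Python below is an added example, not Microsoft's evaluation engine and not code from the course. It evaluates Graph-shaped policies offline against a sign-in, covering only the assignment types this demo uses (directory roles, excluded users, cloud apps, IP named locations, policy state) and ignoring everything else (device, client app type, risk, session controls). The tenant data (user object IDs, the named-location ID, the 203.0.113.0/24 office range and the 198.51.100.7 outside address) is constructed for the example.

```python
"""Offline stand-in for the What If tool over Graph-shaped CA policies.

Added example. Constructed tenant data: two global administrators (Brenda and
David, with David as the excluded break-glass account), one ordinary user, one
IP named location, and the 'Azure Management External' policy from the demo.
"""
import ipaddress

GLOBAL_ADMIN_ROLE_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"
AZURE_MANAGEMENT_APP_ID = "797f4846-ba00-4fd7-ba43-dac1f8f63013"

NAMED_LOCATIONS = {"loc-office-hq": ["203.0.113.0/24"]}  # constructed
USERS = {  # constructed object IDs and role assignments
    "user-brenda": {"roles": [GLOBAL_ADMIN_ROLE_TEMPLATE_ID]},
    "user-david": {"roles": [GLOBAL_ADMIN_ROLE_TEMPLATE_ID]},  # break-glass
    "user-alice": {"roles": []},
}
POLICIES = [{
    "displayName": "Azure Management External",
    "state": "enabledForReportingButNotEnforced",  # report-only, as in the demo
    "conditions": {
        "users": {"includeRoles": [GLOBAL_ADMIN_ROLE_TEMPLATE_ID],
                  "excludeUsers": ["user-david"]},
        "applications": {"includeApplications": [AZURE_MANAGEMENT_APP_ID]},
        "locations": {"includeLocations": ["All"],
                      "excludeLocations": ["loc-office-hq"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}]


def ip_in_location(ip, location_id):
    """True if the source address falls in any range of the named location."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr)
               for cidr in NAMED_LOCATIONS.get(location_id, []))


def location_matches(ip, location_ids):
    """'All' matches every address; otherwise match by named-location ID."""
    return any(lid == "All" or ip_in_location(ip, lid) for lid in location_ids)


def user_in_scope(user_id, users_cond):
    """Exclusions win over inclusions, which is how the break-glass exclusion works."""
    if user_id in users_cond.get("excludeUsers", []):
        return False
    roles = USERS.get(user_id, {}).get("roles", [])
    if any(r in roles for r in users_cond.get("includeRoles", [])):
        return True
    included = users_cond.get("includeUsers", [])
    return "All" in included or user_id in included


def app_in_scope(app_id, apps_cond):
    included = apps_cond.get("includeApplications", [])
    return (("All" in included or app_id in included)
            and app_id not in apps_cond.get("excludeApplications", []))


def evaluate(user_id, app_id, ip, policies=POLICIES):
    """Return {policy name: built-in grant controls} for every policy that
    would apply. Like What If, report-only policies are reported as applying;
    only disabled ones are skipped."""
    applying = {}
    for policy in policies:
        if policy["state"] == "disabled":
            continue
        cond = policy["conditions"]
        if not user_in_scope(user_id, cond["users"]):
            continue
        if not app_in_scope(app_id, cond["applications"]):
            continue
        loc = cond.get("locations") or {"includeLocations": ["All"]}
        if not location_matches(ip, loc.get("includeLocations", [])):
            continue
        if location_matches(ip, loc.get("excludeLocations", [])):
            continue
        applying[policy["displayName"]] = list(policy["grantControls"]["builtInControls"])
    return applying


if __name__ == "__main__":
    # The two What If runs from the demo, then the break-glass account.
    print(evaluate("user-brenda", AZURE_MANAGEMENT_APP_ID, "198.51.100.7"))  # MFA
    print(evaluate("user-brenda", AZURE_MANAGEMENT_APP_ID, "203.0.113.42"))  # nothing
    print(evaluate("user-david", AZURE_MANAGEMENT_APP_ID, "198.51.100.7"))   # nothing
```

The last two cases are the ones worth keeping in a regression check whenever a policy is edited: the office exclusion must still suppress the prompt, and the break-glass account must never come into scope, from any address or app.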
So here is a quick question for you.
You create a new Azure subscription that is associated with a new Azure AD tenant.
You create one active conditional access policy named Portal Policy.
Portal Policy is used to provide access to the Microsoft Azure Management cloud app.
The conditions settings for Portal Policy are configured as shown in the following exhibit.
The grant settings for Portal Policy are configured as shown in the following exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Statement number one: users from the Contoso named location must use multi-factor authentication to access the Azure portal.
If you selected No, you would be correct, because, as you can see here, the Contoso named location is excluded from the policy that requires MFA.
Statement number two:
users from the Contoso named location must use multi-factor authentication to access the web services hosted in the Azure subscription.
If you selected No, you would be correct,
because again, if you look at the policy that's configured, it mentions nothing about
a web application hosted in the Azure subscription. This only applies to the Microsoft Azure Management cloud app.
Statement number three:
users external to the Contoso named location must use multi-factor authentication to access the Azure portal.
If you selected Yes, you would be correct, because in this case any user that is not connecting from the Contoso named location will have this policy applied to them and will be required to use MFA. Here are some supplemental links for further study on the tasks completed in this demo. In summary,
here are the tasks we completed in this demonstration.
We started by designating an account as our emergency break-glass account,
then created a named location that we referenced when we created a conditional access policy.
We then evaluated the result of our policy in the What If tool before enabling it and verifying that it applies successfully.
Thanks very much for watching, and I'll see you in the next lesson.