Time
8 hours 33 minutes
Difficulty
Intermediate
CEU/CPE
9

Video Transcription

00:00
Hello, Cybrarians. Welcome to this demonstration on Azure AD conditional access.
00:06
This is part of the second module of the AZ-500 Microsoft Azure Security Technologies course.
00:13
Quick information on the tasks we'll complete in this demo.
00:16
We'll start by designating an account as an emergency break glass account,
00:21
then create a named location that we'll be referencing when we create a conditional access policy.
00:28
We'll proceed to evaluate the result of our policy using the What If tool, and conclude by enabling our policy and verifying that it applied successfully.
00:37
Let's get into this.
00:39
So in the very first task, we'll be designating an account as an emergency break glass account to ensure that we're able to roll back misconfigurations in the event of accidentally locking out other admins and users in the organization.
00:54
We won't actually be doing anything or creating anything in this task.
00:58
I'm just using this to emphasize the importance of having an emergency break glass account. So in our Azure AD environment, Super Cloud XYZ, we have two global administrators, Brenda and David.
01:12
We will be using David's account as the emergency break glass account. So for the conditional access policies that we'll be configuring, we'll exclude David's account from the policies. So here I am in the Azure portal. If I go to Users,
01:27
you can see the current users that I have. So I have David and I have Brenda. So David will be the one
01:33
that we'll be designating as the emergency break glass account, so it will be excluded, and Brenda's account will be the one that we'll be using for testing our policy. So in the next task, I'll create a named location called Office HQ in Conditional Access. We'll be referencing this named location in our policy later.
01:52
So back in the Azure portal, in Azure Active Directory,
01:56
if I scroll down, I click on Security,
01:59
and if I click on Conditional Access,
02:00
I'll go ahead and click on Named locations
02:04
and I'll click on New location,
02:07
and in the new location, I'll give it a name. I'll call it Office HQ.
02:14
Also, I'll be defining IP ranges,
02:17
and I'll also mark this as a trusted location because it's the headquarters office location,
02:23
and I'll specify the IP address range of the headquarters office.
02:32
Once I've added that information, I'll go ahead and click on Create, and that has created this named location for me,
02:39
and for you in your organization, you can go ahead and add all your office locations and have them under Named locations.
02:46
So in the next task, I'll create a conditional access policy to apply the controls that we want.
02:53
And here's a visual representation of what I'll be doing.
02:58
I'll create a new policy called Azure Management External. The policy will have the following conditions.
03:04
It will apply to any identity that has the Global Administrator role. It will apply if the identities are trying to access Azure management apps, which include the Azure portal, Azure PowerShell and Azure CLI.
03:17
It will exclude situations where the identities are connecting from our trusted Office HQ location. I'll apply a single control to require MFA.
03:28
So back in the Azure portal, on Conditional Access policies, I go ahead and click on New policy
03:35
and I'll specify the name of the new conditional access policy that I'm creating, which is called Azure Management External.
03:42
For the users and groups, I want this to apply to any identity that has the Global Administrator role. So I go ahead and select Directory roles and I look for Global Administrator.
03:53
I want this to exclude my emergency break glass account, which is David in this case, so I'll go right to Exclude
04:00
and I'll select Users and groups, I'll look for David's account, and I'll exclude the account
04:06
so that this policy would not apply.
04:10
Now for the cloud apps or actions, I want this to apply for users that are connecting to Microsoft Azure Management apps.
04:16
So if I go and click on Select apps,
04:19
and under Select, I'll look for Microsoft Azure Management, I'll select that, and I'll click on Select
04:26
and I'll go ahead and click on Done.
04:28
For the conditions, I want this to exclude when users are connecting from the Office HQ network. So under Conditions, I'll select Locations,
04:38
I'll click Configure, and I'll change that to Exclude,
04:41
and for Exclude, I'll leave that as Selected locations, I'll click on Select and I'll exclude the Office HQ network,
04:47
and I'll go ahead and click on Select, so that it includes any location but excludes the Office HQ location.
04:56
So I'll go ahead and click Done on that, and I'll click Done.
05:00
So now I have the assignments and the conditions aspects configured,
05:04
so the next part is the access controls. So what I want to do is I want to grant access but require MFA if the user is connecting from any location outside my office network
05:15
and the user is a global administrator, so I'll leave that selected and I'll go ahead and click on Select.
05:21
Now for Enable policy, I'll leave that set to Report-only. I need to have that set to Report-only so I'm able to use the What If tool to test. So if I go ahead and click on Create,
05:32
that has created my policy.
05:35
So in the next task, we'll be evaluating the result of our policy for a test global administrator named Brenda using the What If tool.
05:44
So back in the Azure portal, on Conditional Access,
05:47
if I go ahead and select the What If tool here,
05:50
I'll select the user that I want to test, which will be Brenda, who is also a global administrator. I'll go ahead and click on Select.
05:59
For the cloud apps or actions, I'll go ahead and select the Microsoft Azure Management
06:04
group of apps, so I'll select that and I'll click on Select
06:09
and Done.
06:11
For the IP address, I'll put in an IP address which is outside my Office HQ location.
06:17
So I'll put in a test IP address here,
06:21
for the country, I'll set that too,
06:25
and I'll click on What If.
06:27
And if I scroll down, that is showing me now that the policy that will apply to Brenda is the Azure Management External policy, and the result will be requiring multi-factor authentication. So that's good,
06:41
because that's applying as I want. So the next thing to do would be to verify what if Brenda was connecting from our Office HQ location.
06:49
So if I go ahead and copy the Office HQ IP address that I entered and paste that,
06:56
and if I click on What If again,
07:00
you can see that in this case no policies apply because I'm excluding that location from that policy. So that looks good to me. So I think that we can roll this out now. So in the next task, we'll enable the conditional access policy that we created and we'll verify that it's working. And to do that,
07:16
I'll first test by accessing the Azure portal from the Office HQ IP address range,
07:23
and when I access it, I'll be redirected to Azure AD, which will validate the password, and it's going to realize that the location I'm connecting from is excluded from that policy. So the account will be granted a token to access the portal without requiring MFA.
07:39
I'll then proceed to access from another location outside the Office HQ network. And when I do that,
07:45
I'm going to be redirected to Azure AD, which will validate the password, and the request will go to conditional access for further processing. Since the policy matches our conditions, we'll be required to complete MFA before we can get a token to access the application. So let's go ahead and do this.
08:01
So the first thing I'll do is I'll go ahead and enable the policy I configured earlier.
08:05
So if I go ahead and click on that, I'll change it from Report-only to On
08:11
and I go ahead and click on Save,
08:13
and now this policy is enabled.
08:16
The next thing that I'll do is I'll go to the Office HQ location, which in this case I'll RDP into a system that's connecting from that location. You can see the IP address there,
08:28
and I'll try to authenticate as Brenda.
08:31
If I click on Next, I'll put in Brenda's password.
08:35
In fact, we can sign in now. Remember, the sign-in was successful and we were not required to complete MFA. The next thing to do is to test this out from another location outside the Office HQ location.
08:46
So I'll put in Brenda's credentials, and I click on Next
08:50
and I put in Brenda's password.
08:54
Unlike the last sign-in,
08:56
now I'm prompted to register for MFA because Brenda has not registered before. So that looks like our policy is working.
09:03
So here is a quick question for you.
09:07
You create a new Azure subscription that is associated to a new Azure AD tenant.
09:11
You create one active conditional access policy named Portal Policy.
09:18
Portal Policy is used to provide access to the Microsoft Azure Management cloud app.
09:24
The conditions settings for Portal Policy are configured as shown in the following exhibit.
09:31
The grant settings for Portal Policy are configured as shown in the following exhibit.
09:39
For each of the following statements, select Yes if the statement is true; otherwise, select No.
09:46
Statement one.
09:48
Users from the Contoso named location must use multi-factor authentication to access the Azure portal.
09:54
If you selected No, you would be correct because, as you can see here, the Contoso named location is excluded from this policy that requires MFA.
10:07
Statement number two.
10:09
Users from the Contoso named location must use multi-factor authentication to access the web services hosted in the Azure subscription.
10:18
If you selected No, you would be correct,
10:20
because again, if you look at the policy that's configured, it mentions nothing about
10:28
a web application hosted in an Azure subscription. This only applies to the Microsoft Azure Management cloud app.
10:37
Statement number three.
10:39
Users external to the Contoso named location must use multi-factor authentication to access the Azure portal.
10:46
If you selected Yes, you would be correct, because in this case, any user that's not connecting from the Contoso named location will have this policy applied to them and they will be required to use MFA. Here are some supplemental links for further studies on the tasks completed in this demo. In summary,
11:05
here are the tasks that we completed in this demonstration.
11:09
We started by designating an account as an emergency break glass account,
11:13
we then created a named location that we referenced when we created a conditional access policy,
11:20
we evaluated the result of our policy using the What If tool before enabling it and verifying that it applied successfully.
11:28
Thanks very much for watching, and I'll see you in the next lesson.

AZ-500: Microsoft Azure Security Technologies

In the AZ-500 Microsoft Azure Security Technologies training, students will learn the skills that are needed to pass the AZ-500 certification exam. All exam topics are covered as well as exam preparation strategies and hands-on practice.

Instructed By

David Okeyode
Cloud Security Architect
Instructor