Time
8 hours 33 minutes
Difficulty
Intermediate
CEU/CPE
9

Video Transcription

00:00
Hello, Cybrarians. Welcome to this lesson on Azure AD Conditional Access. This is part of the AZ-500 Microsoft Azure Security Technologies course. Quick information on what we'll be covering in this lesson: we'll start out by giving an overview of what Conditional Access is, with a look at how it works to protect applications,
00:18
we'll discuss some common use cases,
00:21
we'll cover how policies are applied, and we'll end with some vital information on Conditional Access best practices. Let's get into this.
00:29
Let's define what Conditional Access is. Here's my definition.
00:33
It is an Azure AD feature that protects applications by requiring certain criteria beyond identity authentication to be met before access is granted. We'll see what that means in more detail in a few minutes. For us to use Conditional Access, we need to have a minimum of an Azure AD Premium P1 license,
00:53
either as a standalone
00:54
or as part of a license bundle.
00:57
To understand how Conditional Access works, we need to understand the normal application access process without Conditional Access. So let's review this. If a user accesses an application that uses Azure AD as its identity provider, they will be redirected to Azure AD,
01:14
which validates the first-factor authentication, in this case the user's password.
01:18
If MFA is required, MFA will also be verified. After successful verification, the user is granted an access token for the application. This is the normal application access process without Conditional Access, and it doesn't give us flexibility on how controls are applied for an application.
01:36
Let's see how this process works with Conditional Access. If a user accesses an application that uses Azure AD as its identity provider, they will also be redirected to Azure AD, which validates the first-factor authentication. After successful verification, the request goes to Conditional Access for further processing
01:53
before access is granted.
01:56
This is what I meant by conditions beyond identity verification. So what does Conditional Access do with this? How does it work? Conditional Access is broken down into two pieces: conditions and controls. This is a classic if-this-then-that situation. If this condition is met, grant access or block access
02:15
based on the conditions.
02:16
Let's look at conditions first. Conditions determine when the policy applies. This could be based on identity information like the user's role or group membership. This could be the application that the user wants to access. This could be based on device information like the operating system, or even device state information that's reported
02:36
in Microsoft Intune.
02:38
It could also be location information, like the IP address that the request is coming from. And it could be client application information, like whether it is a browser, a mobile application or a legacy application. And finally, it could be sign-in risk information from Azure AD Identity Protection, which requires a Premium P2 license.
02:58
Controls, on the other hand,
02:59
determine what the result will be if the conditions are met. That could be allowing or blocking access based on the criteria that are met. That could be to require MFA. That could be to limit access using Microsoft's Cloud App Security solution. It could also be to force a password reset.
03:15
Once the Conditional Access policy result is calculated,
03:19
and based on that result, the user can be granted a token that they can use to access the application. Let's review some common use cases for Conditional Access. One of the access controls that we can use is to require MFA, and there are different scenarios that this can be implemented for. For example, requiring MFA for administrators:
03:39
administrators have certain privileges that attackers may find interesting,
03:44
which makes them more of a target, and requiring MFA on those accounts can help to reduce the risk of them being compromised. We can also require MFA for Azure management, to ensure that any access to the Azure portal, Azure PowerShell or Azure CLI requires MFA. We can require MFA for access attempts from untrusted networks,
04:02
while excluding the trusted networks.
04:05
We can require MFA for all users. This is one of the good practices, in a way, as we discussed in the last module. But what you see is that we have a great amount of flexibility in how MFA is applied using Conditional Access. Another common use case is to block legacy authentication. Legacy authentication protocols carry a very high risk
04:25
of attack, which includes having no support for MFA,
04:27
which means that they are susceptible to brute-force or password-guessing attacks. We can block authentication requests in these protocols using Conditional Access. We can also require that users be connecting from trusted locations before they can complete the MFA registration process, to limit the risk of attackers hijacking this process.
04:46
We can block access by location,
04:48
and this is useful to block access to certain applications if users are connecting from untrusted networks. We can require compliant devices: organizations that have deployed Microsoft Intune can use the information returned from the devices to identify whether they meet compliance standards before they are granted access. Let's review very quickly
05:08
how Conditional Access policies apply.
05:10
The first point to make here is that if more than one condition is configured in a policy, all the conditions must be satisfied to trigger that policy. So if we have a policy that has three conditions,
05:20
in order for the policy to apply to a user, all three conditions must be met. So in this case, because Brenda's scenario matches all three conditions, the policy will apply to Brenda and access will be granted.
05:33
However,
05:35
if more than one Conditional Access policy applies to a user, all policies that apply must be satisfied.
05:42
So if we have two Conditional Access policies, one of them allowing access and the other blocking access,
05:47
if a user fits the conditions in both policies, access will be blocked, even if another policy that allows access applies to them. In this case, access will be blocked for Brenda, even though there is another policy that applies to Brenda that allows access. This means that block access trumps all other configuration settings
06:06
in the event of multiple policies applying.
06:10
There are best practices that are recommended to follow when implementing Conditional Access, and failure to follow them could result in locking yourselves out from access to applications. The first don't:
06:21
do not use the block access control for any policy that includes all users or all applications. This configuration blocks access to your entire organization, and it is definitely not a good idea. The second thing to avoid is the use of the require domain-joined device or require compliant device control
06:39
if a policy applies to all users or all applications.
06:42
If you don't yet have a domain-joined or compliant device in the organization, you will not be able to get access with this policy configured. In terms of what to do, the first thing to do is to configure two break-glass emergency accounts before configuring Conditional Access policies.
06:58
What we'll then do is exclude the break-glass accounts from all Conditional Access policies that
07:03
require extra verification or that result in blocked access.
07:09
We also want to exclude service accounts and service principals from any policy that requires MFA, since MFA cannot be completed programmatically.
07:17
We want to avoid policies that apply to all users or all cloud applications, except where it's absolutely necessary. Before rolling out any new Conditional Access policy,
07:29
it's important to evaluate your policy using the What If tool of Conditional Access.
07:34
And finally, the best way to roll out Conditional Access is to roll it out in phases: apply the policy to a small set of users and verify it behaves as expected before rolling it out to the wider organization. Here is a quick question for you.
07:49
Which of the following is not a best practice for implementing Conditional Access?
07:57
Option one:
07:58
excluding break-glass accounts from Conditional Access policies that block access.
08:03
Option two:
08:05
exclude service accounts and service principals from any policy that requires MFA.
08:09
Option three:
08:11
applying policies that apply to all users and all cloud applications.
08:16
Option four:
08:18
evaluate your policies using the What If tool.
08:22
Option five:
08:22
roll out new policies in phases.
08:26
If you selected option three, applying policies
08:30
that apply to all users and all cloud applications, you would be correct.
08:33
That is not a good practice to follow: except where absolutely necessary, and with adequate testing, do not apply policies that apply to all users and all cloud applications.
08:46
Here are some supplemental links for further study on the topics covered in this lesson.
08:50
Here's a summary of what we covered in this lesson.
08:54
We started out by giving an overview of what Conditional Access is.
08:58
We then looked at how it works to protect applications, explaining the two sides of conditions and controls.
09:03
We then discussed some common Conditional Access use cases, which include blocking legacy authentication and requiring MFA for different scenarios.
09:13
We covered how Conditional Access policies are applied,
09:16
and finally we discussed some vital information on Conditional Access best practices.
09:22
Thanks very much for watching, and I'll see you in the next lesson.


AZ-500: Microsoft Azure Security Technologies

In the AZ-500 Microsoft Azure Security Technologies training, students will learn the skills that are needed to pass the AZ-500 certification exam. All exam topics are covered as well as exam preparation strategies and hands-on practice.

Instructed By

David Okeyode
Cloud Security Architect
Instructor