- December 14, 2024 at 4:08 pm
Weekend Wiki (Keymaster)

Here’s a detailed, step-by-step guide on how to create all four of the Conditional Access Policies mentioned earlier in Microsoft Intune and Azure Active Directory.

1. Policy 1: Allow Access Only from Trusted IP Range (No MFA Required)
Steps to Create:
- Sign in to the Azure Portal: Go to the Azure portal.
- Navigate to Azure AD: On the left-hand menu, click on Azure Active Directory.
- Go to Conditional Access:
  - In the Azure AD portal, go to Security > Conditional Access.
  - Under Policies, click + New policy.
- Name the Policy:
  - Name your policy something descriptive, e.g., Allow Access from Trusted Network (No MFA).
- Assignments – Users and Groups:
  - Under Users and groups, select Include and then choose All users or a specific group (e.g., Remote Workers).
- Assignments – Cloud Apps:
  - Under Cloud apps or actions, select Include > All cloud apps (or select specific apps like Office 365 or Exchange Online).
- Conditions – Locations:
  - Under Conditions, click Locations.
  - Enable Configure and select Yes for Locations.
  - In the Include section, choose Any location.
  - Under Exclude, choose Select locations and then select the trusted IP range you previously set up in Named locations.
- Access Controls – Grant:
  - Under Grant, select Grant access and choose No MFA required.
- Enable Policy:
  - Set the policy to On and click Create to save the policy.
Outcome: This policy allows access from a specific trusted IP range without requiring MFA.

2. Policy 2: Require MFA for External Access (All Locations)
Steps to Create:
- Navigate to Conditional Access:
  - Sign in to the Azure portal and go to Azure Active Directory > Security > Conditional Access > + New policy.
- Name the Policy:
  - Name the policy, e.g., Require MFA for External Access.
- Assignments – Users and Groups:
  - Under Users and groups, select All users or a specific user group.
- Assignments – Cloud Apps:
  - Under Cloud apps or actions, select All cloud apps (or specify apps like Office 365).
- Conditions – Locations:
  - Under Conditions, click Locations.
  - Enable Configure and select Yes for Locations.
  - In the Exclude section, choose Trusted locations (i.e., the internal network IP range).
  - In Include, select Any location to apply the policy to external locations.
- Access Controls – Grant:
  - Under Grant, select Require MFA.
- Enable Policy:
  - Set the policy to On and click Create.
Outcome: This policy requires MFA for any access from external networks (not internal trusted locations).

3. Policy 3: Block Access for Jailbroken/Rooted Devices (All Locations)
Steps to Create:
- Navigate to Conditional Access:
  - Sign in to the Azure portal and go to Azure Active Directory > Security > Conditional Access > + New policy.
- Name the Policy:
  - Name the policy, e.g., Block Jailbroken/Rooted Devices.
- Assignments – Users and Groups:
  - Under Users and groups, select All users or a specific user group.
- Assignments – Cloud Apps:
  - Under Cloud apps or actions, select All cloud apps or specific critical apps (e.g., Exchange Online, SharePoint Online).
- Conditions – Device State:
  - Under Conditions, select Device state.
  - Enable Configure and then select Yes to include devices marked as Jailbroken/Rooted.
- Access Controls – Grant:
  - Under Grant, select Block access to prevent access from jailbroken or rooted devices.
- Enable Policy:
  - Set the policy to On and click Create.
Outcome: This policy blocks access to resources from jailbroken or rooted devices to enhance security.

4. Policy 4: Require Device Compliance for Access (All Locations)
Steps to Create:
- Navigate to Conditional Access:
  - Sign in to the Azure portal and go to Azure Active Directory > Security > Conditional Access > + New policy.
- Name the Policy:
  - Name the policy, e.g., Require Device Compliance for Access.
- Assignments – Users and Groups:
  - Under Users and groups, select All users or a specific user group.
- Assignments – Cloud Apps:
  - Under Cloud apps or actions, select All cloud apps or a specific app like Office 365, OneDrive, or SharePoint.
- Conditions – Device State:
  - Under Conditions, select Device state.
  - Enable Configure and select Compliant devices. This ensures that only devices marked as compliant in Intune will have access.
- Access Controls – Grant:
  - Under Grant, select Grant access and Require device to be marked as compliant.
- Enable Policy:
  - Set the policy to On and click Create.
Outcome: This policy enforces that only compliant devices, as defined by Intune, can access corporate resources.

Summary of Steps for All Policies:
- Navigate to Conditional Access: Azure Active Directory > Security > Conditional Access.
- Create a New Policy: Click + New policy for each policy.
- Configure Assignments: Set users/groups and cloud apps targeted by the policy.
- Define Conditions: Configure location, device, and other conditions.
- Set Access Controls: Define the actions (e.g., require MFA, block access, or allow based on compliance).
- Enable Policy: Set the policy status to On and save.
By following these steps, you will have four policies to control access based on network locations, device compliance, and device state (rooted/jailbroken). These policies will help ensure that only authorized and secure devices and networks can access your organization’s resources.
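The portal clicks above can also be expressed as Microsoft Graph conditionalAccessPolicy objects, which is how most teams keep these policies reviewable and reproducible. The following is an added example and not part of the original post: it builds Policy 2 (MFA outside trusted locations) and Policy 4 (require a compliant device) with the Microsoft.Graph PowerShell SDK. It assumes that module is installed, that the signed-in account has Policy.ReadWrite.ConditionalAccess consent, and that your trusted IP range is already a named location marked as trusted (the "AllTrusted" value excludes every such location, which is what Policy 1 achieves in the portal). The emergency-access group ID is a placeholder. The jailbroken/rooted check in Policy 3 is evaluated by the Intune compliance policy and enforced by the same compliantDevice control used for Policy 4, so it is not a separate object here.

```powershell
# Added example (not the original poster's code): create two Conditional Access
# policies through Microsoft Graph. Both start in report-only state so sign-in
# logs can be reviewed before enforcement is switched on.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object ID of your emergency-access (break-glass) group.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

$mfaPolicy = @{
    displayName   = "Require MFA for External Access"
    state         = "enabledForReportingButNotEnforced"   # change to "enabled" after review
    conditions    = @{
        users        = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)         # never lock out the break-glass group
        }
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @("All")                   # "Any location" in the portal
            excludeLocations = @("AllTrusted")            # all named locations marked as trusted
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$compliancePolicy = @{
    displayName   = "Require Device Compliance for Access"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")            # device must be marked compliant by Intune
    }
}

# Idempotent create: skip any policy whose display name already exists.
$existingPolicies = Get-MgIdentityConditionalAccessPolicy -All

foreach ($p in @($mfaPolicy, $compliancePolicy)) {
    $match = $existingPolicies | Where-Object { $_.DisplayName -eq $p.displayName }
    if ($match) {
        Write-Host "Already exists: $($p.displayName) ($($match.Id))"
        continue
    }
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    Write-Host "Created '$($created.DisplayName)' in state '$($created.State)' with id $($created.Id)"
}
```

Run it once, then inspect the sign-in logs for the "Report-only" result on each policy before setting `state` to `enabled`; keeping the emergency-access group excluded from both policies is what prevents a misconfigured location or compliance rule from locking every administrator out.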