Detailed, step-by-step guide on how to create all four of the Conditional Access Policies MS Intune and Azure AD

  • This topic is empty.
  • Post
    • December 14, 2024 at 4:08 pm
    Weekend Wiki
    Keymaster
    Here’s a detailed, step-by-step guide on how to create all four of the Conditional Access Policies mentioned earlier in Microsoft Intune and Azure Active Directory.

    1. Policy 1: Allow Access Only from Trusted IP Range (No MFA Required)

    Steps to Create:

    1. Sign in to the Azure Portal: Go to the Azure portal.
    2. Navigate to Azure AD: On the left-hand menu, click on Azure Active Directory.
    3. Go to Conditional Access:
      • In the Azure AD portal, go to Security > Conditional Access.
      • Under Policies, click + New policy.
    4. Name the Policy:
      • Name your policy something descriptive, e.g., Allow Access from Trusted Network (No MFA).
    5. Assignments – Users and Groups:
      • Under Users and groups, select Include and then choose All users or a specific group (e.g., Remote Workers).
    6. Assignments – Cloud Apps:
      • Under Cloud apps or actions, select Include > All cloud apps (or select specific apps like Office 365 or Exchange Online).
    7. Conditions – Locations:
      • Under Conditions, click Locations.
      • Enable Configure and select Yes for Locations.
      • In the Include section, choose Any location.
      • Under Exclude, choose Select locations and then select the trusted IP range you previously set up in Named locations.
    8. Access Controls – Grant:
      • Under Grant, select Grant access and choose No MFA required.
    9. Enable Policy:
      • Set the policy to On and click Create to save the policy.

    Outcome: This policy allows access from a specific trusted IP range without requiring MFA.

    2. Policy 2: Require MFA for External Access (All Locations)

    Steps to Create:

    1. Navigate to Conditional Access:
      • Sign in to the Azure portal and go to Azure Active Directory > Security > Conditional Access > + New policy.
    2. Name the Policy:
      • Name the policy, e.g., Require MFA for External Access.
    3. Assignments – Users and Groups:
      • Under Users and groups, select All users or a specific user group.
    4. Assignments – Cloud Apps:
      • Under Cloud apps or actions, select All cloud apps (or specify apps like Office 365).
    5. Conditions – Locations:
      • Under Conditions, click Locations.
      • Enable Configure and select Yes for Locations.
      • In the Exclude section, choose Trusted locations (i.e., the internal network IP range).
      • In Include, select Any location to apply the policy to external locations.
    6. Access Controls – Grant:
      • Under Grant, select Require MFA.
    7. Enable Policy:
      • Set the policy to On and click Create.

    Outcome: This policy requires MFA for any access from external networks (not internal trusted locations).

    3. Policy 3: Block Access for Jailbroken/Rooted Devices (All Locations)

    Steps to Create:

    1. Navigate to Conditional Access:
      • Sign in to the Azure portal and go to Azure Active Directory > Security > Conditional Access > + New policy.
    2. Name the Policy:
      • Name the policy, e.g., Block Jailbroken/Rooted Devices.
    3. Assignments – Users and Groups:
      • Under Users and groups, select All users or a specific user group.
    4. Assignments – Cloud Apps:
      • Under Cloud apps or actions, select All cloud apps or specific critical apps (e.g., Exchange Online, SharePoint Online).
    5. Conditions – Device State:
      • Under Conditions, select Device state.
      • Enable Configure and then select Yes to include devices marked as Jailbroken/Rooted.
    6. Access Controls – Grant:
      • Under Grant, select Block access to prevent access from jailbroken or rooted devices.
    7. Enable Policy:
      • Set the policy to On and click Create.

    Outcome: This policy blocks access to resources from jailbroken or rooted devices to enhance security.

    4. Policy 4: Require Device Compliance for Access (All Locations)

    Steps to Create:

    1. Navigate to Conditional Access:
      • Sign in to the Azure portal and go to Azure Active Directory > Security > Conditional Access > + New policy.
    2. Name the Policy:
      • Name the policy, e.g., Require Device Compliance for Access.
    3. Assignments – Users and Groups:
      • Under Users and groups, select All users or a specific user group.
    4. Assignments – Cloud Apps:
      • Under Cloud apps or actions, select All cloud apps or a specific app like Office 365, OneDrive, or SharePoint.
    5. Conditions – Device State:
      • Under Conditions, select Device state.
      • Enable Configure and select Compliant devices. This ensures that only devices marked as compliant in Intune will have access.
    6. Access Controls – Grant:
      • Under Grant, select Grant access and Require device to be marked as compliant.
    7. Enable Policy:
      • Set the policy to On and click Create.

    Outcome: This policy enforces that only compliant devices, as defined by Intune, can access corporate resources.

    Summary of Steps for All Policies:

    1. Navigate to Conditional Access: Azure Active Directory > Security > Conditional Access.
    2. Create a New Policy: Click + New policy for each policy.
    3. Configure Assignments: Set users/groups and cloud apps targeted by the policy.
    4. Define Conditions: Configure location, device, and other conditions.
    5. Set Access Controls: Define the actions (e.g., require MFA, block access, or allow based on compliance).
    6. Enable Policy: Set the policy status to On and save.

    By following these steps, you will have four policies to control access based on network locations, device compliance, and device state (rooted/jailbroken). These policies will help ensure that only authorized and secure devices and networks can access your organization’s resources.

  • You must be logged in to reply to this topic.
en_USEnglish
arArabic en_USEnglish