Using the location condition in a Conditional Access Policy

Microsoft have released a new feature in Conditional Access where named locations can be defined by country GPS coordinates. The Microsoft Article can be referenced HERE

Conceptual Conditional signal plus decision to get enforcement

This is a great improvement in protecting against bad actors. A lot of my customers’ often ask me to create a conditional access policy to block access for all countries except Europe, Ireland and the UK. Bad actors could simply use a vpn and then specify what country they are connecting from which can then by-pass the conditional access blocking bad actors based on country IP, where they cannot by pass GPS coordinates

Conditional Access and Azure Active Directory License Management

Azure AD group based license assignment was made generally available in Feb 2018. It really is a superb way of managing and assigning licenses for services like Office365.

Quite often on projects that I deliver ,  I will work with my customer to build a profile which could be for example standard user, power user , exec user and these groups can assign some or all of the M365 suite of services.

So this means we would have 3 security groups to match each user profile and each organisation can modify their new starter process to add new users into their relevant security group or use Identity Management tools like Microsoft Identity Manager 2016 SP1 to manage the user life cycle.

One of the quickest and most powerful conditional access policy is as follows

  • Assignment : All users , except license groups and break glass admin account
  • Cloud Apps :  All Apps
  • Conditions : Default , NO CHANGE
  • Access Controls \ Grant : BLOCK

So the assignment to all users is the key , If a new user is not setup properly and follows the new user creation process then they cannot access the organisation’s cloud apps that are integrated with Azure AD.

This is a policy to block all unlicensed users.

All licensed users would expect to have the following items configured as a minimum requirement.

  • MFA
  • SSPR
  • Combined SSPR & MFA registration
  • Azure Password Protection Service
  • Microsoft Advanced Threat Protection integration with CASB
  • Azure AD P2 license , Identity Protection policies enabled
  • Azure AD Hybrid joined machines
  • Intune managed bitlocker encrypted devices
  • Intune managed devices with security baselines