Microsoft has released a new feature in Conditional Access where named locations can be defined by country using GPS coordinates. The Microsoft article can be referenced here.
This is a great improvement in protecting against bad actors. A lot of my customers often ask me to create a Conditional Access policy to block access for all countries except Europe, Ireland and the UK. Bad actors could simply use a VPN and choose the country they appear to be connecting from, which bypasses a Conditional Access policy that blocks by country IP address; they cannot bypass a location determined by GPS coordinates in the same way.
Azure AD group based license assignment was made generally available in Feb 2018. It really is a superb way of managing and assigning licenses for services like Office365.
Quite often on projects that I deliver, I will work with my customer to build a set of profiles, for example standard user, power user and exec user, and the groups for these profiles assign some or all of the M365 suite of services.
So this means we would have 3 security groups, one to match each user profile, and each organisation can modify their new starter process to add new users into their relevant security group, or use identity management tools like Microsoft Identity Manager 2016 SP1 to manage the user life cycle.
One of the quickest and most powerful Conditional Access policies is as follows:
Assignment: All users, except the license groups and the break glass admin account
Cloud Apps: All apps
Conditions: Default, NO CHANGE
Access Controls \ Grant: BLOCK
So the assignment to all users is the key: if a new user is not set up properly through the new user creation process (and so is not in a license group), they cannot access any of the organisation's cloud apps that are integrated with Azure AD.
This is a policy to block all unlicensed users.
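The same policy expressed as a Microsoft Graph PowerShell call, as an added example that is not from the article. It assumes the Microsoft.Graph.Identity.SignIns module and the group names shown (replace them with your own); the policy is created in report-only mode first so the sign-in logs show who would be blocked before it is enforced.

```powershell
# Added example (not from the article): create the "block all users except the
# license groups and the break-glass account" policy via the Microsoft Graph
# PowerShell SDK. Group display names below are assumptions; replace them.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Group.Read.All"

# Resolve the license/profile groups and the break-glass group to object IDs.
# Refuse to continue if any is missing: a policy that targets All users with
# an incomplete exclusion list can lock out admins or every licensed user.
$excludeGroupNames = @("LIC-Standard-User", "LIC-Power-User", "LIC-Exec-User", "BreakGlass-Admins")
$excludeGroupIds = @(foreach ($name in $excludeGroupNames) {
    $g = Get-MgGroup -Filter "displayName eq '$name'"
    if (-not $g) { throw "Group '$name' not found; not creating the policy without all exclusions." }
    $g.Id
})

$policy = @{
    displayName   = "Block unlicensed users"
    # Report-only: evaluated and logged, but nothing is blocked yet.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{
            includeUsers  = @("All")           # Assignment: All users ...
            excludeGroups = $excludeGroupIds   # ... except license groups and break glass
        }
        applications = @{ includeApplications = @("All") }   # Cloud apps: All apps
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }   # Grant: Block
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Once the report-only results in the sign-in logs show only unlicensed accounts being caught, change `state` to `enabled` (via Update-MgIdentityConditionalAccessPolicy) to enforce it.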
All licensed users would be expected to have the following items configured as a minimum requirement:
Combined SSPR & MFA registration
Azure Password Protection Service
Microsoft Advanced Threat Protection integration with CASB
Azure AD P2 license , Identity Protection policies enabled