#conditionalaccess
Lukas Beran<p>One of the most popular posts on my blog is an article about recommended conditional access policies in Microsoft Entra ID <a href="https://www.cswrld.com/2024/02/recommended-conditional-access-policies-in-microsoft-entra-id/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">cswrld.com/2024/02/recommended</span><span class="invisible">-conditional-access-policies-in-microsoft-entra-id/</span></a></p><p>In this article, I describe the most important conditional access policies that every organization should have implemented.</p><p>I have received a lot of positive feedback on the article, for which I am very grateful! However, people also wrote that they would like more details about the configuration of each policy if possible, and that they would like more details about the configuration of other conditional access policies as well.</p><p>So I made a very detailed video of over an hour, describing in detail a total of 28 conditional access policies that I recommend to consider deploying in all organizations, regardless of their size.</p><p>Cloud identity security is absolutely critical, and unfortunately I regularly see security gaps in conditional access policies.</p><p>📺Watch the recording on my Patreon <a href="https://www.patreon.com/posts/recommended-in-105019232?utm_medium=clipboard_copy&amp;utm_source=copyLink&amp;utm_campaign=postshare_creator&amp;utm_content=join_link" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">patreon.com/posts/recommended-</span><span class="invisible">in-105019232?utm_medium=clipboard_copy&amp;utm_source=copyLink&amp;utm_campaign=postshare_creator&amp;utm_content=join_link</span></a></p><p>The recording is also available in the Czech language on<br>Forendors <a href="https://www.forendors.cz/p/d4210cfb79de8b0c2cdfcfd4c3a7b5b2" rel="nofollow noopener" translate="no" 
target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">forendors.cz/p/d4210cfb79de8b0</span><span class="invisible">c2cdfcfd4c3a7b5b2</span></a><br>Herohero <a href="https://herohero.co/cswrld/post/bceroxowdykkdsviexrujbiknuqywrxa" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">herohero.co/cswrld/post/bcerox</span><span class="invisible">owdykkdsviexrujbiknuqywrxa</span></a></p><p>👍Share, like, comment!</p><p><a href="https://infosec.exchange/tags/conditionalaccess" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>conditionalaccess</span></a> <a href="https://infosec.exchange/tags/entraid" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>entraid</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/recommendations" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>recommendations</span></a> <a href="https://infosec.exchange/tags/tips" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>tips</span></a></p>
Thomas Naunheim :verified:<p>Integration of Authentication Context in <a href="https://infosec.exchange/tags/AzureAD" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AzureAD</span></a> PIM is a great addition for implementing <a href="https://infosec.exchange/tags/ConditionalAccess" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ConditionalAccess</span></a>. It allows triggering a policy when an eligible <a href="https://infosec.exchange/tags/AzureAD" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AzureAD</span></a>, <a href="https://infosec.exchange/tags/Azure" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Azure</span></a> or Group membership is requested. I like to share some of my notes from the field...</p><p>ℹ️ Auth. Context will not enforce re-authentication. There is no step-up if you have already satisfied conditions/controls by token claim (e.g. a previous passwordless sign-in will not re-prompt for PIN or Biometric). It would be great to combine the feature with SIF Everytime.</p><p>💡 I experimented with the following step-up: FIDO2/WHfB is already enforced in CA policy (Auth. Strength). Auth. Context is requesting GPS-based Location from Auth. App to verify access from allowed countries. 
The user will be prompted for Number Match + GPS during role activation.</p><p>⚠️ Owners and User Access Administrators can change or remove the assignment to Authentication Context from PIM role settings:<br><a href="https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-configure-role-settings" rel="nofollow noopener" target="_blank"><span class="invisible">https://</span><span class="ellipsis">learn.microsoft.com/en-us/azur</span><span class="invisible">e/active-directory/privileged-identity-management/pim-resource-roles-configure-role-settings</span></a></p><p>But also Classic Administrators (e.g., from EA Portal) are able to modify PIM role settings. Keep this in mind!</p>
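An added example (not from the post above or from Microsoft's documentation) of the setup the post describes, built with the Microsoft Graph PowerShell SDK: a country named location resolved from Authenticator app GPS, an authentication context `c1` that the PIM role settings can then require, and a report-only policy that blocks `c1` requests unless they come from the allowed countries. The country codes, group object id and display names are placeholders, and the existing authentication-strength policy (FIDO2/WHfB) the post mentions is assumed to already be in place.

```powershell
# Added example: Conditional Access built around a PIM authentication context.
# Assumes the Microsoft.Graph SDK is installed and that a separate, existing
# policy already requires phishing-resistant auth strength for these users.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# 1. Named location evaluated from the Authenticator app's GPS, not client IP.
#    The country list is a placeholder; use the organisation's allowed set.
$allowedCountries = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Allowed countries (Authenticator GPS)"
    countriesAndRegions               = @("CZ", "DE")   # placeholder values
    includeUnknownCountriesAndRegions = $false
    countryLookupMethod               = "authenticatorAppGps"
}

# 2. Publish authentication context c1. PIM role settings reference this id
#    under "Require Microsoft Entra Conditional Access authentication context".
Invoke-MgGraphRequest -Method PATCH `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/authenticationContextClassReferences/c1" `
    -Body @{
        displayName = "Privileged role activation"
        description = "Requested by PIM when an eligible role is activated"
        isAvailable = $true
    }

# 3. Policy: any request carrying c1 is blocked unless the GPS location
#    resolves to an allowed country. Report-only first, so sign-in logs can
#    be reviewed before enforcement. Break-glass group id is a placeholder.
$policy = @{
    displayName   = "CA - PIM activation (c1) only from allowed countries"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{
            includeUsers  = @("All")
            excludeGroups = @("<break-glass-group-object-id>")
        }
        applications = @{
            includeAuthenticationContextClassReferences = @("c1")
        }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($allowedCountries.Id)
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

As the post notes, this does not force re-authentication on its own: a user whose token already satisfies the controls is only prompted for the GPS check, and anyone who can edit the PIM role settings can detach `c1` from the role, so the binding itself should be monitored.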