From the course: Microsoft 365: Implement Modern Device Services

Create conditional access policies


- [Instructor] I'm in the Microsoft 365 admin center, and in order to create a conditional access policy, we need to go directly into either Azure Active Directory or into the Intune portal itself. Now we can access this without actually having to go to the Azure portal. We can scroll to the bottom section here underneath Admin centers and click Device Management. Device Management will then launch in a separate tab in your browser. And from here, we're able to click and go through each of the options as we need to. I'm going to click into Devices. It will list the devices that are registered to Intune. Now if we scroll further down to the Policy section, you can see that we have Compliance policies and Conditional access policies and Configuration profiles. We're going to focus on Conditional access. If I click into this, as a side note, this is exactly the same way that it looks inside the Azure portal. If you go into the Azure Active Directory and click Conditional Access Policies, you are sent to the exact same page. So be aware that if you add a change here, it's reflected in the Azure Active Directory portal. If you add it there, it's reflected into this one here. The pages are the same. Now to begin with, there are four base policies that you can see here. These are not enabled by default, but they should be. Microsoft provide them out of the box. They are very simple. Most of them just force multi-factor authentication for administration accounts, or there's some end user protection. Now, we're not going to focus on those. We're going to create a new policy. So I will click New policy. Now when we're creating these types of policies, the best practice here is to name the policy something that makes sense to us. Now we can name them using just simple text values, or we can call it a specific ID reference or something else. For the purpose of this, I'm just going to call this one a Location Blocking Policy. 
The reason I'm going to call it that is because we're going to utilize location protections. Now the first thing about a conditional access policy is we have to determine who to assign this conditional policy to. If I click here on Users and groups, you'll see that we have an Include option and an Exclude option. The best practice rule here for you potentially as the administrator is to make sure that you have a security group that you can exclude from this type of policy. The reason for this is so that you don't lock yourselves out or restrict yourself access to the tenant. So I'm going to click Include. I'm just going to make sure that we specify individual users. I'm going to choose Select users and groups, and then I will also select Users and groups here. Now notice what happens. A Select option is available. And then from the right-hand side, we get the picker where we can find those individual users within the tenant that we wish to assign this to as well as security groups. I'm simply going to click Adele and choose Select. And you'll see that populates the bottom section for us. And then I'll click Done. That means that this policy will only apply to Adele. The next option here is to choose the application or action. If I click here, you'll see, once again, we get Include and Exclude, but more importantly, we get a policy application node at the top where we can click Cloud apps or we can click User actions. Now we're not going to use the User actions. This is all in Preview at the moment. We're going to focus on a cloud application. And once again, I'm not going to choose All cloud apps. I'm just going to choose Select apps and, again, we get a picker on the right-hand side where we can choose the applications we're trying to protect. 
Now, from the search bar, I'm going to type Exchange, and the reason I'm going to choose Exchange is because one of the most common policies that we should put in place and normally the first thing that organizations migrate to is Office 365 Exchange Online. We'll select Exchange Online and just choose Select. Now what this means, you'll notice there's a little note here for you. So Microsoft are good for this. They put notes everywhere. When I select Office 365, it also tells me it will affect OneDrive and Teams. Just be aware when you select SharePoint, it will also say OneDrive and Teams, and Exchange will do the same. I'm going to click Done. Now we have Adele as the user with one application, which is Exchange. I'm then going to move to my Conditions. Now we have a series of conditions that we can apply here. The first is the Sign-in risk. And the Sign-in risk, in all fairness, is an arbitrary value that we can associate to this. Now, under the covers, Microsoft do some behavioral analytics, and they validate the authenticity of the sign-in. If I click Yes and say Medium, what this means is that as long as it's anything below the medium risk, then we're going to allow or deny depending on what the grant access controls are going to do. I'm going to say Medium and Select. I'm then going to choose a Device platform. Now we don't have to configure this, but, of course, one of the rules when you're building a device management solution is supporting the devices that you wish to utilize in the organization. And most organizations tend to have a common set based on an operating system. And we'll choose Select device platforms here, and I'll choose iOS and Android as my options. Now, of course, there is support for macOS, Windows, and Windows Phone. I'm going to select Done. Now this is where we get to add what we really wanted to, which is the Locations. I'm going to choose Yes to Configure. This is not configured by default. 
I'll click Yes, and then we have Any location, which means wherever Adele logs in from, it's going to do something. I can choose All trusted locations. Now this means that I have created a list of trusted locations. This could be internal subnet IP addresses, or they could be Internet office locations. It could be the Internet cafe down the street. If I click Selected locations and go to the Select option, you can see that out of the box the default one is MFA Trusted IPs. What that means is that anything that's been tagged for multi-factor authentication is then trusted as an IP address coming in because that's the secondary authentication. So I'm going to choose MFA Trusted IPs, click Select, choose Done. So far we have a medium risk, iOS and Android, and as long as it's a multi-factor IP, then we're okay. Now the last two options are in Preview, but it's important to understand what these are. This allows us to perform client application inspection. What this means is that I can say when Adele logs in and she tries to get to Exchange, if, for example, I'll just uncheck this option, if she comes in with the browser, then maybe I'll allow her access. But I could also change that and say, if she comes in with a mobile application that supports modern authentication, then we could allow her in also. I'm not going to set this, though. I'm just going to click No and just get rid of that. The other one in Preview is Device state. Now, this one is a new one that's in Preview, where you can configure and depending on the state of the device coming in, we can then deny or grant access. We'll stick to, notice it's come up and said, unsaved edits, and I click OK and click Done. That gives me my conditions. Now the next piece here is to actually define an access control. And you can see from here we have two. One is Block, one is Grant. Very simple, but grant access is broken down into a subset of actions that are required. 
The first one here is Require multi-factor authentication. That's self-explanatory. It will force a multi-factor authentication prompt at the point that Adele tries to log in. The next two are related to when devices are either registered into Intune or connected to Azure AD. We can require that the device has a compliant status. When we enroll a device, and once it's been connected to Intune, the process will execute and then determine the compliance status. And that's based on authentication, is the device jail-broken, and other components in that device. The Hybrid Azure AD joined is really for Windows devices, and then, of course, we do have two other options here about required approved client applications and then app protections, which we're not going to utilize. I'm simply going to say Require multi-factor authentication. This'll be Adele accessing Exchange from a location that's a multi-factor IP range, and I'm going to grant access. But to make sure she comes in from a location that's okay, I'm going to force a multi-factor authentication. Now if we did decide to use multiple controls, we can then utilize the option at the bottom where we can say all of these need to be met or just one of those. Rarely do we need to use this for an iOS or Android device, but for a Windows device, we would definitely want to utilize multiple. I'm going to click Select. In the Session control option, we can enable extra controls for enforcement within the applications themselves. Now what this means is instead of us protecting at the device and saying whenever Adele comes in with the Exchange Online connection, we can actually say well if she happens to have this application installed, then that's where the app enforcement should be. We're not going to utilize that for this, so I'm going to close that. And then our final option is to enable the policy, and I'll click Create. 
The validation is successful, and we now have a conditional access policy, which will block access to Adele until she's performed a multi-factor authentication.
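The following is an added illustration, not part of the course transcript or of Microsoft's implementation: a constructed model of how the policy built in this lesson is scoped and evaluated. It encodes the lesson's assignments (Adele, Exchange Online, medium sign-in risk, iOS and Android, MFA Trusted IPs, grant with MFA) and assumes that the exclusion list always wins over the inclusion list, that a condition matches when the sign-in's value is one of the selected values, and a constructed break-glass group name.

```python
# Toy conditional access evaluator (constructed model, not Microsoft's code).
# A policy applies only when every assignment and condition matches, and an
# excluded group always wins over an included user (the break-glass valve).
from dataclasses import dataclass


@dataclass
class SignIn:
    user: str
    groups: set          # security groups the user belongs to
    app: str             # cloud app being accessed
    risk: str            # "none", "low", "medium" or "high"
    platform: str        # "iOS", "Android", "Windows", ...
    location: str        # named-location tag, e.g. "MFA Trusted IPs"


@dataclass
class Policy:
    name: str
    include_users: set
    exclude_groups: set
    apps: set
    risk_levels: set     # selected sign-in risk levels
    platforms: set
    locations: set
    grant: str           # "mfa" or "block"
    enabled: bool = True


def applies(policy: Policy, s: SignIn) -> bool:
    """True when the sign-in is in scope of every assignment and condition."""
    if not policy.enabled:
        return False
    if s.groups & policy.exclude_groups:      # exclusion takes precedence
        return False
    if s.user not in policy.include_users:
        return False
    return (s.app in policy.apps and s.risk in policy.risk_levels
            and s.platform in policy.platforms and s.location in policy.locations)


def evaluate(policy: Policy, s: SignIn) -> str:
    """'allow' when the policy is out of scope, else its grant control."""
    return policy.grant if applies(policy, s) else "allow"


# The lesson's policy; "CA-BreakGlass-Exclude" is a constructed group name.
LOCATION_BLOCKING = Policy(
    name="Location Blocking Policy",
    include_users={"Adele"}, exclude_groups={"CA-BreakGlass-Exclude"},
    apps={"Exchange Online"}, risk_levels={"medium"},
    platforms={"iOS", "Android"}, locations={"MFA Trusted IPs"},
    grant="mfa",
)
```

Running `evaluate(LOCATION_BLOCKING, SignIn("Adele", set(), "Exchange Online", "medium", "iOS", "MFA Trusted IPs"))` returns `"mfa"`, while the same sign-in from a member of the excluded group, from Windows, or to a different app falls outside the policy and returns `"allow"`.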