Close Menu
Blog
  Back
Posted by on 8th August 2017

Conditional Access: Transcript

Moving on to Conditional Access. This is the ability to set policies at a tenant level to review every authentication attempt that comes into your tenant and to see if it meets the criteria of that policy. It will make more sense for me to go through. I’ve split them out into policies we think can be done a lot quicker and increase your security massively without impacting users too much and then at the bottom we’ve got a few that might require a bit more planning to roll out.

Starting off, we’re going to start with something we’ve touched on before. Rather than relying on your administrators to manually enable MFA you can configure an additional aces policy that will make sure that anytime an admin authenticates or logs in to an account with any administrative role it would basically ask them to provide a second form of authentication. The beauty of conditional access is that it’s not manually enabled at a user level, it’s a tenant level so it will always apply. We would then recommend configuring that policy as outlined in the document we will send you as this will show you how to make these policies actually work in the portal. Every setting a policy needs to be set up is in the document we will send you so if you want to do any work yourself by all means use that document to do that. You can actually configure exceptions to make sure you don’t get logged out of your tenant. The policy will also allow you to configure exceptions, for this particular one to make sure you don’t get locked out your own tenant, we recommend creating some policies in your break glass accounts. We need to make sure break glass accounts have extremely complex passwords in place. 

Second one, very similar so will touch on that quickly, it would force any connections to the Azure Management Console either through the web portal, powershell or through the command line or graph interface to also use MFA.

Third is to block legacy authentication so legacy authentication is allowed in the tenants and blocking that will hugely improve your security posture straight away. The Microsoft research on this shows that around 97% of breaches that happen are through the legacy authentication protocols. Also, tenants that have a block legacy authentication are 67% less likely to be breached. That’s huge numbers with a fairly small change.

If you do have a requirement for legacy authentication, again use exceptions so block legacy authentication for everything and then go through and allow the accounts you’d still need it to work for or even IP addresses if it’s a server. Again, in the document it will tell you how to do this in more detail. 

Requiring MFA for guests and external users is really important. You have less control over guest users in terms of training them and you don’t know who’s passing credentials around outside of your organisation so ensuring MFA's for all guests and external users is a really handy policy to implement. Also, putting some terms of service in place so the first time a guest accesses your tenant they have to agree to your terms of use which is always useful in the event of a data breach.

So, that’s the sort of ones that we feel there is  reasonable impact for. In terms of things that would need a little more planning, we’ve got a few more policies but they are still mandatory policies that we have in place for all of our customers.

What those are, the first one is approved apps on mobile devices. So, that’s basically apps that we have control over, so apps that are protected by application control policy which we’ll come to later on a mobile device which basically means that we can set some restrictions on those apps so we can say people can’t copy data from OneDrive on their phone to their Gmail or Google Drive, that sort of stuff. We can wipe those apps on those mobile devices as well so if people are using an app that we have the control over it won’t let them use the application basically. 

The other policy we think you should put in place is MFA, so you can request MFA or block any non-compliant devices. We’ll touch on compliance a little bit later but what it basically means is you can set up compliance policies as an Endpoint Manager to assess your devices against your security baseline criteria which might mean the device has to be used in a certain patch level of windows, it might have to be bitlocker that sort of thing. If it meets those criteria and it's deemed compliant it will be allowed into your tenant without any MFA. If the device is not compliant because it doesn’t meet the criteria you set out we have two options. We can tell the policy to force the user to be MFA’d to make sure it really is them and not some brute force attack but some organisations opt for if it’s not one of our devices or a compliant device then we don’t want it in our tenant at all. It just depends on some of the information security policies of the particular organisation but one of those is definitely a good idea to put in place. 

Require an exchange active sync police for mobile devices, it’s a secure protocol that makes sure that the exchange is using active sync and not some sort of third party apps to interface with the exchange. 

The last one might be something that people aren’t fully aware of. There’s this security registration process which is effective if you;re using self-service password reset or multi-factor authentication, when a user first sets up those services they need to register other methods of authentication such as email or mobile number. They need to enrol into those services initially to provide that information. If you think about if you've set up a new user and they haven't logged in yet, somebody else or a brute force could technically enrol that user if they are in that account first so what you can do is secure that process and say that any sort of enrolment for MFA or self service password reset can only happen from a particular location in terms of IP address or you can provide the user a temporary password or code to do the enrolment first and only they would have that code. So that conditional access policy enforces that basically. 

We’re just going to quickly show you the document now. You can see it's got a section on Conditional Access policies and it's got all of the recommended details to implement these policies so you can use the document to implement them if you wish to. So, this is a section of the document we’re going to send over to you, it's quite a big document but if you go here it's got the Conditional Access section and you can see here this document details exactly the policies we’ve been discussing there. All of the details here such as the assignments and access control are the exact options you'll see in the portal and you can use the document as a reference to get these policies up and running. 

 
Recent Posts

Some of our happy clients...

Mark Arundale
Managing Director- Sine Consulting

We moved to Circle Cloud just over a year ago because our IT was costing us productivity. There was a lot of downtime and unpredictability, which made running our business harder than it needed to be. Circle Cloud have made things so much more straightforward. Their IT Management Plans are perfect for our needs as a small business. The service is so clear and well designed, we have regular reviews and now have a more proactive and professional provider

Beverly Goodall
Managing Director- Abacus Bean

As the owner of an accountancy practice, there’s so much to think about. I need to stay focussed on our own products and services and making sure our customers are looked after. That’s why working with Circle Cloud has been perfect. They’ve taken away any concerns I’ve had around information security. The initial 30 day onboarding process made such a big difference, and the support we’ve had since has been excellent.

Andy Craddock
Managing Director- Accurate Data Services

In our industry it is critical to be constantly focussed on information security. At Accurate Data Services Ltd we always deal with extremely sensitive data, so remaining one step ahead of IS risk is our top priority.  We wanted to work with Circle Cloud because there IS infrastructure design continuously ticks all of the right boxes, can be delivered quickly and is scaleable.  It really is a comfort to everyone in the business that Circle Cloud are there, constantly having our back and making sure that our IS systems are always best in class.

Tony Crocker
Managing Director- IWC Wills & Probate

Circle Cloud’s IT Managed Service has been brilliant for us. It really is focussed on the security side of things. That matters a lot. When you think about all the emails and information that get shared on a daily basis, there is always that worry that something important might slip through. But Circle Cloud have put everything in place to make sure we’re safe.

Mark Pendlebury
IT Manager- Cosatto Limited

Working with Circle Cloud to implement the transition of our ERP system and SQL server into Azure has been a great choice. They have shown great knowledge of the platform and it's possibilities and have worked closely with us to ensure key project milestones and testing phases were met resulting in a successful and on time go live. Furthermore, they have also offered great advice and help on licensing to ensure costs are kept to a minimum.

Deborah Hugill
IT Director- Nigel Wright Ltd

We needed to modernise our server infrastructure in order to enhance resilience, as well as improve accessibility for our European workforce.  This is why we decided to move to the cloud, however we needed a supplier that could help us on our journey. We found the perfect technology partner in Circle Cloud, who specialise specifically in the Microsoft Cloud. They moved all our applications and files to Microsoft Azure which has proven extremely robust, ticking all the boxes we needed it to.

Urfan Durrani
IT Director- Protec International

As a business we had various challenges from moving a legacy on premise exchange system into hosted Office365 environment. Our Office365 system offers the users almost guaranteed uptime, accessible from any place and device, whilst its management facilities make it easier to monitor and control. The commitment to quality and care by Circle Cloud, provided the management team with assurances.

Craig Kippling
Director- Studio Anyo

We needed a telephone system that offered the functionality of a PBX solution. Circle Cloud were the perfect partner to guide us. They demonstrated how Microsoft Teams itself could be used as our full, business-wide telephone solution. They scoped our requirements and migrated our group to Microsoft Business Voice, which bolts seamlessly onto Microsoft Teams.  Our decentralised workforce can now make and receive business calls from anywhere using mobile apps and laptop headsets. This has proven invaluable over the last year and will assist in our future growth. 

Rebecca Pendlebury
Customer Care Manager- Scamp & Dude

As our Customer Care team grew we soon realised we needed to open up forms of contact for our customers. We also needed a system that was flexible and easy to use. As we already used Teams, it felt natural to incorporate Teams Voice and we couldn’t be happier with the result. As a result of Circle Cloud’s recommendations, implementation and training, we now have a happy team and customers.

Ian Burns
IT Services Manager- Waterton Academy

Circle Cloud’s offer of Office 365 security audits catered for every aspect of the brief, however it excelled in the way it was delivered to us as a customer. The added value area of mapping out detailed next steps alongside flagged areas was highly valued and demonstrated their unique ethos of being able to provide an external sound board/advisory presence and where needed, action change by their internal staff as a commissioned service. Based on the experience we had from Circle Cloud, including value for money, the accuracy and attentiveness from staff, we have now adopted the company as our external consultant for Microsoft cloud technologies.

John Painter
IT Systems & Development Manager- Denbury Homes

In November 2021 Circle Cloud were engaged after a shortlisting process, for a time sensitive tenant to tenant domain migration following a business separation- each tenant being wholly separate to the other. Several companies were contacted and their tools assessed, but none could provide a ‘one stop shop’. The expectation was that end users would see no visible difference with regards to experience or content, with the exception of a new temporary password and new MFA registration process. Circle Cloud were able to achieve this within the tight deadline. Denbury Homes are happy to recommend Circle Cloud for Office 365 and Azure Cloud to Cloud migrations, as well as On Premise to Cloud migrations.

Circle Cloud Limited
Company

Circle Cloud Ltd.
Fusion Hive
North Shore Road
TS18 2NB

  0191 672 7012
  info@circlecloud.co.uk
Products
Company
Social
Accreditation
  • ISO/IEC 27001
    Cert Number: IS 697 097
  • Cyber Essentials Certified
Site by Calm Digital Limited
© 2024 Circle Cloud Ltd.
Drop us a message...
Open Menu Open Menu
Contact Us
Open Menu Open Menu
CONTACT US