articles/active-directory/conditional-access/concept-condition-filters-for-devices.md (6 additions & 6 deletions)
@@ -21,7 +21,7 @@ When creating Conditional Access policies, administrators have asked for the abi
There are multiple scenarios that organizations can now enable using filter for devices condition. Below are some core scenarios with examples of how to use this new condition.
-
-**Restrict access to privileged resources**. For this example, lets say you want to allow access to Microsoft Azure Management from a user who is assigned a privilged role Global Admin, has satisfied multifactor authentication and accessing from a device that is [privileged or secure admin workstations](/security/compass/privileged-access-devices) and attested as compliant. For this scenario, organizations would create two Conditional Access policies:
+
-**Restrict access to privileged resources**. For this example, lets say you want to allow access to Microsoft Azure Management from a user who is assigned a privileged role Global Admin, has satisfied multifactor authentication and accessing from a device that is [privileged or secure admin workstations](/security/compass/privileged-access-devices) and attested as compliant. For this scenario, organizations would create two Conditional Access policies:
- Policy 1: All users with the directory role of Global Administrator, accessing the Microsoft Azure Management cloud app, and for Access controls, Grant access, but require multifactor authentication and require device to be marked as compliant.
- Policy 2: All users with the directory role of Global Administrator, accessing the Microsoft Azure Management cloud app, excluding a filter for devices using rule expression device.extensionAttribute1 equals SAW and for Access controls, Block. Learn how to [update extensionAttributes on an Azure AD device object](/graph/api/device-update?view=graph-rest-1.0&tabs=http&preserve-view=true).
-**Block access to organization resources from devices running an unsupported Operating System**. For this example, lets say you want to block access to resources from Windows OS version older than Windows 10. For this scenario, organizations would create the following Conditional Access policy:
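Review bot: the corrected + line still reads "lets say" and "has satisfied multifactor authentication and accessing from a device"; suggest "let's say" and "is accessing from a device". The unchanged context line for the unsupported-OS scenario carries the same "lets say" and could be fixed in the same pass.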
@@ -44,11 +44,11 @@ The following steps will help create two Conditional Access policies to support
Policy 1: All users with the directory role of Global Administrator, accessing the Microsoft Azure Management cloud app, and for Access controls, Grant access, but require multifactor authentication and require device to be marked as compliant.
-
1. Sign in to the **Azure portal** as a Global Administrator, Security Administrator, or Conditional Access Administrator.
+
1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.
1. Browse to **Azure Active Directory** > **Security** > **Conditional Access**.
1. Select **New policy**.
1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
-
1. Under **Assignments**, select **Users or workload identities**..
+
1. Under **Assignments**, select **Users or workload identities**.
1. Under **Include**, select **Directory roles** and choose **Global Administrator**.
> [!WARNING]
@@ -65,7 +65,7 @@ Policy 2: All users with the directory role of Global Administrator, accessing t
1. Select **New policy**.
1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
-
1. Under **Assignments**, select **Users or workload identities**..
+
1. Under **Assignments**, select **Users or workload identities**.
1. Under **Include**, select **Directory roles** and choose **Global Administrator**.
> [!WARNING]
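Review bot: this hunk starts at line 66 (Select New policy), so the Policy 2 sign-in step just above it is not in the diff; confirm it received the same role reordering (Conditional Access Administrator, Security Administrator, Global Administrator) that the Policy 1 hunk applied, otherwise the two procedures in the same article list the roles in different orders.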
@@ -89,7 +89,7 @@ Setting extension attributes is made possible through the Graph API. For more in
### Filter for devices Graph API
-
The filter for devices API is available in Microsoft Graph v1.0 endpoint and can be accessed using https://graph.microsoft.com/v1.0/identity/conditionalaccess/policies/. You can configure a filter for devices when creating a new Conditional Access policy or you can update an existing policy to configure the filter for devices condition. To update an existing policy, you can do a patch call on the Microsoft Graph v1.0 endpoint mentioned above by appending the policy ID of an existing policy and executing the following request body. The example here shows configuring a filter for devices condition excluding device that are not marked as SAW devices. The rule syntax can consist of more than one single expression. To learn more about the syntax, see [dynamic membership rules for groups in Azure Active Directory](../enterprise-users/groups-dynamic-membership.md).
+
The filter for devices API is available in Microsoft Graph v1.0 endpoint and can be accessed using https://graph.microsoft.com/v1.0/identity/conditionalaccess/policies/. You can configure a filter for devices when creating a new Conditional Access policy or you can update an existing policy to configure the filter for devices condition. To update an existing policy, you can do a patch call on the Microsoft Graph v1.0 endpoint mentioned above by appending the policy ID of an existing policy and executing the following request body. The example here shows configuring a filter for devices condition excluding devices that aren't marked as SAW devices. The rule syntax can consist of more than one single expression. To learn more about the syntax, see [dynamic membership rules for groups in Azure Active Directory](../enterprise-users/groups-dynamic-membership.md).
```json
{
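Review bot: the + line now says the example excludes "devices that aren't marked as SAW devices", but Policy 2 earlier in this same file excludes devices matching device.extensionAttribute1 equals SAW, that is, the SAW devices themselves, so that the Block applies to everything else. Check the JSON body that follows this paragraph: if its exclude rule is extensionAttribute1 equals SAW, the sentence should read "excluding devices that are marked as SAW devices"; if the sentence is right, the Policy 2 description is wrong. Getting this backwards blocks admins on the hardened workstations and leaves every other device allowed. Minor: "patch call" should be "PATCH call".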
@@ -130,7 +130,7 @@ The following device attributes can be used with the filter for devices conditio
## Policy behavior with filter for devices
-
The filter for devices condition in Conditional Access evaluates policy based on device attributes of a registered device in Azure AD and hence it is important to understand under what circumstances the policy is applied or not applied. The table below illustrates the behavior when a filter for devices condition are configured.
+
The filter for devices condition in Conditional Access evaluates policy based on device attributes of a registered device in Azure AD and hence it's important to understand under what circumstances the policy is applied or not applied. The table below illustrates the behavior when a filter for devices condition is configured.
| Filter for devices condition | Device registration state | Device filter Applied
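Review bot: the grammar is fixed, but the paragraph still says only that it is important to understand when the policy applies and defers entirely to the table. Since the condition evaluates attributes of a registered Azure AD device, a device that is not registered has nothing to evaluate, and the table's "Device registration state" column is what decides whether the filter can match at all; one sentence saying so before the table would help readers who skim past it.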
articles/active-directory/conditional-access/concept-conditional-access-policy-common.md (9 additions & 9 deletions)
@@ -11,7 +11,7 @@ ms.date: 08/22/2022
ms.author: joflore
author: MicrosoftGuyJFlo
manager: amycolannino
-
ms.reviewer: calebb, davidspo
+
ms.reviewer: calebb, lhuangnorth
ms.collection: M365-identity-device-management
---
@@ -27,6 +27,8 @@ Conditional Access templates are designed to provide a convenient method to depl
The 14 policy templates are split into policies that would be assigned to user identities or devices. Find the templates in the **Azure portal** > **Azure Active Directory** > **Security** > **Conditional Access** > **Create new policy from template**.
+
Organizations not comfortable allowing Microsoft to create these policies can create them manually by copying the settings from **View policy summary** or use the linked articles to create policies themselves.
+
:::image type="content" source="media/concept-conditional-access-policy-common/create-policy-from-template-identity.png" alt-text="Create a Conditional Access policy from a preconfigured template in the Azure portal." lightbox="media/concept-conditional-access-policy-common/create-policy-from-template-identity.png":::
> [!IMPORTANT]
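Review bot: moving the "Organizations not comfortable allowing Microsoft to create these policies" paragraph above the screenshot puts it before the template list it refers to, so "the linked articles" is now a forward reference to links the reader has not seen yet; "the articles linked below" would be clearer.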
@@ -39,22 +41,20 @@ The 14 policy templates are split into policies that would be assigned to user i
-[Securing security info registration](howto-conditional-access-policy-registration.md)
-[Require approved client apps or app protection](howto-policy-approved-app-or-app-protection.md)
-
- Require compliant or Hybrid Azure AD joined device or multi-factor authentication for all users
-
- Use application enforced restrictions for unmanaged devices
+
-[Require compliant or Hybrid Azure AD joined device for administrators](howto-conditional-access-policy-compliant-device-admin.md)
+
-[Use application enforced restrictions for unmanaged devices](howto-policy-app-enforced-restriction.md)
> \* These four policies when configured together, provide similar functionality enabled by [security defaults](../fundamentals/concept-fundamentals-security-defaults.md).
-
Organizations not comfortable allowing Microsoft to create these policies can create them manually by copying the settings from **View policy summary** or use the linked articles to create policies themselves.
-
### Other policies
*[Block access by location](howto-conditional-access-policy-location.md)
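Review bot: the removed entry "Require compliant or Hybrid Azure AD joined device or multi-factor authentication for all users" is replaced in its position by a different policy, "Require compliant or Hybrid Azure AD joined device for administrators". If the all-users variant is still one of the 14 templates counted above, it has silently dropped out of this list; if it was dropped on purpose, the count and the "These four policies ... security defaults" footnote should be rechecked. Turning the plain "Use application enforced restrictions for unmanaged devices" entry into a link is fine.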
articles/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa.md (6 additions & 15 deletions)
@@ -1,5 +1,5 @@
---
-
title: Conditional Access - Require MFA for administrators - Azure Active Directory
+
title: Require MFA for administrators with Conditional Access - Azure Active Directory
description: Create a custom Conditional Access policy to require administrators to perform multifactor authentication
services: active-directory
@@ -11,11 +11,11 @@ ms.date: 08/22/2022
ms.author: joflore
author: MicrosoftGuyJFlo
manager: amycolannino
-
ms.reviewer: calebb, davidspo
+
ms.reviewer: calebb, lhuangnorth
ms.collection: M365-identity-device-management
---
-
# Conditional Access: Require MFA for administrators
+
# Common Conditional Access policy: Require MFA for administrators
Accounts that are assigned administrative rights are targeted by attackers. Requiring multifactor authentication (MFA) on those accounts is an easy way to reduce the risk of those accounts being compromised.
@@ -38,24 +38,15 @@ Microsoft recommends you require MFA on the following roles at a minimum, based
Organizations can choose to include or exclude roles as they see fit.
Conditional Access policies are powerful tools, we recommend excluding the following accounts from your policy:
-
-
-**Emergency access** or **break-glass** accounts to prevent tenant-wide account lockout. In the unlikely scenario all administrators are locked out of your tenant, your emergency-access administrative account can be used to log into the tenant to take steps to recover access.
-
- More information can be found in the article, [Manage emergency access accounts in Azure AD](../roles/security-emergency-access.md).
-
-**Service accounts** and **service principals**, such as the Azure AD Connect Sync Account. Service accounts are non-interactive accounts that aren't tied to any particular user. They're normally used by back-end services allowing programmatic access to applications, but are also used to sign in to systems for administrative purposes. Service accounts like these should be excluded since MFA can't be completed programmatically. Calls made by service principals aren't blocked by Conditional Access.
-
- If your organization has these accounts in use in scripts or code, consider replacing them with [managed identities](../managed-identities-azure-resources/overview.md). As a temporary workaround, you can exclude these specific accounts from the baseline policy.
-
-
## Template deployment
-
-
Organizations can choose to deploy this policy using the steps outlined below or using the [Conditional Access templates (Preview)](concept-conditional-access-policy-common.md#conditional-access-templates-preview).
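Review bot: this hunk deletes the guidance to exclude emergency-access (break-glass) accounts and service accounts/service principals from the admin MFA policy, together with the "Template deployment" heading and its pointer to the templates, and adds nothing in their place. If that text moved into a shared include, the include reference should be visible in this diff; if it did not, readers of this article lose the one warning that prevents a tenant-wide admin lockout. If the line "Conditional Access policies are powerful tools, we recommend excluding the following accounts from your policy:" survives as context, it now introduces a list that no longer exists, and it is a comma splice either way.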
articles/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa.md (7 additions & 15 deletions)
@@ -1,5 +1,5 @@
---
-
title: Conditional Access - Require MFA for all users - Azure Active Directory
+
title: Require MFA for all users with Conditional Access - Azure Active Directory
description: Create a custom Conditional Access policy to require all users do multifactor authentication
services: active-directory
@@ -11,26 +11,19 @@ ms.date: 08/22/2022
ms.author: joflore
author: MicrosoftGuyJFlo
manager: amycolannino
-
ms.reviewer: calebb, davidspo
+
ms.reviewer: calebb, lhuangnorth
ms.collection: M365-identity-device-management
---
-
# Conditional Access: Require MFA for all users
+
# Common Conditional Access policy: Require MFA for all users
As Alex Weinert, the Directory of Identity Security at Microsoft, mentions in his blog post [Your Pa$$word doesn't matter](https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Your-Pa-word-doesn-t-matter/ba-p/731984):
> Your password doesn't matter, but MFA does! Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA.
The guidance in this article will help your organization create an MFA policy for your environment.
-
## User exclusions
-
-
Conditional Access policies are powerful tools, we recommend excluding the following accounts from your policy:
-
-
***Emergency access** or **break-glass** accounts to prevent tenant-wide account lockout. In the unlikely scenario all administrators are locked out of your tenant, your emergency-access administrative account can be used to log into the tenant take steps to recover access.
-
* More information can be found in the article, [Manage emergency access accounts in Azure AD](../roles/security-emergency-access.md).
-
***Service accounts** and **service principals**, such as the Azure AD Connect Sync Account. Service accounts are non-interactive accounts that aren't tied to any particular user. They're normally used by back-end services allowing programmatic access to applications, but are also used to sign in to systems for administrative purposes. Service accounts like these should be excluded since MFA can't be completed programmatically. Calls made by service principals aren't blocked by Conditional Access.
-
* If your organization has these accounts in use in scripts or code, consider replacing them with [managed identities](../managed-identities-azure-resources/overview.md). As a temporary workaround, you can exclude these specific accounts from the baseline policy.
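Review bot: same concern as in the admin-MFA article: the entire "## User exclusions" section (break-glass accounts, service accounts and service principals, the managed-identities pointer) is removed with no replacement visible in the hunk; confirm it moved to a shared include rather than being dropped, because an all-users MFA policy with no break-glass exclusion is exactly the configuration that locks a tenant out. While here, the unchanged context line "Alex Weinert, the Directory of Identity Security at Microsoft" should read "Director of Identity Security".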
@@ -40,15 +33,13 @@ Organizations may have many cloud applications in use. Not all of those applicat
Organizations that use [Subscription Activation](/windows/deployment/windows-10-subscription-activation) to enable users to “step-up” from one version of Windows to another, may want to exclude the Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f from their all users all cloud apps MFA policy.
-
## Template deployment
-
-
Organizations can choose to deploy this policy using the steps outlined below or using the [Conditional Access templates (Preview)](concept-conditional-access-policy-common.md#conditional-access-templates-preview).
The following steps will help create a Conditional Access policy to require all users do multifactor authentication.
-
1. Sign in to the **Azure portal** as a Global Administrator, Security Administrator, or Conditional Access Administrator.
+
1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.
1. Browse to **Azure Active Directory** > **Security** > **Conditional Access**.
1. Select **New policy**.
1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
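Review bot: removing "## Template deployment" and the sentence "Organizations can choose to deploy this policy using the steps outlined below or using the Conditional Access templates (Preview)" leaves this article with no pointer to the template that implements it, while the change to concept-conditional-access-policy-common.md in the same commit is reworking that template list; if the pointer is meant to move rather than disappear, add it back near the steps. The sign-in role reordering (Conditional Access Administrator first) matches the filters-for-devices article.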
@@ -62,6 +53,7 @@ The following steps will help create a Conditional Access policy to require all
1. Select **Create** to create to enable your policy.
After confirming your settings using [report-only mode](howto-conditional-access-insights-reporting.md), an administrator can move the **Enable policy** toggle from **Report-only** to **On**.
+
### Named locations
Organizations may choose to incorporate known network locations known as **Named locations** to their Conditional Access policies. These named locations may include trusted IPv4 networks like those for a main office location. For more information about configuring named locations, see the article [What is the location condition in Azure Active Directory Conditional Access?](location-condition.md)