Configure Conditional Access Policy in Azure

Reading Time: 4 minutes

In this blog post I will go through the process of configuring a conditional access policy within Azure AD.

Conditional Access policies are simply if-then statements: if a user wants to access a resource, then they must complete an action. For example, a staff member who wants to access the payroll application is required to perform multi-factor authentication before being allowed in.

Note: Using this feature requires an Azure AD Premium P1 license.

1. Log in to the Azure portal at portal.azure.com
2. Click Azure AD, or locate it via the search box
3. Click Security

4. Click Conditional Access

5. Click New Policy

6. For the purpose of this demo, I have selected:

Assignments:
– Selected Users and groups
– Selected the Sales group

7. Next, click Cloud apps or actions

8. Select what this policy applies to. For the purpose of this demo, I have clicked Select apps

9. Select your apps. For the purpose of this demo, I have selected Office 365 only

10. Next, click Conditions

Up to this point I have selected the Sales group and the Office 365 application. I will now apply conditions to the Sales group.

11. Click Device Platforms

12. For the purpose of this demo, I want this policy to apply to salespeople using an iOS device, such as an iPhone

13. Click Locations

14. Here you can configure locations. For example, you could prevent the policy from applying to your trusted locations but apply it everywhere else. Note the Exclude option below, which lets you exclude locations from this policy.

15. Client apps: here you can control user access by targeting specific client applications that do not use modern authentication.

Note: When not configured, policies now apply to all client apps, including those using modern and legacy authentication.

16. Click Device state

17. Here you can control user access when the device the user is signing in from is not Hybrid Azure AD joined or marked as compliant.

18. Next, click Grant

19. Here you decide what the policy does: block access, or grant access subject to conditions. If you grant access, you can select which controls users must satisfy when authenticating, and if you select several controls, you can choose between Require all the selected controls and Require one of the selected controls.

20. Finally, choose whether the policy is enabled by clicking On. If you click Off, the policy will not apply. Report-only logs what the policy would have done, for you to analyse, without enforcing it on users.

21. Click Create

Note: if you receive the message below after clicking Create, you must disable security defaults before you can create your policy.

Security defaults must be disabled to enable conditional access policy.

Out of the box, Microsoft now provides secure default settings, managed by Microsoft on behalf of organisations, to keep customers safe until they are ready to manage their own identity security. Security defaults are now enabled by default when a new tenant is set up.

You can disable security defaults by:

  1. Log in to the Azure portal at portal.azure.com
  2. Click Azure Active Directory, or search using the search box
  3. Click Properties in the left pane
  4. Scroll to the bottom of the page and click the link Manage Security Defaults

22. And here is the policy.

Notice the option What If below. This option allows you to test what a conditional access policy would do if applied to a user.
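The same policy can be built from PowerShell instead of the portal. The block below is an added example, not code from the original post: it uses the Microsoft Graph PowerShell SDK to check the security-defaults state mentioned in the note after step 21, resolve the Sales group, and create the policy from steps 6 to 20 in Report-only mode. It assumes the Microsoft.Graph module is installed, the account can manage Conditional Access, and a group named Sales exists; the policy display name is a placeholder.

```powershell
# Added example (not from the original post): create the Conditional Access policy from
# steps 6-20 with the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph is installed, the signed-in account may manage Conditional
# Access, and a group named "Sales" exists. The display name is a placeholder.

Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Groups

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# A policy cannot be created while security defaults are on (the note after step 21).
$secDefaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($secDefaults.IsEnabled) {
    throw "Security defaults are enabled; disable them under Azure AD > Properties > Manage Security Defaults first."
}

# Step 6: resolve the Sales group to its object id.
$sales = Get-MgGroup -Filter "displayName eq 'Sales'"
if (-not $sales) { throw "Group 'Sales' not found" }

$policy = @{
    displayName = "Demo - Require MFA for Sales on iOS (Office 365)"   # placeholder name
    # Step 20: start in Report-only so the sign-in logs show the outcome without blocking anyone.
    state = "enabledForReportingButNotEnforced"   # other values: "enabled", "disabled"
    conditions = @{
        users        = @{ includeGroups = @($sales.Id) }                 # step 6
        applications = @{ includeApplications = @("Office365") }         # step 9: the Office 365 suite
        platforms    = @{ includePlatforms = @("iOS") }                  # step 12
        # Step 14: apply everywhere except trusted locations ("AllTrusted" is the built-in exclusion value).
        locations    = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
        clientAppTypes = @("all")                                        # step 15: all client apps
    }
    # Step 19: grant access only after multi-factor authentication.
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Once the report-only sign-in logs look right, switch the policy on:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

Creating the policy in Report-only first is the scripted equivalent of the What If check: the sign-in logs record whether each sign-in would have been blocked or prompted for MFA, so a mistyped group or platform condition shows up before anyone is locked out.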

How to assign licenses for Microsoft 365 using a security group

Reading Time: 3 minutes

In this blog post I will go through the process of automatically assigning Microsoft 365 licenses to users based on group membership.

1. Log in to the Microsoft 365 portal and launch the Azure AD Admin Center
2. Click Licenses in the left pane

3. Click All products

4. Click on the license you want to link to a group

5. Click Assign

6. Select the security group and click select

7. Click Assignment options

8. Here is where you decide which applications you want to assign to members of your security group.

9. Click ok and assign

Licenses assigned

10. To check whether the group has been assigned and how many users have been assigned a license, click the license type

11. Click Licensed groups

12. And to check licensed users, click Licensed users in the left pane

You can also check the licenses and apps assigned by visiting the Microsoft 365 admin center: expand Users and click Active users.

Click the user name, then click Licenses and apps (you may need to wait a moment while replication occurs).
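Group-based licensing can also be configured and verified from PowerShell. The block below is an added example, not code from the original post: it mirrors steps 4 to 12 with the Microsoft Graph PowerShell SDK, picking the product, disabling one service plan (the assignment options in step 8), assigning the license to the group and then checking which members actually hold it. It assumes Microsoft.Graph is installed and the account holds the licensing scopes; the SKU part number, the disabled plan and the group name are placeholders.

```powershell
# Added example (not from the original post): group-based license assignment with the
# Microsoft Graph PowerShell SDK, mirroring steps 4-12.
# Assumptions: Microsoft.Graph is installed and the account has the scopes below.
# SKU part number, disabled service plan and group name are placeholders.

Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Identity.DirectoryManagement

Connect-MgGraph -Scopes "Group.ReadWrite.All", "Organization.Read.All", "User.Read.All", "LicenseAssignment.ReadWrite.All"

# Step 4: choose the product. SPE_E3 is Microsoft 365 E3; change it to a SKU your tenant owns.
$skuPartNumber = "SPE_E3"
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq $skuPartNumber
if (-not $sku) { throw "SKU $skuPartNumber is not in this tenant" }
"Seats: $($sku.PrepaidUnits.Enabled) enabled, $($sku.ConsumedUnits) consumed"

# Step 6: the security group whose members should receive the license.
$group = Get-MgGroup -Filter "displayName eq 'Sales'"
if (-not $group) { throw "Group 'Sales' not found" }

# Step 8: assignment options. Service plans are turned off by id; Yammer is used as the example.
$planNamesToDisable = @("YAMMER_ENTERPRISE")
$disabled = $sku.ServicePlans |
    Where-Object { $planNamesToDisable -contains $_.ServicePlanName } |
    Select-Object -ExpandProperty ServicePlanId

# Step 9: assign. -RemoveLicenses must be supplied even when empty.
Set-MgGroupLicense -GroupId $group.Id `
    -AddLicenses @(@{ SkuId = $sku.SkuId; DisabledPlans = @($disabled) }) `
    -RemoveLicenses @()

# Steps 10-12: verification. Group licensing is processed asynchronously, so a member may
# show no license for a few minutes (the replication wait mentioned in the post).
Get-MgGroup -GroupId $group.Id -Property "displayName,assignedLicenses,licenseProcessingState" |
    Select-Object DisplayName,
        @{ n = 'Skus';  e = { $_.AssignedLicenses.SkuId } },
        @{ n = 'State'; e = { $_.LicenseProcessingState.State } }

Get-MgGroupMember -GroupId $group.Id -All | ForEach-Object {
    $u = Get-MgUser -UserId $_.Id -Property "userPrincipalName,assignedLicenses"
    [pscustomobject]@{
        User     = $u.UserPrincipalName
        Licensed = [bool]($u.AssignedLicenses.SkuId -contains $sku.SkuId)
    }
}
```

The seat count printed before the assignment is the check worth keeping: if the group has more members than the SKU has enabled seats, the extra members end up in a licensing error state rather than licensed, and that only becomes visible in the Licensed groups view after processing has finished.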

How to set passwords to expire in Azure

Reading Time: 3 minutes

In this blog post I will go through enabling password expiration within the Microsoft 365 portal. I will also go through the default password options within Azure AD.

Note: this only applies if you’re using a Microsoft cloud-only setup.
Also, at the time of writing, Azure AD does not allow configuring password expiration from the Azure portal. You must do this via PowerShell or from the Microsoft 365 portal, as we will be doing now.

1. Log in to portal.office.com
2. Click Settings, then Org settings

3. Click Security & privacy

4. Click Password and expiration policy

5. By default, passwords are set to never expire. Click the option Set user passwords to expire after a number of days

6. Configure settings as required, or leave the defaults and click save
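The post mentions PowerShell as the alternative route for this setting. The block below is an added example, not code from the original post: it reads the current expiration policy on each verified domain, sets the validity and notification windows with the Microsoft Graph PowerShell SDK, and lists users whose per-user setting exempts them from expiration. It assumes Microsoft.Graph is installed and the account can manage domains and users; the domain name is a placeholder.

```powershell
# Added example (not from the original post): read and set tenant password expiration with
# the Microsoft Graph PowerShell SDK, the "PowerShell" route the post mentions.
# Assumptions: Microsoft.Graph is installed; the account may manage domains and users.
# The domain name below is a placeholder.

Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes "Domain.ReadWrite.All", "User.ReadWrite.All"

# The policy is stored per verified domain. A validity of 2147483647 days (Int32 max)
# is how "passwords never expire", the default described in step 5, is represented.
$NeverExpires = [int]::MaxValue

function Get-DomainPasswordExpiry {
    Get-MgDomain | ForEach-Object {
        [pscustomobject]@{
            Domain           = $_.Id
            Verified         = $_.IsVerified
            ValidityDays     = $_.PasswordValidityPeriodInDays
            NotificationDays = $_.PasswordNotificationWindowInDays
            NeverExpires     = ($_.PasswordValidityPeriodInDays -eq $NeverExpires)
        }
    }
}

function Set-DomainPasswordExpiry {
    param(
        [Parameter(Mandatory)] [string] $DomainId,
        # Ranges match what the Microsoft 365 portal accepts.
        [ValidateRange(14, 730)] [int] $ValidityDays = 90,
        [ValidateRange(1, 30)]   [int] $NotificationDays = 14
    )
    Update-MgDomain -DomainId $DomainId `
        -PasswordValidityPeriodInDays $ValidityDays `
        -PasswordNotificationWindowInDays $NotificationDays
}

Get-DomainPasswordExpiry
Set-DomainPasswordExpiry -DomainId "contoso.onmicrosoft.com"   # placeholder domain
Get-DomainPasswordExpiry

# Per-user exceptions: an account with DisablePasswordExpiration ignores the domain policy,
# so audit these when tightening expiration.
Get-MgUser -All -Property "userPrincipalName,passwordPolicies" |
    Where-Object { $_.PasswordPolicies -like "*DisablePasswordExpiration*" } |
    Select-Object UserPrincipalName, PasswordPolicies
```

The per-user audit at the end matters because the tenant-wide setting does not override accounts that were individually set to never expire (commonly service or break-glass accounts), so the portal setting alone can leave the accounts you most care about unchanged.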

Moving on, let’s take a look at the default Azure password configuration.

1) Click the link to launch the Azure Active Directory admin center

2) Click Azure Active Directory

3) Click Security from the left pane

4) Click Authentication Methods

5) Click Password protection

6) And here are the default settings

The Audit/Enforce mode applies to the custom list of banned passwords. If set to Enforce, users are prevented from setting banned passwords and the attempt is blocked. If set to Audit, the attempt is only logged.

Add a domain to Microsoft 365 Step by Step

Reading Time: 6 minutes

In this blog post I will add and verify a domain in the Microsoft 365 admin portal. I will also set up an email address using the newly added domain via the Exchange admin center. Finally, I will test to ensure I can send and receive emails.

1. Log in to the Microsoft 365 admin portal at admin.microsoft.com (log in with a Global Admin account)
2. Click Show All

Note: you could also add the domain by clicking Setup.

3. Click Settings

4. Click Domains

5. As you can see from the screenshot below, my default onmicrosoft.com domain is displayed

6. Click Add Domain or purchase a new one by clicking Buy domain

7. Enter the domain you already own and click Use this domain when ready

8. I’ll be selecting the option to add a TXT record at my external domain DNS portal. Click Continue

9. Microsoft provides a TXT record which I need to add at my domain DNS portal. This process verifies that you own the domain you are adding to Microsoft 365

10. I log in to my domain portal at my domain registrar’s website, locate DNS and click to add a new TXT record.

11. I add the details and click Add Record

12. TXT record added successfully

13. Back to the 365 portal to verify the domain. If the domain does not verify, allow time for DNS replication and try again

14. The following appears after Microsoft have verified your domain. You may want to stop at this point as you may not want to configure email routing just yet without planning. I’ll explain further at step 15 below.

The text states:

Connect your domain to your Microsoft services so you can use email and instant messaging. There are a couple of options to consider, depending on how you’d like to manage domain name service (DNS) records for your domain imranrashid.co.uk.

Add your own DNS records. We’ll provide a list of DNS records that you’ll need to add for your domain at your DNS host.

15. If you cancel the setup after verification, you’ll find that the new domain is already available within the Exchange Admin Center. Let’s take a look. Because the domain has been verified, you can cancel the wizard at this point and return later to continue from where you left off. Let’s log in to Exchange Online, check the status of the new domain and add a new email alias to my mailbox. No email routing has been configured at this point.

– Access Exchange Admin Center

– Click Mail flow

– Click accepted domains and you’ll find that the domain has been added as your default domain

– I won’t be able to receive email at this domain until I configure the required DNS/MX records, but I am in a position to start configuring email addresses.

– Click on recipients

– In the example below, my mailbox is still set to the default onmicrosoft.com address

– Click the edit icon or double click the name

– Click email addresses, add your email address and save

– My email address has changed from the default onmicrosoft.com to my newly added domain.

16. I want to continue with setting up my records to allow me to send and receive emails to my new email address

You can continue with the domain setup at any time. Note that if you’re using an external email filtering solution such as Mimecast, the process is different, so some planning is required before you make this significant change of routing email into O365. Changes to email routing should be made at a suitable time to reduce the impact on your users.

So I have accessed the Microsoft 365 portal, clicked Settings, then Domains, and clicked my domain, which currently shows a status of Incomplete setup

17. Click Continue Setup

18. And we’re back at the setup screen we left earlier

19. Click More options and the options below appear

20. I will be selecting the default option Add your own DNS records, click continue

21. Microsoft has provided me with further records to add at my domain portal for imranrashid.co.uk

You’ll find a further option towards the bottom of the page, as shown below. If you select the options below, further DNS records are provided for Skype for Business and for Intune and Mobile Device Management for Microsoft 365

22. For the purpose of this demo, I will only be working with Exchange Online. Let’s add the MX, CNAME and TXT records at my domain portal for imranrashid.co.uk before we continue. Back to my domain portal to add the records.

23. Records added as specified by Microsoft; back to the portal.

Note: It may take some time for changes to replicate, but in most cases the process does not take long. Plan the replication time into your schedule, as in some cases it can take up to 24 hours for DNS records to propagate.

24. Click continue

If there are issues, Microsoft will assist by recommending how to resolve them; for example, if you have typed or copied a record incorrectly, Microsoft will flag this on the next page.

25. Success, domain setup completed. I should now be able to send and receive emails.

26. Earlier in this blog post I assigned an email address to my mailbox via the Exchange Admin Center, so let’s test by logging into the mailbox and sending email.

Send email outbound from irashid@imranrashid.co.uk

Email received

Let’s reply to the email

Email received successfully
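The domain steps above (adding the domain, publishing the verification TXT record, confirming ownership, collecting the MX/CNAME/TXT records and giving the mailbox an address on the new domain) can be scripted and, more usefully, checked against public DNS before asking Microsoft to verify. The block below is an added example, not code from the original post: it uses the Microsoft Graph PowerShell SDK for the domain steps, the Windows DnsClient module to confirm the records have propagated, and Exchange Online PowerShell for the accepted-domain check and the mailbox address from step 15. It assumes those modules are installed and the account is a Global Administrator; imranrashid.co.uk and irashid@imranrashid.co.uk are the values from the post.

```powershell
# Added example (not from the original post): domain add/verify/records (steps 7-25) and the
# mailbox address change (step 15) with Microsoft Graph PowerShell and Exchange Online PowerShell.
# Assumptions: Microsoft.Graph, ExchangeOnlineManagement and the Windows DnsClient module are
# installed and the account is a Global Administrator. Domain and mailbox values are from the post.

Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module ExchangeOnlineManagement
Connect-MgGraph -Scopes "Domain.ReadWrite.All"

$domain = "imranrashid.co.uk"

# Step 7: add the domain to the tenant. It stays unverified until the TXT record is confirmed.
if (-not (Get-MgDomain -DomainId $domain -ErrorAction SilentlyContinue)) {
    New-MgDomain -Id $domain | Out-Null
}

# Step 9: the TXT value Microsoft wants to see at the registrar (the MS=msXXXXXXXX record).
$verification = Get-MgDomainVerificationDnsRecord -DomainId $domain |
    Where-Object RecordType -eq "Txt" | Select-Object -First 1
$expectedTxt = $verification.AdditionalProperties['text']
"Publish TXT at $domain with value: $expectedTxt"

# Steps 10-13: once the record is added at the registrar, check public DNS before asking
# Microsoft to verify, instead of retrying blindly while replication catches up.
function Test-TxtPublished {
    param([string] $Name, [string] $Expected)
    $answers = Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue
    return [bool]($answers.Strings | Where-Object { $_ -eq $Expected })
}
if (Test-TxtPublished -Name $domain -Expected $expectedTxt) {
    Confirm-MgDomain -DomainId $domain      # step 13
} else {
    "TXT record not visible in public DNS yet; wait and re-run."
}

# Step 21: the MX, CNAME and TXT records Microsoft expects for the services on this domain.
$valueKeys = 'mailExchange', 'canonicalName', 'text'
Get-MgDomainServiceConfigurationRecord -DomainId $domain |
    Select-Object RecordType, Label, Ttl, @{ n = 'Value'; e = {
        ($_.AdditionalProperties.GetEnumerator() | Where-Object Key -in $valueKeys | ForEach-Object Value) -join ' ' } }

# Step 25 check: public DNS should now route mail for the domain to Exchange Online
# (the MX host ends in mail.protection.outlook.com).
$mx = Resolve-DnsName -Name $domain -Type MX -ErrorAction SilentlyContinue
$mx | Select-Object NameExchange, Preference
if (-not ($mx.NameExchange -like "*.mail.protection.outlook.com")) {
    "MX does not point at Exchange Online yet; inbound mail will not arrive."
}

# Step 15: Exchange Online - confirm the accepted domain, then add the address to the mailbox.
Connect-ExchangeOnline
Get-AcceptedDomain | Select-Object DomainName, DomainType, Default
Set-Mailbox -Identity "irashid" -EmailAddresses @{ add = "irashid@$domain" }
# To make it the primary (reply-from) address instead, use: -WindowsEmailAddress "irashid@$domain"
Get-Mailbox -Identity "irashid" | Select-Object PrimarySmtpAddress, EmailAddresses
```

The two Resolve-DnsName checks are the part the portal does not give you: the wizard only reports success or failure, while querying public DNS yourself shows whether the registrar change has actually propagated, which is what decides whether the verification in step 13 and the mail test in step 26 will work.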

Stay tuned for further blog posts