The MS-101 Microsoft 365 Mobility and Security exam includes planning and configuring Conditional Access policies as one of its main components. This article aims to provide insight into how to navigate this aspect.

Conditional Access is the Azure Active Directory feature that Microsoft 365 uses to make access decisions based on specific scenarios or conditions. Its fundamental function is to enforce access policies across the organization: every sign-in to an organizational resource is evaluated against the conditions of the applicable policies (who the user is, which app is requested, from which device and location, at what risk level), and the access controls those policies demand must be satisfied before Azure AD issues a token.


1. Device Compliance

Firstly, let’s understand device compliance. It is a state describing whether a device meets the conditions the organization has outlined. The IT department defines these conditions in Microsoft Intune device compliance policies, covering aspects such as minimum OS version, password and encryption requirements, and other security settings. Intune evaluates each enrolled device against them and records the result (compliant or not compliant) on the device object in Azure AD, and that recorded state is what Conditional Access reads.

2. Conditional Access Policies

Conditional Access policies are the core of Conditional Access, which requires an Azure AD Premium P1 license (included in Microsoft 365 E3 and E5, among other plans). These policies govern user access attempts to organizational resources. When an attempt matches a policy’s conditions, Conditional Access applies that policy’s access control: either Block access or Grant access.

The Grant access control can require one or more of the following built-in controls:

  • Require multifactor authentication
  • Require device to be marked as compliant
  • Require Hybrid Azure AD joined device
  • Require approved client app
  • Require app protection policy

When more than one control is selected, the policy also states whether the user must satisfy all of the selected controls or any one of them (for example, requiring all of multifactor authentication, a device marked as compliant and a Hybrid Azure AD joined device).

3. Configuring Conditional Access Policies for Device Compliance

To configure these policies, follow these steps:

  • Log in to the Azure portal.
  • Go to Azure Active Directory > Security > Conditional Access.
  • Select ‘New policy’ and fill out the appropriate fields: ‘Name’, ‘Users and groups’ (include the target users, and exclude at least one emergency-access account so that a misconfigured policy cannot lock every administrator out) and ‘Cloud apps or actions’.
  • In ‘Conditions’ > ‘Device state’ you may exclude devices that are already compliant or Hybrid Azure AD joined, so that the policy targets only the devices that are not. Most compliance policies leave this condition untouched and rely on the Grant control instead. (In the current portal ‘Device state’ has been replaced by ‘Filter for devices’, which expresses the same thing as a rule such as device.isCompliant -eq True.)
  • The next section, ‘Access controls’, contains ‘Grant’ and ‘Session’. Under ‘Grant’, choose ‘Require device to be marked as compliant’ to ensure device compliance.
  • Set ‘Enable policy’ to ‘Report-only’ first, review the sign-in logs to see who would have been blocked, and only then switch it to ‘On’.

Remember, this is a standard set-up. Every organization is unique with different requirements; you might need to adjust accordingly! Understand your organization requirements and guide your settings based on that understanding.

4. Examples of Conditional Access Policies

Here are some practical scenarios that require configuring conditional access policies:

Scenario 1: You can set a policy under which a worker can access the company’s resources only from a device marked as compliant by Intune.

Scenario 2: You can set a policy that requires workers to access the company’s resources only through approved client applications (for example Outlook for iOS and Android on mobile devices), so that unmanaged mail clients are refused even when the credentials are valid.

These two examples highlight critical possibilities that conditional access policy settings offer. However, there are other scenarios, each addressing unique access concerns.
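The steps in section 3 and the two scenarios above, done through Microsoft Graph PowerShell instead of the portal. This is an added example and not code from the original article or from Microsoft; it assumes the Microsoft.Graph module is installed, that the signed-in account holds the Policy.ReadWrite.ConditionalAccess and Policy.Read.All scopes, and that the break-glass group ID is a placeholder you replace with your own. Both policies are created in report-only mode so their impact can be reviewed before enforcement.

```powershell
# Added example (not from the original article): create the two scenario policies
# via Microsoft Graph PowerShell in report-only mode.
# Assumptions: Microsoft.Graph module installed; caller has
# Policy.ReadWrite.ConditionalAccess and Policy.Read.All; the group ID below is
# a placeholder for the group that holds the emergency-access (break-glass) accounts.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder

function New-CaPolicy {
    param(
        [Parameter(Mandatory)] [string]   $Name,
        [Parameter(Mandatory)] [string[]] $Controls,          # built-in grant controls: compliantDevice, mfa, approvedApplication, ...
        [string]   $Operator       = "AND",                   # AND = require all selected controls, OR = require one of them
        [string[]] $Platforms      = @("all"),                # android, iOS, windows, macOS, linux or all
        [string[]] $ClientAppTypes = @("all")                 # browser, mobileAppsAndDesktopClients, exchangeActiveSync, other, all
    )

    $body = @{
        displayName = $Name
        state       = "enabledForReportingButNotEnforced"    # report-only first; set to "enabled" after reviewing sign-in logs
        conditions  = @{
            users = @{
                includeUsers  = @("All")
                excludeGroups = @($breakGlassGroupId)         # never lock out emergency access
            }
            applications   = @{ includeApplications = @("Office365") }   # the Office 365 service group
            clientAppTypes = $ClientAppTypes
            platforms      = @{ includePlatforms = $Platforms }
        }
        grantControls = @{
            operator        = $Operator
            builtInControls = $Controls
        }
    }

    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Scenario 1: only devices Intune has marked compliant may reach Office 365.
New-CaPolicy -Name "CA01 - Require compliant device" -Controls @("compliantDevice")

# Scenario 2: on mobile platforms, only approved client apps are allowed, and the
# user must also complete MFA. The approved-client-app control applies to mobile
# apps, so the policy is scoped to iOS/Android and to app (not browser) sign-ins.
New-CaPolicy -Name "CA02 - Mobile: approved app and MFA" `
    -Controls @("approvedApplication", "mfa") `
    -Platforms @("iOS", "android") `
    -ClientAppTypes @("mobileAppsAndDesktopClients")

# Check what was written, including the stored state and grant controls.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object DisplayName -like "CA0*" |
    Select-Object DisplayName, State, @{ n = "Grant"; e = { $_.GrantControls.BuiltInControls -join "," } }
```

The request bodies are the same JSON the Graph conditionalAccess/policies endpoint accepts, so the hashtables double as documentation of what the portal wizard produces. Keeping the emergency-access exclusion inside the helper means every policy created through it inherits the exclusion rather than relying on someone remembering to add it.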

Conclusion:

Planning and configuring conditional access policies for device compliance is an integral aspect of Microsoft 365 device management. It allows an organization to maintain control over which devices access its resources while ensuring that these devices meet the company’s security standards. Therefore, gain an in-depth understanding of this topic to pass your MS-101 Microsoft 365 Mobility and Security Exam.

Practice Test

You cannot apply a conditional access policy to a group of users in Microsoft

  • 1) True
  • 2) False

Answer: 2) False

Explanation: A Conditional Access policy can be assigned to a group of users or to a single user in Microsoft

Which of the following is not a condition in the Conditional Access policy?

  • A) User risk
  • B) Client app
  • C) User status
  • D) Device platform

Answer: C) User status

Explanation: User risk, Client app, and Device platform are all conditions in the Conditional Access policy. User status is not a condition in the Conditional Access policy.

In Microsoft 365, you can always force users to complete Multi-Factor Authentication (MFA).

  • A) True
  • B) False

Answer: B) False

Explanation: Multi-Factor Authentication is enforced only where something requires it: a Conditional Access policy with the ‘Require multifactor authentication’ grant control, security defaults, or per-user MFA. A sign-in that matches no such policy (for example an excluded user, or a cloud app the policy does not cover) is not challenged, so whether MFA is forced depends on how the Conditional Access policies are configured.

Conditional Access policies are enforced after the first-factor authentication has been completed.

  • A) True
  • B) False

Answer: A) True

Explanation: Conditional Access policies are evaluated after the first-factor authentication challenge succeeds, usually after the user has entered a valid password. Conditional Access is therefore not a first line of defense against password guessing: an attacker who obtains the password reaches policy evaluation, and it is the policy’s controls (MFA, a compliant device, a trusted location) that stop them.

A sign-in risk policy can be used to block access when the risk level is medium.

  • A) True
  • B) False

Answer: A) True

Explanation: Sign-in risk is available both as a Conditional Access condition (levels low, medium and high) and in the Identity Protection sign-in risk policy; either can be configured to block access at medium risk and above.

Which permissions levels are necessary to manage conditional access policies in MS-365?

  • A) Application Admin
  • B) Owner
  • C) Security Admin
  • D) Compliance Admin

Answer: C) Security Admin

Explanation: The Security Administrator role (as well as the dedicated Conditional Access Administrator role and Global Administrator) allows an administrator to manage Conditional Access policies in Microsoft

You cannot configure Conditional Access policies for Office 365 applications.

  • A) True
  • B) False

Answer: B) False

Explanation: Conditional Access policies can be applied to Office 365 applications.

A device compliant policy can be configured to require a device to have accurate time settings.

  • A) True
  • B) False

Answer: A) True

Explanation: Compliance policy rules vary widely depending on the policy settings. The built-in Intune settings cover items such as minimum OS version, password, encryption, firewall and antivirus state; for checks that are not built in, such as accurate time settings, custom compliance settings let you supply a discovery script and a JSON definition so the device is marked non-compliant when the check fails.

Compliance policies in Microsoft 365 do not support Windows 10 devices.

  • A) True
  • B) False

Answer: B) False

Explanation: Compliance policies in Microsoft 365 support several platforms, including Windows.

Conditional Access policies can only enforce controls to all client apps.

  • A) True
  • B) False

Answer: B) False

Explanation: Controls can be enforced on a select set of client apps or all apps, depending on the needs of your organization.

You can create Conditional Access policy with Identity Protection from Microsoft 365 admin center.

  • A) True
  • B) False

Answer: B) False

Explanation: Conditional Access policies, including those that use Identity Protection risk conditions, are created in the Azure portal (today also the Microsoft Entra admin center), not in the Microsoft 365 admin center.

Conditional Access policies support multi-factor authentication (MFA) for extra security.

  • A) True
  • B) False

Answer: A) True

Explanation: Multi-factor authentication (MFA) can be added as a requirement in Conditional Access policies for improved security.

In conditional access policies, you cannot exclude any user.

  • A) True
  • B) False

Answer: B) False

Explanation: Specific users or user groups can be excluded when defining a Conditional Access policy.

Named locations can be utilized for conditional access policies.

  • A) True
  • B) False

Answer: A) True

Explanation: Named locations can be defined and used to apply more granular controls in Conditional Access policies.

Conditional Access policy is applied at the data level.

  • A) True
  • B) False

Answer: B) False

Explanation: Conditional Access policies are applied at the access level: they decide whether a sign-in to an app is allowed, blocked or subject to extra controls at the time the token is issued. They do not classify, label or encrypt individual files or messages, so they do not operate at the data level.

Interview Questions

What is a conditional access policy?

A conditional access policy is a tool used in Microsoft 365 to implement automated access-control decisions for accessing your cloud apps, based on specified conditions.

Which tool is used to create and manage conditional access policies?

The Azure portal (Azure Active Directory > Security > Conditional Access) is used to create and manage Conditional Access policies in Microsoft 365. The same policies can also be created, read and updated programmatically through the Microsoft Graph conditionalAccess API, which is how they are deployed as code.

Can you explain the concept of ‘Conditions’ in a Conditional Access policy?

Conditions in a Conditional Access policy are the set of circumstances that determine when the policy applies. These include the user or group, the cloud apps or user actions, device platform, device state (now expressed as a filter for devices), location, client app type, sign-in risk and user risk. A policy is only evaluated for a sign-in when all of its configured conditions match.

What is device compliance in the context of conditional access policies?

Device compliance is Intune’s evaluation of whether a device meets the organization’s compliance policies, such as OS version, encryption and password requirements. If a Conditional Access policy requires a compliant device and the device is unenrolled or non-compliant, access to the requested cloud apps is denied until the device is enrolled and remediated.

How can you enforce multi-factor authentication in a Conditional Access policy?

By setting the ‘Grant’ controls of a policy to require multi-factor authentication, you can enforce multi-factor authentication. This means that users will have to pass two or more authentication methods to gain access.

Is it possible to exclude certain users or groups from a conditional access policy?

Yes, it’s possible to exclude specific users or groups from a conditional access policy. This can be done while defining the ‘Users and Groups’ condition in the policy settings.

What are ‘session’ activities in the context of conditional access policies?

‘Session’ controls restrict what a user can do inside a cloud app session after access has been granted, rather than whether access is granted at all. An example is blocking downloads in a SharePoint Online session, implemented either through the app-enforced restrictions that SharePoint Online supports or by routing the session through Conditional Access App Control (Microsoft Defender for Cloud Apps).

What does the ‘Report-only’ mode do in a Conditional Access policy?

‘Report-only’ mode allows you to understand the impact of your Conditional Access policies without enforcing them. It simulates and logs the outcome of the policy evaluation without impacting the sign-in or session behavior.
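The review that report-only mode is meant to support, as an added example that is not code from the original article or from Microsoft: it reads the Azure AD sign-in log through Microsoft Graph PowerShell and lists who a report-only policy would have blocked. It assumes the Microsoft.Graph module is installed, that the caller holds the AuditLog.Read.All and Directory.Read.All scopes, and that the policy display name is a placeholder for one you have created in report-only mode.

```powershell
# Added example (not from the original article): summarise what a report-only
# Conditional Access policy would have done over the last week.
# Assumptions: Microsoft.Graph module installed; caller has AuditLog.Read.All and
# Directory.Read.All; $policyName is a placeholder for your report-only policy.

Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$policyName = "CA01 - Require compliant device"   # placeholder: your report-only policy
$since      = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# One week of sign-ins. The policy match is done locally on the nested
# appliedConditionalAccessPolicies collection to keep the Graph query simple.
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

$results = foreach ($s in $signIns) {
    $hit = $s.AppliedConditionalAccessPolicies | Where-Object { $_.DisplayName -eq $policyName }
    if ($hit) {
        [pscustomobject]@{
            User      = $s.UserPrincipalName
            App       = $s.AppDisplayName
            OS        = $s.DeviceDetail.OperatingSystem
            Compliant = $s.DeviceDetail.IsCompliant
            # reportOnlySuccess / reportOnlyFailure / reportOnlyNotApplied / reportOnlyInterrupted
            Result    = $hit.Result
        }
    }
}

# Overall outcome counts: how often the policy would have blocked, passed or not applied.
$results | Group-Object Result | Select-Object Name, Count

# Users who would have been blocked, most affected first. These are the people to
# fix (enrol the device, or add a justified exclusion) before the policy is enabled.
$results |
    Where-Object Result -eq "reportOnlyFailure" |
    Group-Object User |
    Sort-Object Count -Descending |
    Select-Object Name, Count
```

A policy whose report-only failures are dominated by a handful of unenrolled devices is ready to enable once those devices are fixed; a policy that fails for most of the tenant usually means the condition scope (platform, client app type or cloud app) is wider than intended.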

Which are the two levels of device compliance policies available on Microsoft Intune?

Microsoft Intune has two levels of compliance configuration: tenant-wide compliance policy settings (for example, whether devices with no compliance policy assigned are treated as compliant or not compliant), and platform-specific device compliance policies. Each device compliance policy contains the rules and settings a device must satisfy to be considered compliant, together with the actions for non-compliance, such as emailing the user or marking the device non-compliant after a grace period.

Can conditional access policies apply to all applications?

No. Conditional Access is enforced when Azure AD issues a token, so it applies to apps that authenticate through Azure AD with modern authentication (OAuth 2.0/OpenID Connect or SAML), including on-premises apps published through Azure AD Application Proxy. Clients using legacy authentication protocols cannot be prompted for MFA or a compliant device; the only control a policy can apply to them is to block them, using the client apps condition.

Can conditional access policies be used in conjunction with Azure Active Directory?

Yes, Conditional Access is actually a tool built into Azure Active Directory. It uses Azure Active Directory’s identity service to make decisions and enforce organizational policies.

What does the ‘Require device to be marked as compliant’ grant control do?

The ‘Require device to be marked as compliant’ grant control means that to gain access, a device must be marked as compliant in accordance with the device compliance policies set in Microsoft Intune.

How does the ‘block access’ control in a conditional access policy work?

‘Block access’ control categorically prevents specified users from accessing the app when the conditions of the policy are met.

Can you simulate the potential impact of conditional access policies before enabling them?

Yes, you can use the ‘What If’ tool in the Azure portal to simulate the potential impact of your conditional access policies before enabling them.

What happens if multiple conditional access policies apply to a single access attempt?

If multiple Conditional Access policies apply to a single access attempt, all of them are evaluated and the controls of every applicable policy must be satisfied for access to be granted. The policies are not evaluated in a specific order; they are evaluated together, and if any applicable policy has a Block control, the attempt is blocked regardless of what the other policies grant.
