This week, I’m exploring some of the basics of Conditional Access and using it with Microsoft Teams.
In the “legacy” world (the term we attach to most things that aren’t bleeding edge these days), we typically saw organizations build the high, high walls and dig the deep, deep moats (and occasionally fill them with alligators) to keep the bad guys out.
In the world of zero trust networking, you have to assume that your attackers are already inside the castle walls, which moves us towards identity-based security concepts.
In today’s cloud-connected world with SaaS-based applications, this castle defense analogy doesn’t work very well (especially for the work-from-home crowd). However, there may be some business reasons you still need to do this. For those of you that want to learn–this post’s for you.
We’re gonna skip right to the nitty-gritty. We’ve already established that you need to configure an Azure AD Conditional Access policy that looks a lot like a legacy “trusted network” policy. In this case, though, we’re going to use the Conditional Access feature to prompt for multi-factor authentication in the event that a user isn’t coming from a known network.
Configuring a location
The first step is telling Azure AD what networks you want to call safe or trusted.
- Navigate to the Azure portal (https://portal.azure.com) and log in as a user with administrative privileges.
- In the search area, type named locations and select the option for Azure AD Named Locations.
- Click + New location.
- Enter a value to identify the location, select the checkbox to Mark as trusted location, and then add one or more of your organization’s public addresses (or address ranges) in the IP ranges area. When you’re finished, click Create.
Woot! That’s it. You’ve created a new trusted location. You can add up to 195 IP addresses or blocks to a location. The largest network you can add is a /8.
Next, we’ll create a super-simple CA policy that utilizes the new location.
Creating a new Conditional Access policy
- In the search bar, type Conditional and select Azure AD Conditional Access. You’re free to type more words, but I’m lazy and want to do as little typing as possible today.
- Select + New policy.
- Enter a value for the name of the policy. We recommend using some sort of naming standard to help you easily identify the scope of the policy.
- Under Assignments > Users and groups, select All users (or a subset, if you are going to pilot this). As a sidebar, we also recommend implementing a break-glass account (as in, “in case of emergency, break glass”) to get yourself back into your tenant should things go sideways. You’ll want to configure that account as an exclusion so this policy doesn’t apply to it.
- Under Assignments > Cloud apps or actions, select the Select apps radio button, and then select Microsoft Teams from the application list. Since Microsoft Teams builds on services such as SharePoint, you may also want to include that in your Teams MFA policy.
- Under Assignments > Conditions, click the Not configured link under Locations to bring you to the Locations configuration area.
- Slide the toggle under Configure to Yes, and then select the Exclude option. Under Exclude, select the All trusted locations radio button to exclude the previously configured locations from the multifactor authentication policy. If you have configured MFA trusted IPs, you can also include that separate object here (in all likelihood, depending on the size of your organization, they’ll be the same).
- Under Access controls > Grant, select Grant access, and then select the Require multi-factor authentication checkbox. Click the Select button to confirm.
- On the bottom of the page, under Enable policy, slide the toggle from Report-only to On and then click Create to seal your fate (that is, create the policy and enable it).
Creating and enabling the policy should only take a few moments. After that, the testing!
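If you would rather script the two procedures above (the trusted named location and the Teams MFA policy) than click through the portal, the following is an added example of my own, not code from the original post. It builds the Microsoft Graph request bodies for `/identity/conditionalAccess/namedLocations` and `/identity/conditionalAccess/policies`, enforces the 195-range and /8 limits mentioned earlier, and includes a small local check that mirrors the policy's decision for a given sign-in IP; the Teams application ID and break-glass user ID are placeholders you must replace, and the IP ranges are constructed sample values.

```python
import ipaddress
import json

MAX_RANGES_PER_LOCATION = 195   # limit stated in the post
SMALLEST_PREFIX = 8             # largest block allowed is a /8

# Placeholder IDs (not real values): replace with your tenant's object IDs.
TEAMS_APP_ID = "<microsoft-teams-app-id>"
BREAK_GLASS_USER_ID = "<break-glass-user-object-id>"

def named_location_body(display_name, cidrs, trusted=True):
    """Build the Graph POST body for an ipNamedLocation, enforcing the limits."""
    if len(cidrs) > MAX_RANGES_PER_LOCATION:
        raise ValueError(f"a named location holds at most {MAX_RANGES_PER_LOCATION} ranges")
    ranges = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)   # rejects host bits set
        if net.prefixlen < SMALLEST_PREFIX:
            raise ValueError(f"{cidr} is larger than a /8")
        kind = "iPv4CidrRange" if net.version == 4 else "iPv6CidrRange"
        ranges.append({"@odata.type": f"#microsoft.graph.{kind}", "cidrAddress": str(net)})
    return {"@odata.type": "#microsoft.graph.ipNamedLocation",
            "displayName": display_name, "isTrusted": trusted, "ipRanges": ranges}

def teams_mfa_policy_body(display_name, extra_app_ids=(), state="enabled"):
    """Graph body for the policy: all users except break-glass, Teams (plus any extra
    apps such as SharePoint), every location except trusted ones, grant only with MFA.
    Use state="enabledForReportingButNotEnforced" to pilot in report-only mode."""
    return {"displayName": display_name, "state": state,
            "conditions": {
                "users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS_USER_ID]},
                "applications": {"includeApplications": [TEAMS_APP_ID, *extra_app_ids]},
                "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}},
            "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}

def mfa_required(location_bodies, sign_in_ip):
    """Mirror the policy's decision locally: MFA is required unless the sign-in IP
    falls inside a range of a location marked trusted."""
    ip = ipaddress.ip_address(sign_in_ip)
    for loc in location_bodies:
        if not loc["isTrusted"]:
            continue
        for r in loc["ipRanges"]:
            if ip in ipaddress.ip_network(r["cidrAddress"]):
                return False
    return True

if __name__ == "__main__":
    hq = named_location_body("HQ egress (constructed)", ["203.0.113.0/24", "198.51.100.8/29"])
    print(json.dumps(teams_mfa_policy_body("CA-Teams-MFA-OffNetwork"), indent=2))
    print(mfa_required([hq], "203.0.113.77"), mfa_required([hq], "192.0.2.5"))
```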
Testing the Conditional Access policy
In order to validate that your new Conditional Access policy for trusted locations behaves as you intend, you’ll need to log in from two different IP ranges. You’ll need an IP on the trusted list, as well as one that is not.
Since the change you’re implementing focuses on a new experience for untrusted locations, we’ll step through that. You’ll also want to verify that a device coming from a trusted location still gets the expected experience (no MFA prompt).
- Select a device whose external IP address is not in your trusted locations configuration. If you need help determining this, you can use my snazzy Check-ExternalIP function, from this random guy’s blog or from the PowerShell gallery.
- Launch a browser and navigate to https://teams.microsoft.com.
- Enter your credentials (if prompted–depending on your SSO configuration).
- Prepare to be prompted.
- In this instance, you’ll confirm your log-in using the Microsoft Authenticator. If you’ve gone through the process to configure a different MFA provider, do that instead.
As Emeril would say: