Ring based deployment - AlexFilipin/ConditionalAccess GitHub Wiki

If you are familiar with the evaluation and roll-out section of the quick start guide, you already know when a ring based deployment is useful: whenever you want to target your conditional access policies at one or several different pilot/ring groups rather than at everyone at once.

Let's assume you want to roll out strong authentication to all your users. In that case it is useful to roll it out gradually to different subsets (rings) of your users. Let's assume you want to use the following user groups (rings):

  • IT Department (IT)
  • Key user of the whole company (KEYUSER)
  • Whole company (ALL)

In this example this means that we need the same policy several times, aimed at a different ring each time. For one policy this could look as follows:

200 - IT - Base protection - All apps: Require MFA or trusted device or trusted location

200 - KEYUSER - Base protection - All apps: Require MFA or trusted device or trusted location

200 - ALL - Base protection - All apps: Require MFA or trusted device or trusted location

In this example we have only one policy for three rings; in reality this can be several policies and possibly more rings. So we needed an easy way to manage these multiple copies of the same policies.

Assuming that you have deployed your policy set the normal way, the policies are applied to all users. In this case that is the ALL ring, so the deployment looks as follows.

.\Deploy-Policies.ps1 -Prefix "CA" -Ring "ALL" -ClientId "a4a0356b-69a5-4b85-9545-f64459010333" -TenantName "company.onmicrosoft.com" -PoliciesFolder "C:\Repos\ConditionalAccess\Policies"

Now we have 24 policies in the tenant, all targeted at all employees, but we cannot switch them all on at once. They still have to run in report-only mode so that we can estimate their impact, and we cannot simply narrow their targeting. Therefore we deploy a subset of those 24 policies a second time, so that the same policies exist several times in the tenant, each copy targeted at a different ring.

We can do this with the RingTargeted parameter of the Deploy-Policies.ps1 script.

.\Deploy-Policies.ps1 -Prefix "CA" -Ring "IT" -RingTargeted $True -ClientId "a4a0356b-69a5-4b85-9545-f64459010333" -TenantName "company.onmicrosoft.com" -PoliciesFolder "C:\Repos\ConditionalAccess\SubsetPolicies"

.\Deploy-Policies.ps1 -Prefix "CA" -Ring "KEYUSER" -RingTargeted $True -ClientId "a4a0356b-69a5-4b85-9545-f64459010333" -TenantName "company.onmicrosoft.com" -PoliciesFolder "C:\Repos\ConditionalAccess\SubsetPolicies"

The solution now creates a group for the IT ring and a group for the KEYUSER ring and targets the policies at those groups. Note that the second and third calls use a different PoliciesFolder: it contains only the exact subset of policies that actually needs ring targeting, so the pilot rings do not receive copies of policies that can stay tenant-wide.
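The three calls above are one procedure, and the mistake to guard against is an enforced policy landing on the wrong ring. The following PowerShell script is an added example, not part of the ConditionalAccess project: it runs the ring roll-out in order from one place and then reads the deployed policies back through the Microsoft Graph PowerShell SDK to confirm that every copy is still in report-only mode and that the pilot-ring copies are scoped to a group rather than to all users. It assumes the Deploy-Policies.ps1 parameters exactly as shown on this page, that the deployed display names keep the "<number> - <RING> - <name>" pattern from the policy list above, and that the Microsoft.Graph module is installed; the client ID, tenant name and repository path are the page's own placeholders.

```powershell
# Added example (not the project's own code): drive the three-ring roll-out and
# verify the outcome in the tenant. Assumes Deploy-Policies.ps1 accepts the
# parameters shown on the wiki page and that deployed policies keep the
# "<number> - <RING> - <name>" display-name pattern. Requires Microsoft.Graph.
param(
    [string]$ClientId   = "a4a0356b-69a5-4b85-9545-f64459010333",  # placeholder from the page
    [string]$TenantName = "company.onmicrosoft.com",               # placeholder from the page
    [string]$Prefix     = "CA",
    [string]$RepoRoot   = "C:\Repos\ConditionalAccess"
)

# Rings in roll-out order. ALL is deployed from the full policy set and is not
# ring targeted; the pilot rings re-deploy only the subset that needs rings.
$Rings = @(
    @{ Name = "ALL";     RingTargeted = $false; Folder = Join-Path $RepoRoot "Policies" }
    @{ Name = "IT";      RingTargeted = $true;  Folder = Join-Path $RepoRoot "SubsetPolicies" }
    @{ Name = "KEYUSER"; RingTargeted = $true;  Folder = Join-Path $RepoRoot "SubsetPolicies" }
)

foreach ($ring in $Rings) {
    if (-not (Test-Path $ring.Folder)) {
        throw "Policy folder for ring $($ring.Name) not found: $($ring.Folder)"
    }
    Write-Host "Deploying ring $($ring.Name) from $($ring.Folder)"
    $deployArgs = @{
        Prefix         = $Prefix
        Ring           = $ring.Name
        ClientId       = $ClientId
        TenantName     = $TenantName
        PoliciesFolder = $ring.Folder
    }
    if ($ring.RingTargeted) { $deployArgs.RingTargeted = $True }
    & (Join-Path $RepoRoot "Deploy-Policies.ps1") @deployArgs
}

# Verification: read every Conditional Access policy back and check the two
# properties that matter during a ring roll-out. A ring-targeted policy that is
# scoped to "All" users, or any copy that is already "enabled", is a finding.
Connect-MgGraph -Scopes "Policy.Read.All", "Group.Read.All"
$policies = Get-MgIdentityConditionalAccessPolicy -All

$report = foreach ($ring in $Rings) {
    # Match on the ring token in the display name, e.g. "200 - IT - Base protection ..."
    $ringPolicies = $policies | Where-Object { $_.DisplayName -like "* - $($ring.Name) - *" }
    foreach ($p in $ringPolicies) {
        $users  = $p.Conditions.Users
        $toAll  = $users.IncludeUsers -contains "All"
        $groups = @($users.IncludeGroups)

        $reportOnly  = $p.State -eq "enabledForReportingButNotEnforced"
        $scopeOk     = if ($ring.RingTargeted) { (-not $toAll) -and ($groups.Count -gt 0) } else { $toAll }

        [pscustomobject]@{
            Ring        = $ring.Name
            Policy      = $p.DisplayName
            State       = $p.State
            Scope       = if ($toAll) { "All users" } else { "Groups: " + ($groups -join ",") }
            ReportOnly  = $reportOnly
            ScopeOk     = $scopeOk
            Finding     = if ($reportOnly -and $scopeOk) { "" }
                          elseif (-not $reportOnly) { "policy is not in report-only mode" }
                          else { "policy scope does not match its ring" }
        }
    }
}

$report | Format-Table Ring, Policy, State, Scope, Finding -AutoSize
$findings = @($report | Where-Object { $_.Finding })
if ($findings.Count -gt 0) {
    Write-Error "$($findings.Count) policy copies need attention before the next ring is enabled."
}
```

Run the script from the repository root after the groups for the IT and KEYUSER rings have been populated. The verification step is read-only; a non-empty Finding column means a copy was switched on, or scoped to all users, before its ring was meant to receive it, and the roll-out should stop at that ring until the policy is corrected.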