Azure AD Conditional Access Policies - chadmcox/Azure_Active_Directory GitHub Wiki

Notes

  • There is no way to block Exchange Online or SharePoint Online without blocking Teams
  • There is no way to block Office 365 while allowing Teams; Teams relies on the other services.
  • When blocking access to All Cloud Apps, always exclude Breakglass accounts
  • When requiring MFA for All Users, All Cloud Apps (including when using locations), remember
    • To exclude Breakglass
    • It will probably break Logic Apps, avm, Windows 365, Linux/Windows virtual machine auth, and SQL integrated auth
  • All Cloud App blocks can break things like Intune enrollment or license registration
  • Create a security group for each policy that can be used to exclude users; this is better than making changes to the policies themselves.
    • Apply access reviews to those groups
  • Follow proper change control
  • At a minimum, always license role members with Azure AD Premium P2.
  • Conditional Access policies require an Azure AD Premium P1 license.
  • On-premises synced "service accounts" should be the exception, not the rule.
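The notes above amount to rules that can be checked mechanically against an export of the tenant's policies before a change is rolled out. The following Python is an added example, not code from this wiki or from any Microsoft tooling: it lints policy objects in the shape Microsoft Graph returns for conditional access policies (the constructed sample keeps only the fields the lint reads). The breakglass user id, the exclusion-group naming prefix and the Directory Sync Accounts role template id are placeholders to be replaced with the tenant's own values.

```python
import json
from typing import Dict, List

# Tenant-specific identifiers. All three are placeholders, not values from the wiki;
# replace them with the real object ids / naming convention before use.
BREAKGLASS_USER_IDS = {"11111111-1111-1111-1111-111111111111"}
EXCLUSION_GROUP_PREFIX = "CAP Exclusion - "
DIRSYNC_ROLE_TEMPLATE_ID = "<directory-sync-accounts-role-template-id>"

# Constructed sample: two policies in the shape Graph returns for
# GET /identity/conditionalAccess/policies, trimmed to the fields the lint reads.
SAMPLE_EXPORT = json.dumps([
    {
        "displayName": "All Users - Require MFA for All Cloud Apps",
        "state": "enabled",
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeUsers": ["11111111-1111-1111-1111-111111111111"],
                "excludeGroups": ["aaaaaaaa-0000-0000-0000-000000000001"],
                "excludeRoles": ["<directory-sync-accounts-role-template-id>"],
            },
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "AND", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "All Users - Block Legacy Authentication",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeUsers": [],
                "excludeGroups": ["aaaaaaaa-0000-0000-0000-000000000002"],
                "excludeRoles": [],
            },
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
])

# Constructed group id -> displayName map (in a real tenant, resolved via GET /groups).
GROUP_NAMES = {
    "aaaaaaaa-0000-0000-0000-000000000001": "CAP Exclusion - MFA All Apps",
    "aaaaaaaa-0000-0000-0000-000000000002": "Legacy Auth Exceptions",
}


def lint_policy(policy: dict, group_names: Dict[str, str]) -> List[str]:
    """Return findings for one policy object; an empty list means it passes."""
    findings = []
    users = policy["conditions"]["users"]
    apps = policy["conditions"]["applications"]
    controls = (policy.get("grantControls") or {}).get("builtInControls", [])

    # Note: always exclude Breakglass (every policy, not only blocks).
    if not BREAKGLASS_USER_IDS & set(users.get("excludeUsers", [])):
        findings.append("breakglass account is not excluded")

    # Note: each policy gets its own exclusion group, so exceptions are group edits.
    excluded = [group_names.get(g, g) for g in users.get("excludeGroups", [])]
    if not any(n.startswith(EXCLUSION_GROUP_PREFIX) for n in excluded):
        findings.append("no per-policy exclusion group excluded")

    # Note: MFA for All Users / All Cloud Apps breaks on-premises sync accounts.
    everything = "All" in users.get("includeUsers", []) and "All" in apps.get("includeApplications", [])
    if everything and "mfa" in controls and DIRSYNC_ROLE_TEMPLATE_ID not in users.get("excludeRoles", []):
        findings.append("all-users/all-apps MFA policy does not exclude the Directory Sync Accounts role")

    if policy.get("state") != "enabled":
        findings.append(f"policy state is {policy.get('state')!r}, so it is not enforced")
    return findings


def lint_export(export_json: str, group_names: Dict[str, str]) -> Dict[str, List[str]]:
    """Lint every policy in a JSON export and return findings keyed by displayName."""
    return {p["displayName"]: lint_policy(p, group_names) for p in json.loads(export_json)}


if __name__ == "__main__":
    for name, findings in lint_export(SAMPLE_EXPORT, GROUP_NAMES).items():
        print(name, "-> OK" if not findings else "")
        for finding in findings:
            print("   -", finding)
```

Feed it the JSON produced by whatever export you use for backups and a group id-to-name map; a policy that passes returns an empty list, so the check slots into change control as a pre-merge gate.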

Goals

  • Protect Privileged Credentials
  • Require trusted devices
  • Do not depend on trusted networks / locations
  • Always require multifactor

Important

  • Before making any changes to any conditional access policy, make sure to be familiar with backing them up and being able to restore them. I have created instructions on how to do that.

Click Here to Open How to Back up and Restore Conditional Access Policies

Recommended Policies

Guest

Guest - Block Microsoft Azure Management

  • Log Analytics query can be found here to use to find possible impacted users: query-GuestAccessingAzureManagement.kql
  • Users
    • Include: All guest and external users
    • Exclude: Breakglass, Exclusion Group
  • Cloud Apps or Actions
    • Select what this policy applies to: Cloud apps
    • Include: Microsoft Azure Management
    • Exclude: None
  • Conditions
  • Grant
    • Block Access

Guest - Sign-in Risk Block All Cloud Apps (medium,high)

  • Requires P2 License
  • Log Analytics query can be found here to use to find possible impacted users: query-AIPRiskyGuest.kql
  • Users
    • Include: All guest and external users
    • Exclude: Breakglass, Exclusion Group
  • Cloud Apps or Actions
    • Select what this policy applies to: Cloud apps
    • Include: All Cloud Apps
    • Exclude: None
  • Conditions
    • Sign-in risk: High, Medium, Low
  • Grant
    • Block Access. Ideally use a block rather than MFA; MFA is acceptable only if a non-spammable MFA method is used.

Guest - Always require MFA

added 12/1/2022

  • Users
    • Include: Guest
    • Exclude: Breakglass, Exclusion Group
  • Cloud Apps or Actions
    • Select what this policy applies to: Cloud apps
    • Include: All Cloud Apps
    • Exclude: None
  • Conditions
  • Grant
    • Grant Access
    • Require Multi-Factor Authentication
    • Require all the selected controls

Directory Roles

My list of "Privileged Roles" for these policies

  • Application Administrator
  • Authentication Administrator
  • Cloud Application Administrator
  • Conditional Access Administrator
  • Exchange Administrator
  • Global Administrator
  • Helpdesk Administrator
  • Hybrid Identity Administrator
  • Password Administrator
  • Privileged Authentication Administrator
  • Privileged Role Administrator
  • Security Administrator
  • SharePoint Administrator
  • User Administrator

Privileged Role Members - Always require MFA and Limit Session

  • Users
    • Include: Directory Roles (Privileged Roles)
    • Exclude: Breakglass, Exclusion Group
  • Cloud Apps or Actions
    • Select what this policy applies to: Cloud apps
    • Include: All Cloud Apps
    • Exclude: None
  • Conditions
  • Grant
    • Grant Access
    • Require Multi-Factor Authentication
    • Require all the selected controls
  • Session
    • Sign-in frequency 2 Hours

Privileged Role Members - Block Legacy Authentication

  • Users
    • Include: Directory Roles (Privileged Roles)
    • Exclude: Breakglass, Exclusion Group
  • Cloud Apps or Actions
    • Select what this policy applies to: Cloud apps
    • Include: All Cloud Apps
    • Exclude: None
  • Conditions
    • Client apps
      • Exchange ActiveSync clients
      • Other clients
  • Grant
    • Block Access

Privileged Role Members - Sign-in Risk Block All Cloud Apps (low,medium,high)

  • Requires P2 License
  • Users
    • Include: Directory Roles (Privileged Roles)
    • Exclude: Breakglass, Exclusion Group
  • Cloud Apps or Actions
    • Select what this policy applies to: Cloud apps
    • Include: All Cloud Apps
    • Exclude: None
  • Conditions
    • Sign-in risk: High, Medium, Low
  • Grant
    • Block Access

Privileged Role Members - User Risk Block All Cloud Apps (low,medium,high)

  • Requires P2 License
  • Users
    • Include: Directory Roles (Privileged Roles)
    • Exclude: Breakglass, Exclusion Group
  • Cloud Apps or Actions
    • Select what this policy applies to: Cloud apps
    • Include: All Cloud Apps
    • Exclude: None
  • Conditions
    • User risk: High, Medium, Low
  • Grant
    • Block Access

Privileged Role Members - Require Compliant Devices

added 12/1/2022

  • Requires Intune License and Compliance Policies Created
  • Users
    • Include: Directory Roles (Privileged Roles)
    • Exclude: Breakglass, Exclusion Group
  • Cloud Apps or Actions
    • Select what this policy applies to: Cloud apps
    • Include: All Cloud Apps
    • Exclude: None
  • Conditions
  • Grant
    • Grant Access
    • Require device to be marked as compliant
    • Require Hybrid Azure AD joined device
    • Require one of the selected controls

Directory Sync Account - Block Non Trusted Networks

  • Requires Named Locations to be created and trusted
  • Users
    • Include: Directory Role (Directory Sync Account)
    • Exclude: Breakglass, Exclusion Group
  • Cloud Apps or Actions
    • Select what this policy applies to: Cloud apps
    • Include: All Cloud Apps
    • Exclude: None
  • Conditions
    • Locations
    • Include: Any Location
    • Exclude: All trusted locations
  • Grant
    • Block Access

Directory Sync Account - Sign-in Risk Block All Cloud Apps (low,medium,high)

  • Requires P2 License
  • Users
    • Include: Directory Roles (Directory Sync Account)
    • Exclude: Breakglass, Exclusion Group
  • Cloud Apps or Actions
    • Select what this policy applies to: Cloud apps
    • Include: All Cloud Apps
    • Exclude: None
  • Conditions
    • Sign-in risk: High, Medium, Low
  • Grant
    • Block Access

Devices

All Devices - Require Compliant Device for Office 365

updated 12/1/2022

  • Requires Intune License and Compliance Policies Created
  • Users
    • Include: All Users
    • Exclude: Guest, Breakglass, Exclusion Group, Directory Role (Directory Sync Accounts)
  • Cloud Apps or Actions
    • Select what this policy applies to: Cloud apps
    • Include: Office 365
    • Exclude: None
  • Conditions
  • Grant
    • Grant Access
    • Require device to be marked as compliant
    • Require Hybrid Azure AD joined device
    • Require one of the selected controls

All Devices - Block Exchange ActiveSync

added 12/1/2022

  • Users
    • Include: All Users
    • Exclude: Breakglass, Exclusion Group,
  • Cloud Apps or Actions
    • Select what this policy applies to: Cloud apps
    • Include: Office 365 Exchange Online
    • Exclude: None
  • Conditions
    • Client apps
    • Exchange ActiveSync clients
  • Grant
    • Block Access

Unmanaged Devices - No Persistent Browser Session

added 12/1/2022

  • Users
    • Include: All Users
    • Exclude: Breakglass, Exclusion Group,
  • Cloud Apps or Actions
    • Select what this policy applies to: Cloud apps
    • Include: All cloud apps
    • Exclude: None
  • Conditions
    • Filter for device
    • device.isCompliant -ne True -or device.trustType -ne "ServerAD"
  • Session
    • Sign-in frequency: 1 Hour
    • Persistent browser session: Never persistent
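The device filter on this policy decides which sign-ins get the non-persistent session, so it is worth seeing exactly which devices the rule `device.isCompliant -ne True -or device.trustType -ne "ServerAD"` catches. The Python below is an added example, not code from this wiki or from Microsoft: it implements a small parser and evaluator for the subset of the device-filter syntax the rule uses (`-eq`, `-ne`, `-and`, `-or`, parentheses) and runs the rule against constructed sample devices. Two assumptions are labelled in the code: `-and` binds tighter than `-or`, and an attribute a device does not report compares as `None`, so `-ne` is true for it.

```python
import re
from typing import Any, Dict, List

# Filter rule copied from the "Unmanaged Devices" policy above.
RULE = 'device.isCompliant -ne True -or device.trustType -ne "ServerAD"'

_TOKEN = re.compile(r'\s*(\(|\)|-and|-or|-eq|-ne|"[^"]*"|True|False|device\.\w+)', re.IGNORECASE)


def tokenize(rule: str) -> List[str]:
    """Split a rule into tokens; raise on anything outside the supported subset."""
    tokens, pos, rule = [], 0, rule.strip()
    while pos < len(rule):
        m = _TOKEN.match(rule, pos)
        if m is None:
            raise ValueError(f"unsupported syntax at offset {pos}: {rule[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def _literal(token: str) -> Any:
    if token.lower() in ("true", "false"):
        return token.lower() == "true"
    return token[1:-1]  # strip the quotes of a string literal


class Parser:
    # Grammar (assumption: -and binds tighter than -or, as in most expression languages):
    #   expr := term (-or term)*     term := atom (-and atom)*
    #   atom := '(' expr ')' | device.attribute (-eq | -ne) literal
    def __init__(self, rule: str):
        self.tokens, self.i = tokenize(rule), 0

    def _peek(self) -> str:
        return self.tokens[self.i].lower() if self.i < len(self.tokens) else ""

    def _next(self) -> str:
        if self.i >= len(self.tokens):
            raise ValueError("unexpected end of rule")
        self.i += 1
        return self.tokens[self.i - 1]

    def parse(self):
        node = self._expr()
        if self._peek():
            raise ValueError(f"trailing token {self._peek()!r}")
        return node

    def _expr(self):
        node = self._term()
        while self._peek() == "-or":
            self._next()
            node = ("or", node, self._term())
        return node

    def _term(self):
        node = self._atom()
        while self._peek() == "-and":
            self._next()
            node = ("and", node, self._atom())
        return node

    def _atom(self):
        tok = self._next()
        if tok == "(":
            node = self._expr()
            if self._next() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if not tok.lower().startswith("device."):
            raise ValueError(f"expected device attribute, got {tok!r}")
        op = self._next().lower()
        if op not in ("-eq", "-ne"):
            raise ValueError(f"unsupported operator {op!r}")
        return ("cmp", op, tok.split(".", 1)[1], _literal(self._next()))


def evaluate(node, device: Dict[str, Any]) -> bool:
    """Evaluate a parsed rule. Assumption: a missing attribute compares as None."""
    if node[0] == "or":
        return evaluate(node[1], device) or evaluate(node[2], device)
    if node[0] == "and":
        return evaluate(node[1], device) and evaluate(node[2], device)
    _, op, attr, literal = node
    return (device.get(attr) == literal) if op == "-eq" else (device.get(attr) != literal)


def matches(rule: str, device: Dict[str, Any]) -> bool:
    return evaluate(Parser(rule).parse(), device)


# Constructed sample devices; attribute names follow the rule above.
SAMPLE_DEVICES = {
    "compliant hybrid-joined":   {"isCompliant": True,  "trustType": "ServerAD"},
    "compliant Azure AD joined": {"isCompliant": True,  "trustType": "AzureAD"},
    "non-compliant hybrid":      {"isCompliant": False, "trustType": "ServerAD"},
    "unregistered":              {},
}


def unmanaged(rule: str = RULE) -> List[str]:
    """Names of the sample devices the rule matches, i.e. that get the non-persistent session."""
    return [name for name, attrs in SAMPLE_DEVICES.items() if matches(rule, attrs)]
```

Running `unmanaged()` shows the point of the `-or`: a device that is compliant but Azure AD joined rather than hybrid joined still matches, because only `trustType "ServerAD"` satisfies the second clause. If compliant cloud-joined devices should keep persistent sessions, the rule needs `-and` instead, which the evaluator lets you confirm before touching the policy.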

All Users

All Users - Require MFA for All Cloud Apps

  • Log Analytics query can be found here to look for applications not getting mfa: query-MFAPercentageperapp.kql
  • Users
    • Include: All Users
    • Exclude: Breakglass, Exclusion Group, Directory Role (Directory Sync Accounts), Guest
  • Cloud Apps or Actions
    • Select what this policy applies to: Cloud apps
    • Include: All Cloud Apps
    • Exclude: None
  • Conditions
  • Grant
    • Grant Access
    • Require Multi-Factor Authentication
    • Require all the selected controls

Note: this policy will more than likely break on-premises sync accounts; make sure the Directory Sync Accounts role is in the exclusion group.

All Users - Sign-in Risk Block All Cloud Apps (high)

A block is preferred unless non-spammable MFA methods are used.

  • Requires P2 License
  • Log Analytics query can be found here to use to find possible impacted users: query-AIPHighRiskAllCloudApps.kql
  • Users
    • Include: All Users
    • Exclude: Guest, Breakglass, Exclusion Group
  • Cloud Apps or Actions
    • Select what this policy applies to: Cloud apps
    • Include: All Cloud Apps
    • Exclude: None
  • Conditions
    • Sign-in risk: High
  • Grant
    • Block Access

All Users - Sign-in Risk Require MFA for All Cloud Apps (low,Medium,High)

  • Requires P2 License
  • Log Analytics query can be found here to look for impacted users: query-AIPHighRiskAllCloudApps.kql
  • Users
    • Include: All Users
    • Exclude: Guest, Breakglass, Exclusion Group
  • Cloud Apps or Actions
    • Select what this policy applies to: Cloud apps
    • Include: All Cloud Apps
    • Exclude: None
  • Conditions
    • Sign-in risk: High, Medium, Low
  • Grant
    • Require MFA

All Users - User Risk Block All Cloud Apps (high)

Ideally the SOC would investigate; allow self-remediation via password change only if confident in the users' MFA strength.

  • Requires P2 License
  • Users
    • Include: All Users
    • Exclude: Guests, Breakglass, Exclusion Group
  • Cloud Apps or Actions
    • Select what this policy applies to: Cloud apps
    • Include: All Cloud Apps
    • Exclude: None
  • Conditions
    • User risk: High
  • Grant
    • Block Access

All Users - Sign-in Risk Block Microsoft Azure Management (low,medium,high)

  • Requires P2 License
  • Log Analytics Query can be found here to look for impacted users: query-AIPRiskAzureManagement.kql
  • Users
    • Include: All Users
    • Exclude: Breakglass, Exclusion Group
  • Cloud Apps or Actions
    • Select what this policy applies to: Cloud apps
    • Include: Microsoft Azure Management
    • Exclude: None
  • Conditions
    • Sign-in risk: high, medium, low
  • Grant
    • Block Access

All Users - Sign-in Risk Block Security Information Registration (medium,high)

  • Requires P2 License
  • Users
    • Include: All Users
    • Exclude: Breakglass, Exclusion Group
  • Cloud Apps or Actions
    • Select what this policy applies to: User Actions
    • Register security information
  • Conditions
    • Sign-in risk: Medium, High
  • Grant
    • Block Access

All Users - Require MFA Device Join/Registration

  • Users
    • Include: All Users
    • Exclude: Breakglass, Exclusion Group
  • Cloud Apps or Actions
    • Select what this policy applies to: User Actions
    • Register or join devices
  • Conditions
  • Grant
    • Grant Access
    • Require Multi-Factor Authentication
    • Require all the selected controls

All Users - Block Legacy Authentication

  • Users
    • Include: All Users
    • Exclude: Breakglass, Exclusion Group
  • Cloud Apps or Actions
    • Select what this policy applies to: Cloud Apps
    • Include: All Cloud Apps
  • Conditions
    • Client apps
    • Exchange ActiveSync clients
    • Other clients
  • Grant
    • Block Access

All Users - Require MFA for Microsoft Azure Management

Not needed if "All Users - Require MFA for All Cloud Apps" was implemented without any conditions

  • Log Analytics Query can be found here to look for impacted users: query-noMFAAzureManagement.kql
  • Users
    • Include: All Users
    • Exclude: Breakglass, Exclusion Group
  • Cloud Apps or Actions
    • Select what this policy applies to: Cloud Apps
    • Include: Microsoft Azure Management
  • Conditions
  • Grant
    • Grant Access
    • Require Multi-Factor Authentication
    • Require all the selected controls

All Users - Require MFA for Microsoft Graph PowerShell and Explorer

Not needed if "All Users - Require MFA for All Cloud Apps" was implemented without any conditions

  • Use the following KQL to query log analytics to get a list of users using (allowed to use) the endpoints Click Here
  • Users
    • Include: All Users
    • Exclude: Breakglass, Exclusion Group
  • Cloud Apps or Actions
    • Select what this policy applies to: Cloud Apps
    • Include: Microsoft Graph PowerShell, Graph Explorer
  • Conditions
  • Grant
    • Grant Access
    • Require Multi-Factor Authentication
    • Require all the selected controls

All Users - Require MFA for Defender Management Endpoints

Not needed if "All Users - Require MFA for All Cloud Apps" was implemented without any conditions

  • Users
    • Include: All Users
    • Exclude: Breakglass, Exclusion Group
  • Cloud Apps or Actions
    • Select what this policy applies to: Cloud Apps
    • Include: Microsoft Cloud App Security, Azure Advanced Threat Protection, Windows Defender ATP
  • Conditions
  • Grant
    • Grant Access
    • Require Multi-Factor Authentication
    • Require all the selected controls

Privileged Role Members and Select Users - Allow Access to Microsoft Graph PowerShell and Graph Explorer

  • Use the following KQL to query log analytics to get a list of users using (allowed to use) the endpoints Click Here
  • Create a new Azure AD group (name it something like Graph CAP Exclusion) and place the users allowed to access those endpoints into the group. This group will be used as an exclusion on the conditional access policy.
  • Create a new conditional access policy
  • Users
    • Include: All Users
    • Exclude: Breakglass, Exclusion Group, Directory Roles (Privileged Roles and Global Reader), Graph CAP Exclusion
  • Cloud Apps or Actions
    • Select what this policy applies to: Microsoft Graph PowerShell, Graph Explorer
  • Conditions
  • Grant
    • Block Access

Workload Identities

Workload Identities - Block Non Trusted Networks

  • Users or Workload identities
    • What does this apply to? Workload identities
    • Include: All owned service principals
    • Exclude:
  • Cloud Apps or Actions
    • Select what this policy applies to: Cloud Apps
    • Include: All cloud apps
  • Conditions
    • Locations
    • Include: Any Location
    • Exclude: All trusted locations
  • Grant
    • Block Access

Workload Identities - Service Principal Risk Block All Cloud Apps

  • Users or Workload identities
    • What does this apply to? Workload identities
    • Include: All owned service principals
    • Exclude:
  • Cloud Apps or Actions
    • Select what this policy applies to: Cloud Apps
    • Include: All cloud apps
  • Conditions
    • Service principal risk
    • Include: High, Medium, Low
  • Grant
    • Block Access

User Based "Service Accounts" Recommended Policies

Service Accounts - Block Untrusted Locations

  • Create Conditional Access Policy:
  • Users
    • Include: "O365 Service Account Group", "Azure Service Account Group"
    • Exclude: Breakglass, Exclusion Group
  • Cloud Apps or Actions
    • Select what this policy applies to: Cloud Apps
    • Include: All Cloud Apps
    • Exclude: Office 365
  • Conditions
    • Locations
    • Include: Any location
    • Exclude: All trusted locations
  • Grant
    • Block Access

O365 Service Accounts - Allow Only Office 365

  • Create Conditional Access Policy:
  • Users
    • Include: "O365 Service Account Group"
    • Exclude: Breakglass, Exclusion Group
  • Cloud Apps or Actions
    • Select what this policy applies to: Cloud Apps
    • Include: All Cloud Apps
    • Exclude: Office 365
  • Conditions
  • Grant
    • Block Access

Azure Service Accounts - Allow Only Azure

  • Create Conditional Access Policy:
  • Users
    • Include: "Azure Service Account Group"
    • Exclude: Breakglass, Exclusion Group
  • Cloud Apps or Actions
    • Select what this policy applies to: Cloud Apps
    • Include: All Cloud Apps
    • Exclude: Microsoft Azure Management
  • Conditions
  • Grant
    • Block Access

Other Recommended Policies

All Users - Block Tor Exit Nodes

  • Use the following KQL to query log analytics to get a list of users coming from Tor Exit Nodes Click Here
  • Create a New location (IP Ranges)
  • Name: Blocked IP Addresses
  • Upload the list of IPs from here: tor-exit-nodes.lst
  • Do not select mark as trusted location
  • Create Conditional Access Policy:
  • Users
    • Include: All Users
    • Exclude: Breakglass, Exclusion Group
  • Cloud Apps or Actions
    • Select what this policy applies to: Cloud Apps
    • Include: All Cloud Apps
  • Conditions
    • Include: Blocked IP Addresses
  • Grant
    • Block Access

All Users - Block Countries with No Users

  • Create a New location (Countries)
  • Name: Block Countries
  • Select Determine location by IP addresses (IPv4 Only)
  • Select the countries where sign-ins should not be coming from.
  • Use the following KQL to validate (click here)
  • Create Conditional Access Policy:
  • Users
    • Include: All Users
    • Exclude: Breakglass, Exclusion Group
  • Cloud Apps or Actions
    • Select what this policy applies to: Cloud Apps
    • Include: All Cloud Apps
  • Conditions
    • Include: Block Countries
  • Grant
    • Block Access

Reference