I may as well post this, as the response to my plea was overwhelming (irony alert). I figured it out, by luck more than judgement I might add, but there we go. You need 3 policies. I used 2 groups to test: a test group containing my test user that I wanted to block, and a 'live' group containing me, who I (naturally) wanted to allow. All the policies are 'Block' policies, so it feels a little counter-intuitive to 'Include' who you want to block and 'Exclude' those you don't, but now I've written it, it seems quite clear. So to be clear: if it's 'Included' it's blocked, and if it's 'Excluded' it isn't.
Policy 1: Groups Excl & Incl - No Location
Include who you want blocked, exclude who you don't. Select the App/s you want blocked. I configure the Device Platforms for Word and the Client Apps for everything, but haven't tested whether they are relevant. Nothing else changed.
Policy 2: All Groups Incl - Locations Excl & Incl
Include everyone. No exclusions unless you want a safety valve (just in case). Include the apps as above. Include 'Any Location' and Exclude any 'Trusted Locations'. Device Platforms and Client Apps as above.
Policy 3: Groups Incl & Excl - Locations Excl & Incl
Include who you want blocked, exclude who you don't. Include the apps as above. Include 'Any Location' and Exclude any 'Trusted Locations'. Device Platforms and Client Apps as above.
All I can say is that with this setup, we can only get in with a VPN working. In the real world, where you have to include 'All Users', you may need to put in an excluded (Admin) by name. We were managing the Azure Management Portal, which has implications if you botch it up, so fair play to MS if someone has programmed it to make sure you have to work hard to really screw it up. It doesn't work if that name is in a group, so it has to be explicit, and you can't remove it later! So well done to that nerd in the dark room who really thought about it; it is rare these days.
MS support couldn't do this in two weeks, and then they have the cheek to rate their support!!!
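As an added illustration (not part of the original post), the three 'Block' policies above written in the Microsoft Graph conditionalAccessPolicy shape, with a simplified evaluator so the combined effect on a sign-in can be checked before enabling anything. Group and user names are constructed samples, the app id is a placeholder, and the evaluator is a model of include/exclude scoping, not Azure AD's own engine.

```python
# Policy bodies in the Microsoft Graph conditionalAccessPolicy shape.
# Group/user names are constructed samples; APP_ID is a placeholder.
APP_ID = "<azure-management-app-id>"  # placeholder, not a real app id

def block_policy(name, include_groups=None, exclude_groups=None,
                 include_users=None, exclude_users=None, locations=False):
    """Build one 'Block' policy; locations=True adds Any/Trusted scoping."""
    conditions = {
        "users": {"includeGroups": include_groups or [],
                  "excludeGroups": exclude_groups or [],
                  "includeUsers": include_users or [],
                  "excludeUsers": exclude_users or []},
        "applications": {"includeApplications": [APP_ID]},
        "platforms": {"includePlatforms": ["all"]},
        "clientAppTypes": ["all"],
    }
    if locations:
        conditions["locations"] = {"includeLocations": ["All"],
                                   "excludeLocations": ["AllTrusted"]}
    return {"displayName": name, "state": "enabled", "conditions": conditions,
            "grantControls": {"operator": "OR", "builtInControls": ["block"]}}

# Policy 1: block test group, exclude live group, no location condition.
# Policy 2: block everyone off trusted locations, safety-valve admin by name.
# Policy 3: block test group off trusted locations, exclude live group.
POLICIES = [
    block_policy("Policy 1", include_groups=["test-group"], exclude_groups=["live-group"]),
    block_policy("Policy 2", include_users=["All"], exclude_users=["breakglass-admin"],
                 locations=True),
    block_policy("Policy 3", include_groups=["test-group"], exclude_groups=["live-group"],
                 locations=True),
]

def policy_applies(policy, user, groups, trusted_location):
    """Simplified model: a policy fires if the sign-in is included and not
    excluded for users, and (when a location condition exists) the sign-in
    is not coming from a trusted location."""
    u = policy["conditions"]["users"]
    included = ("All" in u["includeUsers"] or user in u["includeUsers"]
                or any(g in u["includeGroups"] for g in groups))
    excluded = (user in u["excludeUsers"]
                or any(g in u["excludeGroups"] for g in groups))
    if not included or excluded:
        return False
    loc = policy["conditions"].get("locations")
    if loc and trusted_location and "AllTrusted" in loc["excludeLocations"]:
        return False
    return True

def blocking_policies(user, groups, trusted_location):
    """Names of block policies that fire for this sign-in (any one blocks)."""
    return [p["displayName"] for p in POLICIES
            if policy_applies(p, user, groups, trusted_location)]
```

Calling blocking_policies("me", ["live-group"], True) returns an empty list (allowed over the VPN), while the same user off a trusted location is caught by Policy 2 and the test user is blocked by Policy 1 regardless of location.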