
Azure AD conditional Access.

Deleted
Not applicable

Hi All,

I was looking for some insights on how large enterprises handle this situation.

Assuming you have IP based restrictions for SharePoint Online OR Conditional access where you created a named location with a set of IPs.
In a scenario where the network infrastructure is changed or updated, new sites are added, or circuits are changed, how do large enterprises deal with handling this change?

For a large enterprise you could have multiple locations and a complex network. Is there a best approach to handle change in the IPs so that users don't get locked out of Office 365?


Thanks,

Priyank

1 Reply
Solution

If you're doing IP-based restrictions, then this becomes a change management issue. Before new IP ranges are added, or existing IP ranges are removed, you should include in your planning the steps to update your conditional access rules.


If IP-based restrictions are becoming unmanageable for you, consider moving to managed vs unmanaged device policies in conditional access instead. That way you aren't trusting networks (all networks should be untrusted these days), and you're focusing on securing identities and endpoints (devices) instead.


Here is a blog post on the topic if you're interested: https://practical365.com/security/azure-active-directory-conditional-access-enforce-multi-factor-aut...
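One way to put the change-management step above into practice, as an added example that is not from this thread or from Microsoft: diff a named location's current IP ranges against the new source-of-truth list, build the Graph PATCH body, and refuse to proceed if the new range set would no longer cover the address the change is being made from (the lockout the question worries about). The Graph endpoint and `@odata.type` names are taken from the Microsoft Graph documentation as an assumption; the location id and the ranges are constructed placeholders.

```python
import ipaddress

# Graph endpoint the plan targets (assumed from the Graph docs, not from the thread):
#   PATCH https://graph.microsoft.com/v1.0/identity/conditionalAccess/namedLocations/{id}
GRAPH_NAMED_LOCATIONS = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/namedLocations"

# Constructed sample of an ipNamedLocation as Graph returns it (fields trimmed).
CURRENT_LOCATION = {
    "@odata.type": "#microsoft.graph.ipNamedLocation",
    "id": "00000000-0000-0000-0000-000000000000",  # placeholder, not a real object id
    "displayName": "Corp offices",
    "isTrusted": True,
    "ipRanges": [
        {"@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": "203.0.113.0/24"},
        {"@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": "198.51.100.0/25"},
    ],
}

# Constructed source of truth after a circuit change: one site moved to a new range.
DESIRED_RANGES = ["203.0.113.0/24", "192.0.2.0/24"]


def _range_entry(net):
    """Graph range object for one network (type name depends on the IP version)."""
    kind = "iPv4CidrRange" if net.version == 4 else "iPv6CidrRange"
    return {"@odata.type": f"#microsoft.graph.{kind}", "cidrAddress": str(net)}


def plan_change(location, desired, admin_ip):
    """Diff current vs desired ranges and build the PATCH body.

    admin_ip is the egress address the change is made from. If the new range
    set no longer covers it, a policy scoped to this trusted location could
    lock the administrator out, so the plan is flagged rather than applied.
    """
    current = {ipaddress.ip_network(r["cidrAddress"]) for r in location["ipRanges"]}
    wanted = {ipaddress.ip_network(c) for c in desired}
    admin = ipaddress.ip_address(admin_ip)
    return {
        "url": f"{GRAPH_NAMED_LOCATIONS}/{location['id']}",
        "added": sorted(str(n) for n in wanted - current),
        "removed": sorted(str(n) for n in current - wanted),
        "admin_still_covered": any(admin in n for n in wanted),
        "patch_body": {
            "@odata.type": "#microsoft.graph.ipNamedLocation",
            "ipRanges": [_range_entry(n) for n in sorted(wanted, key=str)],
        },
    }
```

Run the plan in the change ticket before the cut-over, and only send the PATCH when `admin_still_covered` is true and the `removed` list matches what the network team said would disappear.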
