Ensure Users aren't missed from CA Policy


Hi All

Apart from targeting All Users with exceptions / exclusions, is there any other way to ensure that users don't get missed by CA policies?

Info appreciated

3 Replies

@Stuart King There is also "any location" and "any device", but "all users" should do the trick.

Make sure to block legacy authentication, both to make sure MFA access controls work and because basic auth tokens won't carry enough information to filter properly in all CA policies.

Be very careful when disabling Legacy authentication. The problem that arises is if users are using any of the legacy protocols and you turn them off... it is a bad day.

@jenstf 

Yes, you should analyze the Azure AD Sign-in logs first (add client application column) and make sure to exclude all service accounts that don't support modern authentication from the policy and prepare the users, especially those that show up in the log as legacy auth users.
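
The log review suggested in the replies above, as an added example that is not part of the original thread: it reads an exported sign-in log, lists the accounts that signed in with a legacy client app, and separates those already on a planned exclusion list from those that still need preparation. The `userPrincipalName` and `clientAppUsed` field names follow the Microsoft Graph sign-in record; the sample records, account names and exclusion list are constructed, and the function name is hypothetical.

```python
import json
from collections import defaultdict

# Client app values that indicate modern authentication; anything else that
# is reported in the client application column is treated as legacy auth.
MODERN_CLIENTS = {"browser", "mobile apps and desktop clients"}

# Constructed sample records (not real data), shaped like an exported sign-in log.
SAMPLE_EXPORT = json.dumps([
    {"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser"},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4"},
    {"userPrincipalName": "bob@example.com",
     "clientAppUsed": "Mobile Apps and Desktop clients"},
    {"userPrincipalName": "Bob@example.com", "clientAppUsed": "Authenticated SMTP"},
    {"userPrincipalName": "svc-scanner@example.com",
     "clientAppUsed": "Authenticated SMTP"},
    {"userPrincipalName": "carol@example.com", "clientAppUsed": "Exchange ActiveSync"},
    {"userPrincipalName": "dave@example.com", "clientAppUsed": ""},
])


def legacy_auth_report(export_json, planned_exclusions=()):
    """Group legacy-auth sign-ins by account and split them by exclusion status.

    planned_exclusions is the (hypothetical) list of service accounts you
    intend to exclude from the policy that blocks legacy authentication.
    """
    excluded = {account.lower() for account in planned_exclusions}
    seen = defaultdict(set)
    for record in json.loads(export_json):
        upn = (record.get("userPrincipalName") or "").strip().lower()
        client = (record.get("clientAppUsed") or "").strip()
        # Records without an account or client app value cannot be classified
        # here and are skipped; review those manually in the portal.
        if not upn or not client or client.lower() in MODERN_CLIENTS:
            continue
        seen[upn].add(client)

    report = {"already_excluded": {}, "needs_preparation": {}}
    for upn, clients in sorted(seen.items()):
        bucket = "already_excluded" if upn in excluded else "needs_preparation"
        report[bucket][upn] = sorted(clients)
    return report


if __name__ == "__main__":
    result = legacy_auth_report(SAMPLE_EXPORT, ["svc-scanner@example.com"])
    print(json.dumps(result, indent=2))
```

Accounts listed under `needs_preparation` are the ones that would break when the block is enabled: either move them to modern authentication or add them to the exclusion list deliberately.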
