Creating MFA Policies with Zero Trust Advanced Deployment Guide in Microsoft 365
Published Dec 08 2022 12:00 AM 7,233 Views
Microsoft

Overview of Advanced Deployment Guides & Assistance

As you most probably know, there are Advanced deployment guides available for you on your Microsoft 365 tenant. These are basically deployment guides that help you to configure different settings and onboard services based on your requirements and scenarios. Advanced deployment guides are accessible from Training, guides & assistance card on the Microsoft 365 tenant.

 

Training, guides & assistance snippet from Microsoft 365 tenantTraining, guides & assistance snippet from Microsoft 365 tenant

 

When you visit the Advanced deployment guides & assistance section you will notice several suggestions based on the current configuration of your tenant. When you scroll down a bit on the main page of advanced deployment guides & assistance, you will see the advanced deployment guides available.

 

Screenshot of Advanced deployment guides & assistance page from Microsoft 365 tenantScreenshot of Advanced deployment guides & assistance page from Microsoft 365 tenant

 

There are 40+ guides available in 8 different categories as:

  1. Identity and authentication
  2. Security and compliance
  3. Endpoint management
  4. Microsoft Edge browser deployment and security
  5. Communication and conferencing with Microsoft Teams
  6. Email migration and security
  7. Collaboration
  8. Microsoft 365 productivity apps

 

Screenshot of Security and compliance advanced deployment guides from Microsoft 365 tenantScreenshot of Security and compliance advanced deployment guides from Microsoft 365 tenant

 

Our focus for this post will be on “Set up your Zero Trust security model” guidance under Security and compliance category.

 

Set up your Microsoft Zero Trust security model

The first item under Security and compliance category is the Set-up Microsoft Zero Trust security model advanced guidance. This guidance checks on the licensing available on the tenant and shows the existing license base and if an additional licensing is required or not. In our environment, we are covered end to end with Microsoft 365 E5 licensing in place.

 

Screenshot of "Set up your Microsoft Zero Trust security model" deployment guideScreenshot of "Set up your Microsoft Zero Trust security model" deployment guide

 

Set up your Microsoft Zero Trust security model guidance has two main sections as Standard pillars and Advanced pillars. Standard pillar covers configuration guidance regarding Identity, Endpoints, Data and Apps pillars while Advanced pillar covers guidance regarding Infrastructure and Network pillars.

 

Screenshot of Secure your identities view from Apply Zero Trust security model  guidanceScreenshot of Secure your identities view from Apply Zero Trust security model guidance

 

When you click on any pillar you will be presented with the details of this pillar such as where this pillar fits in the security model, which advanced deployment guides are available in this pillar alongside with an assignment tracking field which can be used as an integrated project management solution for the tasks in mentioned pillar. You can assign these tasks to an administrator or an operator with required privileges, define a due date and update the progress status and move forward.

You can use the links in get started section to take necessary actions based on the advanced deployment guide. For the identity security pillar; we can start configuring MFA, setting up MDI, plan for our passwordless deployment and setup fundamental Azure AD features.

To be an example and a common best practice, I’d like to continue with Configure multifactor authentication guidance.

 

Creating MFA Policies Automatically by Advanced Deployment Guide

 

 

Screenshot of "Enforce multifactor authentication" advanced deployment guideScreenshot of "Enforce multifactor authentication" advanced deployment guide

 

When a guidance is started; it will check the licensing available and the existing configuration in the tenant and will provide options accordingly. In the first page of guidance, we are presented with the information such as what MFA is and why it is important. It will also give us insights based on current configuration.

 

Screenshot of "Configure multifactor authentication (MFA)" advanced deployment guide, Configure Adaptive MFA using Conditional Access viewScreenshot of "Configure multifactor authentication (MFA)" advanced deployment guide, Configure Adaptive MFA using Conditional Access view

 

When moved forward within the configure MFA guidance, it will show conditional access policy templates such as Require MFA For Admins, block all legacy sign-ins that don’t support MFA, Require MFA for external accounts and Require MFA for internal users – Advanced risk detection. Each template has its details available when hovered on tooltip at the right side of the template.

 

Snippet from Configure Adaptive MFA using Conditional Access page, viewing template tooltipsSnippet from Configure Adaptive MFA using Conditional Access page, viewing template tooltips

 

 

Snippet from Configure Adaptive MFA using Conditional Access page, viewing template tooltipsSnippet from Configure Adaptive MFA using Conditional Access page, viewing template tooltips

 

These tooltips will be useful to understand what each template enforces in terms of conditional access policies.

When the configuration is saved using the Save Configuration button on the configure Adaptive MFA using conditional access page, a message stating the configuration is saved and enforced will be seen.

 

Snippet from Configure Adaptive MFA using Conditional Access advanced guidanceSnippet from Configure Adaptive MFA using Conditional Access advanced guidance

We then will be able to move forward in the deployment guide. As you notice, insight about the tenant configuration is changed already to “Adaptive MFA Using Conditional Access” is on and we have an option to click on Manage Conditional Access button to review the Conditional Access policies made by the Advanced Deployment Guide itself.

 

Screenshot from Configure multifactor authentication (MFA) advanced guidance, Review policy created viewScreenshot from Configure multifactor authentication (MFA) advanced guidance, Review policy created view

 

It is possible to click on Manage Conditional Access button on the final page of the guidance and make changes to those policies as needed.

 

Screenshot from Azure Active Directory, Conditional Access PoliciesScreenshot from Azure Active Directory, Conditional Access Policies

 

There can be different number of policies created in conditional access policies based on the selections made in templates in the advanced deployment guide. In my case, I can see 10 different policies are created and turned on.

 

Wrap up

Microsoft 365 has different wizard-like experiences called Advanced Deployment Guides. IT Admins can utilize these experiences to have configurations applied in an easy way. When it comes to securing digital estate, Zero Trust model has its own digital guidance that comprises of different experiences in different pillars such as identity, endpoints, apps, data.

2 Comments
Co-Authors
Version history
Last update:
‎Dec 08 2022 12:07 AM
Updated by: