Managing and Securing Devices Utilizing Conditional Access Policies at Microsoft

As most of the world is working from home due to the current COVID-19 pandemic, IT pros are busy helping users securely access corporate resources. We have put together this blog to share how we protect and secure an organization's resources and data while providing a better user experience and increasing productivity using Microsoft Intune (Microsoft Endpoint Manager - Intune).

Microsoft starts with a solid foundation: all users need to use a secure device to access Microsoft resources. Some of the access policy highlights:

  • Device management is required for all devices accessing resources. Users with personally owned devices will have the choice to opt-in to device management or to not use their device for work.
  • Hardened security configurations will be implemented across all device types to take advantage of the latest security technologies and remove legacy device threats.
  • Corporate applications will be blocked from devices that are not compliant. Devices that are not managed or not compliant with security policies will be blocked by default.

As most of you are aware, by using Intune, organizations can deploy security policies to secure devices. By doing this, IT pros can make sure that only authorized users and devices get access to proprietary information. In this post, I am going to share some details about how we are managing and securing our devices utilizing Conditional Access policies, the Mobile Threat Defense (MTD) agent and Advanced Threat Protection (ATP).

How are Conditional Access policies applied?

Intune and Azure Active Directory work together to make sure only managed and compliant devices can get access to corporate resources like email, VPN, etc. As part of Conditional Access policy enforcement, we created multiple compliance policies in Intune to evaluate the compliance status of the devices. These compliance policies check configurations such as device encryption, password/PIN configuration, and MTD and ATP status. The compliance status from Intune is updated in AAD to enforce the Conditional Access policies created in AAD. Currently we have multiple Conditional Access policies enforced, and all devices need to meet the criteria to gain access to corporate resources. In our environment we chose a two-phased approach to enforce Conditional Access policies.

 

Phase 1: What would happen if we enabled Conditional Access policies for all users today?

We applied Conditional Access policies in ‘read only’ mode to all users across Microsoft. This helped us avoid potential impact by identifying the impacted devices.

Phase 2: Enforcement of policies

Enforce the Conditional Access policies after working with the users impacted in phase 1, so that the Conditional Access policy status is evaluated whenever an application is accessed.

As part of Conditional Access enforcement, all devices must be managed to access O365 resources:

  • Office 365 components
  • portal.office.com
  • Portal.azure.com
  • VPN
  • Any apps relying on the above services are also impacted

The following policy is currently rolling out to all corporate users:

  • Device must be managed.
  • Latest OS requirements.
  • Device must be healthy, for example the device must be encrypted and malware free.
  • Must be strongly authenticated: set up to use Multifactor Authentication (MFA) and a complex password.
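The compliance checks, the read-only and enforced phases, and the device requirements above, as an added Python example that is not from the post or from Intune itself: the device records, the check names and the result strings are constructed for illustration, and the simplified evaluation stands in for what Intune and AAD do between them.

```python
from dataclasses import dataclass

@dataclass
class Device:
    """Compliance signals and sign-in requirements for one device (constructed)."""
    user: str
    device_id: str
    managed: bool
    encrypted: bool
    pin_set: bool
    mtd_healthy: bool      # Mobile Threat Defense agent reports no active threat
    atp_healthy: bool      # Advanced Threat Protection reports the device healthy
    mfa_registered: bool

def compliance_failures(d: Device) -> list[str]:
    """Intune-style check: report every failed setting so the user can fix all at once."""
    checks = {"device encryption": d.encrypted, "password/PIN": d.pin_set,
              "MTD status": d.mtd_healthy, "ATP status": d.atp_healthy}
    return [name for name, ok in checks.items() if not ok]

def evaluate(d: Device, enforce: bool) -> dict:
    """Conditional Access decision for one sign-in. enforce=False is phase 1
    ('read only'): the verdict is recorded but access is still granted."""
    reasons = []
    if not d.managed:
        reasons.append("device not managed")
    else:  # compliance state only exists for managed (enrolled) devices
        reasons += ["noncompliant: " + f for f in compliance_failures(d)]
    if not d.mfa_registered:
        reasons.append("MFA not registered")
    blocked = bool(reasons)
    if enforce:
        result = "failure" if blocked else "success"
    else:
        result = "reportOnlyFailure" if blocked else "reportOnlySuccess"
    return {"user": d.user, "device_id": d.device_id, "result": result,
            "access_granted": not (blocked and enforce), "reasons": reasons}

def impact_report(devices: list[Device]) -> dict[str, list[str]]:
    """Phase 1 output: who would be blocked and why, so the rollout team can
    work with those users before phase 2 turns enforcement on."""
    report = {}
    for d in devices:
        verdict = evaluate(d, enforce=False)
        if verdict["result"] == "reportOnlyFailure":
            report[d.user] = verdict["reasons"]
    return report

# Constructed sample fleet: not real users or device IDs.
FLEET = [
    Device("alice", "dev-001", True, True, True, True, True, True),
    Device("bob",   "dev-002", True, False, True, True, True, True),
    Device("carol", "dev-003", False, True, True, True, True, True),
    Device("dave",  "dev-004", True, True, False, True, False, False),
]
```

Running `impact_report(FLEET)` is the phase 1 view; flipping `enforce=True` in `evaluate` is phase 2, where the same reasons turn into a block.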

Best Practices

  • Before enforcing the Conditional Access policies, make sure to analyze the impact by applying read-only mode.
  • Work with potentially blocked users (identify users from read-only mode deployment) to remediate the device to meet the requirements.
  • Phase the policy enforcement:
    1. Pilot phase with a small number of users to ensure that things are working as expected.
    2. Identify the key people who are involved and who provide support.
    3. Volunteers from different parts of the organization need to assist in validating the user experience.
    4. Ensure that each phase has set criteria that must be met before you increase the user targeting, and that lessons learned from previous phases are documented in a “Known Issues” list.
  • Obtain executive level support from the leadership team in each organization.
  • Executive level communications must be sent to users explaining the “Why” prior to enforcement for users in each organization.
  • Agree on enforcement strategy and rollout plan for each organization with core organization stakeholders.
  • Multiple IT end-user communications should be sent to users, e.g. 2 weeks, 1 week and 1 day prior to enforcement.
  • Monitor all support and communication channels for feedback from users.
  • Include key stakeholders during the POC validation.
  • Avoid re-enrolling the same device unless you have thoroughly removed the previous enrollment settings.

Troubleshooting Tips

  • Use the AAD sign-in logs to find all the information about the user sign-in and the failure reason.
    • The Device info and Conditional Access tabs will have critical information.

  • Validate the device identity between AAD, Intune, and AAD sign-ins, e.g. the device ID and user details of the device should match across all three environments.
  • Both the user and the device must be compliant with the assigned Intune compliance policies.
  • When a device is first enrolled, it might take some time for compliance information to be registered for a device between Intune and AAD. Wait a few minutes and try again.
  • Some Android devices will show as noncompliant for device encryption even though the device is encrypted; this is a known issue. Users need to set a custom PIN instead of using the default PIN to ensure that the device is compliant.
  • You can use the Intune Troubleshooting blade (On the Intune pane, choose Troubleshoot.) to identify Intune enrollment and device status details.
  • The AAD devices blade helps to identify AAD registration and device status details.

  • You can also utilize the Graph API to build custom PowerShell scripts to check device and policy status.
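An added example of such a check, written in Python rather than PowerShell and not taken from the post: it cross-checks one sign-in against the AAD device object and the Intune managed device, as the troubleshooting tips above describe. The records are constructed; the property names follow the Graph API, but the devices, users and failure reasons are invented.

```python
# Constructed records in the shape Microsoft Graph returns: property names follow
# /auditLogs/signIns, /devices and /deviceManagement/managedDevices, values are invented.
def sign_in(upn, dev_id, ca_status, reason, policy_result, compliant):
    """Build one constructed sign-in record (Graph signIn shape)."""
    return {"userPrincipalName": upn, "conditionalAccessStatus": ca_status,
            "status": {"failureReason": reason},
            "deviceDetail": {"deviceId": dev_id, "isManaged": True, "isCompliant": compliant},
            "appliedConditionalAccessPolicies": [
                {"displayName": "Require compliant device", "result": policy_result}]}

SIGN_INS = [
    sign_in("bob@contoso.example", "dev-002", "failure", "Device is not compliant", "failure", False),
    sign_in("carol@contoso.example", "dev-003", "failure", "Device is not compliant", "failure", False),
    sign_in("dave@contoso.example", "dev-004", "success", "Other", "reportOnlyFailure", True),
]
# AAD device objects, keyed by deviceId.
AAD_DEVICES = {d["deviceId"]: d for d in [
    {"deviceId": "dev-002", "isManaged": True, "isCompliant": False},
    {"deviceId": "dev-003", "isManaged": True, "isCompliant": True},  # AAD still says compliant
    {"deviceId": "dev-004", "isManaged": True, "isCompliant": True},
]}
# Intune managed devices, keyed by azureADDeviceId; dev-004 is deliberately missing.
INTUNE_DEVICES = {d["azureADDeviceId"]: d for d in [
    {"azureADDeviceId": "dev-002", "complianceState": "noncompliant",
     "userPrincipalName": "bob@contoso.example"},
    {"azureADDeviceId": "dev-003", "complianceState": "compliant",
     "userPrincipalName": "eve@contoso.example"},  # owner differs from the sign-in user
]}

def triage(sign_in_rec: dict) -> list[str]:
    """Findings for one sign-in: CA failure reason, report-only policies that would
    block once enforced, and identity/compliance mismatches across the three sources."""
    findings = []
    upn = sign_in_rec["userPrincipalName"]
    dev_id = sign_in_rec["deviceDetail"]["deviceId"]
    if sign_in_rec["conditionalAccessStatus"] == "failure":
        findings.append(f"blocked: {sign_in_rec['status']['failureReason']}")
    for pol in sign_in_rec["appliedConditionalAccessPolicies"]:
        if pol["result"] == "reportOnlyFailure":
            findings.append(f"would be blocked by '{pol['displayName']}' once enforced")
    aad, intune = AAD_DEVICES.get(dev_id), INTUNE_DEVICES.get(dev_id)
    if aad is None:
        findings.append(f"device {dev_id} not registered in AAD")
    if intune is None:
        findings.append(f"device {dev_id} not enrolled in Intune")
        return findings
    if intune["userPrincipalName"] != upn:
        findings.append(f"Intune owner {intune['userPrincipalName']} != sign-in user {upn}")
    intune_ok = intune["complianceState"] == "compliant"
    if aad is not None and aad["isCompliant"] != intune_ok:
        findings.append("compliance differs between Intune and AAD (sync lag after enrollment?)")
    if aad is not None and sign_in_rec["deviceDetail"]["isCompliant"] != aad["isCompliant"]:
        findings.append("sign-in saw a different compliance state than AAD holds now")
    return findings
```

Against live data, the three dictionaries would be filled from the corresponding Graph endpoints instead of the constructed literals.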

Conclusion

We hope this post has given you some ideas on how to implement secure access while helping users improve productivity.