SOLVED

Azure AD conditional Access.


Hi All,

I was looking for some insights on how large enterprises handle this situation.

Assuming you have IP-based restrictions for SharePoint Online or Conditional Access where you created a named location with a set of IPs.
In scenarios where the network infrastructure is changed or updated, new sites are added, or circuits are changed, how do large enterprises deal with handling this change?

For a large enterprise you could have multiple locations and a complex network, is there a best approach to handle change in the IPs so that users don't get locked out of Office 365?
Thanks,

Priyank

1 Reply
Solution

If you're doing IP-based restrictions, then this becomes a change management issue. Before new IP ranges are added, or existing IP ranges are removed, you should include in your planning the steps to update your conditional access rules.
If IP-based restrictions are becoming unmanageable for you, consider moving to managed vs unmanaged device policies in conditional access instead. That way you aren't trusting networks (all networks should be untrusted these days), and you're focusing on securing identities and endpoints (devices) instead.
Here is a blog post on the topic if you're interested: https://practical365.com/security/azure-active-directory-conditional-access-enforce-multi-factor-aut...
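One way to turn the "include the named-location update in your change plan" advice above into a repeatable pre-flight check, as an added example that is not code from the original thread or from Microsoft. It assumes the current named location was fetched as JSON from Microsoft Graph (GET /identity/conditionalAccess/namedLocations/{id}, the ipNamedLocation shape with an ipRanges list of cidrAddress entries), that a PATCH to the same URL replaces the whole ipRanges list, and that the network team hands over the post-change list of public egress CIDRs. The named location, the requested CIDRs and the sign-in IPs below are all constructed sample data. The script rejects malformed and non-public entries (Azure AD only ever sees your public egress address, so an RFC 1918 entry in a named location matches nothing), builds an add-first PATCH body and a separate remove-later body, and reports recent sign-in IPs that match today but would stop matching after the removal, which is how a forgotten site gets caught before anyone is locked out.

```python
"""
Two-phase change plan for an Azure AD / Entra ID IP named location.

Added example for this thread, not code from the original post or from
Microsoft. Assumptions: the current named location was fetched as JSON from
Microsoft Graph (GET /identity/conditionalAccess/namedLocations/{id}, the
ipNamedLocation shape with an ipRanges list of cidrAddress entries), a PATCH
to the same URL replaces the whole ipRanges list, and the network team hands
over the post-change list of public egress CIDRs. All inputs below are
constructed for the example.
"""
import ipaddress
import json

# Constructed sample: the named location as Graph returns it today.
CURRENT_NAMED_LOCATION = {
    "@odata.type": "#microsoft.graph.ipNamedLocation",
    "id": "00000000-0000-0000-0000-000000000000",  # placeholder id
    "displayName": "Corporate egress",
    "isTrusted": True,
    "ipRanges": [
        {"@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": "203.0.113.0/24"},
        {"@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": "198.51.100.8/29"},
    ],
}

# Constructed sample: post-change egress list. 198.51.100.8/29 is being
# decommissioned, 192.0.2.0/25 is a new site, 10.20.0.0/16 is an internal
# range copied in by mistake, and the last entry has host bits set.
REQUESTED_EGRESS = ["203.0.113.0/24", "192.0.2.0/25", "10.20.0.0/16", "192.0.2.129/25"]

# Constructed sample: source IPs taken from recent sign-in logs.
RECENT_SIGNIN_IPS = ["203.0.113.77", "192.0.2.5", "198.51.100.10", "2001:db8::10"]

# Ranges Azure AD can never see as a request source; an entry inside these
# is dead configuration, because the tenant only sees your egress IPs.
NON_EGRESS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                  # CGNAT, RFC 6598
    "127.0.0.0/8", "169.254.0.0/16",                  # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",               # ULA, link-local, loopback
)]


def _sort_key(net):
    return (net.version, int(net.network_address), net.prefixlen)


def _range_entry(net):
    """Graph representation of one CIDR entry (type name depends on IP version)."""
    kind = "iPv4CidrRange" if net.version == 4 else "iPv6CidrRange"
    return {"@odata.type": f"#microsoft.graph.{kind}", "cidrAddress": str(net)}


def _patch_body(nets):
    return {"@odata.type": "#microsoft.graph.ipNamedLocation",
            "ipRanges": [_range_entry(n) for n in nets]}


def validate_egress(cidrs):
    """Split requested CIDRs into usable public networks and (cidr, reason) rejects."""
    accepted, rejected = [], []
    for cidr in cidrs:
        try:
            net = ipaddress.ip_network(cidr, strict=True)  # strict: host bits must be zero
        except ValueError as err:
            rejected.append((cidr, f"malformed: {err}"))
            continue
        if any(net.version == p.version and net.subnet_of(p) for p in NON_EGRESS):
            rejected.append((cidr, "not a public egress range"))
            continue
        accepted.append(net)
    return accepted, rejected


def plan_update(current, requested, recent_ips=()):
    """Build an add-first, remove-later plan so nobody is locked out mid-change.

    phase1_patch_body: current ranges plus the new ones, nothing removed yet.
    phase2_patch_body: only the requested ranges; apply after sign-ins from
    the new sites are confirmed. orphaned_signin_ips lists recent sign-in
    sources that match today but would not match after phase 2.
    """
    accepted, rejected = validate_egress(requested)
    current_nets = [ipaddress.ip_network(r["cidrAddress"]) for r in current["ipRanges"]]
    phase1 = sorted(set(current_nets) | set(accepted), key=_sort_key)
    phase2 = sorted(set(accepted), key=_sort_key)
    orphaned = []
    for ip in recent_ips:
        addr = ipaddress.ip_address(ip)  # version mismatch makes "in" False, no error
        if any(addr in n for n in current_nets) and not any(addr in n for n in phase2):
            orphaned.append(ip)
    return {
        "add": [str(n) for n in accepted if n not in current_nets],
        "remove": [str(n) for n in current_nets if n not in accepted],
        "rejected": rejected,
        "orphaned_signin_ips": orphaned,
        "phase1_patch_body": _patch_body(phase1),
        "phase2_patch_body": _patch_body(phase2),
    }


if __name__ == "__main__":
    print(json.dumps(plan_update(CURRENT_NAMED_LOCATION, REQUESTED_EGRESS,
                                 RECENT_SIGNIN_IPS), indent=2))
```

Run it on the real Graph export and the network team's list, send phase 1, wait until sign-ins from the new ranges show up in the sign-in logs, and only then send phase 2. Anything in orphaned_signin_ips means a site is still using a range that is about to be removed, and the change should be held until the inventory is corrected. The same check is worth running on every named location referenced by a policy with a block control or by the trusted-IP list, since those are the ones where a stale range turns into a lockout.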