Conditional Access
10 Topics

Report on MFA Status with Conditional Access
Is there any effective way to get a report of the actual MFA state of your users? I mean the individual MFA state as well as MFA enabled via Conditional Access. It's easy to report on the individual MFA state. You get nice results: Enabled, Disabled, Enforced... However, if MFA is enabled via Conditional Access I can't seem to find an effective way to report on it. The PowerShell snippet below is the closest I can get. It will check if MFA is enabled individually. If not, it will check the "StrongAuthenticationMethods.IsDefault" attribute and report on that. But this is not always accurate, because if the "Phone" or "Alternate Phone" are configured in the Azure user object, it will still report it here even if the user is not a member of a Conditional Access policy. There is a built-in Azure report for this, but it is completely incorrect. It says that, for instance, I'm not enabled for MFA even though I've been enabled for the last 6 years. Report: https://portal.azure.com/#blade/Microsoft_AAD_IAM/AuthMethodsOverviewBlade Has anyone figured this out yet?
```powershell
# Original poster's snippet, restructured: same logic, with the repeated per-method checks
# folded into one helper. The original looked up "PhoneAppOTPIsDefault", "TwoWayVoiceMobileIsDefault"
# and "OneWaySMSIsDefault" as MethodType values, which do not exist, so those three *IsDefault
# fields were always $false; they now test the real method names.
$user    = Get-MsolUser -UserPrincipalName yourUserName@contoso.com
$methods = $user.StrongAuthenticationMethods | Select-Object MethodType, IsDefault

# $true if the method is registered for the user; with -Default, $true only if it is the default.
function Test-Method {
    param([string]$Type, [switch]$Default)
    $m = $methods | Where-Object { $_.MethodType -eq $Type }
    if ($Default) { return [bool]($m.IsDefault -eq $true) }
    return [bool]$m
}

[PSCustomObject]@{
    UserPrincipalName             = $user.UserPrincipalName
    ObjectID                      = $user.ObjectId
    DisplayName                   = $user.DisplayName
    AuthEmail                     = $user.StrongAuthenticationUserDetails.Email
    AuthPhoneNumber               = $user.StrongAuthenticationUserDetails.PhoneNumber
    PhoneDeviceName               = $user.StrongAuthenticationPhoneAppDetails.DeviceName
    AuthAltPhone                  = $user.StrongAuthenticationUserDetails.AlternativePhoneNumber
    # Per-user MFA state if one is set; otherwise infer from a default method. As the question
    # notes, a default method only proves a method is registered, not that a policy requires it.
    State                         = if ($null -ne $user.StrongAuthenticationRequirements.State) {
                                        $user.StrongAuthenticationRequirements.State
                                    } elseif ($methods.IsDefault -contains $true) {
                                        "ConditionalAccess ($(($methods | Where-Object IsDefault -eq $true).MethodType))"
                                    } else {
                                        "Disabled"
                                    }
    PhoneAppNotification          = Test-Method PhoneAppNotification
    PhoneAppNotificationIsDefault = Test-Method PhoneAppNotification -Default
    PhoneAppOTP                   = Test-Method PhoneAppOTP
    PhoneAppOTPIsDefault          = Test-Method PhoneAppOTP -Default
    TwoWayVoiceMobile             = Test-Method TwoWayVoiceMobile
    TwoWayVoiceMobileIsDefault    = Test-Method TwoWayVoiceMobile -Default
    OneWaySMS                     = Test-Method OneWaySMS
    OneWaySMSIsDefault            = Test-Method OneWaySMS -Default
}
```
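Added example, not code from the post above. The question has two halves that the MSOnline attributes cannot separate: what a user has registered, and whether any Conditional Access policy actually requires MFA from that user. The script below uses the Microsoft Graph PowerShell SDK (MSOnline is deprecated) to join the authentication methods registration report with the user scope of every enabled policy that grants "mfa" or an authentication strength, and flags the two gaps an assessor cares about: users a policy will challenge who have nothing MFA-capable registered, and MFA-capable users no policy covers. Assumptions: the Microsoft.Graph.Reports, Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Groups modules are installed, the session has the scopes listed in the comment, and the CSV path is a placeholder. The scope check is deliberately an approximation: it evaluates include/exclude users and groups only, and ignores role-based scoping, guest/external-user scoping and all non-user conditions (apps, locations, device filters), so "required" means "in the user scope of at least one MFA policy", not "prompted on every sign-in".

```powershell
# Added example, not code from the original post. Assumes the Microsoft Graph PowerShell SDK
# (Microsoft.Graph.Reports, Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Groups) and a
# session opened with:
#   Connect-MgGraph -Scopes 'AuditLog.Read.All','Policy.Read.All','GroupMember.Read.All'

# 1. What each user has actually registered, independent of any policy. Unlike the MSOnline
#    StrongAuthenticationMethods attribute, this report distinguishes "has a phone number on
#    file" (MethodsRegistered) from "can satisfy an MFA prompt" (IsMfaCapable).
$registration = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# 2. Enabled Conditional Access policies that require MFA, either through the built-in
#    'mfa' grant control or through an authentication strength.
$mfaPolicies = @(Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    $_.State -eq 'enabled' -and (
        $_.GrantControls.BuiltInControls -contains 'mfa' -or
        $null -ne $_.GrantControls.AuthenticationStrength.Id
    )
})

# Transitive group membership, cached so each group is expanded once.
$groupMembers = @{}
function Get-GroupMemberIds {
    param([string]$GroupId)
    if (-not $groupMembers.ContainsKey($GroupId)) {
        $groupMembers[$GroupId] = @(Get-MgGroupTransitiveMember -GroupId $GroupId -All |
            ForEach-Object { $_.Id })
    }
    return $groupMembers[$GroupId]
}

# Is this user in the policy's user scope? Exclusions win, as in the service. Approximation:
# ignores IncludeRoles/ExcludeRoles, guest/external-user scoping and every non-user condition
# (apps, locations, device filters), so a "required" user may only be prompted for some apps.
function Test-UserInPolicyScope {
    param($Policy, [string]$UserId)
    $users = $Policy.Conditions.Users
    if ($users.ExcludeUsers -contains $UserId) { return $false }
    foreach ($g in $users.ExcludeGroups) {
        if ((Get-GroupMemberIds -GroupId $g) -contains $UserId) { return $false }
    }
    if ($users.IncludeUsers -contains 'All' -or $users.IncludeUsers -contains $UserId) { return $true }
    foreach ($g in $users.IncludeGroups) {
        if ((Get-GroupMemberIds -GroupId $g) -contains $UserId) { return $true }
    }
    return $false
}

# 3. Join the two views. RequiredNotCapable users will hit the registration interrupt at their
#    next sign-in; CapableNotRequired users have a method but no policy ever asks for it.
$report = foreach ($r in $registration) {
    $covering = @($mfaPolicies | Where-Object { Test-UserInPolicyScope -Policy $_ -UserId $r.Id })
    [PSCustomObject]@{
        UserPrincipalName  = $r.UserPrincipalName
        IsMfaRegistered    = $r.IsMfaRegistered
        IsMfaCapable       = $r.IsMfaCapable
        DefaultMfaMethod   = $r.DefaultMfaMethod
        MethodsRegistered  = ($r.MethodsRegistered -join ', ')
        RequiredByCA       = $covering.Count -gt 0
        CAPolicies         = ($covering.DisplayName -join '; ')
        RequiredNotCapable = ($covering.Count -gt 0) -and (-not $r.IsMfaCapable)
        CapableNotRequired = ($covering.Count -eq 0) -and $r.IsMfaCapable
    }
}

$report | Sort-Object RequiredNotCapable -Descending | Format-Table -AutoSize
$report | Export-Csv -Path .\mfa-status.csv -NoTypeInformation   # placeholder output path
```

Two caveats when reading the output. Registration details come from a report that lags live changes by a few hours, so a method registered this morning may not show yet. And because the coverage check only models user scope, a policy that requires MFA for one cloud app still marks its users RequiredByCA; if you need per-app truth, the sign-in logs (AppliedConditionalAccessPolicies on each sign-in) are the record of what was actually enforced.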
Users asked for 2nd MFA method

Hi there, starting today a couple of users reported that, seemingly out of the blue, they're being asked to configure a second method for their MFA setup. For example, if a user has configured to use the MSFT Authenticator app, he will be asked to provide an additional method. This doesn't seem to be widespread yet and we couldn't reproduce it thus far. Perhaps one of you knows what could be causing this. Thanks.

Conditional Access for external SMTP authentication
We only have one use for external services sending via Office 365 in an authenticated method. I was hoping to use conditional access to restrict only one account to be able to authenticate into SMTP. I want to block all other users from being allowed to authenticate into SMTP. Is this possible?

AAD Conditional Access policies vs Control Access RBAC
Hi community. Could someone explain to me the difference between Conditional Access and Control Access RBAC policies? If I understood correctly, with conditional access I configure how a user (internal/external) could log in to the Azure environment and/or apps, for example by enabling MFA or geographical location, and so on. Instead, with conditional access (RBAC) policies I could specify what users/groups (internals/externals) can do: for example I can enable read-only privileges for a group for Azure vNet access, or admin privileges for Azure Sentinel. Is it correct? Thank you all

Conditional Access Policies. App control to allow/reject Canvas apps on App ID?
The documentation reads that individual apps can be included or excluded from policy. It seems possible that specific Power Apps canvas apps can be identified by App ID and excluded or included. We would like to define which apps can be used across the organisation; can this be done? Could we identify say 10 app IDs that are acceptable and put this in a policy for the org or groups? Would this mean that even if a user shares an app, unless it's in the policy the shared user could not use it? Thanks Richard U.K

Compliant Intune device doesn't pass conditional access policy
Hey, I'm having problems configuring conditional access for unmanaged and managed devices when accessing resources. I'm using the prebuilt SharePoint CA rules (these show up in the CA portal when restricted access is activated in the SharePoint admin portal under the access control menu) and added the condition that these rules are not applied when a hybrid joined or compliant device tries to get access. Unfortunately this doesn't work, similarly if I use a hybrid joined device or an Intune joined compliant device. When I check the login logs in Azure AD I can see that the rules are applied and the fields (managed, compliant, connection type) under "device information" are empty, so it seems Azure AD can't access the device state from the device itself when resources are accessed from it. Does anyone know this issue, can reproduce it or have any ideas what needs to be done? Thanks and regards!

Intune and Conditional Access
Hi All, I have been asked a few questions about Intune and Conditional Access and I was hoping to get some advice. The question I was asked: ***************** As discussed we have a situation that I believe MS Intune would address. That said, I don't know what I don't know, so your direction around the subject would be appreciated. We have migrated 99% of the e-mail estate to Office 365. Over the next month, we will migrate our home and shared drives. In migrating the e-mail users, we have found that a small percentage of the estate, ~20% (15-20 users), were using corporate e-mail on personal devices. The devices vary from iOS, Android, Mac OS X, Windows. We need to have full control of e-mail residing on third-party devices. It needs to be secure; we need to be able to monitor and track the e-mails. Note, we currently use SOTI for Android device management. We will need to understand if there are any implications associated with coexistence. In parallel to the above, we need to develop our full e-mail policy. We would also need documentation and training on how to administer Intune once live. The documentation is essential. Hopefully the above gives you enough to start with. Please let me know what it would cost to get the above in place. Ignore licenses, I'll deal with those. While writing, do you know of a way to prevent Office 365 users from downloading or printing from a browser, but only when outside of the corporate network? ***************** Do you know how I would use Intune and Conditional Access to achieve these requirements? I hope you can help, Alan

How to prevent a group of users downloading SharePoint and MS Teams documents
Hi All, We need to prevent a group of users downloading files from SharePoint and MS Teams. We want them to be able to access and edit the files using Office Online, but not download and edit them locally. We have been able to do this for Outlook using these instructions https://www.b-fortyone.com/single-post/2016/06/07/Office-365-Prevent-downloading-attachments-via-Outlook-Web-App but we cannot do it for SharePoint and MS Teams. I hope you can help, Colin

Azure Certified advice
Hi, I need to demonstrate my Azure Intune, Azure AD, and Azure Conditional Access skills. My manager would like me to get Microsoft Certified to demonstrate these skills to clients. My question is: which Microsoft certification should I aim for? Thanks Courtney

Someone else is still using this PC. If you shut down now, they could lose unsaved work
Hi All, After testing connecting devices to our Azure AD network using MS Intune and Azure Conditional Access we are having issues with the devices. We can successfully connect to the Azure AD network, but when the device user restarts or shuts down their device they get a "Someone else is still using this PC. If you shut down now, they could lose unsaved work" warning. Even when we have completely disconnected the device from the Azure AD network they still get the warning. We are currently testing Intune and Azure Conditional Access. What we cannot understand is why we would get this warning even after the device has disconnected from the Azure AD network. Has anyone on the beautiful planet called Earth any idea why this is happening? I hope you can help, Courtney