I'm struggling to get my head around the Conditional Access Policies that were set up by our Managed Service Provider. Basically, we block access from everywhere except the UK. However, we have a user, John Doe, who travels to Spain occasionally, and he's allowed access there as well. We have Named Locations that allow access from the UK and Spain.
The UK policy blocks access unless you're within the UK, which makes sense, but I'm confused about the policy for John Doe. It seems to be set to block access from Spain, but it's intended to allow him in. The confusion arises from how we've set up the network sections; Spain and UK are in the excluded section, yet John Doe is included in the policy. Shouldn't he be in the excluded section? I also noticed that he's included in the block access policy for non-UK locations, leading me to think that his settings might be incorrect. Even worse, when I try to remove users from the excluded section, I get a warning to ensure I don't lock myself out, as it needs at least one account. Is there a simpler way to handle John Doe's access?
2 Answers
That’s a great point! Break glass accounts are critical; you don’t want to lock everyone out, including yourself. However, it’s a balancing act—I'd recommend ensuring that at least one account has minimal permissions in the exclude section to manage emergencies without exposing the network. Just be cautious to avoid giving blanket permissions that could lead to security breaches.
Ah, this can get tricky! It sounds like a classic case of Conditional Access doing exactly what you’ve told it to do, even if it doesn’t match your expectations. Just to clarify, rather than having a specific 'Allow Spain' policy for John Doe, you might want to adjust the existing BLOCK policy so that it doesn’t apply to him when he’s in Spain. Just remember that all policies are evaluated together, and if any policy blocks access, that takes priority over anything allowing it. Also, keep in mind that you need to have a break glass account excluded just in case things go awry.
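To make the evaluation rule in that answer concrete (every enabled policy whose assignments match is applied, and a "block" in any one of them wins), here is an added example that is not part of the original thread and not Microsoft's code. It is a deliberately simplified re-implementation of the assignment and grant semantics, using the field names of the Graph API conditionalAccessPolicy resource (includeUsers/excludeUsers, includeLocations/excludeLocations, builtInControls). The user names, named-location ids and policy names are constructed for the illustration; a real tenant uses object IDs. The first set of policies reproduces the MSP layout described in the question (John still included in the all-users non-UK block); the second moves him into that block's exclusions, which is the fix the answer proposes. A break-glass account is excluded from both block policies, as the answer recommends.

```python
"""Simplified model of Conditional Access evaluation (teaching code, not Microsoft's).

Rules modelled:
  * a policy applies to a sign-in when the user is in scope AND the location is in scope;
  * in each assignment, an explicit exclusion always beats an inclusion ("All" or named);
  * every enabled policy is evaluated; if ANY applying policy carries the "block"
    grant control, the sign-in is blocked. There is no "allow" policy that can override it.
"""

ALL = "All"


def policy(name, include_users, exclude_users, include_locations, exclude_locations, controls):
    """Build a dict shaped like a Graph conditionalAccessPolicy (subset of fields)."""
    return {
        "displayName": name,
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": include_users, "excludeUsers": exclude_users},
            "locations": {"includeLocations": include_locations, "excludeLocations": exclude_locations},
        },
        "grantControls": {"operator": "OR", "builtInControls": controls},
    }


def _in_scope(include, exclude, value):
    """Assignment semantics: exclusions win, then 'All' or an explicit include."""
    if value in exclude:
        return False
    return ALL in include or value in include


def applies(pol, user, location):
    """Does this policy apply to a sign-in by `user` from named location `location`?"""
    if pol["state"] != "enabled":
        return False
    users = pol["conditions"]["users"]
    locs = pol["conditions"]["locations"]
    return (_in_scope(users["includeUsers"], users["excludeUsers"], user)
            and _in_scope(locs["includeLocations"], locs["excludeLocations"], location))


def evaluate(policies, user, location):
    """Return ("block", [blocking policy names]) or ("allow", [applying policy names])."""
    applying = [p for p in policies if applies(p, user, location)]
    blocking = [p["displayName"] for p in applying if "block" in p["grantControls"]["builtInControls"]]
    if blocking:
        return "block", blocking
    return "allow", [p["displayName"] for p in applying]


# Constructed identifiers for the example; a real tenant uses GUIDs for users and named locations.
UK, SPAIN, ELSEWHERE = "loc-uk", "loc-spain", "loc-other"
JOHN, ALICE, BREAK_GLASS = "john.doe", "alice", "breakglass"


def msp_setup():
    """Layout as described in the question: John is still INCLUDED (via 'All') in the
    all-users non-UK block, so his own policy never gets the chance to let him in from Spain."""
    return [
        policy("Block outside UK", [ALL], [BREAK_GLASS], [ALL], [UK], ["block"]),
        policy("John Doe - block outside UK/Spain", [JOHN], [BREAK_GLASS], [ALL], [UK, SPAIN], ["block"]),
    ]


def fixed_setup():
    """Fix proposed in the answer: exclude John from the all-users block; his own block
    policy (everything except UK and Spain) then defines his whole allowed footprint."""
    return [
        policy("Block outside UK", [ALL], [BREAK_GLASS, JOHN], [ALL], [UK], ["block"]),
        policy("John Doe - block outside UK/Spain", [JOHN], [BREAK_GLASS], [ALL], [UK, SPAIN], ["block"]),
    ]


if __name__ == "__main__":
    cases = [(JOHN, SPAIN), (JOHN, ELSEWHERE), (ALICE, SPAIN), (ALICE, UK), (BREAK_GLASS, ELSEWHERE)]
    for label, policies in (("MSP layout", msp_setup()), ("Fixed layout", fixed_setup())):
        print(f"== {label} ==")
        for user, loc in cases:
            verdict, names = evaluate(policies, user, loc)
            print(f"  {user:10s} from {loc:10s}: {verdict:5s} {names}")
```

Running it shows why the question's layout misbehaves: in the MSP layout John from Spain is blocked by "Block outside UK" even though his own policy does not apply, whereas in the fixed layout he is allowed from Spain, still blocked from anywhere else, other users remain UK-only, and the break-glass account is never caught by either block. The same reasoning is what the portal's lock-out warning is protecting: a block policy scoped to "All users" and "All locations" with no excluded account has no path that lets an administrator back in.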
