Hey everyone! I've been going through the Conditional Access (CA) policies we have set up, and honestly, it's starting to feel pretty overwhelming, especially since I created most of them. I'm on the lookout for any tools that might help identify gaps in these rules or any strategies to implement a default deny approach. For every policy I've established, I feel like I need a corresponding deny statement, like preventing users from logging in outside the US if they're supposed to be restricted to that region. Any advice would be greatly appreciated!
5 Answers
If you’re looking for resources, definitely check out Threatscape on YouTube. They've got some solid videos on how to design effective conditional access policies!
I totally relate to the confusion you're facing! One thing that really helped me was categorizing access requirements into broader groups and rewriting the policies based on those groups. This method simplifies the whole structure and might help prevent the overlapping policies that can create confusion. Azure’s policy insights can help identify which rules are being applied, but they won’t pinpoint gaps, so you might still need to think critically about your setup. What specific scenarios are currently posing the biggest challenges for you?
You should definitely check out Microsoft's Security Copilot Conditional Access Agent if you haven't already. It's designed to help with these kinds of issues.
You could look into Microsoft's free Zero Trust Assessment. It provides additional checks beyond just CA, which could help you overall.
When it comes to CA, I’d suggest avoiding deny rules entirely. Instead of trying to deny access for certain locations, focus on establishing rules for users and creating exceptions as necessary. For instance, have a block for sanctioned countries where no logins are allowed and another to block access from everywhere except Canada and the US. This method avoids the complications of specifying allowed countries.
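To check an exported policy set for the pattern described in this answer (an enforced block covering all users and apps from all locations except an allow-listed named location), plus two hidden gaps the thread mentions, here is an added audit script that is not part of any post above. It assumes the policies were exported in the Microsoft Graph `conditionalAccessPolicy` shape (what `Get-MgIdentityConditionalAccessPolicy` or `GET /identity/conditionalAccess/policies` returns); the embedded sample and its named-location IDs are constructed placeholders.

```python
import json

# Constructed sample export in the Graph conditionalAccessPolicy shape;
# the <...> IDs are placeholders, not real tenant object IDs.
SAMPLE = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["<break-glass-id>"]},
                    "applications": {"includeApplications": ["All"]}, "locations": None},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block sanctioned countries", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                    "applications": {"includeApplications": ["All"]},
                    "locations": {"includeLocations": ["<loc-sanctioned>"], "excludeLocations": []}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Block everywhere except US/CA", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["<contractor-group>"]},
                    "applications": {"includeApplications": ["All"]},
                    "locations": {"includeLocations": ["All"], "excludeLocations": ["<loc-us-ca>"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]

def _blocks(p):
    # A policy is a block rule when "block" is among its built-in grant controls.
    return "block" in ((p.get("grantControls") or {}).get("builtInControls") or [])

def _all_users_and_apps(p):
    c = p["conditions"]
    return (c["users"].get("includeUsers") == ["All"]
            and c["applications"].get("includeApplications") == ["All"])

def audit(policies):
    """Return findings as {check: [policy names]}; an empty list means nothing flagged."""
    findings = {"not_enforced": [], "block_with_exclusions": [], "default_deny_location": []}
    for p in policies:
        users = p["conditions"]["users"]
        loc = p["conditions"].get("locations") or {}
        if p["state"] != "enabled":  # disabled or report-only policies enforce nothing
            findings["not_enforced"].append(p["displayName"])
        if _blocks(p) and (users.get("excludeUsers") or users.get("excludeGroups")):
            findings["block_with_exclusions"].append(p["displayName"])  # exceptions to review
        # The "block all, except allow-listed named locations" pattern from the answer above.
        if (p["state"] == "enabled" and _blocks(p) and _all_users_and_apps(p)
                and loc.get("includeLocations") == ["All"] and loc.get("excludeLocations")):
            findings["default_deny_location"].append(p["displayName"])
    return findings

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```

An empty `default_deny_location` list means no enforced policy implements the location allow-list pattern; entries under `not_enforced` are the policies that look like coverage but currently enforce nothing.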

I've found that service to be really overpriced. Honestly, investing time in learning about conditional access might be more beneficial than relying on that agent, which offers pretty mediocre support.