Lock Down Your Microsoft 365: Your Essential Security Policies

Поділитися
Вставка
  • Опубліковано 18 гру 2024

КОМЕНТАРІ • 122

  • @smittayy
    @smittayy 10 місяців тому +13

    I'd also recommend creating a Continuous Access Policy to require MFA if the network changes. This helps protecting against session token theft

    • @bearded365guy
      @bearded365guy  10 місяців тому +2

      Yep, another good one.

    • @paulmckenna9477
      @paulmckenna9477 9 місяців тому +5

      Can you provide any details on how to go about accomplishing this? Sounds like a useful policy to implement.

    • @jdm915
      @jdm915 3 місяці тому

      Anyone have an idea of how to setup the policy these guys are talking about?

    • @DhavalBrahmbhatt2627
      @DhavalBrahmbhatt2627 3 місяці тому

      Pls provide details, been dying to set something like that up but can't figure it out.

    • @smittayy
      @smittayy 3 місяці тому

      @@DhavalBrahmbhatt2627 it’s “continuous access evaluation” my bad on the incorrect name.
      Conditions you include everything but mobile since they would be prompted every time they get a new IP on cellular.
      Session is set to “Use continuous access evaluation”
      Hope that helps direct

  • @bowersza
    @bowersza 10 місяців тому +1

    Thanks, Jonathan - what a great overview! I cannot stress enough the importance of implementing these important controls in your tenant. well done!

  • @GregThomson
    @GregThomson 5 місяців тому +2

    @Jonathan Edwards. A nice bunch conditional access policies. My understanding is that the device platform filter only looks at the device string as reported by the device. This can be spoofed. A better control for managed devices are device filters. e.g. Where the device platform is not a managed Windows device, require an app protection policy.

  • @alexandrecarreirapt
    @alexandrecarreirapt 9 місяців тому +2

    I work supporting 365 and i love your videos. Thanks!

  • @djr357x
    @djr357x 4 місяці тому +2

    This is fantastic. thanks so much for putting this together.

  • @gregfyn
    @gregfyn 10 місяців тому +3

    Thanks Jonahan, I like your straight forward communication style.

  • @whoamigodknows9020
    @whoamigodknows9020 7 місяців тому +1

    Brilliant. No BS. straight to the point.

  • @technomatters6234
    @technomatters6234 22 дні тому

    You are just awesome! Making it work for us like a genius although still a newbie :) God bless

  • @easy-tech3535
    @easy-tech3535 9 місяців тому +1

    Thanks Jonathan, this insight was really helpful. May I know what license type is required to create new policies?

  • @vibhubhatnagar6331
    @vibhubhatnagar6331 2 місяці тому

    loved this video thanks looking forward for more such videos

  • @sohail-khanPaki
    @sohail-khanPaki 5 місяців тому +1

    Thanks for Knowledge sharing. Very informative 👍

  • @HammadAli-eb1jc
    @HammadAli-eb1jc 27 днів тому

    Hay can you please make video on channel creation for external sharing without switching Domains / Tenant ?

  • @GFloGG
    @GFloGG 6 місяців тому +2

    Thank you for this video! Really great insight to the CA policies and really set a great foundation for me! Love what you're doing!

  • @TechTails
    @TechTails Місяць тому

    You are good at explaining this stuff. I already know some of this but doesnt hurt to check again.

  • @patrick__007
    @patrick__007 10 місяців тому +3

    As always very informative!
    Though I've some questions about 2FA.
    1. What will be the impact for users when disabling SMS from Entra when they've already enabled/using SMS using the Per user MFA?
    2. Do you need to disable Per user MFA when 2FA forced using a CA?
    3. You've excluded the Admin from any CA. How would you enforce 2FA for this one?
    Greetings from overseas, the Netherlands.

    • @bearded365guy
      @bearded365guy  10 місяців тому +3

      Hi to the Netherlands!
      Firstly, it’s all about communication. This video was easy for me because it’s a test tenant with no real users 😀
      Within Entra, you can see which users are using which form of 2FA, so you can contact those users who are using SMS and get them to convert.
      The Microsoft documentation says that you need to disable MFA on each user account in the 365 portal. I have also seen some powershell scripts which do the same thing.
      The recommendation for admin. Have two admin accounts. One is part of the CA policy which has MFA enabled. The second admin account is known as the ‘break glass’, it has no MFA but a really long and complex password. We set these to be about 30 characters.
      Hope that helps.

    • @ValerieDelgado-d1m
      @ValerieDelgado-d1m 2 місяці тому

      ​@@bearded365guy1:16

  • @JamieSneddon-t9e
    @JamieSneddon-t9e 9 місяців тому

    Great video, already had some of these set up but others were missing. It was a very easy video to follow, cheers!

  • @sonny.eblacas
    @sonny.eblacas 8 місяців тому

    Very straightforward. I love it ♥
    Thanks!!! 💯

  • @ggoben
    @ggoben 10 місяців тому +3

    Great Vid. Was wondering if you could do a video on Intune device licenses. There is practically no info out there on this. Specifically enrolling Win10/11 devices using Intune device licenses for shared workstations? What are the best ways to do this? What are the limitations? Lots of businesses use shared workstations for healthcare or factory workers that use the same workstations when on shift as others. We want them in Intune without paying per user license. Thanks!

    • @bearded365guy
      @bearded365guy  10 місяців тому +1

      I’ll be doing some of these videos very soon

  • @JRashid90
    @JRashid90 10 місяців тому +2

    Another great video! Too many organisations rely on Microsoft Baseline or defaults

  • @GabrielJIsaza
    @GabrielJIsaza 7 місяців тому +1

    Amesing explanation. Question, do I need to assign an Entra P1 license for each user in my organization if I want to implement those essential security policies?

    • @bearded365guy
      @bearded365guy  7 місяців тому +2

      Good question! Microsoft Licensing says - yes, each user should have a license. But it will let you use the policies even if there is just one license in the tenant. I always try to be honest and add the licenses.

    • @ggates5859
      @ggates5859 3 місяці тому

      @@bearded365guyHonesty, esp for Global Admins, is always the best policy.

  • @ScottMillar
    @ScottMillar 7 місяців тому

    you would'nt believe how many dont do any of this! very helpful

  • @jimmyroels7604
    @jimmyroels7604 10 місяців тому +1

    Thank you Jonathan, this will help me secure the tenants of my customers.

  • @barcoproductions
    @barcoproductions 7 місяців тому +1

    Very helpful video!

  • @orlandom-c3r
    @orlandom-c3r 9 місяців тому +3

    I just wanted to join the group and let you know that your videos are amazing. Straight to the point and very informative. Due to this video, I created a little script in PowerShell using Microsoft Graph that will configure all these conditional access policies and one more that block access to all Azure Admin Portals. I just want to share the script as a little contribution to all the effort and good things that you put on your videos. What is the best way to share it? Thanks again for all your good work

    • @bearded365guy
      @bearded365guy  9 місяців тому +3

      That’s fantastic. Can you send me a link to jonathan@integral-it.co.uk and I’ll share it on the channel somehow

    • @smarqus4720
      @smarqus4720 6 місяців тому +1

      @@bearded365guy I would love to see that powershell

  • @JuanDiazSilvermyst
    @JuanDiazSilvermyst 4 місяці тому

    I love these. Do you have more videos of these policies? tips/tricks and why its good to use them?

    • @bearded365guy
      @bearded365guy  4 місяці тому

      @@JuanDiazSilvermyst There is just what is on my channel at the moment.

  • @fbifido2
    @fbifido2 7 місяців тому

    @14:24 - can we just create a policy for each of the templates and be secured ????

  • @jimbozo03
    @jimbozo03 10 місяців тому +1

    What is the minimum licensing required to enable conditional access (365 business premium?) ? And what if you have a mixed licensing environment? Do policies apply to basic users if setup ?

    • @jimbozo03
      @jimbozo03 10 місяців тому

      Copilot tells me the basic users wouldn’t be evaluated against the policies due to not being licensed, so essentially any MFA or geo blocking policy for all users would not apply to them.
      To me this also become a bigger problem if you’re using sensitivity labels, where those labels do not apply to basic users so as long as they can access the document any encryption or sharing restrictions would not apply to that basic plan user

    • @bearded365guy
      @bearded365guy  10 місяців тому +1

      Business Premium.

  • @danpowell7421
    @danpowell7421 7 місяців тому

    Some great tips here!
    thanks for sharing

  • @chrisbattiston
    @chrisbattiston 10 місяців тому +1

    Thankt!!! Great video !
    And what do I do with the scanner email and the MFA? without using a gmail (I have already seen your other video)

    • @bearded365guy
      @bearded365guy  10 місяців тому +1

      You could exclude from MFA policy. Or… add an IP address in trusted MFA. I didn’t show it on video, but it’s on same screen as approved countries

    • @chrisbattiston
      @chrisbattiston 10 місяців тому +1

      @@bearded365guy Thank you ! you're the best! I've been in IT for 30 years and I've only been working on security issues at Microsoft for a few months (which I didn't know anything about) and your videos are extremely helpful!

  • @shellpie1
    @shellpie1 3 місяці тому

    Thank you SO MUCH.

  • @mihaneman3129
    @mihaneman3129 9 місяців тому +1

    thank you so much the content is excellent and helps a lot

  • @Zak.88
    @Zak.88 10 місяців тому

    Well done Jonathan, loves all your videos. thanks

  • @xspance
    @xspance 10 місяців тому +1

    Firstly love the videos thanks so much learnt a bunch.
    Set this up as a lab. I had issues launching outlook and any other app. I wasn’t sure how to configure the intube app policy for mobile and desktop. I watched the other vid but it still just kept looping for login credentials.

    • @bearded365guy
      @bearded365guy  10 місяців тому +1

      Can you access if you disable the app protection conditional access policy?

    • @xspance
      @xspance 10 місяців тому

      @@bearded365guy Hey Johnathan! Yes, I excluded myself from the policy and gained access. The config wasn't complete, I couldn't set the intune app policy.

  • @markrichter7504
    @markrichter7504 6 місяців тому

    Great video, Thanks!

  • @maltbycentre3394
    @maltbycentre3394 7 місяців тому +1

    Is it possible to disable external guest downloads of OneDrive shared files via CA? Thank you.

    • @bearded365guy
      @bearded365guy  7 місяців тому

      Yes it is.

    • @maltbycentre3394
      @maltbycentre3394 7 місяців тому +1

      @@bearded365guy Could you please show me a video you made before about it or the options I need to select to make it work? Thank you.

    • @bearded365guy
      @bearded365guy  7 місяців тому

      I’ll be making one soon

  • @msmacthankQ
    @msmacthankQ 7 місяців тому

    Brilliant Video, thank you so much. With CA01 do you turn this on after you have communicated to everyone to download the App and set it up? If you have users working all over the world is it still good to set up CA02?

  • @MarceloMedeirosInfo
    @MarceloMedeirosInfo 7 місяців тому +1

    Hey Jonathan, how you doing my friend? My name is Marcelo, I'm from Brazil and you videos are super helpfull! Thank you so much for your work! 😊👍

  • @justinpascarella
    @justinpascarella 9 місяців тому +1

    Thanks again Jonathan! The video I've been waiting for. Question, for those already enrolled in SMS/Phone call MFA, once you enable/enforce these policies, what happens? Will they be prompted/forced to enroll or change their MFA method to using the MS Authenticator?

    • @bearded365guy
      @bearded365guy  9 місяців тому

      If we disable those ways to authenticate, then yes

  • @gregoryigbinoba4778
    @gregoryigbinoba4778 5 місяців тому

    @Jonathan Edwards. Thanks for the knowledge. On which M365 service do we test/validate the 'Disable persistent browser session' after setting up the Conditional Access Policy?

  • @paulmckenna9477
    @paulmckenna9477 9 місяців тому +1

    At the start of the video you created a conditional access policy requiring MFA for all users. Why is a second policy required MFA for Entra join. Isn't that redundant? Great video, Thanks!

    • @bearded365guy
      @bearded365guy  9 місяців тому +1

      The second policy is specifically to join devices to Entra

  • @thaksdaone1
    @thaksdaone1 10 місяців тому +1

    very helpful,,thanks a lot sir

  • @themikerennie
    @themikerennie 9 місяців тому +1

    For the whitelisting countries bit, when you filter to compliant devices outside of approved counties, would approved apps (like Outlook or Teams) on unmanaged iPhones still work?

    • @bearded365guy
      @bearded365guy  9 місяців тому +1

      No, what we’d also need to do is actually manage the smartphones in MDM, rather than app protection

    • @themikerennie
      @themikerennie 9 місяців тому +1

      I guess we could scope the allowed countries policy to Windows / Mac devices then use app protection policies to lock down the iOS / android devices differently.

  • @andrewenglish3810
    @andrewenglish3810 3 місяці тому

    In the Entra ID Conditional Access -> Policies -> new Policy settings there is now "Newtwork" do we need to change anything there for any of these policies you are creating?
    And when you do the exclusion for CA02 if the we are on P1 license with Business Standard will this work or do we need to add a different set of options?

  • @DoughBoy2024
    @DoughBoy2024 10 місяців тому +1

    Great vid. Speaking of global admin, how about a video talking about how to manage/removing local admin privileges on workstations?

  • @smarqus4720
    @smarqus4720 6 місяців тому

    Place you mentioned not recommended to use Microsoft authenticator app ? I don’t know how the authentication will the work without the app or MSS ?
    Please if hacker use VPN, for UK can he success pass the location policy?

    • @bearded365guy
      @bearded365guy  6 місяців тому +1

      The authenticator app is OK for MFA, SMS less so.

    • @smarqus4720
      @smarqus4720 6 місяців тому

      @@bearded365guy
      Thank you, what about my question about VPN ?

  • @gnuttz1972
    @gnuttz1972 9 місяців тому

    Great video but there are plenty of dangers associated with many of these which i think need mentioning. For example blocking legacy applications could have many negative side effects especially in a large tenant running in hybrid mode with ad connect back to a sizeable mature on prem environment. There would need to be an audit phase to identify the effect. Is there a way to test an environment for side effects? Sadly not many 365/Azure environments are ‘blue sky’ and therefore will likely be legacy apps.

    • @ACBCallahan
      @ACBCallahan 8 місяців тому +1

      Yes, using the “Report Only” mode is helpful for an audit period like that.

  • @tri.taminh
    @tri.taminh 6 місяців тому +1

    Hi do i need the license Microsoft 365 Premium for all users so that the Conditional Access to take effect or I just need to assign Premium license to Global Admin and others user can still use Basic and Standard license?

    • @bearded365guy
      @bearded365guy  6 місяців тому +1

      There is a license loop hole that means you just need one Business premium license in the tenant. With our clients, we always license each user properly for what features they’ll be using.

    • @tri.taminh
      @tri.taminh 6 місяців тому

      ​@@bearded365guy thank you very much, that helps alot.

  • @alan33308
    @alan33308 10 місяців тому

    Jonathan you are a God sent!
    Thank you so much for these great videos! 🙏🙏🙏

  • @andrewenglish3810
    @andrewenglish3810 8 місяців тому

    Which Entra ID do you have for this video? P1 or P2?

  • @crocaliph
    @crocaliph 7 місяців тому

    Did exactly like you on CA02 : Block access from other countries, whitelisted the countrie we work in, but i had a case yesterday when someone traveled to Spain, he was not able to login, yet Intune says his laptop is compaint, any Ideas? When i go to sign in logs, CA02 did block them, 2 of them had the same issue.

    • @bearded365guy
      @bearded365guy  7 місяців тому +1

      What device were they using? Laptops? Phones?

    • @crocaliph
      @crocaliph 7 місяців тому

      @@bearded365guy laptops

    • @crocaliph
      @crocaliph 7 місяців тому

      @@bearded365guy laptops, when i whitelisted spain, all was good

    • @crocaliph
      @crocaliph 7 місяців тому

      @@bearded365guy Laptops, after i whitelisted Spain, all was good.

    • @crocaliph
      @crocaliph 7 місяців тому +1

      @@bearded365guy Laptops, after i whitelisted Spain all was good!

  • @samarthverulkar4529
    @samarthverulkar4529 7 місяців тому

    I want to disable access outside my Virtual desktop Workspace i tried to ip block but not able to see public range

  • @pobertubbesing
    @pobertubbesing 19 днів тому

    You can get around blocked countries through VPN.

  • @daelra
    @daelra 10 місяців тому

    Does the order matter with these policies? I kind of have a few basic general purpose CA policies and a few I want for special cases. Do I put the special cases first or last or does the order not matter and I have fiddle with exclusions for each policy to stop one of them stomping on the others where it shouldn't?
    Also, for licencing purposes, if I set up a 'break-glass' admin account, do I need to have a Business Premium licence attached to it or will one with no licenses be acceptable (providing that is literally its only purpose)? Any technical pros or cons for doing it this way?

    • @bearded365guy
      @bearded365guy  10 місяців тому +1

      No, the order doesn’t matter. It just has to make sense to you or whoever is administering the system.
      I think the advice is that any admin accounts shouldn’t have a license attached at all.

  • @Bjeurn1990
    @Bjeurn1990 10 місяців тому

    Great video ! Thanks!

  • @jonathanmatthew5631
    @jonathanmatthew5631 28 днів тому

    Will vpn bypass conditional access location?

  • @Manavetri
    @Manavetri 9 місяців тому +1

    Only can say... brilliant

  • @davidasplund7088
    @davidasplund7088 9 місяців тому

    Thanks for the video

  • @badda_boom8017
    @badda_boom8017 9 місяців тому

    PERFECT VIDEO !

  • @marcushutchinson7057
    @marcushutchinson7057 10 місяців тому

    If I am using Business Standard this doesn't apply to me and I'm not secured, correct?

    • @LimitlessHorizonAdventure
      @LimitlessHorizonAdventure 7 місяців тому

      I'm interested to know the major ramifications of staying with Business Standard for most business around 10 endpoints. Unless controlling endpoints with Intune and really locking them down are they not still safe with Standard if MFA is enforced on all users?

  • @christophermckissick2089
    @christophermckissick2089 10 місяців тому

    If I have MFA enabled, I cannot setup our software to send emails. It is a housing software that emails our tenants.

    • @bearded365guy
      @bearded365guy  10 місяців тому

      That’s worrying. I would speak to the software company about that…. It’s 2024!

  • @itmaster1900
    @itmaster1900 4 місяці тому

    Nice videos

  • @dougOptics
    @dougOptics 10 місяців тому

    Dude. I love you.

  • @johnthompson3530
    @johnthompson3530 10 місяців тому

    GREAT VIDEO

  • @nazerbor3i
    @nazerbor3i 10 місяців тому +1

    beautiful

  • @rehman2017
    @rehman2017 10 місяців тому +1

    I'm professional thumbnail designer on fiver I really want to design your thumbnails more eye catching

    • @bearded365guy
      @bearded365guy  10 місяців тому +2

      Thanks for your comment. But we’re ok

    • @rehman2017
      @rehman2017 10 місяців тому

      @@bearded365guy I really want to design your thumbnails dear sir only in $10 in 1 hour

    • @rehman2017
      @rehman2017 10 місяців тому

      @@bearded365guy can give you in 1 hour let's try my example thumbnail for free