Conditional Access has some cool new features that will add extra security to your user logins. In this post I will cover some of them. I will be digging deeper into these as they evolve, but for now it is important for all of you to know that they will be made generally available and enabled as soon as possible.
Preview of organization
Policies from templates
How cool is that: finally you can create your policies from templates.
You can select templates for Identities to verify and secure each identity with strong authentication across your entire digital estate.
Here are the templates for Identities; pick the one that fits your needs.
Or go with Devices to gain visibility into the devices accessing the network, and ensure compliance and health status before granting access.
And here are the templates that you can choose from for devices.
Service principals
Now you can also scope a policy to Workload identities (service principals), not only to users and groups.
Authentication context
Authentication context can be used to further secure data and actions in applications. These applications can be your own custom applications, custom line of business (LOB) applications, applications like SharePoint, or applications protected by Microsoft Defender for Cloud Apps.
Device state -> Filter for devices
Microsoft is removing Device state, and in the future you have to use Filter for devices instead.
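To show what that migration means in Microsoft Graph terms, here is an added example (not code from the original post) that rewrites a policy's deprecated Device state condition into an equivalent Filter for devices rule. It assumes the legacy condition lives in `conditions.devices.includeDeviceStates` / `excludeDeviceStates` with the values "All", "Compliant" and "DomainJoined", and that the replacement is `conditions.devices.deviceFilter` with `mode` and `rule`; the helper names and the sample policy are constructed for this example.

```python
"""Migrate a Conditional Access policy from the deprecated 'Device state'
condition to 'Filter for devices' (Microsoft Graph JSON shape).
Added example; key names for the legacy condition are assumptions."""
import copy

# Legacy device-state value -> filter predicate selecting the same devices.
# "DomainJoined" means hybrid Azure AD joined, i.e. trustType "ServerAD".
STATE_PREDICATES = {
    "compliant": "device.isCompliant -eq True",
    "domainjoined": 'device.trustType -eq "ServerAD"',
}


def device_state_to_filter(exclude_states):
    """Build a deviceFilter excluding exactly the devices the legacy
    excludeDeviceStates list excluded (the include side was always All)."""
    predicates = []
    for state in exclude_states:
        key = state.lower()
        if key not in STATE_PREDICATES:
            raise ValueError(f"unknown device state: {state!r}")
        predicates.append(STATE_PREDICATES[key])
    if not predicates:
        raise ValueError("nothing to migrate: no excluded device states")
    # Excluding "compliant OR hybrid-joined" keeps the old semantics: the
    # policy applies only to devices matching neither predicate.
    return {"mode": "exclude", "rule": " -or ".join(predicates)}


def migrate_policy(policy):
    """Return a copy of the policy with the deprecated device-state keys
    replaced by an equivalent deviceFilter; untouched if none were used."""
    new = copy.deepcopy(policy)
    devices = new.get("conditions", {}).get("devices") or {}
    include = devices.pop("includeDeviceStates", None)
    exclude = devices.pop("excludeDeviceStates", None)
    if include is None and exclude is None:
        return new
    if include and [s.lower() for s in include] != ["all"]:
        raise ValueError("includeDeviceStates other than All is not handled")
    devices["deviceFilter"] = device_state_to_filter(exclude or [])
    new["conditions"]["devices"] = devices
    return new


# Constructed sample: a legacy policy that spared compliant and hybrid-joined devices.
LEGACY_POLICY = {
    "displayName": "Block unmanaged devices (legacy device state)",
    "conditions": {"devices": {"includeDeviceStates": ["All"],
                               "excludeDeviceStates": ["Compliant", "DomainJoined"]}},
}
MIGRATED_POLICY = migrate_policy(LEGACY_POLICY)
```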
GPS locations
You can choose GPS location in Named locations.
And when you enforce it, the user is prompted to consent to sharing their location.
You will then be asked to share your location with the Authenticator app (sorry that the screenshots are in Finnish, but you get the point).
Number matching
Microsoft has released number matching (yes, the same feature that is used for Microsoft accounts and passwordless sign-in).
Number matching is a key security upgrade to traditional second factor notifications in the Microsoft Authenticator app that will be enabled by default for all tenants a few months after general availability (GA).
We highly recommend enabling number matching in the near-term for improved sign-in security.
It will be available for the following scenarios.
- Multifactor authentication
- Self-service password reset
- Combined SSPR and MFA registration during Authenticator app set up
- AD FS adapter
- NPS extension
And this is how you enable it.
Go to Authentication methods and choose a group. As of now it has to be a single group; you cannot choose “All users” or a particular user.
Then under the three dots, choose enabled.
And once enabled, you will see a number on the sign-in screen that you have to enter in the Microsoft Authenticator app.
Known issues
- Number matching for admin roles during SSPR is pending and unavailable for a couple of days.
Limitations and notes with these features
If a user or group is a member of over 2048 groups, their access may be blocked. This limit applies to both direct and nested group membership.
Conditional Access policies do not support users assigned a directory role scoped to an administrative unit or directory roles scoped directly to an object, like through custom roles.
Number matching can only be enabled for a single group.
For passwordless users, enabling number matching has no impact because it’s already part of the passwordless experience.
End conclusions
Again there are lots of new features. Number matching is a really nice addition to make your sign-in experience more secure. The GPS location sharing is also excellent: now you can know the location that the sign-in you are approving is coming from.
With Microsoft Managed Settings, admins can trust Microsoft to enable a security feature they have not explicitly disabled.
This is proactive security in practice!
Stay tuned for more!