The main problem to me is that tamper protection doesn't prevent users from excluding folders from AV scans.
@pasdfei 8 hours ago
I think there is a setting called disable admin merge to avoid that.
@KarolynaABCMultiserviciosB 8 days ago
yesss WTH?? I CAN NOT access my emails
@davidthornton2788 11 days ago
Very helpful video! Thanks as always
@andreelyusef3235 17 days ago
Awesome work guys. I have your KQL book, love it! Lots of work and good content!
@RinkuVaghela 19 days ago
Really love the video, it's so informative
@0xcalmaf976 20 days ago
Yo Magneto! Wassup
@elementdude814 24 days ago
Great video Ru! Thank you for going through out-of-the-box security defaults.
@ikazimirs 25 days ago
Great video Ru - while secure by default is a great concept it will always be contextual. What I would really like to see is an onboarding permissions run-through rather than have defaults at all. Don't let someone create a tenant until they review and set a default of their own before the tenant spins up. I know easy create is great, but if an admin/user was asked to provide a bunch of config before tenant creation in the form of some sort of submission form or flow-through window, a) they would be aware of what the current setting is and that it exists in the first place and b) they might consider looking for advice to get it secure from the get-go.
@chrisrossneely 25 days ago
Default tenant config needs to span from Azure Free all the way through to E5, hence favouring Security Defaults rather than CA, and as you said, they aren't compatible. I agree though, I'd much rather see MFA for all users, MFA for Admins and block Legacy Auth called out as specific Conditional Access Policies if your licensing supported it. Email authentication, from memory, is only available for Self Service Password Reset, not as an MFA challenge (even though it's listed in Auth Methods). I could be wrong, that mightn't be the default. Great content. Keep it up!
@rucam365 25 days ago
Correct, agree, and thanks! Though I don't like email for SSPR either as you can't verify the security of the unmanaged mailbox. But, accept the trade-off can be worth it (eg coupled with other methods enforced during reset). IMO, CA, or at least some conditions and controls, should trickle down to Entra ID Free. As time goes and what's considered adequate security does too, that's my hope (won't bet the farm on it though).
@0xcalmaf976 26 days ago
Magneto relogin please
@davidthornton2788 a month ago
Yes please to a conditional access design video. We are just planning out a persona-based approach as I have seen you use this in other videos
@rucam365 25 days ago
Working on it!
@davidthornton2788 24 days ago
@ nice one!
@SamCrome-n6m a month ago
I have come across an issue in the past with the last mistake. If you're trusting MFA from other tenants and they have a type of authentication method used that you do not allow in your own tenant, this will fail, or at least has failed for us in the past. It will show in the audit logs that the MFA was a success but that the user failed to authenticate, so we ended up removing this option and forcing users to register the auth app when accessing our application.
@patrick__007 a month ago
Great video!🎉 Can you please help me with the following? We have some users having complaints about the fact that the Microsoft Teams, Outlook apps etc on their smartphones are randomly logged out. I have seen some error codes in Entra like 70045, 500121 and 70044. I think my users shouldn't get prompted to use MFA when opening these apps on their devices. It's just that when not authenticating, the devices aren't syncing new mail, messages etc. What is best practice? We are not enforcing app protection policies (yet)
@rucam365 25 days ago
Thinking out loud - what are the Sign In Frequency settings in CA?
@patrick__007 25 days ago
@rucam365 Yep, that seemed to be the issue.. thanks
@danpowell7421 a month ago
Honestly thought single user MFA was being sacked off. Great video! Thanks for sharing
@davidlewis4546 a month ago
Always good to hear another perspective on things. Great vid. Cheers!!
@SebastianMarkdanner a month ago
Great video! I'd add #6 - enforcing a higher Auth method before being ready... the number of times I've seen tenants being blocked because someone (def. never me) enforced Phishing resistant methods before the tenant was ready!
@sunnykgaming2541 a month ago
What auth policies are the safest?
@rucam365 25 days ago
Have an upcoming video explaining each in detail. But if we're talking auth methods, cert based auth, WHfB, and passkeys (FIDO2) all rank highest, as they are cryptographically enforced, with some nuance and things to consider between them.
@sunnykgaming2541 25 days ago
@rucam365 thanks, sounds good and look forward to upcoming vids. Always looking for new ways to make our azure 365 environments more secure with the latest stuff
@RichardAdams-l5d a month ago
Great video as usual! Would certainly be handy to have a deep dive into CA policies, not so much the functionality (though could include that if the video was long enough), but the naming conventions I've seen you use in some videos. It's all too easy to end up with dozens of policies that have an unclear function, particularly when coming into a new tenant that hasn't been well documented.
@ifbootfitz a month ago
Second this^
@rucam365 25 days ago
Thanks! ACK on the CA video; will do this in the new year.
@patrickhorne3045 a month ago
Hi Ru, awesome as always! I have a couple of questions though if I may on number 5. When you say Guests can only register phishing resistant MFA in their home tenant and not a target tenant, what is the mechanism that enforces this? Is it UserType = Member? If so, what about External Members? Or put another way, is it any user that isn't an Internal Member? Following on from that, what is the expected behaviour for a Guest user who is challenged for Phishing Resistant MFA by a Target tenant that does trust MFA from other tenants, but the user has not registered any PR-MFA in their home tenant? Is it just a straight block? Or do they get redirected to the home tenant to register some?
@rucam365 25 days ago
Great questions. Let me get a video out that deep dives into these.
@JeffThomas-u4n a month ago
Thanks for the breakdown! Just a quick off-topic question: I have a SafePal wallet with USDT, and I have the seed phrase. (alarm fetch churn bridge exercise tape speak race clerk couch crater letter). How should I go about transferring them to Binance?
@patrick__007 a month ago
Configured the Group to be activated by using an Authentication Context. Therefore I've created an Authentication Context in Entra, a Conditional Access policy pointed to that Authentication Context, PIM group and force to use 2FA. The result is that while activating the group no 2FA is enforced.
@patrickhorne3045 a month ago
Valid point about the Emergency Access accounts and excluding them not only from CA policies but also making them permanent GA, but why would you make "other administrators" the approvers for privileged roles? In my mind I would make department or team managers the approvers. If you need to elevate to GA, your team lead (who might not be technical themselves) would still want justification and maybe a change number to approve your request, but do they need to hold an admin role themselves? Or have I missed something?
@st3v3nwh1t3j a month ago
Great content, as per your usual 🙂 I'd add that you can use role-assignable groups to help protect against the last issue discussed about using PIM for groups.
@ifbootfitz a month ago
Would like to see more on your conditional access designs.
@patrick__007 a month ago
Really helpful! We have planned to implement PIM next week! 🎉
@davidthornton2788 a month ago
Subscribed! Thanks 😊
@Daily_Cyber_Update 2 months ago
Great video. Thank you for making this, you explained everything perfectly. I really hope that you can make a video on BYOD of mobile devices.
@ikazimirs 2 months ago
great video - funny that the demo tenant in mistake no 3 is showing an implementation of mistake no 2 :) where admins are blocked only if they are Medium or Low risk but not at high risk :D
@rucam365 20 days ago
Haha, love it - great spot! This is because we have a global policy that blocks high risk :) Then for admins, we also block medium and low. But for standard users, that's quite FP prone, so we just scope it to our most sensitive users. Working on a more detailed CA design video to go into this kind of strategy.
@semir3660 2 months ago
What about using user environment variables in exclusions? 🙈
@francisreidjr3788 2 months ago
Great video Ru and thanks again for the talk at Scottish Summit
@lachezarpopov6254 2 months ago
Thanks for the video and sharing your experience. I have also had issues with customers: when you encrypt by default, it breaks all kinds of legacy systems; however, with the correct exclusions, within 2 months people even forget about it and are used to the new "experience".
@Llaves2625 2 months ago
Hi Folks! The content is really good, and so are the guests. It would be great if you could add some kind of diagrams, images, or anything that helps digest what the guest is explaining, because otherwise, it becomes quite a challenging podcast to stay focused on.
@pallejohnson6677 2 months ago
Very useful, I will recommend my clients watch this video
@the_fatshark 2 months ago
Thanks Ru, can you maybe share the specific settings you use for updates, the baseline you use in general?
@DSonBlue 2 months ago
Great job Ru 💪🏻
@CrusaderVulkan 2 months ago
Hi Ru, good video on some common pitfalls. You mentioned Defender running on DCs in the video, but I've not found a lot of information surrounding Domain Controllers being managed by anything but GPO. I know that it's in preview for Intune Management via MDE; have you had much exposure to this method of management? How does the synthetic registration work on a Domain Controller now with this option to manage DCs, and are there any limitations you're aware of with them? (I think you're not getting firewall control on DCs, but do get AV protections).
@adrianbishop694 2 months ago
The exclusion at 5:18: can this format be used in ASR rules to exclude them?
@ibell63 2 months ago
It's very surprising to me that this video did not even mention Tamper Protection, which I would argue is perhaps the most important setting considering how domain-wide ransomware attacks typically progress.
@rucam365 2 months ago
Yeah, TP is essential. Just didn't make this particular list because it's now on by default, and this is about mistakes more commonly observed. In our assessments of MDE/MDAV, folks are mostly doing a good job of having TP enabled.
@ourcloudnetwork 2 months ago
@rucam365 Well said!
@Bobby.Tables 2 months ago
Nice video. Glad we didn't make those mistakes ;) But I have a few questions:
1. Defender exceptions. The last time I looked at MS docs for their own products, they do not give you contextual suggestions. I'm really curious how you could narrow down these exceptions for e.g. IME, ConfigMgr, ... Do you already have those and are willing to share?
2. Not a question but a vital hint: before you disallow local firewall policy merge, be 100% sure you have manually set all required rules. I heard that once somebody may have set this to false and forgot to define allow outgoing rules, which ended up in all devices being offline and no way to fix this anymore, as all outgoing was blocked...
3. XDR recommendations are broken. We have all our clients set to scan removable storage on full scan. I can verify by PowerShell and reg key, but for some reason recommendations say ~50% of my clients are configured wrong. Checking the exposed devices, they are all set correctly. (And that's not the only recommendation I set to "solved by 3rd party", because the detection is just wrong. And there is absolutely no use in making a support ticket there. They actively refuse to address the issues.)
@aranbillen5954 2 months ago
Great Video! Is it possible to allow access to Office 365 apps on a device and use them when saving within Office 365, but disable saving locally on the device?
@rucam365 2 months ago
Not aware of a way :( But haven't researched extensively. Usually in these cases, we go down the VDI route.
@AbdullahOllivierreIT 2 months ago
**Summary of "Why Your Entra ID Protection Strategy Is Weak [5 Critical Mistakes]"**

The video highlights five critical mistakes commonly made when configuring Microsoft's Entra ID Protection and offers solutions to enhance security strategies:

1. **Misconfiguring Conditional Access Policies:**
   - **Risk Level Selection:** When setting up conditional access policies based on sign-in risk, selecting a specific risk level (e.g., "Low") applies **only** to that level, not to higher levels. The risk checkboxes are treated as "equal to," not "greater than or equal to."
   - **User Risk vs. Sign-in Risk:** If both user risk and sign-in risk are configured in the same policy, **both conditions must be true** for the policy to apply. To optimize, create separate policies for user risk and sign-in risk to ensure they function as intended.
2. **Challenges with Passwordless Authentication:**
   - **Password Change Requirement:** Requiring high-risk users to change their passwords can confuse passwordless users who do not have a traditional password.
   - **Solutions:**
     - **Block Authentication:** Instead of requiring a password change, consider blocking authentication for high-risk users to prompt clearer action.
     - **Exclude Passwordless Users:** Exclude passwordless users from policies that require a password change, allowing them to continue using passwordless methods without disruption.
3. **One-Size-Fits-All Approach:**
   - **Customized Policies:** Avoid applying the same identity protection policies to all users. Different user groups, such as administrators and regular users, have varying security needs.
   - **Gradual Implementation:** Start with stricter policies for high-risk groups like admins and VIPs. For example, block admins on medium or low risk while only blocking regular users on high risk. This approach facilitates smoother adoption and minimizes unintended consequences.
4. **Excluding Guest Users from Protection:**
   - **Inclusion of Guests:** Do not automatically exclude guest users from identity protection policies. Guest users often access the system from uncontrolled devices, increasing security risks.
   - **Enhanced Security Measures:** Consider applying more stringent identity protection policies to guest users to mitigate potential vulnerabilities associated with their access.
5. **Overlooking Audit Log Retention:**
   - **License-Based Retention Periods:** Entra ID log retention varies by license level:
     - **Free Level:** 7 days
     - **P1 License:** 30 days
     - **P2 License:** 90 days
   - **Data Retention Issues:** Upgrading your license does not retroactively extend log data retention. Important historical data may be unavailable during investigations if not properly retained.
   - **Recommendations:**
     - **Proactive Monitoring:** Regularly review and investigate risks to address issues promptly.
     - **Data Export:** Export log data to external solutions like Log Analytics or Microsoft Sentinel to preserve information beyond default retention periods.

**Key Takeaways:**
- **Configure Policies Accurately:** Understand how risk levels and conditions interact within conditional access policies to ensure they operate effectively.
- **Accommodate Passwordless Users:** Adjust policies to support users who rely on passwordless authentication methods to prevent confusion and access issues.
- **Customize Protection Strategies:** Tailor identity protection policies to different user groups based on their access levels and risk profiles.
- **Include Guest Users in Protections:** Enhance security by applying appropriate protections to guest users, who may pose additional risks.
- **Manage Log Retention Proactively:** Be aware of your license limitations regarding log retention and take steps to preserve essential data for security investigations.

By addressing these common mistakes, organizations can strengthen their Entra ID Protection strategy, improve security posture, and reduce the risk of unauthorized access or breaches.
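As an added example (not code from the video, the channel, or any commenter), the following Python lint walks a set of Conditional Access policy objects and flags the pitfalls in mistakes 1, 2 and 4 of the summary above: a risk-level selection that silently leaves higher levels uncovered, user risk and sign-in risk ANDed in one policy, a password-change grant applied to user risk, and guests carved out of risk protection. The dict shape follows the Microsoft Graph conditionalAccessPolicy resource (`conditions.signInRiskLevels`, `conditions.userRiskLevels`, `grantControls.builtInControls`, `conditions.users.excludeUsers`); the sample policies are constructed, and the admin role template id is a placeholder.

```python
"""Lint Entra ID Conditional Access policies for the evaluation pitfalls named
in mistakes 1, 2 and 4 of the summary above.

Added example, not from the video, the channel or any commenter. The dict shape
follows the Microsoft Graph conditionalAccessPolicy resource; every sample
policy below is constructed for illustration.
"""
from __future__ import annotations

# Severity order only. Graph also accepts "hidden" and "none" in these lists;
# they are not severities, so the ordering check skips them.
RISK_ORDER = ["low", "medium", "high"]


def missing_higher_levels(levels: list[str]) -> list[str]:
    """Return the higher severities a selection leaves uncovered.

    The risk checkboxes mean 'equal to', not 'greater than or equal to', so
    ticking only "low" does nothing for medium- or high-risk sign-ins.
    """
    selected = [lvl for lvl in levels if lvl in RISK_ORDER]
    if not selected:
        return []
    lowest = min(RISK_ORDER.index(lvl) for lvl in selected)
    return [lvl for lvl in RISK_ORDER[lowest:] if lvl not in selected]


def excludes_guests(users: dict) -> bool:
    """True if the policy carves guests out, via either the legacy
    'GuestsOrExternalUsers' pseudo-user or the newer object form."""
    legacy = "GuestsOrExternalUsers" in (users.get("excludeUsers") or [])
    return legacy or bool(users.get("excludeGuestsOrExternalUsers"))


def lint_policy(policy: dict) -> list[str]:
    """Return human-readable findings for one policy (empty list = clean)."""
    name = policy.get("displayName", "<unnamed>")
    cond = policy.get("conditions") or {}
    sign_in = cond.get("signInRiskLevels") or []
    user = cond.get("userRiskLevels") or []
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    findings: list[str] = []

    if policy.get("state") != "enabled":
        findings.append(f"{name}: state is {policy.get('state')!r}, so nothing is enforced")

    for label, levels in (("signInRiskLevels", sign_in), ("userRiskLevels", user)):
        gap = missing_higher_levels(levels)
        if gap:
            findings.append(f"{name}: {label}={levels} leaves {gap} uncovered")

    # Mistake 1: user risk and sign-in risk in one policy are ANDed, so the
    # policy only fires when both are true. Split them into two policies.
    if sign_in and user:
        findings.append(f"{name}: userRiskLevels and signInRiskLevels in one policy; both must match")

    # Mistake 2: a password-change grant on user risk strands passwordless
    # users, who have no password to change. Block instead, or exclude them.
    if "passwordChange" in controls and user:
        findings.append(f"{name}: passwordChange on user risk will confuse passwordless users")

    # Mistake 4: guests sign in from uncontrolled devices; do not carve them out.
    if excludes_guests(cond.get("users") or {}):
        findings.append(f"{name}: guest/external users are excluded from risk protection")

    return findings


# Constructed sample policies (not exported from any real tenant).
SAMPLE_POLICIES = [
    {   # reads like "block risky sign-ins" but only matches risk == low
        "displayName": "CA100 Block low-risk sign-ins",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"]}, "signInRiskLevels": ["low"]},
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {   # both risk conditions, plus a password change for passwordless users
        "displayName": "CA101 High risk remediation",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"]},
                       "signInRiskLevels": ["high"], "userRiskLevels": ["high"]},
        "grantControls": {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]},
    },
    {   # report-only, and guests excluded
        "displayName": "CA102 MFA on high sign-in risk",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["GuestsOrExternalUsers"]},
                       "signInRiskLevels": ["high"]},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # the admin policy from mistake 3: every level ticked, block. Role id is a placeholder.
        "displayName": "CA200 Admins block any sign-in risk",
        "state": "enabled",
        "conditions": {"users": {"includeRoles": ["<admin-role-template-id>"]},
                       "signInRiskLevels": ["low", "medium", "high"]},
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]


def lint_all(policies: list[dict]) -> dict[str, list[str]]:
    """Map each policy name to its findings; clean policies map to []."""
    return {p["displayName"]: lint_policy(p) for p in policies}


if __name__ == "__main__":
    for name, findings in lint_all(SAMPLE_POLICIES).items():
        print(f"{name}: {'OK' if not findings else f'{len(findings)} finding(s)'}")
        for finding in findings:
            print(f"  - {finding}")
```

Run against a real export (for example the JSON returned by the Graph `identity/conditionalAccess/policies` endpoint), the same `lint_all` call gives a quick first pass before a manual review; the CA200 policy shows the shape that passes clean, while CA100 is the "Low only" trap the summary describes.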
@zulks8219 3 months ago
Great video, would this setup apply to BYOD devices which are domain registered, so those devices which have been enrolled via the company portal?
@aranbillen5954 3 months ago
Is it possible to get TAP set for users in bulk?
@JeniferNech 3 months ago
Wow! This was great. I have been experiencing 'info overload' with so many changes in just the last 2 yrs with MS 365 and beyond! Thank you😊
@sunnykgaming2541 3 months ago
Don't you need Entra ID P2 licenses for all users to do this?
@rucam365 2 months ago
You'd need it for users targeted by policies, except for the first 50K guests.
@dangood8006 3 months ago
Great content! For the "Consumer VPN" bypassing Trusted Locations, it appears you need to have Apps deployed with CA App Control. Any chance you can expand on that in a video in terms of covering the M365 Apps as opposed to custom apps?
@rucam365 20 days ago
Yes absolutely. Gonna do a few videos on Defender for Cloud Apps, so will include it then.
@imca_b_5517 3 months ago
There are two differences between MF and MFA
@xCheddarB0b42x 3 months ago
Thank you for the Conditional Access content.
@prashantmishra5691 3 months ago
Rod Trent's share sent me here. This was such an informative video. Thank you so much!