14 - Conditional Access Policies

Create all of the necessary Conditional Access policies in Microsoft Entra ID (entra.microsoft.us) under Conditional Access > Policies. Each policy below lists the settings to enter on the new-policy form, in the order the form presents them.

1. Block Device Code Flow

  1. Add New Policy

  2. Name: CISA SCuBA - Block Device Code Flow

  3. Users

    • Include: ALL
    • Exclude: Emergency Access Account
  4. Target Resources

    • All Resources (formerly 'All cloud apps')
  5. Network

    • Not Configured
  6. Conditions

    [Screenshot in the original: Device Code Flow Conditions]

  7. Access Controls

    • Grant > Block Access
    • Session > 0 controls selected
  8. Enable Policy (ON) and CONFIRM that your account will be targeted and continue anyway

  9. Save Policy

2. Block High Risk Sign-Ins

  1. Add New Policy

  2. Name: CISA SCuBA - Block High Risk Sign-Ins

  3. Users

    • Include: ALL
    • Exclude: Emergency Access Account
  4. Target Resources

    • All Resources (formerly 'All cloud apps')
  5. Network

    • Not Configured
  6. Conditions

    [Screenshot in the original: High Risk Sign-Ins Conditions]

  7. Access Controls

    • Grant > Block Access
    • Session > 0 controls selected
  8. Enable Policy (ON) and CONFIRM that your account will be targeted and continue anyway

  9. Save Policy

3. Block High Risk Users

  1. Add New Policy

  2. Name: CISA SCuBA - Block High Risk Users

  3. Users

    • Include: ALL
    • Exclude: Emergency Access Account
  4. Target Resources

    • All Resources (formerly 'All cloud apps')
  5. Network

    • Not Configured
  6. Conditions

    [Screenshot in the original: High Risk Users Conditions]

  7. Access Controls

    • Grant > Block Access
    • Session > 0 controls selected
  8. Enable Policy (ON) and CONFIRM that your account will be targeted and continue anyway

  9. Save Policy

4. Block Legacy Auth

  1. Add New Policy

  2. Name: CISA SCuBA - Block Legacy Auth

  3. Users

    • Include: ALL
    • Exclude: Emergency Access Account
  4. Target Resources

    • All Resources (formerly 'All cloud apps')
  5. Network

    • Not Configured
  6. Conditions

    [Screenshot in the original: Block Legacy Auth Conditions]

  7. Access Controls

    • Grant > Block Access
    • Session > 0 controls selected
  8. Enable Policy (ON) and CONFIRM that your account will be targeted and continue anyway

  9. Save Policy

5. Replay Resistant MFA

  1. Add New Policy

  2. Name: CISA SCuBA - Replay Resistant MFA for All Users - Excl. Managed Devices

  3. Users

    • Include: ALL
    • Exclude: Emergency Access Account
    • Exclude: Users - MFA Pending - Static
  4. Target Resources

    • All Resources (formerly 'All cloud apps')
  5. Network

    • Not Configured
  6. Conditions

    [Screenshot in the original: Replay Resistant MFA Conditions]

  7. Access Controls

    • Grant: [Screenshot in the original: Replay Resistant MFA Grant Controls]
    • Session: [Screenshot in the original: Replay Resistant MFA Session Controls]
  8. Enable Policy (REPORT-ONLY) and CONFIRM that your account will be targeted and continue anyway

  9. Save Policy
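As an added example that is not part of the original page, the script below creates the five CISA SCuBA policies above (policies 1 through 5) through the Microsoft Graph PowerShell SDK instead of the portal. It assumes a GCC High tenant (hence `-Environment USGov`, matching entra.microsoft.us), uses placeholder object IDs for the Emergency Access Account and the "Users - MFA Pending - Static" group, and infers each policy's condition set from its name because the page's condition screenshots are not reproduced here; the "Replay Resistant MFA" grant control is assumed to be the built-in phishing-resistant authentication strength. Compare each body against the corresponding screenshot before running it.

```powershell
# Added example, not from the original page: policies 1-5 via Microsoft Graph PowerShell.
# Assumptions: GCC High tenant (-Environment USGov); placeholder object IDs below;
# condition blocks inferred from each policy's name (the page shows them as screenshots).
Connect-MgGraph -Environment USGov -Scopes 'Policy.ReadWrite.ConditionalAccess' -NoWelcome

$EmergencyAccessAccountId = '<object-id-of-emergency-access-account>'   # placeholder
$MfaPendingGroupId        = '<object-id-of-Users-MFA-Pending-Static>'    # placeholder

# Built-in "Phishing-resistant MFA" authentication strength (well-known ID); assumed to be
# what the page's "Replay Resistant MFA Grant Controls" screenshot selects.
$PhishingResistantStrengthId = '00000000-0000-0000-0000-000000000004'

function New-CaPolicy {
    param(
        [Parameter(Mandatory)] [string]    $Name,
        [Parameter(Mandatory)] [hashtable] $Conditions,   # policy-specific condition keys
        [Parameter(Mandatory)] [hashtable] $Grant,        # grantControls block
        [string[]] $ExcludeGroups = @(),
        [ValidateSet('enabled', 'enabledForReportingButNotEnforced', 'disabled')]
        [string] $State = 'enabledForReportingButNotEnforced'
    )
    # Pieces every policy on the page shares: all users, the emergency access account
    # excluded, all resources targeted, network not configured, no session controls.
    $merged = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($EmergencyAccessAccountId); excludeGroups = $ExcludeGroups }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')      # Graph requires this key; a policy-specific value overrides it
    }
    foreach ($key in $Conditions.Keys) { $merged[$key] = $Conditions[$key] }

    $body = @{
        displayName   = $Name
        state         = $State
        conditions    = $merged
        grantControls = $Grant
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

$block = @{ operator = 'OR'; builtInControls = @('block') }

# 1. Block Device Code Flow -> Conditions > Authentication flows > Device code flow
New-CaPolicy -Name 'CISA SCuBA - Block Device Code Flow' -State enabled -Grant $block `
    -Conditions @{ authenticationFlows = @{ transferMethods = 'deviceCodeFlow' } }

# 2. Block High Risk Sign-Ins -> Conditions > Sign-in risk > High
New-CaPolicy -Name 'CISA SCuBA - Block High Risk Sign-Ins' -State enabled -Grant $block `
    -Conditions @{ signInRiskLevels = @('high') }

# 3. Block High Risk Users -> Conditions > User risk > High
New-CaPolicy -Name 'CISA SCuBA - Block High Risk Users' -State enabled -Grant $block `
    -Conditions @{ userRiskLevels = @('high') }

# 4. Block Legacy Auth -> Conditions > Client apps > Exchange ActiveSync clients + Other clients
New-CaPolicy -Name 'CISA SCuBA - Block Legacy Auth' -State enabled -Grant $block `
    -Conditions @{ clientAppTypes = @('exchangeActiveSync', 'other') }

# 5. Replay Resistant MFA -> report-only, as the page instructs. The "Users - MFA Pending -
#    Static" group is excluded so new users can still reach registration. The managed-device
#    exclusion implied by "Excl. Managed Devices" lives in the page's Conditions screenshot
#    and is not reproduced here.
New-CaPolicy -Name 'CISA SCuBA - Replay Resistant MFA for All Users - Excl. Managed Devices' `
    -State enabledForReportingButNotEnforced -ExcludeGroups @($MfaPendingGroupId) `
    -Conditions @{} `
    -Grant @{ operator = 'OR'; authenticationStrength = @{ id = $PhishingResistantStrengthId } }
```

Run it as an account holding the Conditional Access Administrator role. Because `New-CaPolicy` defaults `$State` to report-only, dropping the explicit `-State enabled` arguments creates all five policies in report-only first, which lets you review the sign-in log impact before enforcing the blocks.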

6. Block Deactivated Users

  1. Add New Policy

  2. Name: Cloud Apps - Block ALL Deactivated Users

  3. Users

    • Include: Users - DEACTIVATED USER - Static
    • Exclude: Emergency Access Account
  4. Target Resources

    • All Resources (formerly 'All cloud apps')
  5. Network

    • Not Configured
  6. Conditions

    • 0 Conditions selected
  7. Access Controls

    • Grant > Block Access
    • Session > 0 controls selected
  8. Enable Policy (ON)

  9. Save Policy

7. Block Mobile Devices

  1. Add New Policy

  2. Name: Cloud Apps - Block Mobile Devices

  3. Users

    • Include: All Users
    • Exclude: Emergency Access Account
  4. Target Resources

    • All Resources (formerly 'All cloud apps')
  5. Network

    • Not Configured
  6. Conditions

    [Screenshot in the original: Block Mobile Devices Conditions]

  7. Access Controls

    • Grant > Block Access
    • Session > 0 controls selected
  8. Enable Policy (ON)

  9. Save Policy

8. Block Unmanaged Devices

  1. Add New Policy

  2. Name: Cloud Apps - Block Unmanaged Devices - Excl. MyAccount + Cloud PC

  3. Users

    • Include: All Users
    • Exclude: Emergency Access Account
  4. Target Resources

    • Include: All Resources (formerly 'All cloud apps')
    • Exclude: [Screenshot in the original: Block Unmanaged Devices Exclusions]
  5. Network

    • Not Configured
  6. Conditions

    [Screenshot in the original: Block Unmanaged Devices Conditions]

  7. Access Controls

    • Grant > Block Access
    • Session > 0 controls selected
  8. Enable Policy (REPORT-ONLY) and CONFIRM that your account will be targeted and continue anyway

    NOTE: MAKE SURE THIS IS ON REPORT-ONLY OR YOU WILL LOCK YOURSELF OUT OF THE ENVIRONMENT OUTSIDE OF THE CLOUD PC. We will enable it once the environment is ready.

  9. Save Policy

9. Require MFA for Cloud PC

  1. Add New Policy

  2. Name: Cloud PC - Require Replay Resistant MFA for Connection

  3. Users

    • Include: All Users
    • Exclude: Emergency Access Account
  4. Target Resources

    [Screenshot in the original: Cloud PC Target Resources]

  5. Network

    • Not Configured
  6. Conditions

    [Screenshot in the original: Cloud PC Conditions - Part 1]
    [Screenshot in the original: Cloud PC Conditions - Part 2]

  7. Access Controls

    • Grant: [Screenshot in the original: Cloud PC Grant Controls]
    • Session: [Screenshot in the original: Cloud PC Session Controls]
  8. Enable Policy (ON) and CONFIRM that your account will be targeted and continue anyway

  9. Save Policy

10. Allow MFA Registration for New Users

  1. Add New Policy

  2. Name: Onboarding - Allow MFA registration access for new users

  3. Users

    • Include: Users - Pending MFA - Static
    • Exclude: Emergency Access Account
  4. Target Resources

    • Include: All Resources (formerly 'All cloud apps')
    • Exclude: [Screenshot in the original: MFA Registration Exclusions]
  5. Network

    • Not Configured
  6. Conditions

    • 0 Conditions selected
  7. Access Controls

    • Grant > Block Access
    • Session > 0 controls selected
  8. Enable Policy (ON)

  9. Save Policy
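Once all ten policies exist, the check below confirms that every one of them is present, that the Emergency Access Account is excluded from each (the one exclusion every policy on this page shares), and that "Block Unmanaged Devices" is still report-only as the note in policy 8 requires. This is an added example, not part of the original page; it assumes a GCC High tenant (`-Environment USGov`) and uses placeholder object IDs for the emergency access account, whether it is excluded directly or through a group.

```powershell
# Added example, not from the original page: audit the ten policies after creation.
# Assumptions: GCC High tenant (-Environment USGov); placeholder object IDs below.
Connect-MgGraph -Environment USGov -Scopes 'Policy.Read.All' -NoWelcome

$EmergencyAccessAccountId = '<object-id-of-emergency-access-account>'        # placeholder
$EmergencyAccessGroupId   = '<object-id-of-group-holding-the-account>'       # placeholder (if excluded via group)

# Display names exactly as the page specifies them (policies 1-10)
$ExpectedPolicies = @(
    'CISA SCuBA - Block Device Code Flow'
    'CISA SCuBA - Block High Risk Sign-Ins'
    'CISA SCuBA - Block High Risk Users'
    'CISA SCuBA - Block Legacy Auth'
    'CISA SCuBA - Replay Resistant MFA for All Users - Excl. Managed Devices'
    'Cloud Apps - Block ALL Deactivated Users'
    'Cloud Apps - Block Mobile Devices'
    'Cloud Apps - Block Unmanaged Devices - Excl. MyAccount + Cloud PC'
    'Cloud PC - Require Replay Resistant MFA for Connection'
    'Onboarding - Allow MFA registration access for new users'
)

# The page says this policy must stay report-only until the environment is ready (policy 8 note)
$ReportOnlyUntilReady = @('Cloud Apps - Block Unmanaged Devices - Excl. MyAccount + Cloud PC')

function Test-CaPolicyBaseline {
    param([object[]] $Policies)   # output of Get-MgIdentityConditionalAccessPolicy

    $byName = @{}
    foreach ($p in $Policies) { $byName[$p.DisplayName] = $p }

    foreach ($name in $ExpectedPolicies) {
        $p = $byName[$name]
        if (-not $p) {
            [pscustomobject]@{ Policy = $name; State = 'MISSING'; EmergencyAccountExcluded = $false; Finding = 'Policy not found' }
            continue
        }
        # Exclusion counts whether the account is excluded directly or via a group
        $excluded = (@($p.Conditions.Users.ExcludeUsers)  -contains $EmergencyAccessAccountId) -or
                    (@($p.Conditions.Users.ExcludeGroups) -contains $EmergencyAccessGroupId)
        $finding = ''
        if (-not $excluded) {
            $finding = 'Emergency access account is not excluded'
        } elseif ($ReportOnlyUntilReady -contains $name -and $p.State -eq 'enabled') {
            $finding = 'Must stay report-only until the environment is ready (lockout risk outside the Cloud PC)'
        }
        [pscustomobject]@{ Policy = $name; State = $p.State; EmergencyAccountExcluded = $excluded; Finding = $finding }
    }
}

$results = Test-CaPolicyBaseline -Policies (Get-MgIdentityConditionalAccessPolicy -All)
$results | Format-Table -AutoSize
if ($results | Where-Object Finding) {
    Write-Warning 'Findings above need attention before any report-only policy is switched to ON.'
}
```

Re-run the check after any later change to the policy set; a missing emergency-account exclusion is the mistake most likely to lock administrators out once the report-only policies are enforced.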