Forum Discussion

Fahadgul3333
Copper Contributor
Aug 22, 2024

We have multiple Licenses I want to Implement Conditional Access Policy

Hello Everyone,

We have multiple licenses, and I want to implement security for all users.

I created a group, added all company users to this group, and assigned a P1 license to this group.

I want to implement a Conditional Access policy to block all new users who are excluded from this group.

That means anyone who creates a user goes into blocked mode.

When a new user is added to the excluded group, they will be able to access their resources.

But is this possible? I mean, I have doubts about whether it is working or not. Please, can anyone let me know whether this formula works or not?

Thanks and Regards:

Fahad Gul

  • kyazaferr
    Steel Contributor
    1. License Requirements:
      • Ensure that the group-based license assignment includes Azure AD Premium P1, as Conditional Access policies require it.
    2. User Provisioning Delays:
      • There may be a short delay in policy enforcement right after a user is added to the excluded group. Test and account for this in operational procedures.
    3. Break-Glass Account:
      • Always have an account excluded from all Conditional Access policies to prevent accidental lockout.
    4. Auditing and Monitoring:
      • Use Sign-in logs in Azure AD to monitor blocked sign-ins and validate the policy's effectiveness.
  • kyazaferr
    Steel Contributor
    1. Create a Security Group:
      • You already created a group and assigned the P1 license to it. Ensure this group is used for granting access.
    2. Conditional Access Policy:
      • Navigate to Azure Active Directory > Security > Conditional Access and create a new policy.
      • In the Assignments section:
        • Users or workload identities: Include All Users, and exclude the group with licensed users (e.g., "Licensed Users Group").
      • Cloud Apps or Actions: Apply the policy to relevant applications (e.g., Office 365, Exchange Online, etc.).
      • Conditions: You can add conditions, like device platform or location, depending on your needs.
      • Access Controls: Set the policy to Block Access.
    3. Testing the Policy:
      • Before enabling the policy, ensure you have a break-glass account excluded from the policy for emergencies.
      • Test the policy with newly created users outside the group to verify they are blocked.
    4. Grant Access to New Users:
      • When a new user is created, they will initially be blocked.
      • To grant access, add the user to the "Licensed Users Group."
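
The two replies above describe the policy (include All Users, exclude the licensed group, block access), the break-glass exclusion, and checking sign-in logs. The following script is an added example, not code from the thread or from kyazaferr, that does those steps with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, the signed-in admin holds the listed scopes, and the two object IDs are placeholders you replace with your own group and emergency-access account. It creates the policy in report-only mode first so you can confirm who would be blocked before enforcing it.

```powershell
# Added example (not from the thread): create the "block everyone outside the licensed group"
# Conditional Access policy with the Microsoft Graph PowerShell SDK, then review sign-ins it evaluated.
# Assumes the Microsoft.Graph module is installed. Object IDs below are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "AuditLog.Read.All", "Directory.Read.All"

$licensedGroupId     = "<LICENSED-USERS-GROUP-OBJECT-ID>"   # placeholder: group holding the P1 license
$breakGlassAccountId = "<BREAK-GLASS-USER-OBJECT-ID>"        # placeholder: emergency-access account

$policy = @{
    displayName = "Block users not in Licensed Users Group"
    # Report-only first: blocked sign-ins are logged but not enforced until the policy is enabled.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")                 # everyone in the tenant...
            excludeGroups = @($licensedGroupId)      # ...except members of the licensed group
            excludeUsers  = @($breakGlassAccountId)  # ...and the break-glass account, to avoid lockout
        }
        applications = @{
            includeApplications = @("All")           # narrow to specific app IDs if only some apps are in scope
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Validation: list sign-ins from the last day that this policy evaluated.
# In report-only mode a would-be block shows as reportOnlyFailure; once enforced it shows as failure.
$since = (Get-Date).AddDays(-1).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.AppliedConditionalAccessPolicies.Id -contains $created.Id } |
    ForEach-Object {
        $hit = $_.AppliedConditionalAccessPolicies | Where-Object Id -eq $created.Id
        [pscustomobject]@{
            User   = $_.UserPrincipalName
            App    = $_.AppDisplayName
            Result = $hit.Result
            When   = $_.CreatedDateTime
        }
    } | Format-Table -AutoSize

# After the report-only results match expectations (new users blocked, group members and
# the break-glass account untouched), switch the policy to enforced:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

Group membership changes can take a few minutes to reach the sign-in evaluation, which is the provisioning delay the first reply mentions; re-run the sign-in query after adding a new user to the group to confirm their result changes from a block to success.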
