This conditional access baseline is based on the Microsoft Conditional Access Baseline by Claus Jespersen. This one is slightly minimized and easier to understand, but still protects almost everything you could wish for. Use this baseline as a starting point and expand or modify it where needed.
Tip
There's no need to create policies, groups or named locations yourself. This can be done automatically using Micke-K's Intune Management tool, as described in Importing the baseline.
Important
Do not forget to add your break the glass/emergency access accounts to the exclusion group. When using this baseline that would be CA-BreakGlassAccounts - Exclude.
- Conditional access Baseline
- Table of Contents
- Resources
- Version history
- Changelog
- Personas
- Conditional access policies
- CA000-Global-IdentityProtection-AnyApp-AnyPlatform-MFA
- CA001-Global-AttackSurfaceReduction-AnyApp-AnyPlatform-BLOCK-CountryWhitelist
- CA002-Global-IdentityProtection-AnyApp-AnyPlatform-Block-LegacyAuthentication
- CA003-Global-BaseProtection-RegisterOrJoin-AnyPlatform-MFA
- CA004-Global-IdentityProtection-AnyApp-AnyPlatform-AuthenticationFlows
- CA005-Global-DataProtection-Office365-AnyPlatform-Unmanaged-AppEnforcedRestrictions-BlockDownload
- CA006-Global-DataProtection-Office365-iOSenAndroid-RequireAppProtection
- CA100-Admins-IdentityProtection-AdminPortals-AnyPlatform-MFA
- CA101-Admins-IdentityProtection-AnyApp-AnyPlatform-MFA
- CA102-Admins-IdentityProtection-AllApps-AnyPlatform-SigninFrequency
- CA103-Admins-IdentityProtection-AllApps-AnyPlatform-PersistentBrowser
- CA200-Internals-IdentityProtection-AnyApp-AnyPlatform-MFA
- CA201-Internals-IdentityProtection-AnyApp-AnyPlatform-BLOCK-HighRisk
- CA202-Internals-IdentityProtection-AllApps-WindowsMacOS-SigninFrequency-UnmanagedDevices
- CA203-Internals-AppProtection-MicrosoftIntuneEnrollment-AnyPlatform-MFA
- CA204-Internals-AttackSurfaceReduction-AllApps-AnyPlatform-BlockUnknownPlatforms
- CA205-Internals-BaseProtection-AnyApp-Windows-CompliantorAADHJ
- CA206-Internals-IdentityProtection-AllApps-AnyPlatform-PersistentBrowser
- CA207-Internals-AttackSurfaceReduction-SelectedApps-AnyPlatform-BLOCK
- CA208-Internals-BaseProtection-AnyApp-MacOS-Compliant
- CA400-GuestUsers-IdentityProtection-AnyApp-AnyPlatform-MFA
- CA401-GuestUsers-AttackSurfaceReduction-AllApps-AnyPlatform-BlockNonGuestAppAccess
- CA402-GuestUsers-IdentityProtection-AllApps-AnyPlatform-SigninFrequency
- CA403-Guests-IdentityProtection-AllApps-AnyPlatform-PersistentBrowser
- CA404-Guests-AttackSurfaceReduction-SelectedApps-AnyPlatform-BLOCK
- Named locations
- Considerations
- Importing the baseline
➡ Microsoft Learn: https://learn.microsoft.com/en-us/azure/architecture/guide/security/conditional-access-framework
➡ Framework documentation by Claus Jespersen: https://github.com/microsoft/ConditionalAccessforZeroTrustResources/blob/main/ConditionalAccessGovernanceAndPrinciplesforZeroTrust%20October%202023.pdf
➡ Framework resources: https://github.com/microsoft/ConditionalAccessforZeroTrustResources
➡ idPowerToys for CA documentation: https://idpowertoys.merill.net/
| Version nr | Release date |
|---|---|
| 2024.4.1 | Released 10-04-2024 |
| 2024.6.1 | Released 26-06-2024 |
- CA208: Added this policy to require MacOS device compliance
- CA207: Added this policy to explicitly block certain apps on any platform for the internals persona.
- CA404: Added this policy to explicitly block certain apps on any platform for the guest persona.
- CA103: Added this policy to never have persistent browser sessions on any platform for the admins persona.
- CA206: Added this policy to never have persistent browser sessions on any platform for the internals persona.
- CA403: Added this policy to never have persistent browser sessions on any platform for the guests persona.
- CA006: Added this policy to require App Protection for iOS and Android devices when accessing Exchange Online and SharePoint Online.
- CA100: Added a few Admin roles to require MFA.
- CA101: Added a few Admin roles to require MFA.
Global is a persona/placeholder for policies that are general in nature or do not apply to only one persona. It is used to define policies that apply to all personas, or that do not apply to one specific persona. The reason for having this persona is to have a model in which all relevant scenarios can be protected: it holds policies that apply to all users, or policies that enforce protection on scenarios not covered by the policies for other personas.
We define admins in this context as any non-guest identity (cloud or synced) that has any Azure AD or other Microsoft 365 admin role (such as in MDCA, Exchange, Defender for Endpoint or Compliance). Guests who hold such roles are covered by a separate persona, so guests are excluded from this persona.
Internals covers all users who have an AD account synced to Azure AD, are employees of the company and work in a standard end-user role.
Guests holds all users who have an Azure AD guest account that has been invited into the customer tenant.
This policy requires MFA for all cloud apps, from every platform. It captures all authentications in scope not captured by other MFA policies.
This policy blocks access to all cloud apps, from every platform, for all countries except those configured in the named location ALLOWED COUNTRIES. That named location is excluded from this policy.
Important
Modify the named location with your approved countries. By default only Belgium, Luxembourg and the Netherlands are allowed access.
This policy blocks legacy authentication for all users, to all cloud apps, from any platform.
This policy requires MFA for all users, to register or join a device to your tenant/environment.
Tip
Make sure to disable Require Multifactor Authentication to register or join devices with Microsoft Entra. This can be found under https://portal.azure.com -> Entra ID -> Devices -> Device settings.
This policy prevents all users from transferring authentication flows, for example from a PC to a mobile device. This feature is currently in preview.
This policy prevents all users from downloading, printing or syncing Office 365 data from an unmanaged device. It requires App Enforced Restrictions.
This policy requires App Protection policies for all users when accessing Office 365 data from iOS or Android devices. Admin roles are excluded to make sure the Microsoft 365 apps on iOS and Android devices keep working. This one is designed on the principle that admin roles are only assigned to admin accounts!
This policy requires MFA for certain admin roles when they access the Admin Portals. This one is designed on the principle that admin roles are only assigned to admin accounts!
This policy requires MFA for certain admin roles when they access any cloud app. This one is designed on the principle that admin roles are only assigned to admin accounts!
This policy sets a Sign-in frequency for certain admin roles to a maximum of 12 hours. Admins need to re-authenticate or log on again after 12 hours.
This policy prevents having persistent browser sessions for admins from every device.
This policy requires MFA for all internal identities, for all cloud applications, from any platform.
Important
Verify the included group(s) and/or add your custom groups which have all internals in it. APP_Microsoft365_E5 is added as an example.
This policy blocks all internal users which have a high risk (sign-in and user risk) status, to all cloud apps, from all platforms.
Important
Verify the included group(s) and/or add your custom groups which have all internals in it. APP_Microsoft365_E5 is added as an example.
This policy sets a Sign-in frequency to a maximum of 12 hours for internals, to all cloud apps, using unmanaged Windows or MacOS devices.
Important
Verify the included group(s) and/or add your custom groups which have all internals in it. APP_Microsoft365_E5 is added as an example.
This policy requires MFA for internals when enrolling their devices in Intune.
Important
Verify the included group(s) and/or add your custom groups which have all internals in it. APP_Microsoft365_E5 is added as an example.
This policy blocks unknown/unsupported device platforms for internals.
Note
Currently only Windows, MacOS, Android and iOS are supported. If (for example) Linux or Windows Phone is allowed you need to modify the policy.
Important
Verify the included group(s) and/or add your custom groups which have all internals in it. APP_Microsoft365_E5 is added as an example.
This policy requires internals to make use of a Windows device that is compliant or AADHJ (Azure AD Hybrid Joined / Entra ID Hybrid Joined) while accessing any cloud app.
Important
Verify the included group(s) and/or add your custom groups which have all internals in it. APP_Microsoft365_E5 is added as an example.
This policy prevents having persistent browser sessions for internals from unmanaged devices. Managed and compliant devices are excluded from the policy.
Important
Verify the included group(s) and/or add your custom groups which have all internals in it. APP_Microsoft365_E5 is added as an example.
This policy prevents internals from accessing specific apps. In this example I've blocked a random app. You should review the included and excluded apps. Excluding Office 365 is not necessary if it's not included; this is just an example.
Important
Verify the included group(s) and/or add your custom groups which have all internals in it. APP_Microsoft365_E5 is added as an example.
This policy requires MacOS devices to be compliant for internals.
Important
Verify the included group(s) and/or add your custom groups which have all internals in it. APP_Microsoft365_E5 is added as an example.
This policy requires guests to use MFA, from any platform, when accessing any cloud app.
This policy blocks access for guests to all cloud apps (except for those excluded), from any device.
Important
Make sure to exclude additional cloud apps if any guest needs access to these apps.
This policy sets a Sign-in frequency to a maximum of 12 hours for guests, to all cloud apps, using any device.
This policy prevents guests from having persistent browser sessions.
This policy prevents guests from accessing specific apps. In this example I've blocked a random app. You should review the included and excluded apps. Excluding Office 365 is not necessary if it's not included; this is just an example.
| Name | Location type | Assigned to policy |
|---|---|---|
| ALLOWED COUNTRIES | Countries (IP) | CA001-Global-AttackSurfaceReduction-AnyApp-AnyPlatform-BLOCK-CountryWhitelist |
- You might want to remove the "CA - BreakGlassAccounts - Exclude" group from the Admin MFA policies (CA101, CA102) if they use MFA and/or only exclude 1 single BreakGlass account.
- You might want to lower the risk state in CA201 and/or separate User-Risk and Sign-in Risk into 2 single policies.
These PowerShell scripts use the Microsoft Authentication Library (MSAL), Microsoft Graph APIs and Azure Management APIs to manage objects in Intune and Azure. The scripts have a simple WPF UI and support operations like Export, Import, Copy, Download, Compare etc.
This makes it easy to back up or clone a complete Intune environment. The scripts can export and import objects including assignments, and support import/export between tenants. The scripts create a migration table during export and use it to import assignments in other environments. Missing groups are created in the target environment during import. Group information like name, description and type is imported based on the exported group, e.g. dynamic groups are supported. There is one json file for each group in the export folder.
The scripts also support dependencies, e.g. an App Protection depends on an App, Policy Sets depend on Compliance Policies, objects have Scope Tags etc. Dependency support requires exported json files and that the dependency objects are imported in the environment. The script uses the exported json files to get the Ids and names of the exported objects, and uses that information to update Ids before importing an object from a json file. The Bulk Import form shows the import order of the objects. The objects with the lowest order number are imported first.
Tip
The following tool is used: https://github.com/Micke-K/IntuneManagement. Always download the latest version before importing or exporting data.
Start by downloading the files from GitHub. Extract the GitHub repo somewhere on your device. For example: C:\Intune\IntuneManagement.
Unblock all .cmd/.ps1/.psd files with the following PowerShell command.

```powershell
Get-ChildItem -Path "C:\Intune\IntuneManagement\" -File -Recurse | Unblock-File
```

Start the IntuneManagementTool:

```powershell
cd C:\Intune\IntuneManagement\
.\Start-IntuneManagement.ps1
```
Start by authenticating to your tenant with the profile icon in the top right.
In the modern authentication window that pops up, sign in with an account that has appropriate permissions, if unsure use Global Administrator. After sign-in you will be prompted to accept permissions for Microsoft Intune PowerShell, DO NOT tick the box to consent on behalf of your organisation.
It's likely that the first time you do this you'll still see that you don't have access to the settings; you'll know this because all the text in the left-hand menu will be red, like so.
From here, select the profile icon in the top right corner and then Request Consent again.
Go ahead and accept the popup again, this should clear all the red text on the left hand-side. DO NOT tick the box to consent on behalf of your organisation.
Now we can start importing, exporting, or comparing tenant configurations.
1: Click on Bulk -> Import
2: Select the folder where you stored the conditional access policies.
3: Decide if you want to import all the assignments or assign all policies yourself.
4: Set "Conditional Access State" to Off or Report-only. Don't forget to enable these later! This should be done after MFA is set up for a Global Admin account and (if required) a Break the Glass account is created.
5: Click Import
Once the importing is complete, all policies will be available for you to modify and/or enable them.
Caution
Be careful activating the policies! Make sure you have decent exclusions and/or a break the glass account in place. Enable the policies one by one or start with report-only.
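As an added example (not part of the baseline or the Intune Management tool), the following Python script performs the pre-import checks that steps 4 and the caution above describe: every policy is Off or Report-only, the break-glass group is in the exclusions, and a block policy covering all locations excludes a named location. It assumes the exported files use the Graph conditionalAccessPolicy JSON shape, and the group id and named-location id are constructed placeholders.

```python
import json
from pathlib import Path

# Constructed sample data: a placeholder break-glass group id and two policies in the Graph
# conditionalAccessPolicy JSON shape (that the export files use this shape is an assumption).
BREAK_GLASS_GROUP_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_POLICIES = [
    {   # safe: report-only, break-glass excluded, allowed-countries location excluded
        "displayName": "CA001-Global-AttackSurfaceReduction-AnyApp-AnyPlatform-BLOCK-CountryWhitelist",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [BREAK_GLASS_GROUP_ID]},
            "locations": {"includeLocations": ["All"], "excludeLocations": ["<ALLOWED COUNTRIES id>"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {   # unsafe: enforcing on import, and the break-glass group is not excluded
        "displayName": "CA000-Global-IdentityProtection-AnyApp-AnyPlatform-MFA",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": []}, "locations": None},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]
SAFE_IMPORT_STATES = {"disabled", "enabledForReportingButNotEnforced"}


def check_policy(policy: dict, break_glass_group_id: str) -> list:
    """Return findings for one policy; an empty list means it is safe to import."""
    name = policy.get("displayName", "<unnamed>")
    conditions = policy.get("conditions") or {}
    locations = conditions.get("locations") or {}
    findings = []
    if policy.get("state") not in SAFE_IMPORT_STATES:
        findings.append(f"{name}: state is '{policy.get('state')}', import as Off or Report-only first")
    if break_glass_group_id not in (conditions.get("users") or {}).get("excludeGroups", []):
        findings.append(f"{name}: break-glass group is not excluded")
    # A block policy that includes all locations is only safe when a named location
    # (here ALLOWED COUNTRIES) is excluded; otherwise it blocks every sign-in.
    blocks = (policy.get("grantControls") or {}).get("builtInControls") == ["block"]
    if blocks and locations.get("includeLocations") == ["All"] and not locations.get("excludeLocations"):
        findings.append(f"{name}: blocks all locations without an excluded named location")
    return findings


def check_export_folder(folder: str, break_glass_group_id: str) -> dict:
    """Run check_policy over every *.json file in an export folder (one policy per file)."""
    results = {}
    for path in sorted(Path(folder).glob("*.json")):
        with open(path, encoding="utf-8") as fh:
            results[path.name] = check_policy(json.load(fh), break_glass_group_id)
    return results
```

Run `check_export_folder(r"C:\Intune\CA-Export", "<your break-glass group id>")` against the folder you selected in step 2 and fix every reported finding before clicking Import.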