2020 Edition of the Recommended Conditional access policy design guide is available now
Alex Fields
I just finished updating the Conditional access design guide, part of the Microsoft 365 Best practices checklists. The new updates reflect some carefully considered feedback from my clients (real-world scenarios), as well as some new additions and a better organizational structure, in three major groups:
- Authentication Baseline policies – These replace the Security Defaults feature and contain settings every organization should start with, such as enforcing Multi-Factor Authentication (MFA).
- Device Management policies – These policies will strengthen your identity requirements to include managed devices and/or apps; implement along with Microsoft Endpoint Manager / Intune.
- Strict Security policies – Highly sensitive or regulated businesses should consider enforcing additional access controls with these policies.
We are now on version 3 of this policy set, which is a significant update for the New Year. Recent announcements prompted me to get on these updates:
- The free baseline policies will be going away in February, to be replaced with the new Security Defaults feature.
- Additionally, the OneDrive client for macOS will soon support Conditional access as well, so this policy set will support those changes when they go live (and it’s okay to implement them before that too).
Regarding Security Defaults: it is my understanding that these will be enabled by default eventually, as the name implies. However, they cannot co-exist with custom Conditional access policies (custom policies are preferred since you can make exceptions for things like emergency access accounts, trusted locations, trusted devices, service accounts, etc.).
Remember: your job is not necessarily to implement every one of these policies, but to review and consider them when implementing your own. I don’t always implement every single one for every customer, but it is my preferred baseline from which I begin my conversations with the client.
And a reminder that all of my guides and publications are available to everyone for free right here at ITProMentor.com. You don’t have to spend money to get access to this information, but I’ve been blessed with an enthusiastic fan base willing to put some tips in my jar over at Gumroad, just so they can own a downloadable copy (updates included). So thank you for your support, community members!