Feature Coming Soon!
Prerequisites
- Minimum Entra P1 license
- Security defaults must be disabled in Entra
- Office 365 Connector configured in ThreatLocker
- Named Locations must be configured in ThreatLocker
Known Microsoft Limitations
- A tenant can have only 195 Named Locations
- A Named Location can't contain more than 2000 IP addresses or ranges
- Named Locations can't be updated incrementally - ThreatLocker recommends creating multiple smaller Named Locations instead of a single large one
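The following is an added example, not ThreatLocker's code or part of the original article: a local PowerShell pre-check that validates a list of IP ranges against the two limits listed above (195 Named Locations per tenant, 2000 ranges per location) and splits the list into location-sized chunks shaped like the Graph `ipNamedLocation` resource, following ThreatLocker's advice to use several small Named Locations instead of one large one. The display-name prefix, the `ExistingLocationCount` value and the sample ranges are constructed; in the flow this article describes, the Office 365 Connector creates the Named Locations, so the output here is a plan to review, not something pushed to Entra.

```powershell
# Added example (not ThreatLocker's code): pre-check IP ranges against the Named
# Location limits stated in this article and split them into location-sized chunks.
$MaxRangesPerLocation = 2000   # limit from the article
$MaxNamedLocations    = 195    # limit from the article

function Split-IpRangesForNamedLocations {
    param(
        [Parameter(Mandatory)] [string[]] $CidrRanges,
        [string] $BaseName = "ThreatLocker-Allowed",   # assumed display-name prefix
        [int]    $ExistingLocationCount = 0            # Named Locations already in the tenant
    )

    # Validate each entry as IPv4 or IPv6 CIDR. Graph rejects malformed ranges with a
    # far less readable error, so fail here and list the offending values.
    $bad = foreach ($r in $CidrRanges) {
        $addr, $bits = $r -split '/', 2
        $ip = $null
        if (-not [System.Net.IPAddress]::TryParse($addr, [ref]$ip) -or $bits -notmatch '^\d+$') { $r; continue }
        $maxBits = if ($ip.AddressFamily -eq 'InterNetworkV6') { 128 } else { 32 }
        if ([int]$bits -gt $maxBits) { $r }
    }
    if ($bad) { throw "Not valid CIDR notation: $($bad -join ', ')" }

    $chunks = [System.Collections.Generic.List[hashtable]]::new()
    for ($i = 0; $i -lt $CidrRanges.Count; $i += $MaxRangesPerLocation) {
        $end = [Math]::Min($i + $MaxRangesPerLocation, $CidrRanges.Count) - 1
        # Shape each chunk the way the Graph ipNamedLocation resource expects it.
        $chunks.Add(@{
            '@odata.type' = '#microsoft.graph.ipNamedLocation'
            displayName   = '{0}-{1:D2}' -f $BaseName, ($chunks.Count + 1)
            isTrusted     = $false
            ipRanges      = @($CidrRanges[$i..$end] | ForEach-Object {
                $type = if ($_ -match ':') { '#microsoft.graph.iPv6CidrRange' } else { '#microsoft.graph.iPv4CidrRange' }
                @{ '@odata.type' = $type; cidrAddress = $_ }
            })
        })
    }

    # The per-location limit is handled by chunking; the tenant-wide limit cannot be,
    # so stop before anyone tries to create locations that Entra will refuse.
    $total = $ExistingLocationCount + $chunks.Count
    if ($total -gt $MaxNamedLocations) {
        throw "Would need $total Named Locations; the tenant limit is $MaxNamedLocations. Aggregate ranges first."
    }
    return $chunks
}

# Constructed sample input: 4500 /24 ranges in 10.0.0.0/8, plus 10 pre-existing locations.
$sample = 0..4499 | ForEach-Object { '10.{0}.{1}.0/24' -f [int][Math]::Floor($_ / 256), ($_ % 256) }
$plan = Split-IpRangesForNamedLocations -CidrRanges $sample -ExistingLocationCount 10
$plan | ForEach-Object { '{0}: {1} ranges' -f $_.displayName, $_.ipRanges.Count }
```

With the constructed sample, the plan comes out as three Named Locations holding 2000, 2000 and 500 ranges, and the function throws instead of producing a plan that would exceed the 195-location tenant limit.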
Disabling Security Defaults
Navigate to the Microsoft Entra admin center.
Select Identity.
In the Identity console, select Overview > Properties.
At the bottom of the Properties tab, select the "Manage Security Defaults" hyperlink.
In the sidebar, select "Disabled" from the dropdown and then press "Save".
Directions for recreating the security defaults can be found at the bottom of this article.
Creating a Conditional Access Policy to Deny All Access to 365 Resources Except for Named Locations
Please Note: Named Locations must first be created in ThreatLocker before creating Conditional Access policies in Entra that reference them.
In Entra, navigate to Protection > Conditional Access > Overview.
On the Overview tab, select "Create new policy".
Provide a name for the policy.
Under "Users", select the users to include and/or exclude from the policy. We chose to include all users with no exclusions.
In the "Target resources" section, choose to control access based on specific apps, user actions, or authentication, and select what to include and/or exclude. We chose to include all resources, with no exclusions.
In the "Network" section, change the toggle to "Yes". In the Include tab, select "Any network or location".
In the Exclude tab, select "Selected networks and locations". A sidebar will open that contains the Named Locations that were created in ThreatLocker and any created directly in Entra. Select which Named Locations you want to exclude from this deny-all policy (that is, the locations from which access to the target resources remains permitted) and then click "Save".
No additional "Conditions" are needed.
Under "Grant", choose "Block access", and then press "Select".
No Session controls are needed.
At the bottom of the policy, choose the policy state: "Report-only" or "On". Report-only lets you observe how the policy would affect the tenant without enforcing it.
Click the "Create" button to save the policy.
Please Note: Microsoft recommends excluding at least one administrator from this policy to serve as a break-glass account.
After enabling this policy in a Report-only state, it can be monitored in Entra by navigating to Protection > Conditional Access > Sign-in logs. There may be up to a 15-minute delay between a sign-in occurring and its appearance in the Sign-in logs.
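The same deny-all-except-Named-Locations policy, created through the Microsoft Graph PowerShell SDK instead of the portal and then checked in the sign-in logs, as an added example that is not ThreatLocker's code or part of this article. It assumes the Microsoft.Graph modules are installed and that the signed-in account can consent to the listed scopes; the Named Location names and the break-glass UPN are placeholders to replace with your own.

```powershell
# Added example (not ThreatLocker's code): build the "block everything outside the
# Named Locations" policy in Report-only state with a break-glass account excluded,
# then list the sign-ins the policy would have blocked.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess", "AuditLog.Read.All", "User.Read.All"

$locationNames = @("ThreatLocker-Office-HQ", "ThreatLocker-Branch-1")   # placeholder names
$breakGlassUpn = "breakglass@contoso.example"                            # placeholder UPN

# Resolve the Named Locations ThreatLocker created. A missing or misspelled name must
# fail here: a policy that silently omits a site would lock that site out once enforced.
$locations = Get-MgIdentityConditionalAccessNamedLocation -All
$locationIds = foreach ($name in $locationNames) {
    $match = $locations | Where-Object DisplayName -eq $name
    if (-not $match) { throw "Named Location '$name' not found in Entra; create it in ThreatLocker first." }
    $match.Id
}
$breakGlass = Get-MgUser -UserId $breakGlassUpn

$policy = @{
    displayName   = "Block access outside ThreatLocker Named Locations"
    state         = "enabledForReportingButNotEnforced"   # Report-only; change to "enabled" after review
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlass.Id) }   # break-glass exclusion
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @($locationIds) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Allow for the delay before sign-ins appear in the logs, then ask which sign-ins from
# the last 24 hours this policy would have blocked. Anything listed here is either a
# site missing from the Named Locations or activity worth a closer look.
$since = (Get-Date).AddHours(-24).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object {
        $_.AppliedConditionalAccessPolicies |
            Where-Object { $_.Id -eq $created.Id -and $_.Result -eq "reportOnlyFailure" }
    } |
    Select-Object CreatedDateTime, UserPrincipalName, IPAddress, AppDisplayName |
    Format-Table -AutoSize
```

The policy is deliberately created in `enabledForReportingButNotEnforced`; the filter on `reportOnlyFailure` surfaces exactly the sign-ins that would have been blocked, so the list should be empty (apart from the break-glass account, which is excluded) before the state is switched to `enabled`.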
Creating Conditional Access Policies to Replicate Microsoft's Security Defaults
Please Note: Microsoft recommends revoking all existing tokens when switching to Conditional Access policies. This will force users to reauthenticate and ensure the new policies are applied.
From the Microsoft Entra admin center, in the left-hand side menu, expand "Protection". Select Conditional Access.
In the "Overview" tab, select "Create new policy from templates" at the top.
The 3 policies that make up the security defaults are:
- Require multifactor authentication for admins
- Block legacy authentication
- Require multifactor authentication for all users
Select the radio button next to the template name, then press "Review + create" (on some screens labelled "Next: Review + Create").
On the following screen, select the desired Policy state. The Report-only state will place the policy into a monitoring state, allowing you to observe how the policy will impact your tenant before turning it on. Once the desired state has been selected, click "Create".
Repeat the process for each of the 3 policies listed above.
For more information or assistance with creating Conditional Access policies, please reach out to the Cyber Hero team.