Beta
Prerequisites
- Minimum Entra P1 license
- Before using Conditional Access, the security defaults must be disabled in Entra
- Office 365 Connector configured in ThreatLocker
- Named Locations must be configured in ThreatLocker
Known Microsoft Limitations
- Can only have 195 Named Locations
- A Named Location can't contain more than 2000 IP addresses or ranges
- Named Locations can't be updated incrementally - ThreatLocker recommends creating multiple smaller Named Locations instead of a single large one
- Microsoft can take up to 15 minutes to apply Conditional Access changes
Please Note: If you are currently using Conditional Access in Entra, you can skip the "Disabling Security Defaults" section and go to the "Creating Conditional Access Policies in 365" section.
Disabling Security Defaults
Navigate to the Microsoft Entra admin center.
Select Identity.
In the Identity console, select Overview > Properties.
At the bottom of the Properties tab, select the "Manage Security Defaults" hyperlink.
In the sidebar, select "Disabled" from the dropdown and then press "Save".
Directions for recreating the security defaults can be found at the bottom of this article.
Creating Conditional Access Policies in 365
Conditional Access policies allow for very granular control over the 365 environment. ThreatLocker Cloud Control provides the ability to dynamically update the IP addresses of computers with the ThreatLocker Agent installed, and the ThreatLocker Access App extends this ability to mobile devices with the app installed. By creating Named Locations in the ThreatLocker portal, you have ThreatLocker automatically keep the matching Named Locations in 365 updated with the most up-to-date IP addresses of your trusted devices, so the Conditional Access policies that reference those Named Locations stay current.
Depending on your individual needs, select one of the following policies to create in 365.
Creating a Conditional Access Policy to Control Access to 365 Resources by Blocking Access From Selected Countries and Permitting Access From Those Countries by Named Location
Please Note: Named Locations must first be created in ThreatLocker before creating Conditional Access policies in Entra using them.
Using this policy configuration, you will first create a Named Location in Entra that contains the untrusted countries. You will then configure a policy that denies access to 365 resources from that untrusted Named Location while permitting access from the trusted IPs, which are collected and dynamically updated by ThreatLocker and the ThreatLocker Access App.
Creating a Static Named Location in Entra Containing Countries to Block Access From
In Entra, navigate to Protection > Conditional Access > Named locations.
Select + Countries location.
Provide a name for the Named location.
Under Country lookup method, select "Determine location by IP address (IPv4 and IPv6)".
Please Note: If you select the checkbox next to "Include unknown countries/regions", IPs that don't map directly to a country will also be included in this location (this is common with VPN egress addresses).
Select the countries you wish to include in your deny access list.
Select the Create button to save the changes.
Creating a Conditional Access Policy to Block Access from Selected Countries and Allow Access from Trusted IPs
Navigate to the Overview tab, and select "Create new policy".
Provide a name for the policy.
Under "Users", select the users to include and/or exclude from the policy. In this example, all users are included with no exclusions.
In the "Target resources" section, you can control access based on specific apps, user actions, or authentication context, and select what to include and/or exclude. In this example, all resources are included with no exclusions.
In the "Network" section, change the toggle to "Yes". In the Include tab, select "Selected networks".
A sidebar will open containing the Named Locations created in ThreatLocker and any created directly in Entra. Select which Named Locations you want to include in this block policy.
Select Save to save your selection.
In the policy, select the "Exclude" tab.
Select "Selected networks and locations". In the sidebar listing the Named Locations, select the Named Locations that contain the IPs of the devices you wish to allow access, even when they are connecting from a blocked country.
No additional "Conditions" are needed.
Under "Grant", choose "Block access", and then press "Select".
No Session controls are needed.
At the bottom of the policy, choose to enable the policy in a "Report-only" state or set it to "On". By using Report-only, you can observe how this policy impacts the tenant before enforcing it. Microsoft recommends that all new Conditional Access policies be set to "Report-only" initially.
Click the "Create" button to save the policy.
Creating a Conditional Access Policy to Deny All Access to 365 Resources Except for Named Locations
Please Note: Named Locations must first be created in ThreatLocker before creating Conditional Access policies in Entra using them.
In Entra, navigate to Protection > Conditional Access > Overview.
On the Overview tab, select "Create new policy".
Provide a name for the policy.
Under "Users", select the users to include and/or exclude from the policy. In this example, all users are included with no exclusions.
In the "Target resources" section, choose to control access based on specific apps, user actions, or authentication context, and select what to include and/or exclude. In this example, all resources are included with no exclusions.
In the "Network" section, change the toggle to "Yes". In the Include tab, select "Any network or location".
In the Exclude tab, select "Selected networks and locations".
In the "Select" section, outlined in red below, click on the blue "None" link.
A sidebar will open containing the Named Locations created in ThreatLocker and any created directly in Entra. Select which Named Locations you want to exclude from this deny-all policy (permitting access to the target resources) and then click "Save."
No additional "Conditions" are needed.
Under "Grant", choose "Block access", and then press "Select".
No Session controls are needed.
At the bottom of the policy, choose to enable the policy in a "Report-only" state or set it to "On". By using Report-only, you can observe how this policy impacts the tenant before enforcing it. Microsoft recommends that all new Conditional Access policies be set to "Report-only" initially.
Click the "Create" button to save the policy.
Please Note: Microsoft recommends excluding at least one administrator from this policy to serve as a break-glass account.
After enabling this policy in a Report-only state, it can be monitored in Entra by navigating to Protection > Conditional Access > Sign-in logs. There may be up to a 15-minute delay between the action occurring and appearing in the Sign-in logs.
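As an added example (not ThreatLocker's or Microsoft's code), the following Python builds the Microsoft Graph request bodies behind the two block policies described above (the country-block policy and the deny-all-except-Named-Locations policy) and splits a trusted-IP list into Named Locations that respect the 2000-entry and 195-location limits listed under "Known Microsoft Limitations". Location and user IDs are constructed placeholders; the bodies use the documented Graph `ipNamedLocation` and `conditionalAccessPolicy` shapes, but whether a given tenant accepts them still has to be verified against your own environment.

```python
"""Build Microsoft Graph bodies for Named Locations and block policies.
Added illustration only; not ThreatLocker or Microsoft code. All IDs are
constructed placeholders."""
from typing import Iterable

MAX_ENTRIES_PER_LOCATION = 2000   # Microsoft limit: IPs/ranges per Named Location
MAX_NAMED_LOCATIONS = 195         # Microsoft limit: Named Locations per tenant


def ip_named_locations(base_name: str, cidrs: Iterable[str]) -> list[dict]:
    """Split a trusted-IP list into several ipNamedLocation bodies so no single
    location exceeds 2000 ranges. Because a Named Location cannot be updated
    incrementally, smaller locations also make each refresh cheaper."""
    cidrs = list(cidrs)
    bodies = []
    for n, start in enumerate(range(0, len(cidrs), MAX_ENTRIES_PER_LOCATION), 1):
        chunk = cidrs[start:start + MAX_ENTRIES_PER_LOCATION]
        bodies.append({
            "@odata.type": "#microsoft.graph.ipNamedLocation",
            "displayName": f"{base_name} {n}",
            "isTrusted": True,
            "ipRanges": [{"@odata.type": "#microsoft.graph.iPv4CidrRange",
                          "cidrAddress": c} for c in chunk],
        })
    if len(bodies) > MAX_NAMED_LOCATIONS:
        raise ValueError("would exceed the 195 Named Location limit")
    return bodies


def block_policy(name: str, include_locations: list[str], exclude_locations: list[str],
                 break_glass_users: list[str], report_only: bool = True) -> dict:
    """Body for a 'Block access' policy. The country-block policy passes the
    country Named Location IDs as include_locations; the deny-all policy passes
    ["All"]. exclude_locations are the ThreatLocker-maintained trusted IPs.
    At least one break-glass administrator must be excluded from the policy."""
    if not break_glass_users:
        raise ValueError("exclude at least one break-glass administrator")
    return {
        "displayName": name,
        # Report-only first, as Microsoft recommends, then switch to "enabled"
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": break_glass_users},
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": include_locations,
                          "excludeLocations": exclude_locations},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }
```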
Creating Conditional Access Policies to Replicate Microsoft's Security Defaults
Please Note: Microsoft recommends revoking all existing tokens when switching to Conditional Access policies. This will force users to reauthenticate and ensure the new policies are applied.
From the Microsoft Entra admin center, in the left-hand side menu, expand "Protection". Select Conditional Access.
In the "Overview" tab, select "Create new policy from templates" at the top.
The 3 policies that make up the security defaults are:
- Require multifactor authentication for admins
- Block legacy authentication
- Require multifactor authentication for all users
Select the radio button next to the template name, then press "Review + create" or "Next: Review + Create".
On the following screen, select the desired Policy state. The Report-only state places the policy into a monitoring state, allowing you to observe how the policy will impact your tenant before turning it on. Once the desired state has been selected, click "Create".
Repeat the above process, applying all 3 policies listed above.
For more information or assistance with creating Conditional Access policies, please reach out to the Cyber Hero team.
References:
MicrosoftGuyJFlo. (n.d.). Microsoft Entra Conditional Access documentation - Microsoft Entra ID. Microsoft Learn. https://learn.microsoft.com/en-us/entra/identity/conditional-access/