“To group or not to group” is the question – talking about Conditional Access and specifically exclusion groups

In this blog post I discuss whether it's a good idea to use exclusion groups for Conditional Access policies, and why perhaps not. Topics include roles in Entra, external tools not being able to resolve group membership for an evergreen dashboard, and more…

Don't lie, this happened to you too

I didn't know that this user was still excluded from a certain Conditional Access rule – somebody must have tried something when his/her new phone didn't just work with the Outlook app last month or so…

Thanks to guys like Kenneth van Surksum and Joey Verlinden, it is pretty straightforward to implement an almost perfect Conditional Access framework. Just pick one and adapt it to your needs or licenses.

  • Entra ID P2 = Sign-In Risk – Enforce MFA
  • Entra ID P2 = User Risk – Reset Password
  • Defender for Cloud Apps – route sessions behind a “proxy” and don't let them download anything to unmanaged devices
  • Continuous Access Evaluation and still a Citrix desktop – tough cookie
  • Trusted locations, e.g. for scanners, or password resets only from the company's headquarters in certain cases

Almost all frameworks use Conditional Access groups

It has become the standard, and I guess almost everybody works with groups to exclude certain people or accounts from Conditional Access policies. Hopefully at least the break-glass account/group is excluded from the right policies.

But should you use groups, or should a qualified engineer directly exclude an account from a certain policy after checking the sign-in logs and finding the cause of the problem? I say qualified engineer – why?

Riskier roles in Entra ID: more know-how needed to allow users to circumvent policies

Wouldn't it be easier and safer to allow only trained engineers with a higher role (Security Administrator) to manipulate memberships and exclusions for essential Conditional Access policies? Not saying that it can't be the same person, just not with the operations hat on, taking 5 calls per minute because of the flu going around the team and then forgetting to document stuff.

Alternatively use access reviews, but… rather go with Privileged Identity Management

You can use access reviews on a weekly basis to check memberships, but maybe one week is already too late? I'd rather work with dedicated Entra groups and Privileged Identity Management to elevate helpdesk users when needed, for example to Security Administrator for an hour or so… (But this is another blog post in the pipeline.)

Sample scenarios

  • The CEO of your most important client is fuming, he can't work from his vacation overseas.
    He doesn't remember that he was supposed to let IT know that he's travelling out of Europe so they can exclude him from that Europe-only Conditional Access policy.
    Quickly exclude him, forget about it – and long after his holidays are over somebody still logs in from that dubious hotel lobby PC…
  • Sign-in logs tell you that a certain Conditional Access policy blocks a user from working. No worries, got my Global Admin rights, just put that slider over there (ON <-> OFF) et voilà – now it works…
  • Somebody told me (I just started to work here with this MSP at the helpdesk) – if something doesn't work, just put that user in the CondAccess-Exclude group, but which one?
    I guess CondAccess-Exclude-BreakGlass sounds good, and now it works with the native Mail app and Calendar for the customer on his iPhone…

Baseline compliance tools not being able to see group memberships

Another thing: if you work with Inforcer or another tool to keep your customers' Intune configuration profiles and Conditional Access policies up to date and in line with your baseline tenant, those tools usually don't check group memberships – but more on this in another post.
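The report such a tool does not give you, as an added example that is neither from this post nor from any of the tools mentioned: it walks every Conditional Access policy, lists direct user exclusions, expands every exclusion group to its current members and notes role exclusions, so the "quickly excluded and forgotten" accounts and the hidden group-based exclusions end up side by side. It assumes the Microsoft Graph PowerShell SDK on PowerShell 7 and a read-only identity with Policy.Read.All, GroupMember.Read.All and User.Read.All.

```powershell
# Added example (not from the post): inventory all Conditional Access exclusions,
# resolving exclusion groups to members. Read-only; nothing in the tenant is changed.
# Assumes: Microsoft Graph PowerShell SDK, PowerShell 7 (for the ?? operator).
Connect-MgGraph -Scopes "Policy.Read.All", "GroupMember.Read.All", "User.Read.All" -NoWelcome

$report = foreach ($policy in Get-MgIdentityConditionalAccessPolicy -All) {
    $users = $policy.Conditions.Users

    # Accounts excluded directly on the policy (the "quickly exclude him" case)
    foreach ($userId in $users.ExcludeUsers) {
        $u = Get-MgUser -UserId $userId -Property DisplayName, UserPrincipalName -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Policy  = $policy.DisplayName
            State   = $policy.State
            Via     = 'DirectUser'
            Source  = '-'
            Account = if ($u) { $u.UserPrincipalName } else { "$userId (not resolved)" }
        }
    }

    # Accounts excluded through group membership (invisible when only policy JSON is compared)
    foreach ($groupId in $users.ExcludeGroups) {
        $g = Get-MgGroup -GroupId $groupId -Property DisplayName -ErrorAction SilentlyContinue
        $groupName = if ($g) { $g.DisplayName } else { "$groupId (not resolved)" }
        foreach ($m in Get-MgGroupMember -GroupId $groupId -All) {
            [pscustomobject]@{
                Policy  = $policy.DisplayName
                State   = $policy.State
                Via     = 'Group'
                Source  = $groupName
                # Nested groups or service principals have no UPN; fall back to the object id
                Account = $m.AdditionalProperties['userPrincipalName'] ?? $m.Id
            }
        }
    }

    # Role-based exclusions are stored as role template ids; listed as-is for the reviewer
    foreach ($roleId in $users.ExcludeRoles) {
        [pscustomobject]@{ Policy = $policy.DisplayName; State = $policy.State; Via = 'Role'; Source = $roleId; Account = '-' }
    }
}

$report | Sort-Object Policy, Via, Account | Format-Table -AutoSize
# For a weekly review, keep a CSV and diff it against last week's run:
# $report | Export-Csv -Path .\ca-exclusions.csv -NoTypeInformation
```

Any row with Via = Group whose Source is a catch-all like CondAccess-Exclude-BreakGlass but whose Account is not a break-glass account is exactly the kind of finding the post describes.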

For me it's pretty clear: I will transition away from exclusion groups – interested to see what bodies I'll uncover…