06-conditional-access.md

File metadata and controls

34 lines (19 loc) · 2.91 KB

Challenge #6 - Conditional Access - Are You Who You Say You Are?


Description

As a result of incorporating the CMC Consultant ID Verify-inator, QA has been satisfied with the fixes and CMC IT Leadership is happy again... BUT (here we go), they have realized that the site might need a little more tightening up.

IT Leadership has requested that we (you) incorporate policies in your SignUp / SignIn User Flow that will require users to verify who they are, using either a code sent to their phone or to their email address.

As a result, during the sign in process, a user should be prompted to enter a verification code (acquired via a phone call, text message, or email). IT Leadership wants the conditional access policy to be based on user location, although for now they want every location to force an MFA challenge.

After some tests, IT Leadership decided to change your conditional access policy so that it still covers all locations but only forces an MFA challenge for users on Android devices. (Most of leadership has iPhones, so there's that.)

Lastly, IT Leadership has asked to block risky users, for which we've decided to rely on Azure AD's risk detection to determine which users are risky. Leadership has decided to upgrade our B2C tenant to a P2 pricing tier (if it wasn't there already) and has asked you to implement an additional Conditional Access policy that detects medium and high risk users and blocks them from logging in to any application. A typical scenario for medium and high risk user activity is using an anonymous browser (such as the Tor browser) to access our apps.

Success Criteria

CMC IT Leadership considers your efforts a success (and your odds of a promotion more likely) if you accomplish the following:

  • You've implemented a Conditional Access policy that prompts for an MFA challenge for users from any location and on any device;
  • You then modify your Conditional Access policy to only force MFA for users on an Android device;
  • You've created another Conditional Access policy that blocks Medium and High risk users from accessing any B2C app
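The three policies above can also be created through Microsoft Graph instead of the portal. The following added example (not part of the challenge materials) builds the request bodies for the `conditionalAccessPolicy` resource and includes a simplified local evaluator, which is an assumption of how Azure AD combines matching policies (any block wins, otherwise required controls accumulate), to show which control each sample sign-in would receive.

```python
import json

# Real Graph endpoint for creating policies (POST with a bearer token that has Policy.ReadWrite.ConditionalAccess).
GRAPH_ENDPOINT = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

def policy(display_name, grant, platforms=None, user_risk_levels=None, state="enabled"):
    """Build one conditionalAccessPolicy request body.
    Scope is every user, every B2C app registration and every location; the optional
    platform and user-risk conditions narrow it to the cases the challenge asks for."""
    conditions = {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["All"]},
        "locations": {"includeLocations": ["All"]},  # "all locations", as leadership asked
    }
    if platforms:
        conditions["platforms"] = {"includePlatforms": platforms}
    if user_risk_levels:  # requires Azure AD Identity Protection (P2 tier)
        conditions["userRiskLevels"] = user_risk_levels
    return {
        "displayName": display_name,
        "state": state,
        "conditions": conditions,
        "grantControls": {"operator": "OR", "builtInControls": [grant]},
    }

# The three policies from the success criteria (display names are constructed).
MFA_ALL = policy("CMC - MFA everywhere", "mfa")
MFA_ANDROID = policy("CMC - MFA on Android", "mfa", platforms=["android"])
BLOCK_RISKY = policy("CMC - Block medium/high risk users", "block", user_risk_levels=["medium", "high"])

def applies(p, signin):
    """Assumption: a local approximation of condition matching, not Azure AD's engine."""
    c = p["conditions"]
    if "platforms" in c and signin["platform"] not in c["platforms"]["includePlatforms"]:
        return False
    if "userRiskLevels" in c and signin["user_risk"] not in c["userRiskLevels"]:
        return False
    return p["state"] == "enabled"

def decide(policies, signin):
    """Combine matching policies: a block from any policy wins, otherwise MFA if any policy requires it."""
    controls = {g for p in policies if applies(p, signin) for g in p["grantControls"]["builtInControls"]}
    if "block" in controls:
        return "block"
    return "mfa" if "mfa" in controls else "allow"

if __name__ == "__main__":
    final = [MFA_ANDROID, BLOCK_RISKY]  # MFA_ALL is replaced by MFA_ANDROID after leadership's change
    # Constructed sample sign-ins: device platform and Identity Protection user risk level.
    for s in [{"platform": "iOS", "user_risk": "low"}, {"platform": "android", "user_risk": "low"},
              {"platform": "iOS", "user_risk": "high"}]:
        print(s, "->", decide(final, s))
    print(json.dumps(BLOCK_RISKY, indent=2))  # body to POST to GRAPH_ENDPOINT
```

Because the block policy carries no platform condition, a high-risk sign-in from an iPhone is blocked even though leadership exempted iOS from MFA.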

Learning Resources

Advanced Challenges (Optional)

Too comfortable? Eager to do more? Try these additional challenges!

  • You can create several different app registrations in your B2C tenant and then configure Conditional Access policies that are specific to each app registration. For one app reg, always force MFA; for another, only force MFA for iOS devices; for a third, force MFA for risky behaviors.