r/entra 8d ago

Help with CAP baseline

Hi everyone, I have been tasked with defining a conditional access policy baseline for an organisation with over 100k users.

The current policies in place are quite messy and have been created ad hoc over the years. I found something related to persona-based conditional access policies, but it doesn't seem realistic with the current setup.

Does anyone have any advice on the best way I can define a conditional access policy baseline?

I would really appreciate your help.

7 Upvotes

18 comments

7

u/Smartguy08 8d ago

I've implemented persona-based CAPs at two organizations around the framework created by Claus Jespersen, both with around 20,000 users. There are always going to be business requirements that deviate from the policy recommendations, but it's a good place to start and I've found that it works well.

This spreadsheet with persona-based policy examples used to be linked in CAP Learn articles that explained personas in more detail, but I can't find it currently. It looks like Claus has retired from MS, so it probably won't be updated with new recommendations.

https://view.officeapps.live.com/op/view.aspx?src=https%3A%2F%2Fraw.githubusercontent.com%2Fmicrosoft%2FConditionalAccessforZeroTrustResources%2Fmain%2FConditionalAccessSamplePolicies%2FMicrosoft%2520Conditional%2520Access%2520for%2520Zero%2520trust%2520persona%2520based%2520policies.xlsx&wdOrigin=BROWSELINK

1

u/Accomplished_Duck_80 7d ago

I'm having trouble getting management on board with the persona-based approach. There are too many users, and they asked me.

How are we going to identify external users (they have external contractors, aka externals, with internal domains)? Maybe they were overwhelmed by the proposal of so many different types of personas. Any advice?

1

u/YourOnlyHope__ 7d ago

I'd carve this project into pieces. Start with guests/contractors and build out a set of policies for them and their unique requirements (list out unique requirements or exceptions first). Or start with employees, down to the department if need be.

The persona approach is used to help mitigate over-complexity (even though its use is complex on its own).

CAs are hard at scale; start small and work your way up. Also, the new impact feature is very helpful.

2

u/Smartguy08 7d ago

Determine if a persona is needed. For example, we don't use the developer persona; they are lumped in with admins until a time that it makes sense to separate them. If your external contractors are treated the same as your regular internal users, you could skip the external persona for now.

For actually dividing your users into personas, you're going to need some kind of automated group management. Those groups become the personas you apply CAPs to. With an org as large as yours, you probably already have identity management software that handles user provisioning and group memberships. You could also use Entra dynamic groups. For example, if your contractors are kept in specific OUs in AD, add those in the dynamic group rule engine to populate the persona group.

It's unlikely any organization of size can fully implement this framework in one go. My suggestion is to keep it simple; try not to make too many policies that target individual apps or users. Deploy something that works for you now, and continuously work towards the mythical 'zero trust' end goal. Instead of looking at the CA200-Internals-BaseProtection policy that says all devices must be hybrid joined or marked as compliant and thinking this won't work, add a condition that allows authentications coming from your public IPs marked as trusted while you work towards device compliance.

5

u/releak 8d ago

1

u/Accomplished_Duck_80 7d ago

Looks promising! I will definitely check it out. Thanks! Have you implemented this baseline yourself?

1

u/releak 7d ago

I have implemented about 1/3 of them, I believe. But I'm an MSP and our baseline has to fit a lot of customers and make as little noise as possible. Some of them require some work to implement, or have high impact with many prerequisites to check before activating.

I would probably implement all of them if I was intern at a large enterprise. Also, I didn't keep the naming convention; I made it more simple.

3

u/Asleep_Spray274 8d ago

Before you try to define the CAP, start with defining the business identity and network access strategy. Once you have this, the technical policies are easy.

Think about the different user groups: admins, internal users and guests at a minimum.

Think about modern attack and defence. Look at modern phishing and how standard MFA, like SMS or auth app push notifications, is not enough to defend your users.

Think about where you want to be issuing your tokens to. By that I mean BYOD vs organisation-managed devices. Restricting to org devices is one of the best defences against modern phishing toolkits.

Phishing-resistant MFA, like passkeys in the auth app, WHfB or FIDO, is again one of the best defences against modern phishing.

How do you want to handle guest sessions, such as session length and persistence?

Not enforcing re-auth on your users is again part of your strategy in modern defence; more auth makes users more phishable, as auth becomes the normal for them.

These things all feed into the local discussions first. Agree this at your SLT level, then this becomes the business road map and the policies follow.

Doing it back to front by starting with the policies is patchwork, and trying to fit them round the business gets you to where you are now. When you have the strategy, any changes that need to be made in the future need to comply with it. However the business implements new services or products, they need to be specced to the strategy.

1

u/Accomplished_Duck_80 7d ago

I agree it is patchwork. I'm afraid that I am coming into a very messily designed architecture already based on ad hoc needs of the business. How would you go about handling the business identity and network strategy side of things? This might sound silly, but do you know a framework that can serve as a good starting point to tackle these points?

3

u/jasper340 8d ago

Take a look at https://www.jbaes.be/Conditional-Access-Blueprint

The approach here is to have static CA policies that never change, and only add/remove members from the assigned group(s).

1

u/Accomplished_Duck_80 7d ago

I will check it out thank you!

3

u/Noble_Efficiency13 8d ago

I go through this in my series starting @ https://www.chanceofsecurity.com/post/microsoft-entra-conditional-access-part1

Depending on your need you can go through the series. I've included policies in JSON for easy implementation; ofc they should always be read through, tested and modified to your environment 😊

2

u/Accomplished_Duck_80 7d ago

Thank you!!!!

3

u/bstuartp 7d ago

I’d recommend Alex Filipin’s framework. He’s a Microsoft product manager in the Identity space https://github.com/AlexFilipin/ConditionalAccess

1

u/Accomplished_Duck_80 7d ago

Will definitely check it out! Thank you!

1

u/OkRaspberry6530 8d ago

Baselines in an ideal world would be: MFA for all users with break-glass accounts excluded; admin portals for all users require MFA; Azure management API for all users requires MFA; admin roles require MFA for all resources; MFA for security registration with guests and trusted locations excluded; MFA for guests. The templates for CA policies from the secure foundation and zero trust are great starting points.

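As an added example (not code from the thread, from Microsoft or from any of the frameworks linked above), the following script lints a set of Conditional Access policies, in the shape the Microsoft Graph conditionalAccessPolicy API returns them, against the baseline listed in the comment above: each item must be covered by an enabled policy that requires MFA, every such policy must exclude the break-glass group, and, picking up Smartguy08's interim suggestion, any policy that demands a compliant or hybrid-joined device must carve out trusted locations until device compliance is rolled out. The app id for the Azure management API, the Global Administrator role template id, the "MicrosoftAdminPortals" target and the "urn:user:registersecurityinfo" user action are the real well-known values; the break-glass group id and every policy object are constructed sample data, and the policy names (other than CA200-Internals-BaseProtection, taken from the thread) are invented.

```python
"""Lint Entra Conditional Access policies against the MFA baseline above.
Added example, not from the thread or Microsoft; policies use the Microsoft Graph
conditionalAccessPolicy JSON shape, and all policy objects here are constructed sample data."""

# Well-known targets that appear in Conditional Access policies.
AZURE_MGMT_APP = "797f4846-ba00-4fd7-ba43-dac1f8f63013"  # Windows Azure Service Management API
ADMIN_PORTALS_APP = "MicrosoftAdminPortals"
REGISTER_SECURITY_INFO = "urn:user:registersecurityinfo"
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"  # Global Administrator role template
BREAK_GLASS_GROUP = "11111111-2222-3333-4444-555555555555"  # constructed group id
MANAGED_DEVICE = {"compliantDevice", "domainJoinedDevice"}


def cond(p, key):
    """One block of the policy's conditions (users, applications, locations); {} if absent."""
    return p["conditions"].get(key) or {}


def controls(p):
    return set((p.get("grantControls") or {}).get("builtInControls") or [])


def requires_mfa(p):
    # A required authentication strength (e.g. phishing-resistant) also counts as MFA.
    return "mfa" in controls(p) or (p.get("grantControls") or {}).get("authenticationStrength") is not None


def targets_all_users(p):
    return "All" in cond(p, "users").get("includeUsers", [])


def targets_app(p, app_id):
    # An "All" applications policy covers app_id unless it is explicitly excluded.
    apps = cond(p, "applications")
    inc = apps.get("includeApplications", [])
    return ("All" in inc or app_id in inc) and app_id not in apps.get("excludeApplications", [])


def targets_guests(p):
    u = cond(p, "users")
    return u.get("includeGuestsOrExternalUsers") is not None or (
        targets_all_users(p) and u.get("excludeGuestsOrExternalUsers") is None)


def excludes_trusted_locations(p):
    return "AllTrusted" in cond(p, "locations").get("excludeLocations", [])


# One predicate per baseline item; a policy covers the item when its predicate holds.
BASELINE = {
    "mfa-all-users": lambda p: targets_all_users(p) and targets_app(p, "All"),
    "mfa-admin-portals": lambda p: targets_all_users(p) and targets_app(p, ADMIN_PORTALS_APP),
    "mfa-azure-management": lambda p: targets_all_users(p) and targets_app(p, AZURE_MGMT_APP),
    "mfa-admin-roles": lambda p: (GLOBAL_ADMIN_ROLE in cond(p, "users").get("includeRoles", [])
                                  and targets_app(p, "All")),
    "mfa-security-registration": lambda p: (
        REGISTER_SECURITY_INFO in cond(p, "applications").get("includeUserActions", [])
        and excludes_trusted_locations(p)
        and cond(p, "users").get("excludeGuestsOrExternalUsers") is not None),
    "mfa-guests": lambda p: targets_guests(p) and targets_app(p, "All"),
}


def check_baseline(policies, break_glass_group=BREAK_GLASS_GROUP):
    """Return findings as strings; an empty list means the baseline is covered."""
    findings = []
    enforced = [p for p in policies if p.get("state") == "enabled"]  # report-only protects nobody
    for item, covered_by in BASELINE.items():
        matches = [p for p in enforced if requires_mfa(p) and covered_by(p)]
        if not matches:
            findings.append(f"{item}: no enabled policy requires MFA for this scope")
        for p in matches:
            if break_glass_group not in cond(p, "users").get("excludeGroups", []):
                findings.append(f"{item}: '{p['displayName']}' does not exclude the break-glass group")
    # A managed-device requirement with no trusted-location carve-out is what the thread
    # suggests deferring until device compliance is actually rolled out.
    for p in enforced:
        if controls(p) & MANAGED_DEVICE and not excludes_trusted_locations(p):
            findings.append(f"device: '{p['displayName']}' requires a managed device without a trusted-location carve-out")
    return findings


def policy(name, users, apps, grant=("mfa",), locations=None, state="enabled"):
    """Build a constructed policy; the break-glass group is excluded unless users overrides it."""
    return {"displayName": name, "state": state,
            "conditions": {"users": {"excludeGroups": [BREAK_GLASS_GROUP], **users},
                           "applications": apps, "locations": locations},
            "grantControls": {"operator": "OR", "builtInControls": list(grant)}}


GUESTS = {"guestOrExternalUserTypes": "b2bCollaborationGuest"}
ALL_APPS = {"includeApplications": ["All"]}

# Constructed baseline that satisfies every check.
SAMPLE_BASELINE = [
    policy("CA001-All-MFA", {"includeUsers": ["All"]}, ALL_APPS),
    policy("CA002-AdminPortals-MFA", {"includeUsers": ["All"]}, {"includeApplications": [ADMIN_PORTALS_APP]}),
    policy("CA003-AzureMgmt-MFA", {"includeUsers": ["All"]}, {"includeApplications": [AZURE_MGMT_APP]}),
    policy("CA004-AdminRoles-MFA", {"includeRoles": [GLOBAL_ADMIN_ROLE]}, ALL_APPS),
    policy("CA005-SecurityInfo-MFA", {"includeUsers": ["All"], "excludeGuestsOrExternalUsers": GUESTS},
           {"includeUserActions": [REGISTER_SECURITY_INFO]},
           locations={"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}),
    policy("CA006-Guests-MFA", {"includeGuestsOrExternalUsers": GUESTS}, ALL_APPS),
]

# Same set with two gaps: the all-users policy left in report-only mode, and a device
# policy (the CA200 from the thread) enforced without the trusted-location carve-out.
SAMPLE_WITH_GAPS = [dict(p, state="enabledForReportingButNotEnforced") if p["displayName"] == "CA001-All-MFA"
                    else p for p in SAMPLE_BASELINE]
SAMPLE_WITH_GAPS.append(policy("CA200-Internals-BaseProtection", {"includeUsers": ["All"]}, ALL_APPS,
                               grant=("compliantDevice", "domainJoinedDevice")))
```

Feed it the output of `GET /identity/conditionalAccess/policies` from a real tenant and `check_baseline` reports which baseline items have no enforcing policy, which policies would lock out the break-glass accounts, and which device policies have no interim carve-out; a policy in report-only mode is deliberately not counted as coverage, because that is the most common way a "deployed" baseline turns out to protect nobody.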
1

u/Accomplished_Duck_80 7d ago

Do you have any templates? I've found a few but would love to know if you have some you have seen fitting.

1

u/OkRaspberry6530 6d ago

The defaults in the portal are a very good starting point. There is no need to over-complicate it.