CA Policy for Internals Registering Security Information
Update
For the latest version of this code please visit msgraph-sdk-powershell-examples.
Deprecated Content
An Azure AD Conditional Access Policy for Internals to use a joined device or be in a trusted location to perform Registration of Security Information.
Suggested name:
CA2{XX}-Internals-IdentityProtection-RegisterSecurityInfo-BYODOrUntrustedLocation-MFA
Assignments
Users
| Users and groups | |
|---|---|
| Include users | CA-Persona-Internals |
| Exclude users | Break-glass (emergency access) accounts |
Cloud apps or actions
| User actions |
|---|
| Register security information |
Conditions
| Locations | |
|---|---|
| Include | Any location |
| Exclude | All trusted locations |
| Filter for devices | |
|---|---|
| Exclude | device.trustType -eq “AzureAD” -or device.trustType -eq “ServerAD” |
Access controls
| Grant access | |
|---|---|
| Require | Multifactor authentication |
User Experience
BYOD in an Untrusted Location
References
https://learn.microsoft.com/en-us/azure/architecture/guide/security/conditional-access-architecture https://learn.microsoft.com/en-us/azure/architecture/guide/security/conditional-access-framework https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policy-common