Using this feature requires Microsoft Entra ID P2 licenses. To find the right license for your requirements, see Compare generally available features of Microsoft Entra ID. Token Protection enforcement is part of Microsoft Entra ID Protection and will be part of the P2 license at general availability.

Deployment

For users, the deployment of a Conditional Access policy to enforce token protection should be invisible when using compatible client platforms on registered devices and compatible applications. To minimize the likelihood of user disruption due to app or device incompatibility, we highly recommend:

- Start with a pilot group of users, and expand over time.
- Create a Conditional Access policy in report-only mode before moving to enforcement of token protection.
- Capture both Interactive and Non-interactive sign-in logs.
- Analyze these logs for long enough to cover normal application use.
- Add known good users to an enforcement policy.

This process helps to assess your users' client and app compatibility for token protection enforcement.

Users who perform specialized roles like those described in Privileged access security levels are possible targets for this functionality. We recommend piloting with a small subset to begin. The steps that follow help create a Conditional Access policy to require token protection for Exchange Online and SharePoint Online on Windows devices.

1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
2. Browse to Protection > Conditional Access.
3. When naming the policy, follow a meaningful standard; we recommend that organizations create one for the names of their policies.
4. Under Assignments, select Users or workload identities.
   - Under Include, select the users or groups who are testing this policy.
   - Under Exclude, select Users and groups and choose your organization's emergency access or break-glass accounts.
5. Under Target resources > Cloud apps > Include > Select apps, then under Select, select the following applications supported by the preview:
6. Under the Client Apps condition, under Modern authentication clients, only select Mobile apps and desktop clients. Not configuring the Client Apps condition, or leaving Browser selected, may cause applications that use MSAL.js, such as Teams Web, to be blocked.
7. Under Access controls > Session, select Require token protection for sign-in sessions and select Select.
8. Confirm your settings and set Enable policy to Report-only.
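The same pilot policy expressed as a Microsoft Graph conditionalAccessPolicy body, with a lint that flags the pitfalls the steps warn about (Browser left selected or the Client Apps condition not configured, no break-glass exclusion, enforcing against everyone before a report-only pilot). This is an added example, not Microsoft's code; the group and user IDs are constructed placeholders, and the two application IDs are assumed to be the well-known first-party Exchange Online and SharePoint Online IDs.

```python
"""Added example, not Microsoft's code: express the pilot policy above as a Microsoft Graph
conditionalAccessPolicy body and lint it for the pitfalls the text warns about. Group and user
IDs are constructed placeholders; the two app IDs are the well-known first-party Exchange Online
and SharePoint Online application IDs (an assumption: verify against your tenant)."""
import json

EXCHANGE_ONLINE = "00000002-0000-0ff1-ce00-000000000000"
SHAREPOINT_ONLINE = "00000003-0000-0ff1-ce00-000000000000"


def build_policy(pilot_group_id, break_glass_user_ids, report_only=True):
    """Mirror the portal steps: pilot group in, break-glass out, EXO/SPO only,
    Windows only, mobile/desktop clients only, token protection required."""
    return {
        "displayName": "CA-Pilot-TokenProtection-EXO-SPO-Windows",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeGroups": [pilot_group_id],
                      "excludeUsers": list(break_glass_user_ids)},
            "applications": {"includeApplications": [EXCHANGE_ONLINE, SHAREPOINT_ONLINE]},
            "platforms": {"includePlatforms": ["windows"]},
            # Browser deliberately omitted: MSAL.js apps such as Teams Web would be blocked.
            "clientAppTypes": ["mobileAppsAndDesktopClients"],
        },
        # Graph (beta) name of the "Require token protection for sign-in sessions" control.
        "sessionControls": {"secureSignInSession": {"isEnabled": True}},
    }


def lint_policy(policy):
    """Return the deployment problems the text calls out; an empty list means clean."""
    problems = []
    cond = policy.get("conditions", {})
    client_apps = cond.get("clientAppTypes") or []
    if not client_apps or "all" in client_apps or "browser" in client_apps:
        problems.append("Client apps not limited to mobile/desktop: MSAL.js apps like Teams Web may be blocked")
    users = cond.get("users", {})
    if not users.get("excludeUsers") and not users.get("excludeGroups"):
        problems.append("No emergency access / break-glass accounts excluded")
    if policy.get("state") == "enabled" and users.get("includeUsers") == ["All"]:
        problems.append("Enforcing against all users without a report-only pilot")
    if not policy.get("sessionControls", {}).get("secureSignInSession", {}).get("isEnabled"):
        problems.append("Policy does not require token protection")
    return problems


if __name__ == "__main__":
    policy = build_policy("11111111-aaaa-bbbb-cccc-222222222222", ["33333333-dddd-eeee-ffff-444444444444"])
    print(json.dumps(policy, indent=2))
    print(lint_policy(policy) or "no problems found")
```

Run the lint against the JSON you export from the portal (or before a Graph POST) to catch a policy that drifted from the pilot shape above.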