From 498cc8979f747ba5673a6a8b87a98fe5b5f80d3e Mon Sep 17 00:00:00 2001 From: r-c-steart Date: Tue, 16 Jul 2024 13:40:19 -0700 Subject: [PATCH] Updates based on ISSUE 142 --- ...Lab_23_AddTermsOfUseAcceptanceReporting.md | 5 ++-- ...PrivilegedIdentityManagementForAADRoles.md | 2 ++ .../Labs/Lab_28_MonitorIdentitySecureScore.md | 28 ++++++++++++++----- 3 files changed, 26 insertions(+), 9 deletions(-) diff --git a/Instructions/Labs/Lab_23_AddTermsOfUseAcceptanceReporting.md b/Instructions/Labs/Lab_23_AddTermsOfUseAcceptanceReporting.md index 7233616b..5e746376 100644 --- a/Instructions/Labs/Lab_23_AddTermsOfUseAcceptanceReporting.md +++ b/Instructions/Labs/Lab_23_AddTermsOfUseAcceptanceReporting.md @@ -99,7 +99,7 @@ Once you have finalized your terms of use document, use the following procedure 16. When the terms of use is created, you will automatically be redirected to the Conditional access policy page. On the page, in the **Name** box, enter **Enforce ToU**. -17. Under **Assignments**, select **Users or workload identities**. +17. Under **Assignments**, select **Users identities**. 18. On the include tab, select **Users and groups** check box. @@ -107,7 +107,7 @@ Once you have finalized your terms of use document, use the following procedure **Warning** - If you choose your administrator account, like all conditional access policies, be sure you have another account with enough permissions to change the conditional access policy. This is to ensure your administrator account will not be locked out should the conditional access policy result in an undesirable outcome. -20. Select **Cloud apps or actions.** +20. Select **Target resources.** 21. Select **All cloud apps**. 
@@ -202,6 +202,7 @@ You can edit some details of terms of use, but you can't modify an existing docu 3. In the left navigation menu, under **Entitlement management**, select **Terms of use**. 4. Select the terms of use you want to edit. + - Note: You have to click on open space, not directly on name of the Terms or Use. 5. On the top menu, select **Edit terms**. diff --git a/Instructions/Labs/Lab_26_ConfigurePrivilegedIdentityManagementForAADRoles.md b/Instructions/Labs/Lab_26_ConfigurePrivilegedIdentityManagementForAADRoles.md index c5782721..2b2d77e4 100644 --- a/Instructions/Labs/Lab_26_ConfigurePrivilegedIdentityManagementForAADRoles.md +++ b/Instructions/Labs/Lab_26_ConfigurePrivilegedIdentityManagementForAADRoles.md @@ -13,6 +13,8 @@ A Privileged role administrator can customize Privileged Identity Management (PI #### Estimated time: 30 minutes +NOTE - There have been on-going changes to requiring MFA in lab environments. When you switch between users to complete this lab, you may be prompted to set up MFA. + ### Exercise 1 - Configure Microsoft Entra role settings #### Task 1 - Open role settings diff --git a/Instructions/Labs/Lab_28_MonitorIdentitySecureScore.md b/Instructions/Labs/Lab_28_MonitorIdentitySecureScore.md index 5e88f287..66e5bf7b 100644 --- a/Instructions/Labs/Lab_28_MonitorIdentitySecureScore.md +++ b/Instructions/Labs/Lab_28_MonitorIdentitySecureScore.md 
@@ -35,16 +35,30 @@ Microsoft Entra Identity Protection provides automated detection and remediation 2. In the tile that opens, scroll down and select **Get Started**. -3. A new tab will open for **Identity Protection | Sign-in risk policy**. +3. A new tab will open for **Conditional Access**. + **Note** - by default the Get Started button will open in Azure Portal. You can use the portal or return to the Entra admin center. Either wil work. -4. Select **All users** under **Assignments**. +4. Select **+ New policy**. -5. Select **Medium and above** under **Sign-in risk**. +5. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. -6. Select **Allow** - **Require multi-factor authentication** under **Controls**. +6. Under Assignments, select Users or workload identities. -7. Turn the **Policy enforcement** to **Enabled** (if not done so already), and select **Save**. +7. Under Include, select All users. -8. You have created a Sign-in risk policy that should now increase your Identity Secure Score. This will take up to 24 hours to take affect in your Identity Secure Score. +8. Under Exclude, select Users and groups and choose any accounts that must maintain the ability to use legacy authentication. Microsoft recommends you exclude at least one account to prevent yourself from being locked out. -9. Review other improvement actions and the steps to create and enable them. +9. Under Target resources > Cloud apps > Include, select All cloud apps. + +10. Under Conditions > Client apps, set Configure to Yes. + - Check only the boxes Exchange ActiveSync clients and Other clients. + +11. Select Done. + +12. Under Access controls > Grant, select Block access. + +13. Select Select. + +14. Confirm your settings and set Enable policy to Report-only. + +15. Select Create to create to enable your policy.
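Review bot: in the Lab_23 hunk at step 17 (`@@ -99,7 +99,7 @@`), the new label **Users identities** reads like a typo rather than a portal label; the Conditional Access assignment control is labelled either **Users or workload identities** (the text being removed) or, in newer builds of the Entra admin center, simply **Users**. Suggest `17. Under **Assignments**, select **Users**.` after checking the current portal, and note that the Lab_28 hunk in this same patch still uses **Users or workload identities**, so the two labs should agree.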
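Review bot: in the Lab_23 hunk at step 20 (`@@ -107,7 +107,7 @@`), the period is placed inside the bold (`**Target resources.**`) while the surrounding steps close the bold before the period (`21. Select **All cloud apps**.`); suggest `20. Select **Target resources**.`. Since step 21 then selects **All cloud apps**, consider spelling out the intermediate path the way the Lab_28 hunk in this patch does (`Target resources > Cloud apps > Include`) so the learner knows where that option lives.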
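Review bot: the note added under step 4 of the Lab_23 hunk (`@@ -202,6 +202,7 @@`) has a typo, **Terms or Use** should be **Terms of Use**, and "directly on name of" is missing "the"; suggest `   - Note: Click the open space in the row, not directly on the name of the Terms of Use.`. The rest of this file flags callouts with a bold marker (`**Warning** -`), so `**Note** -` would be the consistent form here.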
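Review bot: the NOTE added to Lab_26 (`@@ -13,6 +13,8 @@`) is awkwardly worded ("on-going changes to requiring MFA in lab environments"); suggest `**Note** - MFA requirements in the lab environment have been changing. When you switch between users to complete this lab, you may be prompted to set up MFA.`, which also matches the `**Note** -` style used in the Lab_28 hunk of this patch.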
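Review bot: in the Lab_28 hunk (`@@ -35,16 +35,30 @@`), step 14 sets **Enable policy** to **Report-only** but step 15 says "Select Create to create to enable your policy", which both duplicates "to create" and contradicts step 14, since a report-only policy is evaluated but not enforced; suggest `15. Select **Create** to create the policy in report-only mode.` and state explicitly whether the learner is expected to switch it to **On** later. The deleted steps 8 and 9 (the policy raises the Identity Secure Score within 24 hours; review the other improvement actions) have no replacement, so the exercise no longer ties the new policy back to the Secure Score this lab is about; a closing step along those lines should be restored. The replacement steps also describe a block-legacy-authentication policy (Client apps limited to Exchange ActiveSync and Other clients, Grant set to Block access) where the removed steps configured a Sign-in risk policy, so the exercise heading and intro text should be updated to match if that change is intentional. Minor: "Either wil work" should be "Either will work", and steps 4 through 15 drop the bold on UI element names that steps 1 through 3 use.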