[00:56.390 --> 00:57.290]  All right.
[00:57.290 --> 00:58.730]  Hey, what's up, everybody.
[01:01.410 --> 01:01.970]  All right.
[01:01.970 --> 01:06.250]  Let's get moving, if you all don't mind.
[01:07.710 --> 01:10.790]  Hope you're here to learn about Conditional Access and Intra.
[01:10.790 --> 01:14.210]  Thank you for hanging out with me until 8.30 at night.
[01:14.670 --> 01:23.590]  I've told everybody so far that I've met today that this time yesterday I was in my pajamas and ready to fall asleep.
[01:23.590 --> 01:30.030]  So I'm going to try to be as energetic as I may have been like four or five hours ago.
[01:30.250 --> 01:35.670]  Like our previous speaker, I'm really excited to get over to the casino party and drink several beers.
[01:36.650 --> 01:39.570]  But before that, I'm going to try to teach you guys a few things.
[01:41.050 --> 01:44.850]  I'll kind of whip through this and take some questions at the end.
[01:44.850 --> 01:51.610]  So without further ado, as our keynote speaker showed, you shouldn't show pictures of yourself, apparently.
[01:51.610 --> 01:53.410]  So I whipped this up real fast.
[01:53.590 --> 01:54.390]  That's not me.
[01:54.390 --> 01:55.510]  That's Johnny Christmas.
[01:55.670 --> 02:00.870]  But who I am is Brandon Colley, or Tech Brandon.
[02:00.870 --> 02:06.950]  You can find me on Twitter, on LinkedIn, YouTube, GitHub, all the good stuff.
[02:06.950 --> 02:15.510]  So I am a father, I'm a husband, and I am a founder of a small business that is B&R Consulting.
[02:15.570 --> 02:24.750]  We do small business consulting and remediation efforts for mostly Microsoft and intra-cloud services.
[02:24.750 --> 02:33.110]  I just started with TrustedSec like three weeks ago, so I am now a senior security consultant with them.
[02:33.110 --> 02:41.310]  If you follow TrustedSec or you've followed my previous company, Trimark Security, we recently merged with them, so we've kind of joined forces.
[02:41.310 --> 02:46.270]  And now I've kind of got a foot in both of those worlds right now, so things are a little nuts.
[02:46.690 --> 02:58.570]  But for both companies, I basically run a lot of their Active Directory security assessments, as well as their cloud or mostly intra-ID or their Microsoft 365 type stuff.
[02:58.570 --> 03:12.950]  So at Trimark, I was the service lead for our MCSA, which was our Microsoft Service Cloud Assessment, which basically is a whole lot of credentials to basically say, I've seen things, right?
[03:13.470 --> 03:21.190]  It's well over a thousand conditional access policies probably in the last several years that I've been working in intra.
[03:21.610 --> 03:34.390]  And so what we're going to do today, this is kind of my brief agenda slide, we're just going to walk through a few of the common misconfigurations that I've seen, something that hopefully you don't have in your environment, but if it looks familiar, hopefully you'll learn something with that.
[03:34.390 --> 03:36.890]  I'm going to walk through also why that matters.
[03:37.170 --> 03:42.830]  So we're going to talk through kind of how attackers may do that or why it's a misconfiguration.
[03:43.110 --> 03:45.270]  And then we're going to talk about what you can do about it.
[03:45.270 --> 03:50.930]  So the most important stuff is how you can find some of these holes that exist in conditional access.
[03:51.010 --> 03:58.610]  So without further ado, let's walk through our very first one, which is one that I love to talk to people about.
[03:58.610 --> 04:04.130]  So we're going to do, I know it's 8.30, but I'm up here, you guys are in here, so we're going to do some audience participation.
[04:04.390 --> 04:05.510]  Woo!
[04:06.170 --> 04:06.670]  Okay.
[04:06.670 --> 04:15.910]  So raise your hand if you think 129, 126 conditional access policies is too many policies.
[04:16.930 --> 04:18.470]  Everybody's hand should be raised.
[04:18.470 --> 04:18.770]  Guess what?
[04:18.770 --> 04:21.710]  Because Microsoft only allows 195.
[04:22.870 --> 04:31.690]  So if we cut that in half, being a little bit more realistic, 98 policies, probably still too many.
[04:32.910 --> 04:34.230]  We cut it down.
[04:34.230 --> 04:38.850]  I saw some heads like, yeah, 66, okay, 40.
[04:38.850 --> 04:42.350]  Some people I asked said less than 20.
[04:42.350 --> 04:44.410]  So we're kind of all over the place.
[04:44.410 --> 04:47.170]  And that's fine because the real answer is it depends.
[04:47.950 --> 04:50.870]  Because we are consultants after all, right?
[04:51.730 --> 05:08.230]  The reason it depends, at least in my opinion, is that if you do things really, really, really well, then 60 plus into the 80 policies, if they're really well managed, can be fine.
[05:08.230 --> 05:16.790]  If you really know what you're doing, if you're following this picture on the right-hand side there, is based off of Microsoft's zero trust conditional access.
[05:16.790 --> 05:18.110]  They use personas.
[05:18.210 --> 05:30.250]  So if you use global policies and you've got all these personas, that actually puts you at exactly 66 policies that exist in their Excel document that you can download.
[05:30.750 --> 05:36.410]  So I like to say we're kind of in that space of between 40 and 66.
[05:36.410 --> 05:37.870]  You know, you can deal with less.
[05:37.870 --> 05:41.490]  It kind of depends on size of an environment and stuff like that.
[05:47.940 --> 05:48.680]  Okay.
[05:48.680 --> 05:51.680]  The water break ruined my transition here.
[05:51.680 --> 06:00.240]  But basically, it can become a management nightmare.
[06:00.240 --> 06:17.940]  And some of the things that I've seen is when a company goes to make a change, or there's a problem, or they need to add something to a policy, or, you know, if you manage conditional access, Microsoft changes something or adds something, where do you go to modify?
[06:17.940 --> 06:19.720]  So which policy do you have to change?
[06:19.720 --> 06:20.880]  Do you have to change multiple?
[06:21.020 --> 06:24.680]  Or, even worse, maybe just add a new one, right?
[06:24.680 --> 06:30.800]  So I had a tenant recently whose policies really looked like they were written, like they came in as help desk tickets.
[06:30.800 --> 06:39.020]  So it was very much this person, this application, this block rule, or it requires MFA, and under all these conditions.
[06:39.020 --> 06:48.080]  And really, I think the best thing that we can do is continue to try to lean onto that privilege, the least privileged documentation that I talked about.
[06:48.600 --> 06:49.800]  I'm going to link that at the end.
[06:49.800 --> 06:52.620]  I've got a bunch of resources that I'll share with you all, too.
[06:53.400 --> 06:59.880]  But I don't have time to dig completely into that right now, because I could probably do 30 minutes on just that.
[07:01.320 --> 07:04.440]  Next one that I've got is probably my favorite one.
[07:04.440 --> 07:08.860]  So this is the requirements for administrators to use MFA.
[07:10.140 --> 07:16.260]  This one I like to point out that Microsoft was nice enough to give us a template.
[07:16.260 --> 07:23.180]  Also, if you are checking your policies in your tenant, you might notice that you have some Microsoft-managed policies.
[07:23.480 --> 07:29.780]  The downfall with these, though, is by default, it only has these 14 policies selected.
[07:29.940 --> 07:40.440]  And I'll tell you, in every single tenant that I've looked at over the last year, year and a half, it's only these 14 policies that are in all of those conditional access.
[07:40.440 --> 07:43.400]  So what I'm here to say is we need to add some.
[07:44.660 --> 07:52.200]  Anything that you're using, but also I think anything that's considered to be a highly privileged, is going to be important.
[07:52.200 --> 07:56.860]  So adding things like at least these nine is what I would recommend.
[07:56.860 --> 08:16.560]  So authentication policy administrator, directory writers, external identity, and then certainly the hybrid identity admin, which in my opinion is one of the most privileged roles that exists, because it gives access to manage all things that are the connection between Active Directory and intra-ID.
[08:16.560 --> 08:21.980]  And so if you're using any sort of intra-ID sync, it allows you to modify settings in there.
[08:21.980 --> 08:30.140]  Password hash sync settings, password authentication settings, seamless single sign-on configurations, so all the good stuff.
[08:30.960 --> 08:37.820]  The other one that I found really interesting is the Intune administrator is not included by default.
[08:37.860 --> 08:41.100]  However, SharePoint and Exchange administrator are.
[08:41.100 --> 08:49.980]  And I don't know how they're different, but I'm here to say add Intune administrators, and then as well as some of those other ones, I'm going to keep on this slide for just one second, too.
[08:50.680 --> 09:03.600]  So Microsoft does determine, if you guys notice that they've done this recently where the specific permissions that are granted to some of these roles actually make them tagged as privileged.
[09:04.160 --> 09:09.920]  And I like that, but I also don't think it's something that we should really fully trust.
[09:09.920 --> 09:11.220]  And this is part of the reason why.
[09:11.220 --> 09:14.780]  It's because only six of these are considered privileged.
[09:14.880 --> 09:24.880]  And the top one that's not, the authentication policy administrator, that actually gives you tenant-wide access to modify MFA settings as well as update the banned passwords.
[09:24.880 --> 09:26.820]  So that seems pretty darn privileged to me.
[09:31.880 --> 09:34.820]  And another fun transition meme.
[09:34.820 --> 09:43.520]  So it's easy to overlook these because you have these policies in place and you think that they're covering all of your administrative accounts.
[09:43.520 --> 09:49.860]  But in all of the reports that I do, I look at those specific accounts instead of just the roles.
[09:50.260 --> 09:54.160]  And I look and see what kind of MFA are they configured for.
[09:54.160 --> 09:57.420]  And what I find is that they're usually weak MFA methods, if any.
[09:57.420 --> 10:07.360]  I find some that are not even registered for MFA, so I question how they're logging in at all if they're supposedly following this requirement to use multifactor.
[10:08.920 --> 10:11.500]  So this one's another fun one for mine.
[10:11.500 --> 10:15.080]  This one kind of goes back into my sysadmin days.
[10:15.080 --> 10:20.880]  I was a systems administrator for about 15 years prior to doing security assessments.
[10:20.880 --> 10:24.680]  And named locations... that was loud.
[10:25.080 --> 10:30.140]  Named locations, and now they're changing them into networks and locations and stuff like that.
[10:30.800 --> 10:42.260]  This is where you go to configure your IP scopes as well as any of the countries that you may either want to explicitly deny or make sure that are set as trusted locations.
[10:42.620 --> 10:54.420]  And I posed the question to AI, and I actually did this back a long time ago, and asked AI, hey, remind me how to subnet, because I've forgotten, because I'm out of things.
[10:54.420 --> 10:57.620]  And it told me, go look at an online calculator.
[10:57.620 --> 11:00.000]  So AI wouldn't even subnet for me.
[11:00.000 --> 11:01.560]  It doesn't even want to do it anymore.
[11:01.580 --> 11:03.960]  And I said, well, how about a diagram, AI?
[11:03.960 --> 11:05.120]  How about you help me out?
[11:05.120 --> 11:09.540]  And so it gave me this diagram, which was gibberish and I thought was very appropriate.
[11:10.900 --> 11:16.180]  So I'm not here to poo-poo on location policies, because they're great.
[11:16.180 --> 11:20.120]  I feel like they're relied upon maybe a little bit too much.
[11:20.120 --> 11:32.280]  And what I'm here to say on this misconfiguration specifically is, look at those subnets, and look at the last time that those subnets may have been modified in your environment.
[11:32.320 --> 11:38.740]  Now, I realize that IP spaces, especially public IP spaces, don't change all that often.
[11:38.740 --> 11:51.160]  But as a sysadmin, the only time I looked in Active Directory sites and services, or as a SCCM administrator, the only time I looked at which distribution points were pointing toward IPs was when stuff was broken.
[11:51.160 --> 11:58.800]  It's because we changed IP schemes, we added or removed stuff, and we forgot about the trickle-down effect.
[11:58.860 --> 12:00.880]  So don't leave those open.
[12:00.880 --> 12:03.480]  Don't wait for bad things to happen.
[12:04.080 --> 12:05.740]  Keep an eye on those scopes.
[12:05.740 --> 12:07.420]  Make sure you're using narrow scopes.
[12:07.420 --> 12:14.580]  Make sure you know how to subnet that you're not using full class B subnets for when you should be using just very specific IP addresses.
[12:18.440 --> 12:23.760]  And the last misconfiguration I want to talk about is when you use multiple conditions.
[12:23.760 --> 12:28.540]  So a lot of people really like to compare conditional access to a firewall.
[12:29.260 --> 12:40.580]  And so what happens when you configure multiple conditions on the same policy is you're met with something called condition overkill, or here I've created one for an example.
[12:40.580 --> 12:52.780]  This is stuff that I've seen in environments actually quite often, where you have a user risk, which is set to high and medium, and then you have a sign-in risk that is set to trigger on high.
[12:52.780 --> 12:56.040]  And so this is actually per Microsoft best practices.
[12:56.040 --> 12:57.660]  That's what you want to be set.
[12:57.880 --> 13:03.080]  And, you know, maybe you want to set a location and say, you know, if you're on a trusted location, you know, my perimeter is fine.
[13:03.080 --> 13:04.540]  That's all good and dandy.
[13:04.640 --> 13:11.280]  But what actually happens when authentication occurs, it must match every single one of these conditions.
[13:11.280 --> 13:12.900]  It is not an or statement.
[13:12.900 --> 13:14.440]  It is an and statement.
[13:14.440 --> 13:24.960]  So when a user logs in and they have a high user risk, which means that they are 100% compromised, but they're from on prem, this doesn't apply.
[13:26.020 --> 13:27.540]  All right.
[13:27.540 --> 13:28.900]  Whole policy, not applying.
[13:30.020 --> 13:35.840]  This one played a lot better back in August when I gave this presentation, but I'm really glad I got giggles today.
[13:38.850 --> 13:39.410]  Okay.
[13:39.410 --> 13:40.650]  So now we're going to find the holes.
[13:40.650 --> 13:45.570]  So I've given you some of the misconfigurations and finding holes.
[13:45.570 --> 13:46.630]  They may be small holes.
[13:46.630 --> 13:49.550]  They may be small, little cute holes that we can do.
[13:49.830 --> 13:56.890]  Might take, you know, a team of people to actually kind of figure out where these holes are and what needs to be fixed.
[13:57.070 --> 14:01.550]  Or there may just be absolutely no way that we're going to find or fix these at all.
[14:01.550 --> 14:04.090]  So we're going to try.
[14:04.170 --> 14:06.170]  And we're going to try with several different methods.
[14:07.130 --> 14:11.290]  This is a busy slide, so now it's going to be a good time to get my throat wet.
[14:18.480 --> 14:18.860]  Okay.
[14:18.860 --> 14:23.700]  So first of all, we've got a lot of built-in tools that we can use at our disposal.
[14:23.780 --> 14:32.500]  The what-if tool is probably the first and most well-known tool, probably my favorite to really geek out and to dig into certain circumstances.
[14:32.760 --> 14:43.760]  So actually just, let's see, yesterday or the day before, I was doing an assessment for a tenant, and they really liked to use device platforms and the client types.
[14:43.760 --> 14:52.800]  And so I was able to find a hole in their conditional access because they were not accounting for something coming from a macOS and using, like, an approved application.
[14:52.800 --> 15:07.180]  So really easy to just plug those into the what-if tool, find out what policies would apply, what policies would not apply, to kind of figure out where those holes might exist or what may have happened in a specific situation.
[15:07.800 --> 15:16.580]  Another cool place is the security alerts, which is in the overview tab on the home screen of conditional access.
[15:16.740 --> 15:25.320]  So this is going to show things like that third one down there is the 94% of sign-ins lack multi-factor authentication in the last seven days.
[15:26.920 --> 15:39.640]  So something's going on, maybe your policies are a little too lax on that, that 94% of your users may be coming from on-prem, so maybe that's normal , but who knows.
[15:39.640 --> 15:46.420]  So that's a good place to look, a little bit of, I don't know, Microsoft AI, some co-pilot stuff, maybe helping out with that.
[15:46.700 --> 15:49.360]  The other place is that coverage tab.
[15:49.800 --> 15:54.940]  So coverage tab, you're going to lean on a lot of the application-specific stuff.
[15:54.940 --> 16:04.480]  So one of the best practices for conditional access is to have at least one policy that applies to all resources in the environment.
[16:04.540 --> 16:18.960]  If you've configured things to be very piecemeal and very targeted on specific applications and you just tell yourself, well, it's fine, I'm just going to add applications as we get new applications, I don't think that's a great way to continue to do this.
[16:18.960 --> 16:23.760]  And here you can see where some of those gaps are and what your coverage on applications might look like.
[16:25.320 --> 16:33.420]  And then a brand new one that just came out within the last month or so is this policy impact.
[16:33.420 --> 16:46.860]  So this is right on the policy itself, where before you even fully configure the policy, you can look to see what this would have done over the last month or the last seven days.
[16:46.980 --> 16:56.840]  So no more setting a policy in report-only mode and telling yourself that you're going to go look at the logs and decide whether or not it actually needs to be turned on or not.
[16:56.840 --> 17:05.940]  Because I have seen, we do repeat assessments for customers where I have had a finding for a conditional access that was in report-only mode, and guess what?
[17:05.940 --> 17:09.160]  Next year, still in report-only mode, they're still working on it.
[17:09.160 --> 17:13.860]  So this is pretty cool to see how something would have behaved.
[17:15.480 --> 17:23.560]  ID power toys, this is a tool by Merrill Fernando, this is a conditional access documenter.
[17:24.640 --> 17:28.160]  I think it's powertoys.net or something like that.
[17:28.620 --> 17:36.560]  This one's interesting, because this one spits out a PowerPoint presentation for all of the conditional access policies that exist.
[17:37.080 --> 17:48.300]  This, I like to say, is kind of just highly visual and maybe good for some of the less technical people to be able to comprehend and look at the difference between a few policies.
[17:48.340 --> 17:55.220]  So this is an example of the block legacy authentication policy that I have in my test tenant.
[17:55.740 --> 18:01.860]  And then here's an example of one that's the require password change for high risk users.
[18:02.120 --> 18:05.900]  Super, super, super simple to run this tool.
[18:05.900 --> 18:14.680]  You can just copy and paste some JSON that will be spit out from a web request, or you can run some direct PowerShell against your tenant.
[18:18.470 --> 18:27.230]  So the next cool tool, probably my favorite tool right now, is Meister.dev framework.
[18:27.230 --> 18:32.830]  This is also built by Merrill, as well as a friend of mine, Thomas Naheim and Fabian Bader.
[18:32.910 --> 18:38.990]  The tool now has 417 checks as of a few days ago when I re-ran it.
[18:39.110 --> 18:45.430]  And that's up about 150 checks since the last time I did this presentation back in August.
[18:45.430 --> 18:48.930]  So they're adding checks very, very quickly.
[18:49.290 --> 18:56.810]  Also, I just double checked, and they're up to 24 of those checks are specific to conditional access best practice.
[18:56.810 --> 18:59.870]  So check out this tool.
[18:59.910 --> 19:04.610]  The way this looks when it spits out is also fabulous.
[19:04.610 --> 19:07.470]  So a passing check looks like this.
[19:07.470 --> 19:11.210]  So this is a check for application coverage that I had mentioned earlier .
[19:11.590 --> 19:19.590]  All targeted apps in a conditional access policy shows you which ones are passing.
[19:19.690 --> 19:24.590]  And if you click on one that fails, you'll see failed.
[19:24.670 --> 19:30.050]  For device compliance, I don't have devices in my lab, so that's fine for me to fail it.
[19:30.110 --> 19:36.930]  But if you do fail one and you're not really sure, like, what is this best practice or what is it, it'll have you link directly to Microsoft.
[19:36.930 --> 19:46.030]  It'll also give you a link to their website, which is really good at explaining more about the specific test and the details of how to correct it.
[19:49.850 --> 19:50.630]  All right.
[19:50.630 --> 19:54.130]  Last thing I'm going to show off is a simple script that I wrote.
[19:54.870 --> 19:57.970]  So this is on my personal GitHub.
[19:58.230 --> 20:00.610]  So github.com slash tech Brandon.
[20:00.730 --> 20:03.070]  It's called just CAPS.
[20:03.070 --> 20:03.870]  You'll find it.
[20:03.870 --> 20:05.090]  There's not a lot of stuff on there.
[20:06.030 --> 20:13.350]  But this I wrote off to show a few different things that are fairly easy to look at in conditional access.
[20:13.430 --> 20:16.290]  I also like to write code that's easy to read.
[20:16.390 --> 20:18.310]  So I hope that it's easy to read for you.
[20:18.310 --> 20:19.390]  It's also very short.
[20:19.390 --> 20:21.230]  So it's about 200 lines of code.
[20:21.390 --> 20:26.550]  So you're not going to have to work too hard before you run something that you don't necessarily trust.
[20:26.550 --> 20:37.890]  Back as a sysadmin, I really hated grabbing code off of a GitHub repository that didn't have a lot of stars or whatever, and without fully understanding exactly what was being run.
[20:37.890 --> 20:42.590]  So that's the intention of a lot of my code is I want it to be really short and sweet and to the point.
[20:44.750 --> 20:51.830]  So it's fairly infant stages still, but there are kind of three high-level things that it will spit out for you.
[20:51.830 --> 21:01.230]  So the first is it's going to give some high-level statistics, some information about how many policies exist, what state they're in, are they turned on, off, report only.
[21:01.250 --> 21:11.370]  And then it's going to list all of those policies for you, as well as the last time that they were modified, as well as created date, the state that they're in.
[21:12.570 --> 21:15.310]  And then it's going to attempt to place them into categories.
[21:15.310 --> 21:20.410]  So the categories are based on 13 of the best practices.
[21:20.410 --> 21:22.610]  Most of them are Microsoft best practices.
[21:22.610 --> 21:28.730]  Some of them may be mine or they come from the Meister framework or just kind of more general guidance.
[21:28.730 --> 21:38.330]  So this breaks them down into where it doesn't necessarily say that these are good policies, but they're at least trying to do these things, right?
[21:38.330 --> 21:42.990]  So it's at least trying to do legacy authentication being blocked.
[21:42.990 --> 21:45.470]  It's trying to do some MFA checks.
[21:46.550 --> 22:00.010]  And then some of the new ones that I added there on the right-hand side is some of the multi-factor for device join, as well as blocking authentication flows, which is also known as the device code authentication.
[22:00.010 --> 22:07.650]  So if you're all familiar with that sort of vulnerability that has existed for a while, it's now able to be blocked in conditional access.
[22:08.270 --> 22:10.590]  And then the... what was the last one?
[22:10.590 --> 22:11.930]  The secure registration.
[22:11.930 --> 22:14.310]  So that's one that I also added just recently, too.
[22:16.590 --> 22:22.890]  And then the last piece that I'm trying to do more of is actually add a little bit of intelligence inside of this.
[22:22.890 --> 22:27.350]  So I told you that the last screen was what it tries to do.
[22:27.830 --> 22:33.630]  This is digging a whole lot deeper and saying, okay, it does this well or it does not do this well.
[22:33.870 --> 22:36.550]  So these are two of the checks that I've got right now.
[22:36.550 --> 22:40.930]  It's going to look at any of the MFA policies that are targeting the administrative roles.
[22:40.990 --> 22:44.830]  It's going to look at those 14 default roles that I told you about.
[22:44.930 --> 22:50.130]  And then it's also going to compare that against the total number of roles that it's targeting.
[22:50.250 --> 22:56.910]  And so we can see in this top one, it's got the 14 of 14, but it's also got seven additional roles that it's using.
[22:57.030 --> 23:00.070]  And then some of the other ones are not quite as good.
[23:01.010 --> 23:05.530]  And then the second one, this is one that I also just added.
[23:05.530 --> 23:11.570]  This was some code I really didn't want to write, but I had to make myself do it because it was the one that I thought was the most important.
[23:11.570 --> 23:22.470]  So this, I've noticed that Microsoft has now changed a lot of their documentation from saying, require MFA for X or administrators must use MFA.
[23:22.470 --> 23:26.470]  They're now saying they must use authentication strengths.
[23:26.590 --> 23:31.330]  And they're also saying that they need to be passwordless capable or phishing resistant.
[23:31.390 --> 23:36.610]  So Microsoft has a great website that shows some of what those policies are.
[23:36.610 --> 23:42.670]  And so what this is doing is it's looking at any policy that has configured for authentication strengths.
[23:42.870 --> 23:56.990]  And it's checking to see if it includes like all MFA, because you can set it for authentication strengths, but then you can say, just use MFA and it's going to use all 17 different methods of MFA.
[23:56.990 --> 24:13.730]  Or that bottom one we have as a pass, because it only includes what's considered the phishing resistant or the passwordless, which is FIDO2 keys, Windows Hello for Business, Certificate Authentication, and Microsoft Authenticator Push.
[24:13.990 --> 24:18.590]  So it's going to kind of give you a little bit of a pass fail information as far as that goes.
[24:19.870 --> 24:20.770]  All right.
[24:20.770 --> 24:24.550]  And with that, I made up a little bit of time.
[24:24.610 --> 24:27.890]  I've got my thank you squirrel slide.
[24:27.890 --> 24:32.770]  And then here is some of the resources.
[24:33.830 --> 24:42.250]  I haven't uploaded this version of the presentation, but the previous one has all except for that very last link.
[24:42.250 --> 24:43.790]  That's on my GitHub as well.
[24:43.790 --> 24:46.030]  So you can grab the slides from there.
[24:46.030 --> 24:51.070]  They've been slightly changed a few additions, but most of the content is pretty much the same as it was.
[24:51.070 --> 24:56.550]  So I'll try to get that updated maybe sometime tomorrow, since I have other plans tonight.
[24:56.550 --> 24:59.030]  So with that, thank you all for being here.
[24:59.030 --> 25:05.430]  I swear I expected 10 people in the audience this late, but I really appreciate you all coming and sticking around.
[25:05.730 --> 25:11.930]  Would love to answer any questions in a few minutes that I've got or on the way to grab a beer.
[25:11.930 --> 25:13.190]  So thanks.
[25:24.850 --> 25:29.010]  If you have a question, you can raise your hand or you can come up here.
[25:35.050 --> 25:35.810]  Yes.
[25:35.810 --> 25:40.150]  The question was, I'm nervous about locking out my break class account.
[25:41.350 --> 25:48.310]  So as far as conditional access goes, I like to see it excluded absolutely everywhere.
[25:48.510 --> 25:53.270]  I've seen a lot of customers who really want to obfuscate what the name is.
[25:53.270 --> 26:01.670]  So they've got, I've had some that literally name it like numbers and letters that are randomized and they say, Hey, that can't appear in the report.
[26:01.810 --> 26:03.930]  Like they really want to protect it.
[26:04.190 --> 26:07.250]  Personally, I, I'm not as afraid of that.
[26:07.250 --> 26:08.130]  That should be detected.
[26:08.290 --> 26:19.470]  So your break glass accounts should always be monitored for login, because if they log in, there damn better will be a fire someplace for that break glass to be used.
[26:19.510 --> 26:22.670]  So if it's getting locked out, I would say same sort of thing.
[26:22.670 --> 26:27.070]  There's, there's a fire that's happening someplace or somebody's trying to start one, right?
[26:49.510 --> 26:53.750]  That's so that's a, I haven't, I'm not familiar with that, but that sounds fantastic.
[26:53.750 --> 26:56.310]  So the, is it mostly a comment?
[26:56.310 --> 27:07.210]  Um, uh, Microsoft MVP has been saying that they prefer to use certificate authentication on a user object and probably not even a user identity.
[27:07.210 --> 27:21.570]  I'm guessing like an application identity, uh, application identity to use as a break glass account because they're able to log in and still get to the Microsoft graph and leverage and possibly, you know, fix whatever is broken there to that.
[27:21.570 --> 27:26.370]  I, I guess I would just say like, yeah, secondary would be fantastic.
[27:26.370 --> 27:26.590]  Yeah.
[27:26.590 --> 27:28.310]  I would say I don't want to do that in a panic .
[27:28.310 --> 27:30.250]  Like I'm going to freak out anyway.
[27:30.710 --> 27:31.330]  Yeah.
[27:59.470 --> 28:00.310]  Yeah.
[28:01.950 --> 28:02.370]  Yeah.
[28:02.370 --> 28:16.950]  He was just adding extra context around, uh, the slide that I had that talked about a persona of the, um, no, I can't even think basically that the application accounts are the workflow, uh, workflow identities, workload identities.
[28:16.950 --> 28:17.790]  I was close.
[28:17.850 --> 28:20.910]  Um, and, and yeah, so the personas are cool.
[28:20.910 --> 28:25.570]  Cause if you've got those personas again, if you're using the break glass and yeah, there's going to be exceptions.
[28:25.950 --> 28:29.210]  And so you're going to have to be careful, but, but yeah.
[28:29.250 --> 28:29.950]  Um, okay.
[28:29.950 --> 28:32.670]  I think I'm going to bounce, but like I said, I'll be around.