Blocking Anonymization Services with O365

It's been a while since I last posted, mostly because I am on a new team at work. This is one of the things I was recently tasked with setting up that I can actually share. My manager linked me to this article and asked me to set it up. I unfortunately got stuck halfway through, so I decided to write a detailed post on how to set this up in my usual heavy-screenshot style.

For the project we will need to set up 3 policies: one in Conditional Access and the others within Cloud Apps. I will be linking to each area you will need, but as we all know Microsoft loves to move things around (seriously Microsoft, it doesn't keep things new and fresh, it's just annoying), so if links don't work check here for up-to-date shortcuts [cmd.ms]

Conditional Access

To create the Conditional Access policy, head over to Conditional Access

Click New Policy

Choose a name for your policy

Click Specific Users Included. For myself I only have a handful of users selected for testing purposes.

You may also want to add users to the exclusion list, such as a break-glass account.

You can specify which apps this applies to. As we have no business case where our users would legitimately be accessing any services from an anonymization service, we selected all cloud apps.

Next, select the devices you wish the policy to apply to. In my case the default had specific device types selected. Make sure you update this to any device.

For Session, check “Use Conditional Access App Control” and select “Use custom policy.” Save your work, then click “Configure custom policy” (this opens a new tab) or click here
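The same Conditional Access policy as above, built with the Microsoft Graph PowerShell SDK instead of clicking through the portal. This is an added example and not part of the original post; the user object IDs are placeholders you replace with your own, and the policy is created in report-only mode so you can review the sign-in logs before enforcing it.

```powershell
# Added example: create the Conditional Access policy from the steps above via Microsoft Graph.
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).
# All object IDs below are placeholders, not real values.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

$pilotUsers      = @("<object-id-of-test-user-1>", "<object-id-of-test-user-2>")  # placeholder: specific users for testing
$breakGlassUsers = @("<object-id-of-break-glass-account>")                        # placeholder: emergency access account excluded

$policy = @{
    displayName = "Session - Route all cloud apps through Conditional Access App Control"
    # Start in report-only mode; switch to "enabled" once the sign-in logs look right.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = $pilotUsers
            excludeUsers = $breakGlassUsers
        }
        # "All cloud apps": there is no business case for legitimate access over an anonymizer.
        applications   = @{ includeApplications = @("All") }
        # Leaving the platforms condition unset applies the policy to any device type.
        clientAppTypes = @("all")
    }
    # Session control "Use Conditional Access App Control" with "Use custom policy",
    # which is cloudAppSecurityType = mcasConfigured in the Graph schema.
    sessionControls = @{
        cloudAppSecurity = @{
            isEnabled            = $true
            cloudAppSecurityType = "mcasConfigured"
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Read the policy back and confirm the session control was applied.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
if ($check.SessionControls.CloudAppSecurity.CloudAppSecurityType -ne "mcasConfigured") {
    throw "Session control was not applied as expected"
}
```

Report-only mode is deliberate: a session control that routes every cloud app through the proxy affects all sign-ins for the included users, so checking the sign-in log's report-only results for a day is a cheap way to catch a misconfigured scope before it locks someone out.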

Cloud Apps

By default, no apps are specified. If this is already filled in, you can skip ahead; otherwise follow the instructions below to set up auto-population.

Navigate down the menu to the right and click App onboarding/maintenance

Specify an account you would like to use. This can be any account that can access 365 services. I added my own account and a test account, then started navigating through services. After a few hours, the Conditional Access App Control apps should be populated automatically.

Next we will need to set up a policy. Expand Cloud Apps > Policies > Policy Management, or click here

Click Create Policy

Select Activity Policy

In my case I created one for Anonymous Proxy, Botnet, and TOR.

Note: If you were me, you would also try to set one up for VPN. Unfortunately the VPN option is actually intended for your corporate VPN in Azure, not for blocking anonymizing VPN providers. As far as I can tell, Microsoft doesn't have the functionality for blocking VPN providers. This unfortunately means there are still a few holes you need to handle manually.
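One way to cover that VPN-provider gap manually is a Conditional Access named location holding the provider egress ranges you have sourced yourself, with a block policy attached to it. This is an added example, not from the original post: the CIDR ranges are constructed RFC 5737 documentation addresses rather than real provider ranges, and the break-glass object ID is a placeholder.

```powershell
# Added example: a manually maintained named location of anonymizing VPN egress ranges,
# blocked by a separate Conditional Access policy. Not from the original post.
# The ranges below are constructed documentation addresses (RFC 5737); replace them
# with ranges you have sourced and keep the list updated as providers change.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$providerRanges = @("203.0.113.0/24", "198.51.100.0/25")   # constructed sample ranges

# Build the IP named location (untrusted) from the range list.
$location = @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Anonymizing VPN providers (manually maintained)"
    isTrusted     = $false
    ipRanges      = @($providerRanges | ForEach-Object {
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = $_ }
    })
}
$named = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $location
"Created named location $($named.Id)"

# Block sign-ins from that location for all users except the break-glass account,
# again starting in report-only mode so false positives show up in the logs first.
$blockPolicy = @{
    displayName = "Block - Anonymizing VPN providers"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @("<object-id-of-break-glass-account>")   # placeholder
        }
        applications   = @{ includeApplications = @("All") }
        locations      = @{ includeLocations = @($named.Id) }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $blockPolicy
"Created block policy $($created.Id) in state $($created.State)"
```

The weakness of this approach is the list itself: provider ranges change, and a stale named location silently stops matching, so treat refreshing the ranges as a recurring task rather than a one-off.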

From my testing it takes a few hours after the policies are enabled for them to fully come into effect. I would recommend waiting 24 hours before you fully test your configuration. If everything is successful, you should see the following when you attempt to access 365 services from any anonymization service.

Author: Robyn
