Hey folks, hopefully at this point you have started or are starting to tackle the legacy authentication in your environment. A customer I work with disabled it for 80% of their environment and had 0 help desk calls because of how they did it. A quick Friday thread 1/
First they wanted to see what they had. They used the Legacy Auth report we have in Azure AD workbooks. One of the many excellent workbooks there. https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-use-azure-monitor-workbooks#sign-ins-using-legacy-authentication Anyone using Legacy today got put in the exclusion group to start with. 2/
Azure Monitor workbooks for reports

Learn how to use Azure Monitor workbooks for Azure Active Directory reports.

https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-use-azure-monitor-workbooks#sign-ins-using-legacy-authentication
Then they created the CA policy following https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/block-legacy-authentication. But they put it in Report Only Mode. https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-insights-reporting And let it sit for 2-3 months. They wanted a quarter of data to feel good. Anyone that would have gotten blocked, went into that exception group 3/
Conditional Access insights and reporting workbook - Azure Active Directory

Using the Azure AD Conditional Access insights and reporting workbook to troubleshoot policies

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/block-legacy-authentication
After that time elapsed they felt good about it. They changed the CA policy from Report-Only to On. That's it. Really that's all they did. 80% weren't using it today and they didn't know the difference. The 20% are excluded while they work through moving to modern auth. 4/
They put an Access Review on the exclusion group to help track the progress https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion. They are just tackling it protocol by protocol and business unit by business unit. They have a target date set. And just marching towards it. That simple 5/.
Manage users excluded from Conditional Access policies - Azure AD

Learn how to use Azure Active Directory (Azure AD) access reviews to manage users that have been excluded from Conditional Access policies

https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion
So if you haven't started on this today. Start collecting that data. You can do this. They literally just followed those few docs. No broken apps and help desk calls from users. And dont worry about trying to do all of it at once. Some is better than none! Chop away at it. 6/.
If you follow this same method send a thank you to @Daniel_E_Wood and @Caleb_B. Awesome work by them, the dev team and many others made it a non event. Start working on this TODAY! /fin.
You can follow @markmorow.
Tip: mention @twtextapp on a Twitter thread with the keyword “unroll” to get a link to it.

Latest Threads Unrolled:
Those who think consciousness raising & movement building are disconnected, or even a distraction from electoral politics have not paid attention to the history of social change.In this thread, we
Read more
The 2020s will be known as the Remote Work decadeA few predictions of what is likely to emerge[ a thread ] Third Space: Office and Working from Home will
Read more
1/29: Have you ever had a concept explained to you that helps frame complex issues you’ve been wrestling with and opens your eyes to new possibilities? A concept that I
Read more
By continuing to use the site, you are consenting to the use of cookies as explained in our Cookie Policy to improve your experience.