
Lab 03: Solution - Portal Walkthrough

Only refer to this after attempting the tasks yourself!


Pre-Lab Setup

Create Break-Glass Account

  1. Go to Entra ID → Users → + New user → Create new user
  2. Configure:
    • User principal name: breakglass1 (use the tenant's default *.onmicrosoft.com domain so the account never depends on a custom domain or on federation being up)
    • Display name: Break Glass Admin 1
    • Auto-generate password: Yes (copy and store securely!)
  3. Click Next: Properties
    • Leave minimal info (this is emergency only)
  4. Click Next: Assignments
    • Add role: Global Administrator
  5. Create

Store the password in a physical safe or secure offline location. Microsoft recommends at least two such cloud-only emergency accounts; this lab creates one, and it must be excluded from every Conditional Access policy you create below.

Create Exclusion Group

  1. Go to Entra ID → Groups → + New group
  2. Configure:
    • Group type: Security
    • Group name: CA-Exclude-BreakGlass
    • Description: Emergency accounts excluded from all Conditional Access
    • Membership type: Assigned
    • Members: Add Break Glass Admin 1
  3. Create

Create Pilot Group

  1. Same process:
    • Group name: CA-Pilot-Users
    • Members: Add 2-3 test users

Task 2: Create Named Locations

Corporate Office IPs

  1. Go to Entra ID → Security → Conditional Access
  2. Click Named locations in left menu
  3. Click + IP ranges location
  4. Configure:
    • Name: Corporate-Office-IPs
    • Mark as trusted location: Yes
    • Click + to add IP range
    • Enter: YOUR.PUBLIC.IP/32 (e.g., 203.0.113.50/32). This is the public egress address your office traffic leaves from, as seen in your own sign-in log entries, not a private 10.x or 192.168.x address
    • For multiple IPs/ranges, add each one
  5. Create

Blocked Countries

  1. Still in Named locations
  2. Click + Countries location
  3. Configure:
    • Name: Blocked-High-Risk-Countries
    • Determine location by: IP address (recommended)
    • Select countries (example: North Korea, Russia, China - adjust per your policy)
    • Include unknown countries/regions: Yes (this also matches sign-ins whose IP cannot be geolocated, so review the report-only results for false positives before enforcing)
  4. Create

Task 3: Block High-Risk Countries Policy

  1. Go to Conditional Access → Policies
  2. Click + New policy

Name

  • Enter: BLOCK - High Risk Countries

Assignments - Users

  1. Under Users, click 0 users and groups selected
  2. Include tab → Select All users
  3. Exclude tab → Check Users and groups
    • Click Select excluded users and groups
    • Search and select: CA-Exclude-BreakGlass
    • Click Select

Target Resources

  1. Under Target resources, click No target resources selected
  2. Select what this policy applies to: Cloud apps
  3. Include tab → Select All cloud apps

Conditions

  1. Under Conditions, click 0 conditions selected
  2. Click Locations
  3. Configure: Yes
  4. Include tab → Select Selected locations
    • Check: Blocked-High-Risk-Countries
  5. Done

Access Controls

  1. Under Grant, click 0 controls selected
  2. Select Block access
  3. Select

Enable Policy

  1. At bottom, Enable policy: Select Report-only
  2. Click Create

Task 4: Require MFA for All Users Policy

  1. + New policy

Configuration

  • Name: GRANT - Require MFA for All Users

  • Users:

    • Include: All users
    • Exclude: CA-Exclude-BreakGlass
  • Target resources:

    • Include: All cloud apps
  • Conditions:

    • Leave all as Not configured
  • Grant:

    • Select Grant access
    • Check: Require multifactor authentication
    • Click Select
  • Enable policy: Report-only

  1. Create

Task 5: MFA When Not in Office Policy

  1. + New policy

Configuration

  • Name: GRANT - MFA When Not in Office

  • Users:

    • Include: All users
    • Exclude: CA-Exclude-BreakGlass
  • Target resources:

    • Include: All cloud apps
  • Conditions:

    • Click Locations → Configure: Yes
    • Include: Any location
    • Exclude: Selected locations → Check Corporate-Office-IPs
    • Done
  • Grant:

    • Grant access
    • Check: Require multifactor authentication
    • Select
  • Enable policy: Report-only

  1. Create

Task 6: Strong Auth for Azure Management

  1. + New policy

Configuration

  • Name: GRANT - Strong Auth for Azure Management

  • Users:

    • Include: Click Select users and groups
    • Check Directory roles
    • Select roles:
      • Global Administrator
      • User Administrator
      • Application Administrator
      • (Add others as needed)
    • Exclude: CA-Exclude-BreakGlass
  • Target resources:

    • Select what this policy applies to: Cloud apps
    • Include: Select apps
    • Click None → Search for Microsoft Azure Management
    • Select it → Select
  • Conditions:

    • Leave all as Not configured
  • Grant:

    • Grant access
    • Select Require authentication strength
    • Choose: Phishing-resistant MFA
    • Select
  • Enable policy: Report-only

  1. Create

Task 7: Block Legacy Authentication

  1. + New policy

Configuration

  • Name: BLOCK - Legacy Authentication

  • Users:

    • Include: All users
    • Exclude: CA-Exclude-BreakGlass
  • Target resources:

    • Include: All cloud apps
  • Conditions:

    • Click Client apps → Configure: Yes
    • UNCHECK: Browser, Mobile apps and desktop clients (modern-authentication clients stay allowed)
    • CHECK: Exchange ActiveSync clients, Other clients (these two categories cover legacy authentication: basic-auth IMAP, POP, SMTP, MAPI and older Office clients)
    • Done
  • Grant:

    • Select Block access
    • Select
  • Enable policy: Report-only

  1. Create
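The same five policies expressed as Microsoft Graph `conditionalAccessPolicy` request bodies, plus a small check for the mistakes listed under Task 9 (break-glass not excluded, not starting in report-only, a block with no narrowing condition). This is an added example, not part of the lab or of Microsoft's tooling. The three tenant object IDs are placeholders you replace with the IDs from your own tenant; the application, role-template and authentication-strength IDs are Microsoft's fixed identifiers, and the code notes where to confirm the strength id.

```python
import json

# Tenant-specific object IDs. PLACEHOLDERS: replace with the IDs from your tenant
# (Entra ID -> Groups / Named locations -> open the object -> Properties).
BREAKGLASS_GROUP = "11111111-1111-4111-8111-111111111111"   # CA-Exclude-BreakGlass
OFFICE_LOCATION = "22222222-2222-4222-8222-222222222222"    # Corporate-Office-IPs
BLOCKED_COUNTRIES = "33333333-3333-4333-8333-333333333333"  # Blocked-High-Risk-Countries

# Fixed Microsoft identifiers (the same in every tenant).
AZURE_MANAGEMENT_APP = "797f4846-ba00-4fd7-ba43-dac1f8f63013"  # "Microsoft Azure Management"
ROLE_TEMPLATES = {
    "Global Administrator": "62e90394-69f5-4237-9190-012177145e10",
    "User Administrator": "fe930be7-5e62-47db-91af-98c3a49a38b1",
    "Application Administrator": "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",
}
# Built-in "Phishing-resistant MFA" authentication strength. Confirm the id in
# your tenant: GET /identity/conditionalAccess/authenticationStrength/policies
PHISHING_RESISTANT_MFA = "00000000-0000-0000-0000-000000000004"

REPORT_ONLY = "enabledForReportingButNotEnforced"   # the portal's "Report-only"

ALL_USERS = {"includeUsers": ["All"]}
BLOCK = {"operator": "OR", "builtInControls": ["block"]}
REQUIRE_MFA = {"operator": "OR", "builtInControls": ["mfa"]}


def policy(name, users, grant, apps=None, **conditions):
    """One conditionalAccessPolicy body, always created in report-only mode and
    always excluding the break-glass group unless the caller overrides it."""
    users = dict(users)                                   # do not mutate ALL_USERS
    users.setdefault("excludeGroups", [BREAKGLASS_GROUP])
    return {
        "displayName": name,
        "state": REPORT_ONLY,
        "conditions": {
            "users": users,
            "applications": apps or {"includeApplications": ["All"]},
            **conditions,                                 # locations, clientAppTypes, ...
        },
        "grantControls": grant,
    }


def build_policies():
    """The five policies of Tasks 3-7, keyed by display name."""
    pols = [
        policy("BLOCK - High Risk Countries", ALL_USERS, BLOCK,
               locations={"includeLocations": [BLOCKED_COUNTRIES]}),
        policy("GRANT - Require MFA for All Users", ALL_USERS, REQUIRE_MFA),
        policy("GRANT - MFA When Not in Office", ALL_USERS, REQUIRE_MFA,
               locations={"includeLocations": ["All"],
                          "excludeLocations": [OFFICE_LOCATION]}),
        policy("GRANT - Strong Auth for Azure Management",
               {"includeRoles": list(ROLE_TEMPLATES.values())},
               {"operator": "OR",
                "authenticationStrength": {"id": PHISHING_RESISTANT_MFA}},
               apps={"includeApplications": [AZURE_MANAGEMENT_APP]}),
        policy("BLOCK - Legacy Authentication", ALL_USERS, BLOCK,
               clientAppTypes=["exchangeActiveSync", "other"]),
    ]
    return {p["displayName"]: p for p in pols}


def lint(pol, breakglass_group=BREAKGLASS_GROUP):
    """Return the 'Common Mistakes' a policy body exhibits (empty list = clean)."""
    findings = []
    c = pol["conditions"]
    if breakglass_group not in c["users"].get("excludeGroups", []):
        findings.append("break-glass group is not excluded")
    if pol["state"] != REPORT_ONLY:
        findings.append("not starting in report-only")
    blocks = "block" in pol["grantControls"].get("builtInControls", [])
    everyone = c["users"].get("includeUsers") == ["All"]
    everything = c["applications"].get("includeApplications") == ["All"]
    # A block is only safe when something narrows it: a specific location set
    # or a specific client-app set. "All locations" with exclusions still blocks
    # everyone else, so it does not count as narrowing here.
    scoped = (c.get("locations", {}).get("includeLocations", ["All"]) != ["All"]
              or c.get("clientAppTypes", ["all"]) != ["all"])
    if blocks and everyone and everything and not scoped:
        findings.append("block on all users/apps with no narrowing condition")
    return findings


if __name__ == "__main__":
    for name, pol in build_policies().items():
        print(f"{name}: {lint(pol) or 'OK'}")
    # Each body is ready for:
    # POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
    print(json.dumps(build_policies()["BLOCK - Legacy Authentication"], indent=2))
```

Run `lint` on every body before you POST it; the check is the scripted form of the list in Task 9, and it catches the lockout cases the portal will happily let you save.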

Task 8: Test Using Sign-in Logs

Accessing Sign-in Logs

  1. Go to Entra ID → Sign-in logs (under Monitoring)

Finding Relevant Entries

  1. Click Add filters
  2. Add filter: User → Enter test user's name
  3. Add filter: Date → Last 24 hours
  4. Click Apply

Analyzing a Sign-in

  1. Click on a sign-in entry
  2. In the details pane, click Conditional Access tab
  3. You'll see a list of policies and their result:
    • Success: the policy applied and the user met its requirements
    • Failure: the policy applied and the user was blocked or did not satisfy its controls
    • Not applied: the policy's conditions did not match this sign-in
    • Report-only: Success: would have succeeded if the policy were On
    • Report-only: Failure: would have failed if the policy were On
    • Report-only: Not applied: conditions did not match; the policy would not have affected this sign-in

What to Look For

  • Are any legitimate sign-ins showing "Report-only: Failure"?
  • Are expected policies being evaluated?
  • Is the location detected correctly?
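A way to run the "What to Look For" checks over a downloaded batch of sign-ins instead of opening entries one at a time. This is an added example, not part of the lab. The sign-ins are a constructed sample in the shape of the Graph `signIn` resource (the format of Sign-in logs → Download → JSON); the users, IPs and policy outcomes are fictitious.

```python
import json
from collections import Counter, defaultdict

# Constructed sample in the shape of the Graph `signIn` resource. Not real data.
SAMPLE_SIGNINS = json.loads(r"""[
 {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Browser",
  "ipAddress": "203.0.113.50", "location": {"countryOrRegion": "US"},
  "appliedConditionalAccessPolicies": [
   {"displayName": "BLOCK - High Risk Countries", "result": "reportOnlyNotApplied", "enforcedGrantControls": []},
   {"displayName": "GRANT - Require MFA for All Users", "result": "reportOnlySuccess", "enforcedGrantControls": ["Mfa"]},
   {"displayName": "BLOCK - Legacy Authentication", "result": "reportOnlyNotApplied", "enforcedGrantControls": []}]},
 {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "Exchange ActiveSync",
  "ipAddress": "198.51.100.23", "location": {"countryOrRegion": "DE"},
  "appliedConditionalAccessPolicies": [
   {"displayName": "BLOCK - High Risk Countries", "result": "reportOnlyNotApplied", "enforcedGrantControls": []},
   {"displayName": "GRANT - Require MFA for All Users", "result": "reportOnlyFailure", "enforcedGrantControls": ["Mfa"]},
   {"displayName": "BLOCK - Legacy Authentication", "result": "reportOnlyFailure", "enforcedGrantControls": ["Block"]}]},
 {"userPrincipalName": "carol@contoso.example", "clientAppUsed": "Browser",
  "ipAddress": "192.0.2.77", "location": {"countryOrRegion": "RU"},
  "appliedConditionalAccessPolicies": [
   {"displayName": "BLOCK - High Risk Countries", "result": "reportOnlyFailure", "enforcedGrantControls": ["Block"]},
   {"displayName": "GRANT - Require MFA for All Users", "result": "reportOnlySuccess", "enforcedGrantControls": ["Mfa"]},
   {"displayName": "BLOCK - Legacy Authentication", "result": "reportOnlyNotApplied", "enforcedGrantControls": []}]},
 {"userPrincipalName": "breakglass1@contoso.example", "clientAppUsed": "Browser",
  "ipAddress": "203.0.113.51", "location": {"countryOrRegion": "US"},
  "appliedConditionalAccessPolicies": [
   {"displayName": "BLOCK - High Risk Countries", "result": "reportOnlyNotApplied", "enforcedGrantControls": []},
   {"displayName": "GRANT - Require MFA for All Users", "result": "reportOnlyNotApplied", "enforcedGrantControls": []},
   {"displayName": "BLOCK - Legacy Authentication", "result": "reportOnlyNotApplied", "enforcedGrantControls": []}]}
]""")


def summarize(signins):
    """Result counts per policy: the Conditional Access tab over many sign-ins."""
    per_policy = defaultdict(Counter)
    for s in signins:
        for p in s.get("appliedConditionalAccessPolicies", []):
            per_policy[p["displayName"]][p["result"]] += 1
    return per_policy


def report_only_failures(signins):
    """Sign-ins that succeeded now but a report-only policy would have stopped:
    the 'legitimate sign-ins showing Report-only: Failure' question."""
    hits = []
    for s in signins:
        for p in s.get("appliedConditionalAccessPolicies", []):
            if p["result"] == "reportOnlyFailure":
                hits.append({
                    "user": s["userPrincipalName"],
                    "policy": p["displayName"],
                    "controls": [c.lower() for c in p.get("enforcedGrantControls", [])],
                    "country": s.get("location", {}).get("countryOrRegion"),
                    "client": s.get("clientAppUsed"),
                })
    return hits


def would_be_blocked(signins):
    """The failures whose unmet control is a hard block: switching that policy
    to On locks these users out rather than prompting them for MFA."""
    return [h for h in report_only_failures(signins) if "block" in h["controls"]]


def unexpected_countries(signins, allowed):
    """Sign-ins geolocated outside the countries you expect: a real traveller,
    or bad IP geolocation that a country block would hit."""
    return sorted({(s["userPrincipalName"], s["location"]["countryOrRegion"], s["ipAddress"])
                   for s in signins
                   if s.get("location", {}).get("countryOrRegion") not in allowed})


def exclusion_holds(signins, upn):
    """True when every policy evaluated for `upn` came back not applied, i.e.
    the break-glass exclusion really is present in every policy."""
    results = {p["result"] for s in signins if s["userPrincipalName"] == upn
               for p in s.get("appliedConditionalAccessPolicies", [])}
    return bool(results) and results <= {"notApplied", "reportOnlyNotApplied"}


if __name__ == "__main__":
    for name, counts in summarize(SAMPLE_SIGNINS).items():
        print(name, dict(counts))
    for h in would_be_blocked(SAMPLE_SIGNINS):
        print("would be blocked:", h["user"], "by", h["policy"], "from", h["country"], h["client"])
    print("outside expected countries:", unexpected_countries(SAMPLE_SIGNINS, {"US", "DE"}))
    print("break-glass excluded everywhere:", exclusion_holds(SAMPLE_SIGNINS, "breakglass1@contoso.example"))
```

Point it at a day's export before each step of Task 9: an empty `would_be_blocked` list for the policy you are about to switch On, and `exclusion_holds` returning True for the break-glass UPN, are the two results you want to see.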

Task 9: Enabling Policies

Safe Enablement Process

For each policy:

  1. Go to Conditional Access → Policies
  2. Click the policy name
  3. Scroll to Enable policy
  4. Change from Report-only to On
  5. Click Save
  6. Monitor for 24 hours before enabling next policy

Emergency Rollback

If users report being locked out:

  1. Sign in with break-glass account
  2. Go to the problematic policy
  3. Change to Report-only or Off
  4. Save
  5. Investigate sign-in logs to understand what happened

Common Mistakes to Avoid

  1. Forgetting to exclude break-glass - Always exclude emergency accounts
  2. Testing on yourself first - Don't lock out your only admin account
  3. Enabling all policies at once - Enable one at a time
  4. Not testing Report-only first - Always test before enforcing
  5. Blocking "All locations" instead of specific ones - Be precise
  6. Not considering mobile apps - Client apps affect what's blocked
  7. Conflicting policies - Every policy that matches a sign-in must be satisfied: a Block in any matching policy wins over a Grant in another, and the grant controls of all matching policies are combined

Released under the MIT License.