-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathlab-11-ca-token-analysis
More file actions
128 lines (90 loc) · 3.14 KB
/
lab-11-ca-token-analysis
File metadata and controls
128 lines (90 loc) · 3.14 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
# Lab 11 — Conditional Access Enforcement & Token Outcome Analysis
## Purpose (Why This Lab Exists)
Establish a **clean, observable cause-and-effect link** between:
- Conditional Access (CA) policy evaluation
- Token issuance vs. non-issuance
- How success and failure are represented in Microsoft Entra ID sign-in logs
This lab is not about MFA setup.
It is about **understanding enforcement mechanics and log interpretation**.
---
## Core Architecture in Play
- **Identity Provider:** Microsoft Entra ID
- **Subject:** User 4 (human identity)
- **Client:** Browser (interactive sign-in)
- **Resource:** Microsoft Graph
- **Access Model:** Delegated permissions
- **Enforcement Layer:** Conditional Access
---
## Key Configuration State
- Security Defaults: **Disabled**
- Baseline MFA policy: **Disabled**
- Single Conditional Access policy used for enforcement:
- Target: User 4
- Cloud apps: All
- Condition: Device platform
- Grant control:
- Block access (mobile)
- Allow access (notebook)
This ensured **CA was the only decision point**.
---
## Observed Outcomes (Critical)
### 1. Notebook Sign-In (Allowed)
- Result: **Success**
- Conditional Access: **Success**
- MFA: Satisfied (prompted and completed)
- Token outcome: **Delegated access token issued**
- Interpretation:
- CA evaluated → allowed
- Grant controls satisfied
- Token issuance permitted
### 2. Phone Sign-In (Blocked)
- Result: **Failure**
- Conditional Access: **Failure**
- MFA: **Not reached**
- Token outcome: **No token issued**
- Interpretation:
- CA evaluated → blocked
- Block = enforcement success, but logged as “Failure”
- No authentication continuation
---
## Exam-Critical Semantics
- **“Failure” in sign-in logs does NOT mean misconfiguration**
- It means access was denied per policy
- **Conditional Access success ≠ user success**
- CA success means the policy applied
- **Blocked sign-ins never produce tokens**
- **MFA is only evaluated if CA allows authentication to proceed**
---
## Token Reasoning (Without Seeing Tokens)
You never see tokens in the portal.
Instead, infer them:
- If CA = Success + MFA satisfied → **token must exist**
- If CA = Failure → **no token exists**
- Delegated permission present + user sign-in → `scp` claim must exist
- Resource listed = token audience
This inference model is exactly what SC-300 tests.
---
## Logging Realities (Important)
- Sign-in logs can be **delayed by several minutes**
- Device platform (e.g., iOS) may appear after refresh
- Always verify:
- Device info
- Conditional Access tab
- Authentication Details
Do not draw conclusions from a single refresh.
---
## Final Mental Model
Conditional Access is a **gate in front of token issuance**.
- Allowed path → token issued
- Blocked path → token never exists
Logs record **decisions**, not secrets.
---
## Lab Outcome
The tenant can now:
- Enforce access based on device context
- Produce deterministic allow/deny outcomes
- Support future labs involving:
- Token reasoning
- App enforcement paths
- Conditional Access diagnostics
This lab establishes the enforcement foundation for all subsequent identity work.