Tag: Conditional Access

  • Terraform for M365 & Azure (With Real Examples)

    Title:

    Terraform for M365 and Azure — Infrastructure-as-Code Made Simple

    Introduction

    Terraform is one of the most powerful tools for managing cloud environments because it lets you declare what you want and Azure builds it. No guessing. No clicking. No forgetting what you changed.

    Even if M365 doesn’t support Terraform natively for all workloads, you can still automate Azure AD (Entra ID), Conditional Access, Groups, SPNs, Networking, Key Vault, and App Registrations through the azurerm and azuread providers; the azuread provider talks to Microsoft Graph under the hood.

    I used IaC principles while supporting Church systems — Terraform makes environments repeatable, auditable, and consistent.


    1. Installing Terraform

    choco install terraform
    

    2. Azure Login Block

    provider "azurerm" {
      features {}
    }
    
    provider "azuread" {
    }
    

    3. Creating an Azure Resource Group

    resource "azurerm_resource_group" "rg1" {
      name     = "M365AutomationRG"
      location = "WestUS2"
    }
    

    4. Creating an Azure AD Group

    resource "azuread_group" "security_group" {
      display_name     = "M365-Automation-Admins"
      security_enabled = true
    }
    

    5. Creating an App Registration + Secret

    resource "azuread_application" "app" {
      display_name = "Terraform-Automation-App"
    }
    
    # azuread provider 2.x naming; 3.x renames application_id to client_id
    # and application_object_id to application_id (see the provider upgrade guide).
    resource "azuread_service_principal" "sp" {
      application_id = azuread_application.app.application_id
    }
    
    # The generated secret is written to Terraform state in plaintext:
    # protect the state backend the same way you would protect the secret.
    resource "azuread_application_password" "sp_secret" {
      application_object_id = azuread_application.app.id
      display_name          = "secret1"
    }
    

    6. Conditional Access via Terraform (Yes, possible!)

    Uses the azuread Terraform provider (backed by Microsoft Graph). Conditional Access references locations by named-location ID rather than by country code, so the country has to be defined as a named location first.

    # Named location for the US; the policy references it by ID.
    resource "azuread_named_location" "us" {
      display_name = "United States"
      country {
        countries_and_regions                 = ["US"]
        include_unknown_countries_and_regions = false
      }
    }
    
    # Blocks every user from every app outside the US. Before enabling, exclude
    # a break-glass group and the identity running Terraform, or you can lock
    # yourself out; "enabledForReportingButNotEnforced" is the safe first state.
    resource "azuread_conditional_access_policy" "block_non_us" {
      display_name = "Block Non-US IP"
      state        = "enabled"
    
      conditions {
        client_app_types = ["all"]
    
        applications {
          included_applications = ["All"]
        }
    
        users {
          included_users = ["All"]
        }
    
        locations {
          included_locations = ["All"]
          excluded_locations = [azuread_named_location.us.id]
        }
      }
    
      grant_controls {
        operator          = "OR"
        built_in_controls = ["block"]
      }
    }
    

    7. Create an M365 Group (Unified Group)

    # Same azuread provider; types = ["Unified"] makes it a Microsoft 365 group.
    resource "azuread_group" "m365_group" {
      display_name     = "Engineering Team"
      mail_nickname    = "engineering"
      security_enabled = false
      mail_enabled     = true
      types            = ["Unified"]
    }
    

    8. Create Azure Key Vault

    # Tenant of the identity running Terraform; the vault below references it.
    data "azuread_client_config" "current" {}
    
    # No access policy or RBAC role is granted here, so add one for whoever
    # needs to read or write secrets before using the vault.
    resource "azurerm_key_vault" "kv" {
      name                = "m365-keyvault-prod"
      location            = azurerm_resource_group.rg1.location
      resource_group_name = azurerm_resource_group.rg1.name
      tenant_id           = data.azuread_client_config.current.tenant_id
      sku_name            = "standard"
    }
    
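    As an added example that ties sections 5 and 8 together (not code from the original post): a second, scheduled-rotation app secret whose value is stored in the Key Vault so consumers never read it from state or a CI variable. It assumes the `azuread_application.app` and `azurerm_key_vault.kv` resources above, the `data.azuread_client_config.current` block that section 8 references, and the hashicorp/time provider.

```hcl
# Drives rotation: when the 90-day window elapses this resource's id changes,
# and every resource keyed on it is replaced on the next apply.
resource "time_rotating" "app_secret" {
  rotation_days = 90
}

resource "azuread_application_password" "rotated_secret" {
  application_object_id = azuread_application.app.id   # 3.x: application_id
  display_name          = "terraform-rotated"
  # One week of life beyond the rotation date, so a late apply does not leave
  # the service principal holding an already-expired credential.
  end_date = timeadd(time_rotating.app_secret.rotation_rfc3339, "168h")
  rotate_when_changed = {
    rotation = time_rotating.app_secret.id
  }
}

# The page's vault grants nobody access; give the deploying identity
# secret permissions so it can write (and later purge) the entry.
resource "azurerm_key_vault_access_policy" "deployer" {
  key_vault_id       = azurerm_key_vault.kv.id
  tenant_id          = data.azuread_client_config.current.tenant_id
  object_id          = data.azuread_client_config.current.object_id
  secret_permissions = ["Get", "List", "Set", "Delete", "Recover", "Purge"]
}

# Vault entry expires with the credential, so stale copies stop working too.
# Note: the value still lands in Terraform state; protect the state backend.
resource "azurerm_key_vault_secret" "app_secret" {
  name            = "terraform-automation-app-secret"
  value           = azuread_application_password.rotated_secret.value
  key_vault_id    = azurerm_key_vault.kv.id
  content_type    = "azuread-application-password"
  expiration_date = azuread_application_password.rotated_secret.end_date
  depends_on      = [azurerm_key_vault_access_policy.deployer]
}
```

    Once the rotation date passes, a single `terraform apply` replaces the password and updates the vault entry in the same run.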

    Conclusion

    Terraform is the “blueprint” of modern cloud administration.
    Clicking creates inconsistencies — IaC creates reliable, repeatable deployments.


    © 2012–2025 Jet Mariano. All rights reserved.
    For usage terms, please see the Legal Disclaimer.

  • CIS Hardening Standards in M365 (With Examples)

    Title:

    CIS for Microsoft 365 — Practical Hardening You Can Apply Today

    Introduction

    CIS (Center for Internet Security) publishes best-practice security baselines. In M365, CIS basically means:

    • Hardening Azure AD
    • Enforcing access control
    • Strengthening authentication
    • Improving logging
    • Locking down Exchange, SharePoint, and Teams
    • Using Conditional Access correctly
    • Reducing attack surface

    Below is the real-world version, not the theoretical one.


    1. Require MFA (CIS Level 1 Control)

    CIS Recommendation: MFA for all accounts.

    How to apply:
    Use Conditional Access:

    • Include: All users
    • Exclude: Break-glass admin
    • Require MFA
    • State: On

    2. Disable Legacy Authentication

    CIS Control: Block Basic Auth.

    Azure Example:
    CA Policy → Block legacy protocols
    Exchange → Disable POP/IMAP/SMTP AUTH
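    The two Conditional Access policies from sections 1 and 2 expressed in Terraform, as an added example (not from the original post) using the azuread provider's `azuread_conditional_access_policy` resource. It assumes the break-glass accounts already sit in a security group; the group name `CA-Exclude-BreakGlass` is a placeholder.

```hcl
# Break-glass accounts live in one dedicated group so every CA policy can
# exclude them the same way. Group name is a placeholder for your tenant.
data "azuread_group" "break_glass" {
  display_name     = "CA-Exclude-BreakGlass"
  security_enabled = true
}

# CIS 1: require MFA for all users, all cloud apps, all client types.
resource "azuread_conditional_access_policy" "require_mfa" {
  display_name = "CIS - Require MFA for all users"
  # Start in report-only, review sign-in logs, then flip to "enabled".
  state = "enabledForReportingButNotEnforced"
  conditions {
    client_app_types = ["all"]

    applications {
      included_applications = ["All"]
    }

    users {
      included_users  = ["All"]
      excluded_groups = [data.azuread_group.break_glass.object_id]
    }
  }
  grant_controls {
    operator          = "OR"
    built_in_controls = ["mfa"]
  }
}

# CIS 2: block legacy (basic-auth) protocols, which can never satisfy MFA.
# "other" covers legacy clients such as POP/IMAP/SMTP AUTH; ActiveSync is
# its own client type and is listed separately.
resource "azuread_conditional_access_policy" "block_legacy_auth" {
  display_name = "CIS - Block legacy authentication"
  state        = "enabled"
  conditions {
    client_app_types = ["exchangeActiveSync", "other"]
    applications { included_applications = ["All"] }
    users {
      included_users  = ["All"]
      excluded_groups = [data.azuread_group.break_glass.object_id]
    }
  }
  grant_controls {
    operator          = "OR"
    built_in_controls = ["block"]
  }
}
```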


    3. Passwordless Authentication

    CIS: Prefer passwordless.

    Implementation:
    Enable:

    • Windows Hello
    • Authenticator App
    • FIDO2 keys

    4. Limit Global Admin Roles

    CIS: Admin roles must be minimized.

    How to do it:
    Assign:

    • GA = 2 accounts
    • Use PIM (Privileged Identity Management)
    • Require MFA + justification

    5. Require Compliant Devices

    CIS: Block unmanaged devices.

    Apply with Conditional Access:
    Grant → Require device to be:

    • Compliant
    • Hybrid joined
    • Or require approved apps

    6. Exchange Online Protections

    CIS: Anti-phishing, anti-malware, safe links, safe attachments.


    7. Audit Logging

    CIS: Must be enabled.

    Check:

    Get-AdminAuditLogConfig
    Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled
    

    8. Session Control

    Use Conditional Access → Session Limits

    • 8-hour maximum sign-in frequency
    • Force reauthentication when the window expires

    Conclusion

    CIS is not complicated.
    It’s just applying security baselines consistently using tools already built into M365:

    • Conditional Access
    • Defender
    • PIM
    • MFA
    • Logging

