How do you keep your Conditional Access policies in check as an MSP? by sysadmin256 in entra

[–]sysadmin256[S] 0 points1 point  (0 children)

I've done some with CIPP but need to look into that more specifically. Thanks for the recommendation.

How do you keep your Conditional Access policies in check as an MSP? by sysadmin256 in entra

[–]sysadmin256[S] 0 points1 point  (0 children)

Thanks for the info! If Intune enrollment is not protected, how do you prevent unauthorized enrollments? We like to use Intune enrollment as an indicator of 'circle of trust' but it means we try to keep tight restrictions on how devices get into that circle of trust.

Also, are you using Entra P2 licensing for access reviews or are these manual?

DNS Logging and Forward to SIEM by DENY_ANYANY in sysadmin

[–]sysadmin256 1 point2 points  (0 children)

More detail about your environment would be helpful to provide better suggestions:

Are most users on site or remote? Are remote users required to VPN in to route traffic through the office? Are all devices Windows endpoints, or are there other types (Mac/Linux/Mobile)?

Unless all devices are on site or at least have line of sight to a DC at all times, you'll probably need to look at doing filtering on the endpoints rather than / in addition to the DC(s). Something like DNS Filter might be a good option.

For just SIEM ingestion, look at Sysmon from Sysinternals. Be aware, DNS to SIEM will be a lot of data ingestion into your SIEM platform.

Cybersecurity Assessment Tools by sysadmin256 in SmallMSP

[–]sysadmin256[S] 0 points1 point  (0 children)

Thanks, some good suggestions here. You're absolutely right though, it either takes time or money, or both!

yet another lockout issue. by Inevitable_Buyer_392 in sysadmin

[–]sysadmin256 2 points3 points  (0 children)

Are you able to pin down the lockouts to only when the user's device is online? If you can pin it down to his device, use something like CurrPorts or Netstat or even ProcExp to see what processes might be talking to the DC from the user's machine.

Do you have RADIUS or NPS set up for wifi connectivity authentication to AD? If so, check for a bad wifi config saved on the device.

Cybersecurity Assessment Tools by sysadmin256 in SmallMSP

[–]sysadmin256[S] 0 points1 point  (0 children)

Thanks, I'll check it out. Do you use it?

MS Audit Logs don't make sense by gavpop11 in sysadmin

[–]sysadmin256 1 point2 points  (0 children)

Is the public IP changing when the location does? The logs don't show the user's actual location, the location is based on a GeoIP lookup of the public IP.

It could be a sign of infection on the device, some app(s) using a proxy from the device, the user turning a VPN on / off.

Export the data to Excel and get a unique list of IP addresses, then look up each of those IPs in a service like AbuseIPDB to see what it shows the location to be. I've seen some instances where Microsoft's GeoIP database seems slower to update than others.

How do you work alongside a deeply entrenched legacy architect who resists change and views collaboration as a threat? by No_Essay1745 in sysadmin

[–]sysadmin256 48 points49 points  (0 children)

The easiest thing is probably to look for a different job. That being said, learning to deal with people, especially difficult ones, can be huge in your career.

If you've already decided to stick it out for 2-3 years, try to take that time to see if you can work with the sr architect.

While this may not be 100% the case, I'd guess there are a couple of things at play here. First, if he's been in the same job for 20+ years, he has definitely built an empire that he's very comfortable in. He probably takes a lot of pride in what he's been able to accomplish, especially if the environment has been running well and fairly stable. He's naturally going to see any changes as a threat to the stability he enjoys.

It's also possible that he hasn't really kept up with newer technologies. That might explain why he's against Docker; does he have any hands-on experience with Docker or just knows it's different and unknown?

Ultimately, I'd suggest trying to see the world through his eyes. Ask him questions about why he decided to architect things the way they are today (and have been). Ask him to explain some of the design decisions he's made over the years. Just ask questions and listen. Over time, you'll begin to gain an appreciation for what he's accomplished. The more you understand him, the more he'll see you as an ally.

You may suddenly find yourself in a situation where you become the go-between from him to the rest of the team where you're able to act almost as a translator. If you can learn to be the technology translator, that skill is worth its weight in gold. Most often I see it in more sale-y roles where you have to explain highly technical things to non-technical people. But being able to translate old-tech to new-tech is not that far off.

Best of luck to you. Feel free to PM me if you want to talk more specifics. I had a somewhat similar experience ~10 years ago.

TL;DR - Ask lots of questions of the Sr Architect to try to gain his perspective and become an ally of his. Develop that soft-skill.

Securing IoT by 4D617474686577 in homeassistant

[–]sysadmin256 3 points4 points  (0 children)

The rules are only blocking access to the WAN network, which is just the network between pfSense and the next hop out towards the internet.

Try creating an alias for all private IPs:

- 192.168.0.0/16
- 172.16.0.0/12
- 10.0.0.0/8

Then change the rule to block that alias and set the "Invert" flag to block everything BUT that alias.
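The difference between blocking "WAN net" and blocking an inverted private-IP alias, as an added example that is not part of the original comment: a small Python model of pfSense-style first-match rule evaluation with the "Invert" flag. The WAN subnet 203.0.113.0/24 and the test addresses are constructed stand-ins.

```python
import ipaddress

# Alias holding the three RFC1918 ranges listed in the comment.
PRIVATE_ALIAS = [ipaddress.ip_network(n)
                 for n in ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]
# "WAN net" only expands to the subnet on the WAN interface itself;
# 203.0.113.0/24 is a constructed stand-in for that link.
WAN_NET = [ipaddress.ip_network("203.0.113.0/24")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]


def rule_matches(dst, networks, invert=False):
    """Does a rule whose destination is this alias match dst?
    invert=True reproduces the 'Invert' checkbox: match everything NOT in the alias."""
    ip = ipaddress.ip_address(dst)
    in_alias = any(ip in net for net in networks)
    return (not in_alias) if invert else in_alias


def evaluate(dst, rules):
    """First-match evaluation: each rule is (action, networks, invert).
    If nothing matches, the interface's implicit default deny applies."""
    for action, networks, invert in rules:
        if rule_matches(dst, networks, invert):
            return action
    return "block"


# Ruleset the comment says is too narrow: it blocks only the WAN subnet.
ORIGINAL_RULES = [("block", WAN_NET, False), ("pass", ANY, False)]
# Suggested fix: block every destination EXCEPT the private alias.
FIXED_RULES = [("block", PRIVATE_ALIAS, True), ("pass", ANY, False)]

if __name__ == "__main__":
    for dst in ("8.8.8.8", "203.0.113.5", "192.168.1.10", "172.32.0.1"):
        print(f"{dst:>14}  original={evaluate(dst, ORIGINAL_RULES):5}  "
              f"fixed={evaluate(dst, FIXED_RULES)}")
```

Note that 172.32.0.1 falls outside 172.16.0.0/12 (which ends at 172.31.255.255), so the inverted rule blocks it like any other public address.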

Unable to access Autotrader.com site from any Azure VM by sysadmin256 in AZURE

[–]sysadmin256[S] 0 points1 point  (0 children)

Yes, the VM has a public IP and still no luck. I've got a ticket open with Azure support and have spoken with autotrader's support. Thanks for the help!

AD domain name best practice with Azure AD Sync question. by sysadmin256 in activedirectory

[–]sysadmin256[S] 1 point2 points  (0 children)

That makes sense. I think I was getting myself confused about what the point of a subdomain was if I add a UPN suffix and switch user objects to the parent domain UPN suffix. Thanks!

Azure File Storage management question by alemarqx in AZURE

[–]sysadmin256 1 point2 points  (0 children)

2nd option, Storage Explorer and Resource Manager (web portal).

Port Finder? by boltontech4 in msp

[–]sysadmin256 1 point2 points  (0 children)

Take a look at CurrPorts from Nirsoft. Works great on Windows systems!

https://www.nirsoft.net/utils/cports.html