Correct answer:
See the Explanation for the complete step by step solution.
Explanation:
To implement additional security checks for the Sg-Executive group members before they can access any company apps, you can use Conditional Access policies in Microsoft Entra. Here's a step-by-step guide:
* Sign in to the Microsoft Entra admin center:
  * Ensure you have the role of Global Administrator or Security Administrator.
* Navigate to Conditional Access:
  * Go to Security > Conditional Access.
* Create a new policy:
  * Select + New policy.
  * Name the policy appropriately, such as "Sg-Executive Security Checks".
* Assign the policy to the Sg-Executive group:
  * Under Assignments, select Users and groups.
  * Choose Select users and groups and then Groups.
  * Search for and select the Sg-Executive group.
* Define the application control conditions:
  * Under Cloud apps or actions, select All cloud apps to apply the policy to any company app.
* Set the device compliance requirement:
  * Under Conditions > Device state, configure the policy to include devices marked as compliant by Microsoft Intune.
* Set the app protection policy requirement:
  * Under Conditions > Client apps, configure the policy to include client apps that are protected by app protection policies.
* Configure the access controls:
  * Under Access controls > Grant, select Grant access.
  * Choose Require device to be marked as compliant and Require approved client app.
  * Ensure that the option Require one of the selected controls is enabled.
* Enable the policy:
  * Set Enable policy to On.
* Review and save the policy:
  * Review all settings to ensure they meet the requirements.
  * Click Create to save and implement the policy.
By following these steps, you will ensure that the Sg-Executive group members can only access company apps if they meet one of the specified conditions, either by using a compliant device or a protected client app.
This enhances the security posture of your organization by enforcing stricter access controls for executive-level users.
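To confirm that the saved policy still matches these steps, the check below audits a policy object in the JSON shape Microsoft Graph returns from `GET /identity/conditionalAccess/policies`. It is an added example, not part of the original answer; the group object ID and both sample policies are constructed placeholders, and the check covers only the assignment, cloud app, grant and state settings.

```python
# Field names follow Microsoft Graph's conditionalAccessPolicy resource.
# Constructed placeholder: replace with the Sg-Executive group's object ID.
SG_EXECUTIVE_GROUP_ID = "00000000-0000-0000-0000-000000000001"
REQUIRED_CONTROLS = {"compliantDevice", "approvedApplication"}

def audit_policy(policy, group_id=SG_EXECUTIVE_GROUP_ID):
    """Return deviations from the configured steps; an empty list means a match."""
    findings = []
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    apps = cond.get("applications") or {}
    grant = policy.get("grantControls") or {}
    if policy.get("state") != "enabled":
        findings.append(f"state is {policy.get('state')!r}: policy is not enforced")
    if group_id not in (users.get("includeGroups") or []):
        findings.append("Sg-Executive group missing from includeGroups")
    for key in ("excludeUsers", "excludeGroups", "excludeRoles"):
        if users.get(key):
            findings.append(f"{key} is populated: those identities bypass the policy")
    if "All" not in (apps.get("includeApplications") or []):
        findings.append("includeApplications is not 'All': some apps are uncovered")
    if apps.get("excludeApplications"):
        findings.append("excludeApplications is populated: those apps are uncovered")
    missing = REQUIRED_CONTROLS - set(grant.get("builtInControls") or [])
    if missing:
        findings.append(f"grant controls missing: {sorted(missing)}")
    if grant.get("operator") != "OR":
        findings.append(f"grant operator is {grant.get('operator')!r}, expected 'OR'")
    return findings

# Constructed sample: the policy the steps above produce.
EXPECTED = {
    "displayName": "Sg-Executive Security Checks", "state": "enabled",
    "conditions": {"users": {"includeGroups": [SG_EXECUTIVE_GROUP_ID]},
                   "applications": {"includeApplications": ["All"]}},
    "grantControls": {"operator": "OR",
                      "builtInControls": ["compliantDevice", "approvedApplication"]},
}
# Constructed sample: the same policy after drift (report-only, exclusion, one control).
DRIFTED = {
    "displayName": "Sg-Executive Security Checks", "state": "enabledForReportingButNotEnforced",
    "conditions": {"users": {"includeGroups": [SG_EXECUTIVE_GROUP_ID],
                             "excludeUsers": ["00000000-0000-0000-0000-0000000000aa"]},
                   "applications": {"includeApplications": ["All"]}},
    "grantControls": {"operator": "AND", "builtInControls": ["compliantDevice"]},
}

if __name__ == "__main__":
    for name, pol in (("EXPECTED", EXPECTED), ("DRIFTED", DRIFTED)):
        print(name, audit_policy(pol) or "matches the steps")
```

An `AND` operator would require both controls instead of one, and a report-only state logs results without enforcing them, so both are reported as deviations from the answer above.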