Conditional access to office 365 what options do you have
1.
2.
3.
4. Identity as the core of enterprise mobility
Single sign-onSelf-service
Simple connection
On-premises
Other
directories
Windows Server
Active Directory
SaaSAzure
Public
cloud
CloudMicrosoft Azure Active Directory
Customers
Partners
5. The perimeter cannot help protect data stored in the cloudAccess control to corporate data today
Mobile devices
PCs
Web browsers
AppsData
6. “I need to control access to resources based on a variety of conditions”
On-premises
applications
APPLICATION
Per app policy
Type of client
Business sensitivity
OTHER
Network location
Risk profile
DEVICES
Are domain joined
Are compliant
Platform type (Windows,
iOS, Android)
USER ATTRIBUTES
User identity
Group memberships
Auth strength (MFA)
• Allow
• Enforce MFA
• Block
Brute force attacks
Leaked credentials
Infected devices
Suspicious sign-in activities
Configuration vulnerabilities
7. Conditions
Allow access or
Block access
Actions
Enforce MFA per
user/per app
User, App sensitivity
Device state
LocationUser
NOTIFICATIONS, ANALYSIS, REMEDIATION,
RISK-BASED POLICIES
CLOUD APP DISCOVERY PRIVILEGED IDENTITY MANAGEMENT
MFA
IDENTITY
PROTECTION
Risk
On-premises
applications
Microsoft Azure
Editor's Notes
Microsoft has a solution for this
[Click] Traditional identity and access management solutions providing sing-sign on to on-premises applications and directory services such as Active Directory and others are used from the vast majority of organizations and huge investments were made to deploy and maintain them. These solutions are perfect for the on-premises world.
[Click] Now, as we have discussed, there are new pressing requirements to provide the same experience to cloud applications hosted in any public cloud.
[Click] Azure Active Directory can be the solution to this new challenge by extending the reach of on-premises identities to the cloud in a secure and efficient way.
[Click] In order to do that, one simple connection is needed from on-premises directories to Azure AD.
[Click] and everything else will be handled by Azure AD. Secure single sign-on to thousands of SaaS applications hosted in any cloud by using the same credentials that exist on-premises
[Click] And we don’t forget the users. Azure AD provides Self-service capabilities and easy access to all the application, consumer or business, they need.
in the cloud but on-premises too (Application Proxy)
The first question we ask is how to protect the data
Used to be all on-prem. But now it’s in cloud. So having a gateway no longer works.
We believe that our solution--CA
In the past, almost all the corporate data was stored on-premises which means that organizations could use the perimeter to manage access to the corporate data. Typically, this was a challenging project, that often required email gateways, servers in the perimeter network, lots of configuration, and custom scripts. However, a lot of corporate data today is stored in the cloud either because of the organization’s decision or because employees themselves intentionally or unintentionally stored in the cloud by using apps like Dropbox or SalesForce. This creates a security risk where the corporate data might end up in the wrong hands, and most of the EMM vendors in the market today don’t really have a good solution for this.
With EMS CA you can secure access to O365 and on-prem.
AAD: to authenticate the user and makes decision at user level--authentication, and at the device level (Intune), sensitivity of app (do we need MFA). And checking risk profile—AIP is where we get this
The main message is that this is the new way to manage access to your stuff. It’s powerful because you can check for so many different things before you allow access to your stuff.
In this slide talk about the conditions that apply
Does the policy apply to the user
Does the policy apply to the app
Does the policy apply to the device type
Does the policy apply to the location
Then what about evaluation
Is the device domain joined
Is the device Azure AD joined (in some circumstances)
Is the device compliant – ie. Managed by InTune
Is the device in an allowed location
What is the sign in risk (e.g. is this location likely to be the user)
Should MFA be mandated
We can then use the conditions together to make an evaluation
#1 requirement here is that you will expect all these devices to be managed by InTune
This covers specific services, such as Exchange Online, SharePoint Online and Skype for Business
This works with Exchange ActiveSync, and for EAS, manages the Exchange Online quarantine. Nothing else does this for CA.
You may be able to join the preview
The legacy portal has Azure-AD based conditional access policies
These must be created on a per-application basis
This has the benefit of allowing you to secure other registered Azure AD apps, and could be used in combination with InTune policies
It is more complex to configure though and manage on an ongoing basis, especially if you want to lock down everything
Compliant devices = InTune Managed, rather than Azure AD joined
New Azure AD portal offers the next-gen of the Azure AD conditional access
Policies can be created to cover all Azure AD apps
You can have multiple policies to determine compliance
For example
Allow domain joined clients and / or compliant devices from anywhere, without MFA
Lock down internal and external access, perhaps?
Require MFA for users outside the network accessing from a non-domain joined device
Or maybe only allow a compliant/domain joined, but enforce MFA when they are outside the network
Or use it to block access to apps
Deny access to OneDrive for Business for specific groups of people, unless they are on the LAN
Use it with other services, like Azure Application Proxy, and third-party apps – you could enforce MFA to ServiceNow, for example
Very simple, straightforward MAM-based Conditional Access
Requires Azure AD join by devices before granting access
Devices must install Company app (Android) or Azure Authenticator (iOS)
Blocks all Exchange ActiveSync access, you MUST use the Outlook App
First time usage redirects to Azure AD enrolment
After enrolment, access is allowed
Based on this condition you can ensure that only particular apps (such as OneDrive, Office Apps, Skype for Business and Outlook) can access Office 365 on mobile
Use in combination with MAM to ensure that data cannot leave the “walled garden” of apps
