This document discusses conditional access for managing access to resources. It provides an overview of conditional access for devices and mobile apps accessing Office 365. It also covers conditional access for on-premises Exchange and SharePoint. Upcoming features are previewed. Functionality and deployment of conditional access are discussed for mobile devices, domain joined PCs, mobile apps without MDM, and advanced scenarios using ADFS. FAQs about conditional access are also addressed.
Protect your business with a universal identity platform
The Azure Active Directory (Azure AD) enterprise identity service provides single sign-on and multi-factor authentication to help protect your users from 99.9 percent of cybersecurity attacks.
Gartner named Microsoft a leader in Magic Quadrant 2020 for Access Management
Single sign-on simplifies access to your apps from anywhere
Conditional Access and multi-factor authentication help protect and govern access
A single identity platform lets you engage with internal and external users more securely
Developer tools make it easy to integrate identity into your apps and services
Connect your workforce
Whether people are on-site or remote, give them seamless access to all their apps so they can stay productive from anywhere. Automate workflows for user lifecycle and provisioning. Save time and resources with self-service management.
Choose from thousands of SaaS apps
Simplify single sign-on. Azure AD supports thousands of pre-integrated software as a service (SaaS) applications.
Protect and govern access
Safeguard user credentials by enforcing strong authentication and conditional access policies. Efficiently manage your identities by ensuring that the right people have the right access to the right resources.
Engage with your customers and partners
Secure and manage customers and partners beyond your organizational boundaries, with one identity solution. Customize user journeys and simplify authentication with social identity and more.
Integrate identity into your apps
Accelerate adoption of your application in the enterprise by supporting single sign-on and user provisioning. Reduce sign-in friction and automate the creation, removal, and maintenance of user accounts.
Slides for my "Monitoring in Azure" talk at Zühlke Group DevOpsDays 2019 #DevOps #Azure #Monitoring
Demo repository: https://github.com/tknerr/zdod19-azure-monitoring-demo
Microsoft Information Protection: Your Security and Compliance Framework (Alistair Pugin)
It's one thing encrypting and protecting your data from prying eyes, but what use is it if it is not retained or protected against loss? With Microsoft Information Protection, Microsoft provides organisations the ability to:
• Protect content from deletion
• Adhere to compliance standards (GDPR, HIPAA, etc.)
• Discover content for litigation
• Manage access to content based on rules
By implementing the correct rules, organisations are able to mitigate risk and remain compliant, and at the same time ensure that content is identified, classified, retained and disposed of accordingly.
Microsoft Enterprise Mobility Suite, presented by Atidan (David J Rosenthal)
Windows 10 is better with EMS
Windows 10 is the best Windows ever and provides a foundation for protection against modern threats and continuous management while enabling your users to be more productive. To get the most out of your mobile security and productivity strategy, integrate the Microsoft Enterprise Mobility Suite (EMS) with Windows 10 for greater protection of users, devices, apps, and data.
A key concern for you continues to be security, and rightly so. Identity is the control plane at the center of our solution helping you to be more secure. Only Microsoft offers cloud identity and access management solutions running at Internet scale and designed to help secure your IT environment. Microsoft Azure Active Directory has hundreds of millions of users, is available in 35 datacenters around the world, and has processed more than 1 trillion (yes, trillion) authentications. Our innovative new technology, Microsoft Advanced Threat Analytics, is designed to help you identify advanced persistent threats in your organization before they cause damage.
KEY FEATURES
Threat detection: Detect abnormal user behavior, suspicious activities, known malicious attacks and security issues right away. Focus on what is important using a simple, convenient feed.
Conditional access: Control access to applications and other corporate resources like email and files with policy-based conditions that evaluate criteria such as device health, user location, etc. This includes support for multi-factor authentication (MFA).
Single sign-on: Sign in once to cloud and on-premises web apps from any device. Pre-integrated support for Salesforce, Concur, Workday, and thousands more popular SaaS apps.
Azure Arc offers simplified management, faster app development, and consistent Azure services. Easily organize, govern, and secure Windows, Linux, SQL Server, and Kubernetes clusters across data centers, the edge, and multicloud environments right from Azure. Architect, design, and build cloud-native apps anywhere without sacrificing central visibility and control. Get Azure innovation and cloud benefits by deploying consistent Azure data, application, and machine learning services on any infrastructure.
Gain central visibility, operations, and compliance
Centrally manage a wide range of resources including Windows and Linux servers, SQL server, Kubernetes clusters, and Azure services.
Establish central visibility in the Azure portal and enable multi-environment search with Azure Resource Graph.
Meet governance and compliance standards for apps, infrastructure, and data with Azure Policy.
Delegate access and manage security policies for resources using role-based access control (RBAC) and Azure Lighthouse.
Organize and inventory assets through a variety of Azure scopes, such as management groups, subscriptions, resource groups, and tags.
Learn more about hybrid and multicloud management in the Microsoft Cloud Adoption Framework for Azure.
Azure SQL Database (SQL DB) is a database-as-a-service (DBaaS) that provides nearly full T-SQL compatibility so you can gain tons of benefits for new databases or by moving your existing databases to the cloud. Those benefits include provisioning in minutes, built-in high availability and disaster recovery, predictable performance levels, instant scaling, and reduced overhead. And gone will be the days of getting a call at 3am because of a hardware failure. If you want to make your life easier, this is the presentation for you.
Enabling Transformation through Agility & Innovation - AWS Transformation Day... (Amazon Web Services)
Learn how AWS can help transform your business. With AWS, enterprises are becoming more agile, secure, and scalable. This helps to promote innovation, shorten cycles to respond to business requirements, increase employee productivity, and retain and recruit top talent.
Improve business performance, reduce costs, and reinvent your IT strategies. Topics include how to maximize the value of your Enterprise workloads with AWS, foster a culture of innovation, manage risk and security, and new ways to think about product development, how to modernize the delivery of IT services, and best practices for adopting the cloud at scale.
In this presentation, I have talked about Resiliency in Azure.
I have also talked about how you can do Azure VM Improvements and Maintenance. Along with that, I have also talked about Disaster Recovery with ASR.
Cloud Security Fundamentals - St. Louis O365 Users Group (J.D. Wade)
This session will provide key Microsoft cloud security standards which will allow you to maximize your organization's security posture using existing licenses, align with Microsoft's cloud security strategy, and reduce attack surface from legacy technologies. The adoption of core cloud security standards included in this discussion are how to establish single sign-on, how to only allow modern authentication, what are trusted identities and trusted devices, how to classify and protect content, and how to monitor and report on security and breaches. All of this discussion will be done in mind with usage occurring on a zero trust network.
Modern Management for Identities and Devices – Azure AD, Intune and Windows 10 (MVP Dagen)
In this session we will look at how we enable Modern Management with Azure Active Directory, Microsoft Intune and Windows 10. We will look at how we establish identity and access control, self-service and access to applications with Azure AD. We will then look at how the new Azure AD together with Intune works in […]
How to auto enroll Windows 10 into Microsoft Intune with Azure AD join (Experience with coexistence of MDM authority)
Azure AD join – what is two-step verification/Microsoft Passport
Microsoft Intune and MDM joined devices
Limitations
Software Deployment
What are OMA-URI, policy CSP and how to use OMA-URI for configuration.
Windows Store for Business
System Center 2012 R2 Configuration Manager (SCCM) with Windows Intune (Amit Gatenyo)
Microsoft has a history of providing rich IT-infrastructure solutions to help manage every aspect of enterprise operations. Microsoft’s people-centric solution consists of products and technologies that can help IT departments handle the influx of consumer-oriented technology and the work style expectations of users, thereby helping increase productivity and satisfaction for the people within their organizations.
Microsoft’s people-centric IT vision helps organizations enable and embrace the consumerization of IT by:
1. Enabling your end users by allowing users to work on the device(s) of their choice and providing consistent access to corporate resources from those devices.
2. Helping protect your data by protecting corporate information and managing risk.
3. Unifying your environment by delivering comprehensive application and device management from both your existing on-premises infrastructure, including System Center Configuration Manager, Windows Server, and Active Directory, as well as cloud-based services, including Windows Intune and Windows Azure.
Let’s discuss each of these areas in more detail.
During this session we will look into Windows 10 for the Enterprise.
Let’s explore the new management capabilities and choices.
Let’s understand the Windows 10 deployment infrastructure and mechanisms.
Let’s discover new Windows 10 features and improvements.
You are eager to learn about Windows 10 and want to gather early-stage info about this exciting Operating System… ?
Well you know what to do! See you there!
ECMDay2015 - Peter Daalmans – Master your Mac OS X Operating System with Conf... (Kenny Buntinx)
Learn how to use System Center 2012 R2 Configuration Manager to manage those sexy Apple Mac OS X devices. Learn how to deploy your Configuration Manager clients, wrap and deploy software and manage your OS X environment with Compliance Settings. A demo packed session with lots of tips and tricks along the way. Also we will have a look at the Parallels Mac Management for SCCM plugin for Configuration Manager 2012 R2 . Learn how to manage and control your Mac OS X devices with Configuration Manager 2012 R2. Learn and see how you can master your Mac OS X devices with simple scripts and Compliance Settings.
Experts Live Europe 2017 - Windows 10 and the cloud - why the future needs hy... (Alexander Benoit)
Cloud services have become firmly established in the working day of many companies. Almost everywhere, initiatives or projects are in progress that deal with the workplace of the future. Windows 10, Intune and Azure Active Directory open up new opportunities for cloud-based management, authentication, and administration. Scenarios such as BYOD and COPE let companies think about how users access business resources and apps.
Preparing your enterprise for Hybrid AD Join and Conditional Access (Jason Condo)
In the presentation learn what you need to do in AD FS, Active Directory, and Azure Active Directory to leverage domain joined machines in conditional access policies to O365 services.
Microsoft Intune and Corporate Identity Management (Plain Concepts)
Manage all your corporate Windows 10 devices from Microsoft Intune. Hybrid authentication environments, multi-factor authentication and secure access to SaaS applications. By Jose María Genzor
Review the presentation from the Next Level Learning IT Track - Windows 10 in Education. Learn about the new features of Windows 10 and what they mean for your school.
5. MANAGEABILITY
Functionality…
• CA for mobile devices;
• CA for domain joined PCs;
• CA for mobile apps without MDM;
• CA for on-prem resources;
• CA for advanced scenarios (ADFS);
6. …by solution
• via Configuration Manager;
• via Microsoft Intune;
• via Microsoft Intune MAM without MDM;
• via Azure AD (SaaS);
• via ADFS (advanced scenarios);
14. Deploying conditional access
1. Define compliance criteria for devices managed by Intune or SCCM
2. Define access criteria for a specific O365 service

Condition | Main options | Defined where?
Compliance criteria for managed devices | Password, encryption, device health, OS versions | Intune compliance policy; SCCM compliance policy
Mobile platforms | iOS, Android, Windows 10 Mobile | Conditional access policies
Desktop platforms | Windows 7, 8.1, 10 | Conditional access policies
Client app types | Exchange ActiveSync clients, rich client apps, browser | Conditional access policies
O365 services | Exchange Online, SharePoint Online, Skype for Business, Dynamics CRM | Conditional access policies
Users | All users in tenant, targeted SGs, exempted SGs | Conditional access policies
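The two deployment steps and the condition table above, as an added example that is not from the deck: the access criteria (all users minus exempted groups, mobile and desktop platforms, EAS/rich client/browser app types, the Office 365 workload, and a managed-device grant) expressed as a Conditional Access policy body for the Microsoft Graph API, which is what replaced the classic portal policies the deck describes. It uses the Microsoft.Graph PowerShell SDK; the display name, the placeholder break-glass group ID and the report-only default are assumptions.

```powershell
# Added example (not from the deck). Builds a device-based Conditional Access
# policy body for Microsoft Graph and sanity-checks it before creation.

function New-DeviceCaPolicyBody {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        # Object IDs of exempted groups; always include a break-glass group.
        [Parameter(Mandatory)] [string[]] $ExcludeGroupIds,
        # Start in report-only mode; flip to 'enabled' after reviewing sign-in logs.
        [ValidateSet('enabled', 'disabled', 'enabledForReportingButNotEnforced')]
        [string] $State = 'enabledForReportingButNotEnforced'
    )
    @{
        displayName = $DisplayName
        state       = $State
        conditions  = @{
            users = @{
                includeUsers  = @('All')              # "All users in tenant"
                excludeGroups = $ExcludeGroupIds      # "exempted SGs"
            }
            applications = @{
                includeApplications = @('Office365')  # EXO, SPO, Skype/Teams as one workload
            }
            platforms = @{
                includePlatforms = @('iOS', 'android', 'windows')  # mobile + desktop rows
            }
            clientAppTypes = @('mobileAppsAndDesktopClients', 'exchangeActiveSync', 'browser')
        }
        grantControls = @{
            operator        = 'OR'
            # Intune/SCCM compliant, or hybrid Azure AD joined (the "AD domain joined" rows).
            builtInControls = @('compliantDevice', 'domainJoinedDevice')
        }
    }
}

function Test-DeviceCaPolicyBody {
    param([Parameter(Mandatory)] [hashtable] $Body)
    $problems = @()
    if ($Body.conditions.users.includeUsers -contains 'All' -and
        -not $Body.conditions.users.excludeGroups) {
        $problems += 'Policy targets all users with no exempted group: lock-out risk.'
    }
    if ($Body.state -eq 'enabled') {
        $problems += 'Policy is enforced immediately; deploy in report-only mode first.'
    }
    if ($Body.grantControls.builtInControls -contains 'domainJoinedDevice' -and
        $Body.conditions.platforms.includePlatforms -notcontains 'windows') {
        $problems += 'domainJoinedDevice only applies to Windows, which the platform scope excludes.'
    }
    return $problems
}

# Usage (creation requires Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess').
$body = New-DeviceCaPolicyBody -DisplayName 'CA01 Require managed device for Office 365' `
            -ExcludeGroupIds @('00000000-0000-0000-0000-000000000000')  # placeholder break-glass group
$issues = Test-DeviceCaPolicyBody -Body $body
if ($issues) {
    $issues | ForEach-Object { Write-Warning $_ }
} else {
    $body | ConvertTo-Json -Depth 6
    # Uncomment once the body has been reviewed:
    # New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}
```

The check function encodes the two mistakes that most often turn a device-based policy into an outage: targeting all users with no exemption, and enforcing before the report-only sign-in data has been read. Note that `domainJoinedDevice` is only satisfied by hybrid Azure AD joined Windows machines, which is why the deck's prerequisite slides spend so much time on getting domain joined PCs registered.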
15. Unified Enrollment: access control from Outlook for iOS and Android
Components: Outlook app, Outlook Cloud Service, Office 365 email service, Intune, quarantine website, Azure AD device object (device id, isManaged, MDMStatus).
Step 1: Enroll device (Workplace Join + management)
1. Outlook app contacts the Outlook Cloud Service
2. Redirect to Intune (quarantine website)
3. Enroll into Intune
4. Register device in Azure AD
5. Intune sets device management/compliance status on the Azure AD device object
6–7. Access Outlook Cloud Service with AAD token
8. Get EAS service access token for user
9. Get corporate email from the Office 365 email service
10. Email delivered
16. Preparing devices: mobile
• Azure AD Join for work-owned mobile devices in Windows 10
• Add work or school account for personal devices in Windows 10
• Add account / Workplace Join on other Windows versions or platforms (iOS, Android)
• Windows 10 with Microsoft Intune or 3rd-party supported MDMs (requires MDM app configuration in Azure AD for Windows 10)
• iOS and Android with Microsoft Intune
18. Conditional Access for PCs
Management | Windows 7 | Windows 8.1 | Windows 10
AD domain joined* | Supported | Supported | Supported
AD domain joined* + SCCM managed | Supported | Supported | Supported
AAD registered + Intune managed | Not supported | Supported | Supported
Azure AD joined + Intune managed | Not supported | Not supported | Supported
19. Pre-requisites for CA with Office desktop on domain joined Windows PCs
• Office 2016 or Office 2013 with Modern Authentication enabled
• AAD auto-registration
  ■ GP or SCCM can be used to enable auto-registration
  ■ Windows 7 requires an MSI to be deployed
• ADFS claims rules to block down-level Office from external network locations
  ■ In the near future, EXO and SPO will expose PS cmdlets to disable non-modern authentication
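The third prerequisite, the ADFS claims rules, as an added example that is not from the deck. Down-level Office clients authenticate with basic auth, which Exchange Online proxies to the AD FS active (WS-Trust) endpoints, whereas modern-auth Office clients and browsers arrive at the passive endpoint /adfs/ls/. The issuance authorization rules below therefore deny requests from outside the corporate network unless they hit /adfs/ls/ or come from Exchange ActiveSync. It assumes AD FS 2012 R2 or later published through Web Application Proxy (the insidecorporatenetwork claim depends on it) and the default Office 365 relying party trust name.

```powershell
# Added example (not from the deck). Blocks down-level (non-modern-auth) Office
# from external locations at AD FS while leaving modern auth, browsers and EAS alone.

$RpName = 'Microsoft Office 365 Identity Platform'   # adjust if your RP trust is named differently

$DenyExternalLegacyAuth = @'
@RuleName = "Deny external non-modern auth (except EAS)"
exists([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/ls/"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
'@

$PermitEveryoneElse = @'
@RuleName = "Permit everyone else"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

function Set-ExternalLegacyAuthBlock {
    param([switch] $WhatIf)

    $rp = Get-AdfsRelyingPartyTrust -Name $RpName
    if (-not $rp) { throw "Relying party trust '$RpName' not found" }

    # Keep the current rules so the change can be rolled back with the same cmdlet.
    $backup = Join-Path $env:TEMP ("o365-authz-rules-{0:yyyyMMdd-HHmmss}.txt" -f (Get-Date))
    $rp.IssuanceAuthorizationRules | Set-Content -Path $backup
    Write-Host "Existing issuance authorization rules saved to $backup"

    # A deny claim wins over a permit claim, so order is not significant, but the
    # permit rule must exist or nobody gets in.
    $rules = $DenyExternalLegacyAuth + "`n" + $PermitEveryoneElse
    if ($WhatIf) { Write-Host $rules; return }
    Set-AdfsRelyingPartyTrust -TargetName $RpName -IssuanceAuthorizationRules $rules
}

# Dry run first, then apply. Verify from outside the network with a test account:
# Outlook 2016 (modern auth) must still sign in, Outlook 2010 must be refused.
Set-ExternalLegacyAuthBlock -WhatIf
# Set-ExternalLegacyAuthBlock
```

Test the claim set before relying on it: the insidecorporatenetwork claim is only "false" when the request really traversed WAP, so a misconfigured proxy or a direct-exposed AD FS farm silently turns this into an allow-all. Removing the ActiveSync exemption from the deny rule gives the stricter "block EAS at ADFS" variant; keep it only if native mail clients are meant to bypass the check.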
21. Mobile app management
Managed mobile productivity: a multi-identity policy keeps corporate data in managed apps separate from personal data in personal apps, and controls data movement from managed apps to personal apps: copy/paste, save to personal storage, paste to a personal app, email attachment.
22. Conditional Access for managed mobile apps
Customer scenario
■ Ensure that only Intune MAM enabled applications can access O365/SaaS apps
■ Prevent apps that aren't MAM "enlightened"
■ Prevent EAS mail clients (native iOS/Android mail clients)
Considerations
■ Intune MAM enabled apps are put on an
23. Preparing devices: domain joined
• Service Connection Point for discovery (all Windows versions!)
• If federated, issuance transform rules for computer authentication upon registration
• Windows Installer package for non-Windows 10/Windows Server 2016 computers: Windows 7, 8.0, 8.1, Server 2008 R2, Server 2012 and Server 2012 R2
• Windows 10 Anniversary Update/Windows Server 2016 registers without the policy set
• Windows 10 November 2015 Update requires the policy set to trigger registration
• Windows 8.1 responds to the policy, can also use the Windows Installer package
• Help with requirements setup – with caveats!
• Key for lifecycle management of computers and devices
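A readiness check for the registration requirements listed above, as an added example that is not from the deck. It reads the Service Connection Point that domain joined Windows uses to discover the tenant, and on the pre-Anniversary Update builds checks the policy value that triggers registration. Assumes the ActiveDirectory PowerShell module (RSAT) on the machine running it; the registry value name and the build-number thresholds are taken from the Windows releases the slide names, and the Windows 7 MSI cannot be verified by this script.

```powershell
# Added example (not from the deck). Checks the SCP and the registration policy
# that the slide lists as prerequisites for automatic Azure AD registration.

function Get-DeviceRegistrationScp {
    # Well-known GUID of the Azure AD device registration SCP container.
    $config = (Get-ADRootDSE).configurationNamingContext
    $dn = "CN=62a0ff2e-97b9-4ad1-a6d2-40a35d5f80e9,CN=Device Registration Configuration,CN=Services,$config"
    try {
        $scp = Get-ADObject -Identity $dn -Properties keywords -ErrorAction Stop
    } catch {
        return [pscustomobject]@{ Present = $false; TenantName = $null; TenantId = $null }
    }
    # Azure AD Connect writes two keywords: azureADName:<verified domain>, azureADId:<tenant id>
    $name = @($scp.keywords | Where-Object { $_ -like 'azureADName:*' })[0] -replace '^azureADName:', ''
    $id   = @($scp.keywords | Where-Object { $_ -like 'azureADId:*' })[0]   -replace '^azureADId:', ''
    [pscustomobject]@{ Present = $true; TenantName = $name; TenantId = $id }
}

function Test-AutoWorkplaceJoinPolicy {
    # The "Register domain joined computers as devices" GPO writes this value.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
    $val = (Get-ItemProperty -Path $key -Name autoWorkplaceJoin -ErrorAction SilentlyContinue).autoWorkplaceJoin
    return ($val -eq 1)
}

function Test-DeviceRegistrationReadiness {
    $scp   = Get-DeviceRegistrationScp
    $build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
    $policyRequired = $build -lt 14393   # older than Windows 10 1607 / Server 2016: policy triggers registration
    $msiRequired    = $build -lt 9600    # older than Windows 8.1 / Server 2012 R2: Windows Installer package needed
    $policySet      = Test-AutoWorkplaceJoinPolicy
    $scpValid       = $scp.Present -and $scp.TenantName -and ($scp.TenantId -match '^[0-9a-f-]{36}$')

    [pscustomobject]@{
        Build          = $build
        ScpPresent     = $scp.Present
        TenantName     = $scp.TenantName
        TenantId       = $scp.TenantId
        ScpLooksValid  = [bool]$scpValid
        PolicyRequired = $policyRequired
        PolicySet      = $policySet
        MsiRequired    = $msiRequired            # not verifiable here; check the package separately
        Ready          = [bool]($scpValid -and -not $msiRequired -and (-not $policyRequired -or $policySet))
    }
}

Test-DeviceRegistrationReadiness | Format-List
```

Run it on a representative member of each OS population before pushing the policy: a valid-looking SCP with the wrong tenant ID (a leftover from a pilot tenant, for instance) is the failure the slide's "with caveats!" warns about, and it looks identical to success until the device tries to authenticate.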
26. On-Prem Exchange CA architecture
Components: EAS client, on-prem Exchange Server 2010/2013, Intune, quarantine email, Azure AD DRS device object (device id, isManaged, MDMStatus, EASIDs).
Who does what?
• Intune: evaluates policy, manages device state and marks the device record in AAD
• Exchange Server: provides the API and infrastructure for quarantine
Step 1: Enroll device (Workplace Join + management); Step 2: Register EAS client
1. EAS client attempts email connection to the on-prem Exchange Server
2. Block non-managed devices
3. If not managed, block device (quarantine email)
4. Register device in Azure AD
5. Enroll into Intune
6. Set device management/compliance status on the Azure AD DRS device object
7. Register EAS email client
8. Create EASID to device ID binding
9. Allow managed device
10. If managed, email access is granted
28. Preparing devices for device-based CA policy
Domain joined computers:
• Automatically register with Azure AD once requirements are set
• Device is not associated with a user in Windows 10
• Azure AD Connect for registration and lifecycle management of computers and devices
• Windows Installer package for non-Windows 10/non-Windows Server 2016 computers
Personal devices:
• Device registers by an end-user initiated experience
• Device is associated with a user
• The experience registers the device with Azure AD and enrolls it with MDM
• Alternative for personal devices is to use Mobile Application Management (MAM)
30. On-premises applications and access control
• You can publish on-prem apps through Azure AD
• They show in the 'applications' tab in the management portal and the 'myapps' portal for the user
• You can set device-based CA policy to control access the same way as for O365 apps and SaaS apps
• Don't miss: EMS320: Using Azure AD to enable and manage access to on-premises applications
• Requires device write-back in Azure AD Connect
• AD FS in Windows Server 2016 required for Windows 10 authentication
32. FAQs
•
  • No, CA will trump ABQ
•
  1. Turn CA off for EAS with Basic Auth, but on for Android and iOS modern auth apps
  2. Configure ADFS to block EAS
  3. Exchange ActiveSync ABQ to only allow the Outlook app
•
  • We're working on it.
  • For now the main options are:
    • Allow all Macs
    • Block all Macs
    • Exempt Mac users
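The third option in the second FAQ, Exchange ActiveSync ABQ restricted to the Outlook app, as an added example that is not from the deck. It sets the organization default to Quarantine and adds a single Allow rule for the Outlook app, then lists the devices that would be caught. Run in an Exchange Online PowerShell session or the Exchange Management Shell. The DeviceModel string that the Outlook app reports and the admin mailbox address are assumptions; confirm the string against Get-MobileDevice in your own tenant first.

```powershell
# Added example (not from the deck). EAS Allow/Block/Quarantine that admits only
# the Outlook app; everything else (native iOS/Android mail clients) is quarantined.

$OutlookModel = 'Outlook for iOS and Android'   # DeviceModel reported by the Outlook app (verify in your tenant)

function Get-NonOutlookEasDevices {
    # Devices that will end up quarantined once the default flips: review before applying.
    Get-MobileDevice | Where-Object { $_.DeviceModel -ne $OutlookModel } |
        Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceAccessState, FirstSyncTime
}

function Set-OutlookOnlyEasAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Mailbox that receives the quarantine notifications (assumed address in the usage line).
        [Parameter(Mandatory)] [string] $AdminMailRecipient
    )

    if ($PSCmdlet.ShouldProcess('ActiveSync organization settings', 'Set default access level to Quarantine')) {
        Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine -AdminMailRecipients $AdminMailRecipient
    }

    # Idempotent: only create the Allow rule if an equivalent one is not already there.
    $rule = Get-ActiveSyncDeviceAccessRule | Where-Object {
        $_.Characteristic -eq 'DeviceModel' -and $_.QueryString -eq $OutlookModel -and $_.AccessLevel -eq 'Allow'
    }
    if (-not $rule -and $PSCmdlet.ShouldProcess($OutlookModel, 'Create Allow device access rule')) {
        New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel -QueryString $OutlookModel -AccessLevel Allow
    }
}

# Preview the blast radius, then dry-run, then apply without -WhatIf.
Get-NonOutlookEasDevices | Format-Table -AutoSize
Set-OutlookOnlyEasAccess -AdminMailRecipient 'easadmin@contoso.com' -WhatIf
```

Keep the first FAQ answer in mind when combining this with conditional access: CA trumps ABQ, so an ABQ Allow rule cannot let a device past a CA block for EAS. ABQ is the control to use for the basic-auth EAS clients that CA is turned off for (option 1), not a substitute for it.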
33. FAQs cont'd
•
  • Recommended for reporting, but not required
•
  • ADFS
  • OWA app will soon leave the app stores
•
  • Azure AD admin console will include device CA policies (public preview soon)
  • Both write to the same back-end AAD policy
  • Azure AD console also includes MFA and network based policy
  • Plan to consolidate in the new Azure admin console (aka Ibiza)
34. 14:45 – 15:45
Ten most common mistakes when deploying ADFS & Hybrid Identity and how to avoid them
Raymond Comvalius & Sander Berkouwer