CONDITIONAL ACCESS FROM A TO Z


Peter Daalmans, Senior Consultant, CTGlobal (PeterDaalmans.com, pds@ctglobalservices.com)
Jörgen Nilsson, Principal Consultant, Onevinn (Ccmexec.com, jorgen.nilsson@onevinn.se)

Peter Daalmans (@pdaalmans): Enterprise Mobility MVP, 20 years, beers, burgers and soccer
Jörgen Nilsson (@ccmexec): Enterprise Mobility MVP, 10110, soccer, friends, beer

Conditional access

AGENDA
- Why Conditional Access?
- Where to find Conditional Access?
- Different layers of Conditional Access
- Conditional Access in action
- Notes from the field

WHY CONDITIONAL ACCESS?
The future for all access scenarios.

TRADITIONAL IT
[Slide diagram: traditional IT with Azure Application Proxy]

IDENTITY DRIVEN SECURITY: CONDITIONAL ACCESS
Signals that are evaluated:
- User attributes: user identity, group memberships, authentication strength
- Devices: authenticated, MDM managed (Intune), compliant with policies, not lost/stolen
- Application: business sensitivity, other
- Location: inside corp. network, outside corp. network
- Risk profile
- On-premises applications
Resulting actions: Allow, Enforce MFA, Block

ENTERPRISE MOBILITY + SECURITY LICENSES

EMS E3
- Identity and access management: Azure Active Directory Premium P1: single sign-on to cloud and on-premises applications; basic conditional access security
- Identity driven security: Microsoft Advanced Threat Analytics: identify suspicious activities & advanced attacks on premises
- Managed mobile productivity: Microsoft Intune: mobile device and app management to protect corporate apps and data on any device
- Information protection: Azure Information Protection Premium P1: encryption for all files and storage locations; cloud-based file tracking (existing Azure RMS capabilities)

EMS E5 (in addition to E3)
- Identity and access management: Azure Active Directory Premium P2: advanced risk-based identity protection with alerts, analysis & remediation
- Identity driven security: Microsoft Cloud App Security: bring enterprise-grade visibility, control and protection to your cloud applications
- Information protection: Azure Information Protection Premium P2: intelligent classification & encryption for files shared inside & outside your organization (Secure Islands acquisition)

DIFFERENT WAYS OF CONDITIONAL ACCESS
- Active Directory Federation Services
- Microsoft Intune versus Azure Active Directory
- Azure Active Directory: different flavours
- Exchange ActiveSync access rules
- Intune app based conditional access
- Azure App Proxy

Demo Conditional Access

DIFFERENT LEVELS OF CONDITIONAL ACCESS FIT TOGETHER
1. Claim rules via Active Directory Federation Services (device + user based)
2. Conditional Access by Intune / Azure AD for Office 365 (Exchange, SharePoint, Skype for Business, CRM, and more) (device based)
3. Exchange ActiveSync rules and app based CA (app based)

ACTIVE DIRECTORY FEDERATION SERVICES
- Part of Windows Server 2012/2016
- In 2016 more fine-grained options for device registration
- AD FS can be used to allow or block legacy protocols
- AD FS can be used to block or allow the native mail apps on devices
- AD FS can be used to check if a device is enrolled (device write-back needs to be configured)

CLAIMS IN AZURE AD IN AN AD FS SCENARIO
[Slide diagram (numbered steps 1-10 not recoverable). Components: User (Internet); Azure Active Directory; Azure AD integrated application; on-premises Active Directory Domain Services; Active Directory Federation Services (as STS) with claim rules; Azure AD Connect; federation trust (WS-FED) / relying party trust and IdP relationship between AD FS and Azure AD; Azure Active Directory Conditional Access. Legend: redirect action, infrastructure action, infrastructure relation.]

AD FS

INTUNE VERSUS AZURE AD
- Intune CA = Azure AD CA
- CA versus Exchange on-premises
- CA versus Office 365

INTUNE COMPLIANCE
- Intune compliance versus CA
- Check if the device is compliant
- Compliance check options
- Threat protection (Lookout)

ARCHITECTURE
1. Lookout is federated with Azure AD; authentication is done via Azure AD or AD FS.
2. Device compliance state is shared between Azure AD and Microsoft Intune.
3. Lookout gets device and user information based on AAD group membership via the Intune Connector. Lookout is able to retrieve and set the device compliance state in Microsoft Intune.
4. Device is managed by Intune (gets compliance policy + mandatory Lookout for Work app).
5. Lookout for Work is activated and is managed by Lookout MTP.

L4W NOT INSTALLED/ACTIVATED
1. Device is marked as non-compliant in Intune and Azure AD.
2. Office 365 gets the compliance status from Azure AD and access to Office 365 is prohibited.
3. After installing and/or activating L4W, the device is marked as compliant.
4. Office 365 retrieves the new compliance status and access to Office 365 is allowed.

L4W DETECTS VIRUS
1. Device has access to Office 365.
2. Threat detected by Lookout; compliance state is set to non-compliant and access to Office 365 is prohibited.
3. User fixes the issue(s); Lookout for Work reports the device state.
4. Lookout MTP shares the device compliance state with Intune (/Azure AD).
5. Office 365 gets the compliance state from Azure AD. If okay, access to Office 365 is allowed.
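The following is an added example, not code from the slides or from Microsoft or Lookout. It is a toy model of two things the deck describes: how the signals on the "Identity driven security" slide (user and group, device compliance, application, network location, risk profile) combine into an Allow / Enforce MFA / Block decision, and how the two Lookout for Work flows above change that decision by flipping the shared compliance state. Azure AD's real policy engine is not reproduced; the evaluation order, the "most restrictive policy wins" rule, and all class and field names are assumptions chosen for illustration. The policy and sign-in data are constructed.

```python
# Added example: toy conditional access evaluation and the L4W compliance flow.
# All names, the evaluation order and the sample data are assumptions, not
# Azure AD's actual engine or API.
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List


class Decision(Enum):
    ALLOW = "allow"
    REQUIRE_MFA = "require_mfa"
    BLOCK = "block"


@dataclass
class Device:
    device_id: str
    registered: bool = False      # known to Azure AD (device registration)
    mdm_managed: bool = False     # enrolled in Intune
    compliant: bool = False       # compliance state shared by Intune and Azure AD
    lost_or_stolen: bool = False


@dataclass
class SignIn:
    user: str
    groups: frozenset
    device: Device
    app: str
    inside_corp_network: bool
    risk: str                     # "low", "medium" or "high"
    mfa_satisfied: bool = False   # MFA already completed in this session


@dataclass
class Policy:
    name: str
    apps: frozenset               # target applications; empty = all apps
    groups: frozenset             # target user groups; empty = all users
    require_compliant_device: bool = False
    require_mfa_outside_network: bool = False
    block_risk_at_or_above: str = "high"


RISK_ORDER = {"low": 0, "medium": 1, "high": 2}


def applies(policy: Policy, signin: SignIn) -> bool:
    """A policy is in scope when both the app and the user's groups match."""
    app_ok = not policy.apps or signin.app in policy.apps
    group_ok = not policy.groups or bool(policy.groups & signin.groups)
    return app_ok and group_ok


def evaluate(signin: SignIn, policies: Iterable[Policy]) -> Decision:
    """Combine every in-scope policy; the most restrictive outcome wins."""
    needs_mfa = False
    for policy in policies:
        if not applies(policy, signin):
            continue
        dev = signin.device
        # Device signals: lost/stolen or non-compliant devices are blocked.
        if dev.lost_or_stolen:
            return Decision.BLOCK
        if policy.require_compliant_device and not (dev.mdm_managed and dev.compliant):
            return Decision.BLOCK
        # Risk profile at or above the policy threshold blocks as well.
        if RISK_ORDER[signin.risk] >= RISK_ORDER[policy.block_risk_at_or_above]:
            return Decision.BLOCK
        # Location signal: off the corporate network the policy may demand MFA.
        if policy.require_mfa_outside_network and not signin.inside_corp_network:
            needs_mfa = True
    if needs_mfa and not signin.mfa_satisfied:
        return Decision.REQUIRE_MFA
    return Decision.ALLOW


def set_compliance(device: Device, compliant: bool) -> Device:
    """Models Lookout MTP / Intune updating the shared compliance state."""
    device.compliant = compliant
    return device


# Constructed sample policy: Exchange Online for all users needs a compliant
# device, and MFA when the sign-in comes from outside the corporate network.
O365_POLICY = Policy(
    name="Exchange Online: compliant device, MFA off-network",
    apps=frozenset({"Exchange Online"}),
    groups=frozenset(),
    require_compliant_device=True,
    require_mfa_outside_network=True,
)


def lookout_scenario() -> List[Decision]:
    """Replay the two L4W slides and return the decision after each step."""
    phone = Device("phone-01", registered=True, mdm_managed=True, compliant=False)
    signin = SignIn("alice", frozenset({"Sales"}), phone, "Exchange Online",
                    inside_corp_network=True, risk="low")
    steps = [evaluate(signin, [O365_POLICY])]        # L4W not installed: BLOCK
    set_compliance(phone, True)                      # L4W installed and activated
    steps.append(evaluate(signin, [O365_POLICY]))    # ALLOW
    set_compliance(phone, False)                     # Lookout detects a threat
    steps.append(evaluate(signin, [O365_POLICY]))    # BLOCK
    set_compliance(phone, True)                      # user remediates, Lookout reports clean
    signin.inside_corp_network = False               # same user, now on a public network
    steps.append(evaluate(signin, [O365_POLICY]))    # REQUIRE_MFA
    signin.mfa_satisfied = True
    steps.append(evaluate(signin, [O365_POLICY]))    # ALLOW
    return steps


if __name__ == "__main__":
    for i, decision in enumerate(lookout_scenario(), 1):
        print(f"step {i}: {decision.value}")
```

The point of the replay is that the sign-in itself never changes between steps 1 and 3; only the compliance bit that Lookout writes into Intune (and that Intune shares with Azure AD) moves, and that alone is enough to flip Office 365 access from blocked to allowed and back, which is exactly the dependency the two flow slides describe.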

Compliance

APP BASED CONDITIONAL ACCESS
- Exchange Online: Microsoft Outlook for Android and iOS
- SharePoint Online: Microsoft Word, Excel, PowerPoint and OneDrive for Business for iOS and Android; Microsoft OneNote for iOS

App based CA

NETWORK ACCESS CONTROL
- Cisco
- Aruba (coming)
- Juniper (coming)
- Citrix: NetScaler Access
- F5 (coming)
- Pulse (coming)

MODERN AUTHENTICATION
What is modern authentication? The Active Directory Authentication Library (ADAL) is required.

SERVER SIDE SUPPORT (O365) FOR MODERN AUTHENTICATION
- Turned off for Exchange Online by default. See "Enable Exchange Online for modern authentication" to turn it on.
- Turned on for SharePoint Online by default.
- Turned off for Skype for Business Online by default. See the Microsoft Connect form to request that your Skype for Business Online service be enabled for modern authentication.

ON-PREMISES CA

CONDITIONAL ACCESS SCENARIOS THAT REQUIRE AD FS
- Conditional Access for PC (Windows 7, Windows 8.1)
- Conditional Access for PC where we want more than domain joined
- Windows 10 1607 and later: GPO (no AD FS requirements)
- Windows 7 & Windows 8.1 require an agent installed (msi)
- Windows 7 & Windows 8.1 also require AD FS to be able to register in Azure AD

CONDITIONAL ACCESS FOR PC (SCCM)
- Required for a PC to be marked as compliant and not only domain joined
- Compliance policy deployed in SCCM
- Requires Intune in hybrid

Conditional access PC

Troubleshooting Device Registration

NOTES FROM THE FIELD / LINKS
- Graph API troubleshooting
- Intune CA for EAS is the best way
- CA video: https://twitter.com/msftmechanics/status/839557885898051584
- Limited CA for SharePoint: https://blogs.technet.microsoft.com/enterprisemobility/2017/03/09/conditional-accesslimited-access-policies-for-sharepoint-are-in-public-preview/
- Conditional access troubleshooting flow-chart when using Intune connected with Configuration Manager: https://aka.ms/catsflowchartconfigmgr

HOUSE OF TAILS
70 dogs!!! Safety, food, water, health, blankets, shade, love, fun. $15 = 1 month of food.
www.houseoftails.org/support-us | www.facebook.com/sthouseoftails | info@houseoftails.org | Dutch bank IBAN: NL87INGB0006669920
Donation box near the registration area; participate in the raffle for huge rewards!