CONDITIONAL ACCESS FROM A TO Z
Peter Daalmans, Senior Consultant, CTGlobal (PeterDaalmans.com, pds@ctglobalservices.com)
Jörgen Nilsson, Principal Consultant, Onevinn (Ccmexec.com, jorgen.nilsson@onevinn.se)
Peter Daalmans (@pdaalmans): Enterprise Mobility MVP, 20 years, beers, burgers and soccer
Jörgen Nilsson (@ccmexec): Enterprise Mobility MVP, 10110, soccer, friends, beer
Conditional access
AGENDA
Why Conditional Access?
Where to find Conditional Access?
Different layers of Conditional Access
Conditional Access in action
Notes from the field
WHY CONDITIONAL ACCESS? Future for all access scenarios
TRADITIONAL IT Azure Application Proxy
IDENTITY DRIVEN SECURITY: CONDITIONAL ACCESS
Conditions evaluated:
User attributes: user identity, group memberships, authentication strength
Devices: authenticated, MDM managed (Intune), compliant with policies, not lost/stolen
Application: business sensitivity
Other: inside or outside the corporate network, risk profile
Actions: allow, enforce MFA, block
Scope includes on-premises applications
ENTERPRISE MOBILITY + SECURITY LICENSES (EMS E3 and EMS E5; E5 includes everything in E3)
Identity and access management:
EMS E3: Azure Active Directory Premium P1 (single sign-on to cloud and on-premises applications; basic conditional access security)
EMS E5: Azure Active Directory Premium P2 (advanced risk-based identity protection with alerts, analysis & remediation)
Identity driven security:
EMS E3: Microsoft Advanced Threat Analytics (identify suspicious activities & advanced attacks on premises)
EMS E5: Microsoft Cloud App Security (bring enterprise-grade visibility, control, and protection to your cloud applications)
Managed mobile productivity:
EMS E3 and E5: Microsoft Intune (mobile device and app management to protect corporate apps and data on any device)
Information protection:
EMS E3: Azure Information Protection Premium P1 (encryption for all files and storage locations; cloud-based file tracking; existing Azure RMS capabilities)
EMS E5: Azure Information Protection Premium P2 (intelligent classification & encryption for files shared inside & outside your organization; Secure Islands acquisition)
DIFFERENT WAYS OF CONDITIONAL ACCESS
Active Directory Federation Services
Microsoft Intune versus Azure Active Directory
Azure Active Directory: different flavours
Exchange ActiveSync access rules
Intune app-based conditional access
Azure App Proxy
Demo Conditional Access
DIFFERENT LEVELS OF CONDITIONAL ACCESS FIT TOGETHER
1. Claim rules via Active Directory Federation Services (device + user based)
2. Conditional Access by Intune / Azure AD for Office 365 (Exchange, SharePoint, Skype for Business, CRM, and more) (device based)
3. Exchange ActiveSync rules and app-based CA (app based)
ACTIVE DIRECTORY FEDERATION SERVICES
Part of Windows Server 2012/2016
In 2016 more fine-grained options for device registration
AD FS can be used to allow or block legacy protocols
AD FS can be used to block or allow the native mail apps on devices
AD FS can be used to check if a device is enrolled (device write-back needs to be configured)
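As an added example (not from the deck), the PowerShell below sets issuance authorization rules on the Office 365 relying party trust in AD FS so that Exchange ActiveSync (the native mail apps) and legacy non-browser endpoints are denied from outside the corporate network unless the device is registered, backing up the existing rules first. The relying party name, the corporate IP range and the exact rule logic are assumptions for illustration; adapt them to your own environment.

```powershell
# Added example, not the deck's or Microsoft's own script. Names and ranges are placeholders.
Import-Module ADFS

$rpName      = "Microsoft Office 365 Identity Platform"  # default O365 RP trust name; check Get-AdfsRelyingPartyTrust
$corpIpRegex = '^192\.0\.2\.'                            # placeholder: your corporate egress range (RFC 5737 doc range)

# Back up the rules that are in place now so the change can be reverted.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
$rp.IssuanceAuthorizationRules | Out-File "$env:TEMP\o365-authz-rules.bak.txt"

# x-ms-proxy is only present for requests that arrived through the Web Application Proxy (extranet).
# x-ms-forwarded-client-ip may contain several comma-separated addresses; match on the corporate prefix.
$rules = @"
@RuleName = "Deny Exchange ActiveSync from outside the corporate network"
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "$corpIpRegex"])
 && exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

@RuleName = "Deny legacy (non-browser) sign-in from outside unless the device is registered"
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "$corpIpRegex"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/ls/"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value == "true"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

@RuleName = "Permit everything else"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Deny rules win over permit rules regardless of order, so the trailing permit is safe.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $rules
```

Test the result with a browser sign-in and a native mail client from both inside and outside the network before rolling it out, and restore the backed-up rules if anything unexpected is blocked.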
CLAIMS IN AZURE AD IN AN AD FS SCENARIO
Diagram components: User; Azure Active Directory integrated application; Azure Active Directory with Conditional Access; Active Directory Domain Services (on premises); Active Directory Federation Services (as STS) with claim rules; Azure AD Connect; Internet.
Relationships shown: IdP relationship and federation trust (WS-Fed) between Azure AD and AD FS; relying party trust; redirect actions, infrastructure actions and infrastructure relations (numbered flow steps 1-10 in the original diagram).
AD FS
INTUNE VERSUS AZURE AD
Intune CA = Azure AD CA
CA versus Exchange on-premises
CA versus Office 365
INTUNE COMPLIANCE
Intune compliance versus CA
Check if the device is compliant
Compliance check options
Threat protection (Lookout)
ARCHITECTURE
1. Lookout is federated with Azure AD; authentication is done via Azure AD or AD FS.
2. Device compliance state is shared between Azure AD and Microsoft Intune.
3. Lookout gets device and user information based on AAD group membership via the Intune Connector. Lookout is able to retrieve and set the device compliance state in Microsoft Intune.
4. Device is managed by Intune (gets compliance policy + mandatory Lookout for Work app).
5. Lookout for Work is activated and is managed by Lookout MTP.
L4W NOT INSTALLED/ACTIVATED
1. Device is marked as non-compliant in Intune and Azure AD.
2. Office 365 gets the compliance status from Azure AD and access to Office 365 is prohibited.
3. After installing and/or activating L4W, the device is marked as compliant.
4. Office 365 retrieves the new compliance status and access to Office 365 is allowed.
L4W DETECTS VIRUS
1. Device has access to Office 365.
2. Threat detected by Lookout; compliance state set to non-compliant and access to Office 365 is prohibited.
3. User fixes issue(s); Lookout for Work reports the device state.
4. Lookout MTP shares the device compliance state with Intune (/Azure AD).
5. Office 365 gets the compliance state from Azure AD. If okay, access to Office 365 is allowed.
Compliance
APP BASED CONDITIONAL ACCESS
Exchange Online: Microsoft Outlook for Android and iOS
SharePoint Online: Microsoft Word for iOS and Android; Microsoft Excel for iOS and Android; Microsoft PowerPoint for iOS and Android; Microsoft OneDrive for Business for iOS and Android; Microsoft OneNote for iOS
App based CA
NETWORK ACCESS CONTROL
Cisco
Aruba (coming)
Juniper (coming)
Citrix NetScaler
F5 (coming)
Pulse (coming)
MODERN AUTHENTICATION
What is modern authentication?
Active Directory Authentication Library (ADAL) is required.
SERVER SIDE SUPPORT (O365)
Modern authentication is turned off for Exchange Online by default. See "Enable Exchange Online for modern authentication" to turn it on.
Turned on for SharePoint Online by default.
Turned off for Skype for Business Online by default. See the Microsoft Connect form to request that your Skype for Business Online service be enabled for modern authentication.
ONPREMISES CA
CONDITIONAL ACCESS SCENARIOS THAT REQUIRE AD FS
Conditional access for PC (Windows 7, Windows 8.1)
Conditional access for PC where we want more than domain joined
Windows 10 1607 and later: GPO (no AD FS requirement)
Windows 7 & Windows 8.1 require an agent to be installed (MSI)
Windows 7 & Windows 8.1 also require AD FS to be able to register in Azure AD
CONDITIONAL ACCESS FOR PC (SCCM)
Required for a PC to be marked as compliant and not only domain joined
Compliance policy deployed in SCCM
Requires Intune in hybrid mode
Conditional access PC
Troubleshooting Device Registration
NOTES FROM THE FIELD / LINKS
Graph API troubleshooting
Intune CA for EAS is the best way
CA video - https://twitter.com/msftmechanics/status/839557885898051584
Limited CA for SharePoint - https://blogs.technet.microsoft.com/enterprisemobility/2017/03/09/conditional-accesslimited-access-policies-for-sharepoint-are-in-public-preview/
Conditional access troubleshooting flow-chart when using Intune connected with Configuration Manager - https://aka.ms/catsflowchartconfigmgr
HOUSE OF TAILS
www.houseoftails.org/support-us
www.facebook.com/sthouseoftails
info@houseoftails.org
Dutch bank IBAN: NL87INGB0006669920
70 dogs!!! Safety, food, water, health, blankets, shade, love, fun
$15 = 1 month food
Donation box near the registration area; participate in the raffle for huge rewards!