1
Secure access to O365,SaaS and On-Premise apps with Azure AD & Intune
Microsoft 2016, 9/17/2018 6:35 PM, BRK3225
Secure access to O365, SaaS and On-Premise apps with Azure AD & Intune
Alex Weinert, Principal Group Program Manager, Azure AD
Dilip Radhakrishnan, Principal PM Manager, Microsoft Intune
© 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
2
Agenda
Conditional Access Overview
Secure access to O365 and SaaS apps
Secure access to on-premise resources
Risk based conditional access
Roadmap
3
The Cloud & Mobile Promise
Easy access, 24x7 connectivity, Flexibility, Global reach, Seamless collaboration, Agility, Reduced friction
23% greater productivity, 100% higher employee satisfaction ("Is mobility the answer to better employee productivity?", Forbes Magazine)
But what about Auditing? Security? Compliance & Assurance?
5
Microsoft Enterprise Mobility + Security
Enterprise Mobility + Security (EMS)
Identity and access management: Azure Active Directory Premium
User and entity behavioral analytics: Advanced Threat Analytics
Mobile device and app management: Intune
Information protection: Azure Information Protection
Cloud and SaaS app security: Cloud App Security
6
Azure Active Directory
90% of Fortune 500 companies use Microsoft Cloud (Azure, O365, CRM Online, and PowerBI)
>10 M Azure AD directories
More than 750 M user accounts on Azure AD
33,000 Enterprise Mobility + Security | Azure AD Premium enterprise customers
>110k third-party applications used with Azure AD each month
>1.3 billion authentications every day on Azure AD
Every Office 365 and Microsoft Azure customer uses Azure Active Directory
Microsoft "Identity Management as a Service (IDaaS)" for organizations. Millions of independent identity systems controlled by enterprise and government "tenants." Information is owned and used by the controlling organization, not by Microsoft.
Born-as-a-cloud directory for Office 365. Extended to manage across many clouds. Evolved to manage an organization's relationships with its customers/citizens and partners (B2C and B2B).
7
Conditional Access
Conditions
User attributes: Group membership
Devices: Domain Joined, compliant, Platform type (Windows, iOS, Android)
Application: Per app policy, Type of client (Web, Rich, mobile), Cloud and On-premises applications
Location: IP Range
Risk: Session risk, User risk
Controls: ALLOW, ENFORCE MFA, BLOCK
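To show how the conditions and controls on this slide combine, here is an added Python model of per-app policy evaluation (constructed for this page, not Azure AD's engine or its policy schema): each policy applies under its conditions and yields one grant, and the most restrictive applicable grant wins. The field names, grant names, app names and sample IP range are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
# Constructed model of the slide's conditions and controls; names are illustrative assumptions.
RISK = {"low": 0, "medium": 1, "high": 2}

@dataclass
class Policy:                       # one per-app policy: conditions plus a single grant
    app: str
    grant: str                      # "MFA", "REQUIRE_MANAGED" or "BLOCK"
    groups: set = field(default_factory=set)           # group membership condition
    clients: set = field(default_factory=set)          # "web", "rich" or "mobile"
    platforms: set = field(default_factory=set)        # "windows", "ios" or "android"
    trusted_ranges: list = field(default_factory=list)  # applies only from outside these
    min_risk: str = "low"           # applies when user or session risk is at least this

def in_ranges(ip, ranges):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in ranges)

def applies(p, req):
    """req: dict with app, groups, client, ip and optional platform, risk and device flags."""
    if p.app != req["app"] or (p.groups and not p.groups & req["groups"]):
        return False
    for cond, key in ((p.clients, "client"), (p.platforms, "platform")):
        if cond and req.get(key) not in cond:
            return False
    if p.trusted_ranges and in_ranges(req["ip"], p.trusted_ranges):
        return False                # location condition: request comes from the corporate range
    risk = max(RISK[req.get("user_risk", "low")], RISK[req.get("session_risk", "low")])
    return risk >= RISK[p.min_risk]

def evaluate(policies, req):
    """Return ALLOW, ENFORCE_MFA or BLOCK: the most restrictive applicable grant wins."""
    managed = req.get("compliant", False) or req.get("domain_joined", False)
    decision = "ALLOW"
    for p in policies:
        if not applies(p, req):
            continue
        if p.grant == "BLOCK" or (p.grant == "REQUIRE_MANAGED" and not managed):
            return "BLOCK"
        if p.grant == "MFA":
            decision = "ENFORCE_MFA"
    return decision
# Constructed sample: MFA for Exchange Online from outside the corporate range, managed
# devices only for mobile clients, block SharePoint Online at high user or session risk.
POLICIES = [
    Policy("ExchangeOnline", "MFA", trusted_ranges=["10.0.0.0/8"]),
    Policy("ExchangeOnline", "REQUIRE_MANAGED", clients={"mobile"}),
    Policy("SharePointOnline", "BLOCK", min_risk="high"),
]
```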
8
Demo: Conditional access based on application and/or location
10
Conditional access based on device state
11
Wide range of Enterprise Mobility Scenarios
Level of access desired by the organization varies across the spectrum
Locked Down Device (MDM enabled), example: point-of-sale or maintenance tablet or PC
Managed Device (MDM enabled), example: company provided phone, tablet or PC
Personal Device (won't enable MDM), example: personal phone, tablet or PC
Unknown Device (can't enable MDM), example: kiosk at a hotel
Type of user ranges from Task Worker to Information Worker
12
Demo: Conditional Access for Mobile Devices
Dilip Radhakrishnan
13
Access control from mobile apps on iOS/Android
Components: Outlook App; Azure AD (device object: device id, isManaged, MDMStatus); Intune; Unified Enrollment / Quarantine Website; Office 365 service (Outlook Cloud Service)
1 Authenticate User and Device
2 Redirect to Intune
3 Unified Enrollment Quarantine Website (Step 1: Enroll device, Workplace Join + management)
4 Enroll into Intune; Register device in Azure AD
5 Set device management/compliance status
6 Issue Access token
7 Access Outlook Cloud service with AAD token
8 Get EAS service access token for user
9 Get Corporate
10 delivered
14
Access control to O365 from mobile browser
Components: Browser; Azure AD (device object: Device ID, isManaged, MDMStatus); Intune; Unified enrollment / Quarantine website; Office 365 service (Exchange Online)
1 Authenticate user and device via TLS challenge
2 Redirect to Intune
3 Unified enrollment Quarantine website (Step 1: Enroll device, Workplace join + management); site provides cookie to let user sign in
4 Enroll into Intune; Register device in Azure AD
5 Set device management/compliance status
6 Issue authentication token
7 Access Exchange Online service through sign-in cookie
8 Documents viewed & downloaded
15
O365 Conditional Access for Windows PCs
16
Conditional Access for Windows PCs
Management options for Corp Owned PCs: AD domain joined; AD domain joined + SCCM management; Azure Domain Joined + Intune management
Management option for BYOD PCs: Azure AD registered + Intune management
Support matrix (Management vs. Windows 7, Windows 8.1, Windows 10):
AD domain joined: Supported
AD domain joined + SCCM Managed
Azure Domain Joined + Intune managed: Not supported before Windows 10
AAD registered + Intune managed
17
Conditional Access in SCCM
18
Conditional Access in SCCM
19
Prerequisites for CA with Office Desktop on Domain Joined Windows PCs
Office 2016 or Office 2013 with Modern Authentication enabled
AAD auto-registration: GP or SCCM can be used to enable auto-registration; Windows 7 requires an MSI to be deployed
ADFS claims rules to block down-level Office from external network locations
In the near future, EXO and SPO will expose PS cmdlets to disable non-modern authentication
20
Intune & Windows 10 Device Health Attestation
Verifies that a device is booted to a Factory Trusted state (firmware)
Assures that MDM is talking to the same device
Validates that the device is running a Trusted OS and provides a mechanism to monitor compliance. For example, validates: Secure boot state (on/off); Bitlocker state (on/off); Firmware patch version; OS security policy/state
21
Conditional Access for Intune managed applications
22
Mobile application management without MDM enrollment
MAM policies: Familiar Office experience; Seamless "enrollment" into app management; Use for personal and corporate accounts
Comprehensive protection: App encryption at rest; App access control (PIN or credentials); Save as/copy/paste restrictions; App-level selective wipe
MDM managed by Intune or third-party is optional
Extend protection to a file level with Azure RMS
Might be a good solution for these scenarios: BYOD when MDM is not required; Extending app access to vendors and partners; Already have an existing MDM solution
Diagram: Corporate apps and Personal apps on the device; MDM (Intune or 3rd party) with optional device policies
23
Demo: Conditional Access for MAM
24
Conditional Access for on-premise resources
25
On-Prem Exchange CA Architecture
Components: EAS Client; On Prem Exchange Server 2010/2013; Intune; Azure AD DRS (device object: device id, isManaged, MDMStatus, EASIDs); Unified Enrollment / Quarantine
1 Attempt connection
2 Block non-managed devices
3 If not managed, block device (Quarantine)
4 Step 1: Enroll device (Workplace Join + management)
5 Enroll into Intune; Register device in Azure AD
6 Set device management/compliance status
7 Step 2: Register EAS client
8 Create EASID to device ID binding
9 Allow managed device
10 If managed, access is granted
Who does what? Intune: evaluate policy, manage device state and mark the device record in AAD. Exchange Server: provides API and infrastructure for quarantine.
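As an added illustration of the enrollment and quarantine flow above, and of how the Device Health Attestation checks on slide 20 feed the device record that Exchange consults, here is a constructed Python simulation; it is not Microsoft code, and the class names, the health report fields, the EAS and device identifiers and the firmware threshold are assumptions.

```python
from dataclasses import dataclass
# Constructed simulation (not Microsoft code) of the on-prem Exchange flow above: Intune
# evaluates the Device Health Attestation fields and marks the Azure AD device object; the
# Exchange Server reads that record per EAS device ID and only supplies the quarantine.
MIN_FIRMWARE_PATCH = 7   # assumed compliance threshold for the firmware patch version
@dataclass
class DeviceObject:             # the Azure AD DRS device record shown on the slide
    device_id: str
    is_managed: bool = False
    mdm_status: str = "unknown"  # "compliant" or "noncompliant", written by Intune

class AzureAD:
    def __init__(self):
        self.devices, self.eas_bindings = {}, {}   # device id -> record, EAS id -> device id
    def register_device(self, device_id):
        return self.devices.setdefault(device_id, DeviceObject(device_id))
    def bind_eas_id(self, eas_id, device_id):      # "Create EASID to device ID binding"
        self.eas_bindings[eas_id] = device_id

class Intune:
    def __init__(self, aad): self.aad = aad
    def enroll(self, device_id, health):           # "Enroll into Intune" + register in Azure AD
        self.aad.register_device(device_id).is_managed = True
        self.update_compliance(device_id, health)
    def update_compliance(self, device_id, health):  # compliance policy over the DHA fields
        ok = (health["secure_boot"] and health["bitlocker"]
              and health["firmware_patch"] >= MIN_FIRMWARE_PATCH)
        self.aad.devices[device_id].mdm_status = "compliant" if ok else "noncompliant"

class ExchangeServer:
    def __init__(self, aad): self.aad = aad
    def handle_eas_request(self, eas_id):
        dev = self.aad.devices.get(self.aad.eas_bindings.get(eas_id))
        if dev is None:
            return "QUARANTINE"     # unknown EAS client: redirect to unified enrollment
        if dev.is_managed and dev.mdm_status == "compliant":
            return "ALLOW"          # managed, compliant device: access granted
        return "BLOCK"              # registered but not managed or not compliant

def walkthrough():
    # Replay the slide's sequence and return Exchange's decision at each stage.
    aad = AzureAD(); intune = Intune(aad); exchange = ExchangeServer(aad)
    healthy = {"secure_boot": True, "bitlocker": True, "firmware_patch": 9}  # constructed report
    results = [exchange.handle_eas_request("EAS-1234")]   # first connection attempt
    intune.enroll("dev-abc", healthy)
    aad.bind_eas_id("EAS-1234", "dev-abc")                # register the EAS client
    results.append(exchange.handle_eas_request("EAS-1234"))
    intune.update_compliance("dev-abc", dict(healthy, bitlocker=False))  # later compliance drift
    results.append(exchange.handle_eas_request("EAS-1234"))
    return results                                        # ["QUARANTINE", "ALLOW", "BLOCK"]
```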
26
AzureAD App Proxy + Conditional access
Publish Web, SharePoint, LoB apps through App Proxy
Secure access using: MFA; Location based access policy; Device compliance; User and device risk; Managed mobile app requirements
Supports: Browser based web apps using both Windows Authentication or Forms based authentication; Rich client (ADAL integrated) apps; Non-web apps are supported through Remote Desktop Gateway
Diagram: Microsoft Cloud, Azure Application Proxy, on-premises Connectors
27
Network Access control
Extends EMS conditional access to the network stack
Partnerships: Cisco – Available; Aruba – Q4 2016; Citrix – Onboarding; F5 – Onboarding; Pulse – Onboarding
28
NetScaler Integration
Flow: device enrolled in Intune; user connects to SharePoint; NetScaler checks device state against AAD and on-premises AD; if the device is compliant, allow access, else block
Intune managed browser will include the NetScaler SDK
SDK interoperability for LOB apps: Intune MAM SDK and Citrix NetScaler SDK (Micro VPN)
Wrapper interoperability: Intune and Citrix app wrapping tools will support inclusion of both SDKs to enable micro-VPN access to on-prem resources
Preview planned in H1 2017
29
Conditional Access based on Device Risk
30
5 categories of suspicious/tampered Pokémon apps
31
Flow: malware detected on the device; Lookout MTP console raises an alert; alert reaches the Intune console; conditional access stops access and locks managed apps
32
Flow continued: user remediation; threat remediated, shown in the Lookout MTP console and the Intune console; conditional access re-evaluated now that the malware detection is cleared
33
Demo - Conditional Access based on device risk
34
Conditional Access based on session or user risk
35
Azure Active Directory Identity Protection
Consolidated view to examine suspicious user activities and configuration vulnerabilities
Remediation recommendations
Risk severity calculation
Risk-based policies for protection against future threats
Threats and vulnerabilities covered: Brute force attacks; Leaked credentials; Infected devices; Suspicious sign-in activities; Configuration vulnerabilities
36
Conditional Access – Road ahead
38
Enterprise Mobility + Security
The Microsoft solution
Azure Active Directory: Manage identity with hybrid integration to protect application access from identity attacks
Microsoft Cloud App Security: Extend enterprise-grade security to your cloud and SaaS apps
Intune: Protect your users, devices, and apps
Advanced Threat Analytics: Detect threats early with visibility and threat analytics
Azure Information Protection: Protect your data, everywhere
39
Free IT Pro resources To advance your career in cloud technology
Plan your career path: Microsoft IT Pro Career Center (cloud role mapping; expert advice on skills needed; self-paced curriculum by cloud role)
Get started with Azure: Microsoft IT Pro Cloud Essentials ($300 Azure credits and extended trials; Pluralsight 3 month subscription (10 courses); phone support incident)
Demos and how-to videos: Microsoft Mechanics (weekly short videos and insights from Microsoft's leaders and engineers)
Connect with peers and experts: Microsoft Tech Community (connect with a community of peers and Microsoft experts)
40
Please evaluate this session
Your feedback is important to us! From your PC or Tablet visit MyIgnite at
From your phone download and use the Ignite Mobile App by scanning the QR code above or visiting