Secure access to O365,SaaS and On-Premise apps with Azure AD & Intune


1 Secure access to O365, SaaS and On-Premise apps with Azure AD & Intune
Microsoft 2016, 9/17/2018 6:35 PM, session BRK3225
Alex Weinert, Principal Group Program Manager, Azure AD
Dilip Radhakrishnan, Principal PM Manager, Microsoft Intune
© 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2 Agenda
- Conditional Access overview
- Secure access to O365 and SaaS apps
- Secure access to on-premise resources
- Risk-based conditional access
- Roadmap

3 The Cloud & Mobile Promise
- Easy access
- 24x7 connectivity
- Flexibility
- Global reach
- Seamless collaboration
- Agility
- Reduced friction
23% greater productivity, 100% higher employee satisfaction ("Is mobility the answer to better employee productivity?", Forbes Magazine)
But what about Auditing? Security? Compliance & Assurance?
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

4 The Cloud & Mobile Promise
(Same benefits as the previous slide.) But what about Auditing? Security? Compliance & Assurance?

5 Microsoft Enterprise Mobility + Security (EMS)
- Identity and access management: Azure Active Directory Premium
- User and entity behavioral analytics: Advanced Threat Analytics
- Mobile device and app management: Intune
- Information protection: Azure Information Protection
- Cloud and SaaS app security: Cloud App Security

6 Azure Active Directory
Microsoft "Identity Management as a Service (IDaaS)" for organizations. Millions of independent identity systems controlled by enterprise and government "tenants." Information is owned and used by the controlling organization, not by Microsoft. Born as a cloud directory for Office 365. Extended to manage across many clouds. Evolved to manage an organization's relationships with its customers/citizens and partners (B2C and B2B).
- 90% of Fortune 500 companies use Microsoft Cloud (Azure, O365, CRM Online, and PowerBI)
- >10 M Azure AD directories
- More than 750 M user accounts on Azure AD
- 33,000 Enterprise Mobility + Security | Azure AD Premium enterprise customers
- >110k third-party applications used with Azure AD each month
- >1.3 billion authentications every day on Azure AD
- Every Office 365 and Microsoft Azure customer uses Azure Active Directory

7 Conditional Access
Signals evaluated by Microsoft Azure:
- User attributes: group membership
- Devices: domain joined, compliant, platform type (Windows, iOS, Android)
- Application: per-app policy, type of client (web, rich, mobile), cloud and on-premises applications
- Location: IP range
- Risk: session risk, user risk
Possible decisions: ALLOW, ENFORCE MFA, BLOCK
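The slide lists the signals (user, device, application, location, risk) and the three outcomes without showing how several policies combine. The following is an added illustration, not Azure AD's policy engine or any Microsoft code: a small evaluator in which every policy whose conditions match a sign-in contributes a control, and the most restrictive control (BLOCK over ENFORCE MFA over ALLOW) wins. The policy names, group names, app names and the trusted IP range 203.0.113.0/24 are constructed for the example.

```python
"""Toy conditional-access evaluator (added illustration, not Azure AD code)."""
from dataclasses import dataclass
from enum import IntEnum
import ipaddress

RISK_ORDER = {"low": 0, "medium": 1, "high": 2}


class Control(IntEnum):
    ALLOW = 0
    ENFORCE_MFA = 1
    BLOCK = 2          # highest value = most restrictive, so max() picks it


@dataclass
class SignIn:
    user: str
    groups: set
    app: str
    client_type: str           # "web", "rich" or "mobile"
    platform: str              # "windows", "ios" or "android"
    domain_joined: bool
    compliant: bool
    ip: str
    session_risk: str = "low"
    user_risk: str = "low"


@dataclass
class Policy:
    name: str
    apps: frozenset = frozenset()          # empty = any application
    groups: frozenset = frozenset()        # empty = any user
    client_types: frozenset = frozenset()  # empty = any client type
    platforms: frozenset = frozenset()     # empty = any platform
    outside_networks: tuple = ()           # applies only when the IP is outside these ranges
    min_session_risk: str = "low"
    min_user_risk: str = "low"
    # grant controls
    require_mfa: bool = False
    require_managed_device: bool = False   # compliant or domain-joined device
    block: bool = False

    def matches(self, s: SignIn) -> bool:
        """Condition part: does this policy apply to the sign-in at all?"""
        if self.apps and s.app not in self.apps:
            return False
        if self.groups and not (self.groups & s.groups):
            return False
        if self.client_types and s.client_type not in self.client_types:
            return False
        if self.platforms and s.platform not in self.platforms:
            return False
        if self.outside_networks:
            addr = ipaddress.ip_address(s.ip)
            if any(addr in ipaddress.ip_network(n) for n in self.outside_networks):
                return False           # inside a trusted range: policy not applicable
        if RISK_ORDER[s.session_risk] < RISK_ORDER[self.min_session_risk]:
            return False
        if RISK_ORDER[s.user_risk] < RISK_ORDER[self.min_user_risk]:
            return False
        return True

    def control(self, s: SignIn) -> Control:
        """Grant part: which control results once the policy applies."""
        if self.block:
            return Control.BLOCK
        if self.require_managed_device and not (s.compliant or s.domain_joined):
            return Control.BLOCK       # requirement cannot be met by this device
        if self.require_mfa:
            return Control.ENFORCE_MFA
        return Control.ALLOW


def evaluate(policies, signin):
    """Return (decision, names of applied policies); most restrictive control wins."""
    applied = [(p.name, p.control(signin)) for p in policies if p.matches(signin)]
    decision = max((c for _, c in applied), default=Control.ALLOW)
    return decision, [n for n, _ in applied]


# Constructed sample policies mirroring the slide's signal categories.
POLICIES = [
    Policy("mfa-outside-corpnet", outside_networks=("203.0.113.0/24",), require_mfa=True),
    Policy("exchange-needs-managed-device", apps=frozenset({"Exchange Online"}),
           client_types=frozenset({"mobile", "rich"}), require_managed_device=True),
    Policy("block-high-session-risk", min_session_risk="high", block=True),
]


def corp_pc_on_corpnet():
    return evaluate(POLICIES, SignIn("alice", {"staff"}, "Exchange Online", "rich",
                                     "windows", True, True, "203.0.113.10"))


def personal_phone_from_home():
    return evaluate(POLICIES, SignIn("bob", {"staff"}, "Exchange Online", "mobile",
                                     "ios", False, False, "198.51.100.7"))


def compliant_web_from_home():
    return evaluate(POLICIES, SignIn("carol", {"staff"}, "SharePoint Online", "web",
                                     "windows", False, True, "198.51.100.8"))


def risky_session_on_corpnet():
    return evaluate(POLICIES, SignIn("dave", {"staff"}, "SharePoint Online", "web",
                                     "windows", True, True, "203.0.113.11", session_risk="high"))
```

The returned policy names are the audit trail a practitioner wants when a user reports an unexpected block: the device-state policy alone explains the personal phone's denial, while the high-risk case is blocked even though every device and location signal looks fine.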

8 Demo: Conditional access based on application and/or location

9

10 Conditional access based on device state

11 Wide range of Enterprise Mobility Scenarios
Level of access desired by the organization varies across the spectrum:
Device: Locked Down Device | Managed Device | Personal Device | Unknown Device
MDM: MDM Enabled | MDM Enabled | Won't Enable MDM | Can't Enable MDM
Example: Point-of-sale or maintenance tablet or PC | Company provided phone, tablet or PC | Personal phone, tablet or PC | Kiosk at a hotel
Type of user: Task Worker | Information Worker

12 Demo: Conditional Access for Mobile Devices
Dilip Radhakrishnan

13 Access control from mobile apps on iOS/Android
Components: Outlook App; Azure AD (device object: device id, isManaged, MDMStatus); Intune (Unified Enrollment, Quarantine Website); Office 365 service (Outlook Cloud Service).
Step 1: Enroll device (Workplace Join + management)
1. Authenticate user and device
2. Redirect to Intune
3. Quarantine Website / Unified Enrollment
4. Enroll into Intune; register device in Azure AD
5. Set device management/compliance status
6. Issue access token
7. Access Outlook Cloud service with AAD token
8. Get EAS service access token for user
9. Get Corporate
10. delivered

14 Access control to O365 from mobile browser
Device object Device ID isManaged MDMStatus Set device management/ compliance status 5 Office 365 service Intune 4 Register device in Azure AD Access Exchange Online service through sign-in cookie 7 8 Documents viewed & downloaded Issue authentication token 6 1 Authenticate user and device via TLS challenge Azure AD Redirect to Intune 2 Enroll into Intune 4 Site provides cookie to let user sign in (Workplace join + management) 3 Unified enrollment Quarantine website Step 1: Enroll device Browser Confidential under NDA

15 O365 Conditional Access for Windows PCs

16 Conditional Access for Windows PCs
Management options for corp-owned PCs:
- AD domain joined
- AD domain joined + SCCM management
- Azure Domain Joined + Intune management
Management option for BYOD PCs:
- Azure AD registered + Intune management
Support matrix on the slide: rows AD domain joined, AD domain joined + SCCM managed, Azure Domain Joined + Intune managed, AAD registered + Intune managed; columns Windows 7, Windows 8.1, Windows 10; cells marked Supported or Not supported.

17 Conditional Access in SCCM

18 Conditional Access in SCCM

19 Pre-requisites for CA with Office Desktop on Domain Joined Windows PCs
- Office 2016 or Office 2013 with Modern Authentication enabled
- AAD auto-registration: GP or SCCM can be used to enable auto-registration; Windows 7 requires an MSI to be deployed
- ADFS claims rules to block down-level Office from external network locations
- In the near future, EXO and SPO will expose PS cmdlets to disable non-modern authentication

20 Intune & Windows 10 Device Health Attestation
- Verifies if a device is booted to a Factory Trusted state (firmware)
- Assures that MDM is talking to the same device
- Validates that the device is running a Trusted OS and provides a mechanism to monitor compliance. For example, validates: secure boot state (on/off), BitLocker state (on/off), firmware patch version, OS security policy/state
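The three guarantees on the slide (fresh boot state, same device, policy evaluation) map to three checks a verifier performs. The following is an added illustration, not Windows DHA or Intune code: the service issues a nonce, the device returns a health report bound to that nonce and signed with a key registered at enrollment, and the service rejects replays and reports from other devices before evaluating secure boot, BitLocker, firmware version and OS policy state. The per-device HMAC key stands in for the TPM-backed attestation key and boot log that real DHA uses; device id, key, minimum firmware version and the `code_integrity` field are constructed for the example.

```python
"""Toy device-health-attestation verifier (added illustration, not DHA/Intune code)."""
import hashlib
import hmac
import json
import secrets

MIN_FIRMWARE = (1, 4, 0)   # assumed minimum firmware patch version for compliance


class AttestationServer:
    def __init__(self, device_keys):
        self.device_keys = device_keys   # device_id -> key registered at enrollment (constructed)
        self.outstanding = {}            # device_id -> nonce issued, consumed on first use

    def challenge(self, device_id):
        """Issue a fresh nonce so a report cannot be prepared ahead of time or replayed."""
        nonce = secrets.token_hex(16)
        self.outstanding[device_id] = nonce
        return nonce

    def verify(self, device_id, report_bytes, mac):
        key = self.device_keys.get(device_id)
        nonce = self.outstanding.pop(device_id, None)
        if key is None:
            return {"verified": False, "compliant": False, "reasons": ["device not enrolled"]}
        if nonce is None:
            return {"verified": False, "compliant": False,
                    "reasons": ["no outstanding challenge (replayed or unsolicited report)"]}
        # Same-device check: the MAC must come from the key bound to this device id.
        expected = hmac.new(key, report_bytes, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return {"verified": False, "compliant": False,
                    "reasons": ["signature mismatch: report not from the enrolled device"]}
        report = json.loads(report_bytes)
        if report.get("nonce") != nonce:
            return {"verified": False, "compliant": False, "reasons": ["nonce mismatch"]}
        # Policy evaluation over the attested state (the slide's example checks).
        reasons = []
        if not report.get("secure_boot"):
            reasons.append("secure boot off")
        if not report.get("bitlocker"):
            reasons.append("BitLocker off")
        if tuple(report.get("firmware", (0, 0, 0))) < MIN_FIRMWARE:
            reasons.append("firmware below minimum")
        if report.get("code_integrity") != "enforced":
            reasons.append("OS security policy not enforced")
        return {"verified": True, "compliant": not reasons, "reasons": reasons}


def sign_report(key, nonce, **state):
    """Device side: serialise the boot/OS state with the nonce and MAC it with the device key."""
    body = json.dumps({"nonce": nonce, **state}, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def run_scenarios():
    """Four constructed reports: healthy, replayed, drifted state, forged by another key."""
    keys = {"dev-001": b"constructed-enrollment-key-001"}
    srv = AttestationServer(keys)
    out = {}
    healthy = dict(secure_boot=True, bitlocker=True, firmware=[1, 4, 2], code_integrity="enforced")

    nonce = srv.challenge("dev-001")
    body, mac = sign_report(keys["dev-001"], nonce, **healthy)
    out["healthy"] = srv.verify("dev-001", body, mac)
    out["replay"] = srv.verify("dev-001", body, mac)          # nonce already consumed

    nonce = srv.challenge("dev-001")
    body, mac = sign_report(keys["dev-001"], nonce, secure_boot=True, bitlocker=False,
                            firmware=[1, 3, 9], code_integrity="enforced")
    out["drifted"] = srv.verify("dev-001", body, mac)         # valid report, non-compliant state

    nonce = srv.challenge("dev-001")
    body, _ = sign_report(keys["dev-001"], nonce, **healthy)
    forged_mac = hmac.new(b"some-other-key", body, hashlib.sha256).hexdigest()
    out["wrong_device"] = srv.verify("dev-001", body, forged_mac)
    return out
```

The `compliant` flag is what an MDM would write back into the device object's compliance status (the isManaged / MDMStatus fields in the flow diagrams), so that conditional access gates on attested state rather than on a value the client asserts about itself. Note the distinction the output keeps: a drifted device is a verified report with a non-compliant result, whereas a replayed or forged report is not a verified report at all.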

21 Conditional Access for Intune managed applications

22 Mobile application management without MDM enrollment
MAM policies:
- Familiar Office experience
- Seamless "enrollment" into app management
- Use for personal and corporate accounts
Comprehensive protection:
- App encryption at rest
- App access control: PIN or credentials
- Save as/copy/paste restrictions
- App-level selective wipe
MDM managed by Intune or third party is optional. Extend protection to a file level with Azure RMS.
Might be a good solution for these scenarios:
- BYOD when MDM is not required
- Extending app access to vendors and partners
- Already have an existing MDM solution
Diagram: corporate apps and personal apps on the device; MDM (Intune or 3rd party) with optional device policies.

23 Demo: Conditional Access for MAM

24 Conditional Access for on-premise resources

25 On-Prem Exchange CA Architecture
Components: EAS Client; On Prem Exchange Server 2010/2013 (Quarantine); Intune (Unified Enrollment); Azure AD DRS (device object: device id, isManaged, MDMStatus, EASIDs).
Step 1: Enroll device (Workplace Join + management); Step 2: Register EAS client
1. Attempt connection
2. Block non-managed devices
3. If not managed, block device
4. Enroll (Workplace Join + management)
5. Enroll into Intune; register device in Azure AD
6. Set device management/compliance status
7. Register EAS client
8. Create EASID to device ID binding
9. Allow managed device
10. If managed, access is granted
Who does what?
- Intune: evaluate policy, manage device state and mark the device record in AAD
- Exchange Server: provides API and infrastructure for quarantine

26 Azure AD App Proxy + Conditional Access
Publish web, SharePoint and LoB apps through App Proxy. Secure access using:
- MFA
- Location-based access policy
- Device compliance
- User and device risk
- Managed mobile app requirements
Supports:
- Browser-based web apps using either Windows Authentication or forms-based authentication
- Rich client (ADAL integrated) apps
- Non-web apps through Remote Desktop Gateway
Diagram: Microsoft Cloud (Azure Application Proxy) connecting to on-premises connectors.

27 Network Access Control
Extends EMS conditional access to the network stack. Partnerships:
- Cisco: available
- Aruba: Q4 2016
- Citrix: onboarding
- F5: onboarding
- Pulse: onboarding

28 NetScaler Integration
Flow (AAD, on-premises AD, NetScaler):
1. Device enrolled in Intune
2. User connects to SharePoint
3. NetScaler checks device state
4. Is device compliant?
5. Allow access, else block
SDK interoperability for LOB apps: the Intune managed browser will include the NetScaler SDK; Intune MAM SDK and Citrix NetScaler SDK (micro VPN). Wrapper interoperability: Intune and Citrix app wrapping tools will support inclusion of both SDKs to enable micro-VPN access to on-prem resources. Preview planned in H1 2017.

29 Conditional Access based on Device Risk

30 5 categories of suspicious/tampered Pokémon apps

31 Malware detected
Lookout MTP console: MALWARE DETECTED -> alert -> Intune console: MALWARE DETECTED -> Conditional Access: STOP ACCESS, LOCK MANAGED APPS

32 Threat remediated
User remediation -> Lookout MTP console: THREAT REMEDIATED -> alert -> Intune console: THREAT REMEDIATED -> Conditional Access

33 Demo - Conditional Access based on device risk

34 Conditional Access based on session or user risk

35 Azure Active Directory Identity Protection
- Consolidated view to examine suspicious user activities and configuration vulnerabilities
- Remediation recommendations
- Risk severity calculation
- Risk-based policies for protection against future threats
Detections: brute force attacks, leaked credentials, infected devices, suspicious sign-in activities, configuration vulnerabilities; risk-based policies.

36 Conditional Access – Road ahead

37

38 Enterprise Mobility + Security: the Microsoft solution
- Azure Active Directory: manage identity with hybrid integration to protect application access from identity attacks
- Microsoft Cloud App Security: extend enterprise-grade security to your cloud and SaaS apps
- Intune: protect your users, devices, and apps
- Advanced Threat Analytics: detect threats early with visibility and threat analytics
- Azure Information Protection: protect your data, everywhere

39 Free IT Pro resources to advance your career in cloud technology
Microsoft Ignite 2016
- Plan your career path: Microsoft IT Pro Career Center (cloud role mapping, expert advice on skills needed, self-paced curriculum by cloud role)
- Get started with Azure: Microsoft IT Pro Cloud Essentials ($300 Azure credits and extended trials, Pluralsight 3 month subscription (10 courses), phone support incident)
- Demos and how-to videos: Microsoft Mechanics (weekly short videos and insights from Microsoft's leaders and engineers)
- Connect with peers and experts: Microsoft Tech Community (connect with a community of peers and Microsoft experts)

40 Please evaluate this session
Your feedback is important to us! From your PC or tablet visit MyIgnite at; from your phone download and use the Ignite Mobile App by scanning the QR code above or visiting

41

