Conditional access to Office 365
What options do you have?
• Identity overview
• Options for conditional access
• What to use when?
Identity overview
Identity as the core of enterprise mobility
Diagram labels: Single sign-on; Self-service; Simple connection; On-premises; Other directories; Windows Server Active Directory; SaaS; Azure; Public cloud; Cloud; Microsoft Azure Active Directory; Customers; Partners
The perimeter cannot help protect data stored in the cloud
Access control to corporate data today
Controlling access to corporate data
Diagram labels: Mobile devices; PCs; Web browsers; Data; Users; Devices; Apps; On-premises; Apps; Data
“I need to control access to resources based on a variety of conditions”
Control anywhere access
On-premises applications
APPLICATION: per app policy; type of client; business sensitivity
OTHER: network location; risk profile
DEVICES: are domain joined; are compliant; platform type (Windows, iOS, Android)
USER ATTRIBUTES: user identity; group memberships; auth strength (MFA)
• Allow
• Enforce MFA
• Block
Azure AD is the control plane
Diagram labels: Brute force attacks; Leaked credentials; Infected devices; Suspicious sign-in activities; Configuration vulnerabilities
Conditions: User; App sensitivity; Device state; Location; Risk
Actions: Allow access or Block access; Enforce MFA per user/per app
Diagram labels: NOTIFICATIONS, ANALYSIS, REMEDIATION, RISK-BASED POLICIES; CLOUD APP DISCOVERY; PRIVILEGED IDENTITY MANAGEMENT; MFA; IDENTITY PROTECTION
Diagram labels: On-premises applications; Microsoft Azure
Conditional access overview
Options for conditional access
• You can configure conditional access in multiple places
• If you configure multiple policies, then all must be met for the user to gain access
• For full capabilities, ensure you are using and enforcing modern authentication
• Services such as ActiveSync are not supported, so you’ll need to deploy and use the Outlook app for email.
Options for conditional access
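The two slides above describe conditional access as a set of conditions (user, group, app, device state, platform, location, risk) mapped to actions (allow, enforce MFA, block), with the rule that when several policies apply, all of them must be satisfied, and the caveat that legacy clients such as ActiveSync are not covered. The following Python model is an added illustration of that evaluation logic, not code from the slides or from Azure AD. The policy fields, the `SignIn` attributes, the risk levels and the sample policies and sign-ins are all constructed for this example; they mirror the slide's vocabulary rather than any real product schema.

```python
"""Toy model of conditional-access policy evaluation (constructed example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SignIn:
    """One sign-in attempt and the signals a policy engine sees (constructed fields)."""
    user: str
    groups: frozenset
    app: str
    platform: str          # "Windows", "iOS", "Android", ...
    client: str            # "modern" (modern authentication) or "legacy" (e.g. ActiveSync)
    device_compliant: bool
    domain_joined: bool
    trusted_location: bool
    risk: str              # "none" | "low" | "medium" | "high"
    mfa_done: bool


@dataclass(frozen=True)
class Policy:
    """Conditions select the policy; the action fields are its grant controls."""
    name: str
    apps: frozenset = frozenset()          # condition: target apps (empty = all apps)
    groups: frozenset = frozenset()        # condition: user groups (empty = all users)
    platforms: frozenset = frozenset()     # condition: device platform (empty = any)
    min_risk: Optional[str] = None         # condition: sign-in risk at or above this level
    off_network_only: bool = False         # condition: only outside trusted network locations
    block: bool = False                    # action: block access outright
    require_mfa: bool = False              # action: enforce MFA
    require_compliant: bool = False        # action: require a compliant (managed) device
    require_domain_joined: bool = False    # action: require a domain-joined device


RISK = {"none": 0, "low": 1, "medium": 2, "high": 3}


def applies(p: Policy, s: SignIn) -> bool:
    """True when every condition of policy p matches sign-in s."""
    if p.apps and s.app not in p.apps:
        return False
    if p.groups and not (p.groups & s.groups):
        return False
    if p.platforms and s.platform not in p.platforms:
        return False
    if p.min_risk and RISK[s.risk] < RISK[p.min_risk]:
        return False
    if p.off_network_only and s.trusted_location:
        return False
    return True


def evaluate(policies, s: SignIn):
    """Return (decision, reasons).

    Decisions: 'allow', 'mfa_required', 'block', 'not_evaluated'.
    Every applicable policy must be satisfied; a single block wins, and a
    single unmet device requirement denies access.  Legacy clients are
    reported as not evaluated so the coverage gap is visible, not hidden.
    """
    if s.client == "legacy":
        return "not_evaluated", ["legacy client (e.g. ActiveSync) is not covered by these policies"]
    matched = [p for p in policies if applies(p, s)]
    if not matched:
        return "allow", ["no policy applies"]
    for p in matched:
        if p.block:
            return "block", [f"{p.name}: block"]
    unmet, mfa_reasons = [], []
    for p in matched:
        if p.require_compliant and not s.device_compliant:
            unmet.append(f"{p.name}: device not compliant")
        if p.require_domain_joined and not s.domain_joined:
            unmet.append(f"{p.name}: device not domain joined")
        if p.require_mfa and not s.mfa_done:
            mfa_reasons.append(f"{p.name}: MFA required")
    if unmet:
        return "block", unmet
    if mfa_reasons:
        return "mfa_required", mfa_reasons
    return "allow", [p.name for p in matched]


# Constructed sample policies, one per slide condition type.
POLICIES = [
    Policy("Block high-risk sign-ins", min_risk="high", block=True),
    Policy("MFA when off the corporate network", off_network_only=True, require_mfa=True),
    Policy("Mobile mail needs a compliant device", apps=frozenset({"Exchange Online"}),
           platforms=frozenset({"iOS", "Android"}), require_compliant=True),
    Policy("Finance SharePoint needs a domain-joined PC", groups=frozenset({"Finance"}),
           apps=frozenset({"SharePoint Online"}), platforms=frozenset({"Windows"}),
           require_domain_joined=True),
]


def demo():
    """Evaluate constructed sign-ins; returns {label: decision} for inspection or tests."""
    cases = {
        "alice-finance-pc-onsite": SignIn("alice", frozenset({"Finance"}), "SharePoint Online", "Windows",
                                          "modern", True, True, True, "none", False),
        "bob-ios-unmanaged-offsite": SignIn("bob", frozenset({"Sales"}), "Exchange Online", "iOS",
                                            "modern", False, False, False, "low", False),
        "bob-ios-compliant-offsite": SignIn("bob", frozenset({"Sales"}), "Exchange Online", "iOS",
                                            "modern", True, False, False, "low", False),
        "carol-high-risk": SignIn("carol", frozenset(), "Exchange Online", "Windows",
                                  "modern", True, True, True, "high", True),
        "dave-activesync": SignIn("dave", frozenset(), "Exchange Online", "Android",
                                  "legacy", False, False, False, "none", False),
    }
    return {label: evaluate(POLICIES, s)[0] for label, s in cases.items()}


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{label:28s} -> {decision}")
```

The point of the model is the combination rule: Bob's unmanaged phone is denied even though the only thing the off-network policy asked for was MFA, because the compliant-device policy also applies and both must be met. The `not_evaluated` outcome for the ActiveSync case is the slide's caveat made explicit; in a real deployment that gap is closed by moving users to a modern-authentication client so the policies actually run.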
• Microsoft Intune: legacy portal for Intune managed devices – manage.Microsoft.com (but coming soon to the new Azure portal!)
• Azure AD legacy portal: current portal for Azure AD conditional access – manage.windowsazure.com
• Azure AD new portal: preview portal for Azure AD conditional access – portal.azure.com
• Intune Mobile Application Management CA: portal for Intune MAM conditional access – portal.azure.com
• For lightweight, mobile-only requirements with a third-party MDM, Intune MAM conditional access is simple to deploy and manage.
• If you use Intune today to manage PCs and mobile devices and don’t want to use preview technology, Intune-based CA may be most suitable.
• If you want to protect desktops and mobile devices without requiring Intune to manage PCs, preview Azure AD-based conditional access is likely to be best.
Which to use and when
• Azure AD conditional access is part of your Enterprise Mobility and Security (EMS) subscription
• Leverages Intune and Azure AD Premium functionality
• Rapidly growing in functionality and provides a number of options
• Consider which to use and where, before deploying
Summary