HOW AZURE AD SECURES OFFICE 365
Andreas Kjellman, Chief Technical Architect, [email protected]
AGENDA
■ Overview
■ Secure the front door, but allow mobility
■ Avoid user errors and unintentional leaks
■ Detect attacks and limit damage
Note: Additional licenses (EMS E3/E5 or Azure AD Premium P1/P2) might be required
HOW AZURE AD IS RELATED TO OFFICE 365
[Diagram: on-premises Windows Server Active Directory and other directories connect to Microsoft Azure Active Directory through a simple connection; Azure AD in turn provides single sign-on (username and password) and self-service for Office 365, Azure, SaaS and other public cloud applications.]
■ Microsoft’s identity solution for the cloud
■ Started as a directory for Office 365, but has grown
■ If you use Office 365, then you also use Azure AD
AZURE AD IN NUMBERS
■ >85% of Fortune 500 use Microsoft cloud (Azure, O365, Dynamics, PowerBI)
■ >1.3 billion daily sign-ins to Azure AD
■ >10 M Azure AD "tenants"
■ More than 750 M user accounts in Azure AD
WHERE IS THE CONTROL?
■ On-premises: perimeter protection
■ Managed mobile environment: identity and device management protection
■ Unregulated, unknown environments: no control
■ Hybrid data is the new normal, and it is harder to protect
TECHNOLOGIES
Secure the front door, but allow mobility
■ Conditional Access
▸ Restrict how a user can access cloud resources
■ Identity Protection
▸ Identify identities with a high risk
▸ Make the sign-in stronger for high-risk users and sessions
■ Application proxy
▸ Replaces UAG/TMG
▸ Access on-premises resources from any device anywhere
CONDITIONAL ACCESS
Secure the front door, but allow mobility
Limit access based on:
■ User attributes
▸ Group memberships
■ The device
▸ Domain-joined, compliant, operating system
■ Application
▸ Client type (web, mobile, app)
■ Location
▸ IP address (such as the on-premises trusted network)
■ Risk
▸ Session risk, user risk
Take an action:
■ Allow
■ MFA
■ Block
AZURE AD IDENTITY PROTECTION
Secure the front door, but allow mobility
■ Gain insights from a consolidated view of machine learning based threat detection
■ Remediation recommendations
■ Risk severity calculation
■ Risk-based conditional access automatically protects against suspicious logins and compromised credentials
[Diagram: a machine-learning engine consumes signals such as leaked credentials, infected devices, configuration vulnerabilities, brute force attacks and suspicious sign-in activities; risk-based policies respond by challenging risky logins with MFA, blocking attacks and forcing a change of bad credentials.]
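The two slides above list the conditions (user, device, application, location, risk) and the actions (allow, MFA, block) that a Conditional Access policy combines, and the risk levels that Identity Protection feeds into it. The following Python model is an added example, not code from the slides or from Microsoft: it shows how several policies are evaluated against one sign-in. The evaluation rules it encodes are the documented ones (every applicable policy must be satisfied, so block overrides MFA, which overrides allow, and a device requirement that cannot be met results in a block); the group names, application names, IP ranges and policy names are constructed for the demo.

```python
# Added example (not from the slides or from Microsoft): a small model of how
# Conditional Access combines the conditions and actions listed above.
# Group names, app names, IP ranges and policy names are constructed for the demo.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Identity Protection risk levels, lowest to highest
RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}

# Constructed "trusted network" named location, e.g. the on-premises egress range
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


@dataclass
class SignIn:
    user: str
    groups: frozenset
    app: str
    client: str              # "browser", "mobile" or "desktop"
    device_compliant: bool
    ip: str
    sign_in_risk: str = "none"
    user_risk: str = "none"


@dataclass
class Policy:
    name: str
    # Conditions: an empty set means "not restricted by this condition"
    include_groups: frozenset = frozenset()
    exclude_groups: frozenset = frozenset()
    apps: frozenset = frozenset()
    clients: frozenset = frozenset()
    exclude_trusted_locations: bool = False
    min_sign_in_risk: Optional[str] = None   # policy applies at this risk or above
    min_user_risk: Optional[str] = None
    # Action: "allow", "mfa", "compliant_device" or "block"
    grant: str = "allow"


def in_trusted_location(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def applies(policy: Policy, s: SignIn) -> bool:
    """True when every condition of the policy is met by this sign-in."""
    if policy.include_groups and not (s.groups & policy.include_groups):
        return False
    if s.groups & policy.exclude_groups:          # e.g. break-glass accounts
        return False
    if policy.apps and s.app not in policy.apps:
        return False
    if policy.clients and s.client not in policy.clients:
        return False
    if policy.exclude_trusted_locations and in_trusted_location(s.ip):
        return False
    if policy.min_sign_in_risk and RISK_ORDER[s.sign_in_risk] < RISK_ORDER[policy.min_sign_in_risk]:
        return False
    if policy.min_user_risk and RISK_ORDER[s.user_risk] < RISK_ORDER[policy.min_user_risk]:
        return False
    return True


def evaluate(policies: List[Policy], s: SignIn) -> Tuple[str, List[str]]:
    """Return (decision, names of the policies that applied).

    All applicable policies must be satisfied, so the strictest outcome wins:
    block beats everything, an unmet device requirement becomes a block,
    and MFA beats allow.
    """
    matched = [p for p in policies if applies(p, s)]
    names = [p.name for p in matched]
    grants = {p.grant for p in matched}
    if "block" in grants:
        return "block", names
    if "compliant_device" in grants and not s.device_compliant:
        return "block", names
    if "mfa" in grants:
        return "mfa", names
    return "allow", names


# Constructed policy set for the demo
POLICIES = [
    Policy("Require MFA outside the corporate network",
           exclude_groups=frozenset({"BreakGlass"}),
           exclude_trusted_locations=True, grant="mfa"),
    Policy("Block high sign-in risk", min_sign_in_risk="high", grant="block"),
    Policy("Finance app only from compliant devices",
           apps=frozenset({"Finance"}), grant="compliant_device"),
    Policy("Block mobile clients for Finance",
           apps=frozenset({"Finance"}), clients=frozenset({"mobile"}), grant="block"),
]

if __name__ == "__main__":
    staff = frozenset({"Staff"})
    for s in [
        SignIn("alice", staff, "Exchange", "browser", True, "203.0.113.10"),
        SignIn("alice", staff, "Exchange", "browser", True, "198.51.100.7"),
        SignIn("alice", staff, "Exchange", "browser", True, "198.51.100.7", sign_in_risk="high"),
        SignIn("bob", staff, "Finance", "desktop", False, "203.0.113.10"),
        SignIn("bob", staff, "Finance", "mobile", True, "203.0.113.10"),
    ]:
        print(s.user, s.app, s.ip, s.sign_in_risk, "->", evaluate(POLICIES, s))
```

The break-glass exclusion on the MFA policy is the check a practitioner expects in a real tenant: a policy that applies to all users with no excluded emergency account can lock every administrator out if the MFA provider is unavailable.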
AZURE ACTIVE DIRECTORY APPLICATION PROXY
Secure the front door, but allow mobility
■ Access on-premises apps from the Internet
■ No firewall openings (the connectors only make outbound connections)
■ Works with all devices using http/https
■ Replaces UAG/TMG (and VPN for some scenarios)
[Diagram: a user reaches https://appX-contoso.msappproxy.net/ through the Application Proxy service in Microsoft Azure Active Directory; connectors running on-premises (in the DMZ) or in Azure or third-party IaaS relay the requests to the internal apps.]
TECHNOLOGIES
Avoid user errors and unintentional leaks
■ Single Sign-On
▸ On-premises with Azure AD/Office 365
▸ Azure AD with other SaaS apps
■ Azure Information Protection
▸ Classify and protect information
■ Work with partners in a secure way using B2B
SSO: ON-PREM TO AZURE AD
Avoid user errors and unintentional leaks
■ Password sync
▸ With integrated Windows Authentication (seamless sign-on) (preview)
■ Pass-through authentication (preview)
■ Federation (ADFS)
[Diagram: Azure AD Connect links the on-premises directory to Microsoft Azure Active Directory.]
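Of the three options above, password sync is the one that sends something derived from the on-premises password to the cloud, so the natural question is what exactly leaves the network. The following Python is an added example, not code from the slides or from Azure AD Connect: it reproduces the derivation Microsoft documents for password hash synchronization (16-byte NT hash expanded to a 32-character hex string, UTF-16LE encoded, then PBKDF2-HMAC-SHA256 with a per-user 10-byte salt and 1000 iterations, giving a 32-byte value). The NT hash and salt are constructed test values, not the hash of any real password, and treating the hex string as lowercase is an assumption that does not affect the property shown.

```python
# Added example (not from the slides or from Azure AD Connect itself): the
# derivation applied before a password hash leaves the on-premises network.
# SAMPLE_NT_HASH and SAMPLE_SALT are constructed test values; lowercase hex
# for the expanded hash is an assumption.
import hashlib
import hmac
import os

PHS_ITERATIONS = 1000   # PBKDF2 rounds used by the sync agent
PHS_SALT_LEN = 10       # per-user salt generated by the sync agent
PHS_OUT_LEN = 32        # bytes of derived value sent to Azure AD


def derive_sync_hash(nt_hash: bytes, salt: bytes, iterations: int = PHS_ITERATIONS) -> bytes:
    """Turn a 16-byte NT (MD4) hash into the value that is synchronised.

    Steps: 16-byte hash -> 32-character hex string -> UTF-16LE (64 bytes)
    -> PBKDF2-HMAC-SHA256 with the per-user salt -> 32-byte result.
    """
    if len(nt_hash) != 16:
        raise ValueError("NT hash must be 16 bytes")
    if len(salt) != PHS_SALT_LEN:
        raise ValueError(f"salt must be {PHS_SALT_LEN} bytes")
    expanded = nt_hash.hex().encode("utf-16-le")   # 32 hex chars -> 64 bytes
    return hashlib.pbkdf2_hmac("sha256", expanded, salt, iterations, dklen=PHS_OUT_LEN)


def new_salt() -> bytes:
    """Fresh per-user salt, as generated by the sync agent for each user."""
    return os.urandom(PHS_SALT_LEN)


def verify_sync_hash(candidate_nt_hash: bytes, salt: bytes, stored: bytes) -> bool:
    """All the cloud side can do with the stored value: re-derive and compare
    in constant time. The NT hash cannot be recovered from it, so a leak of
    the synchronised value does not enable pass-the-hash against on-premises AD."""
    return hmac.compare_digest(derive_sync_hash(candidate_nt_hash, salt), stored)


# Constructed test vector: an arbitrary 16-byte value standing in for an NT hash.
SAMPLE_NT_HASH = bytes.fromhex("0123456789abcdef0123456789abcdef")
SAMPLE_SALT = bytes.fromhex("00112233445566778899")

if __name__ == "__main__":
    stored = derive_sync_hash(SAMPLE_NT_HASH, SAMPLE_SALT)
    print("synchronised value:", stored.hex())
    print("verify correct hash:", verify_sync_hash(SAMPLE_NT_HASH, SAMPLE_SALT, stored))
    print("verify wrong hash:  ", verify_sync_hash(bytes(16), SAMPLE_SALT, stored))
```

The point for a threat model: with password sync the cloud holds neither the cleartext password nor the NT hash, and the salted, iterated value it does hold is only useful for verifying a candidate, not for authenticating to on-premises resources. The on-premises Azure AD Connect server, which reads the NT hashes, remains a tier-0 asset.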
SSO: TO ANY SAAS APP
Avoid user errors and unintentional leaks
■ SSO to 2800+ pre-integrated SaaS apps
■ Store shared account credentials in Azure AD
AZURE INFORMATION PROTECTION
Avoid user errors and unintentional leaks
■ Classify & Label
▸ Classification
▸ Labeling
■ Protect
▸ Encryption
▸ Access control
▸ Policy enforcement
■ Monitor & Respond
▸ Document tracking
▸ Document revocation
WORK WITH PARTNERS SECURELY
Avoid user errors and unintentional leaks
■ Share without duplicating user accounts
■ Partner users sign in with their own identity (for example a Microsoft Account)
■ You manage all permissions
■ Works for all organization sizes
PRIVILEGED ACCESS MANAGEMENT
Detect attacks and limit damage
■ Users activate their roles when needed
■ MFA for privileged roles
■ Users have permissions for a limited time
■ Security admin can see all requests and review permissions
■ Also available on-premises with MIM 2016
THANK YOU!
Andreas Kjellman, Chief Technical Architect, [email protected]