taking conditional access to the next level
TRANSCRIPT
MANAGEABILITY
Taking Conditional Access to the next level
Peter van der Woude & Ronny de Jong
Session objectives and takeaways
Overview of conditional access for devices and mobile apps accessing O365
Overview of conditional access to on-prem Exchange and SharePoint
Sneak peek into upcoming features
Conditional Access: conditions and actions
Application: On-premises applications; Per-service; Managed client app
Other: Location (IP range); Risk profile
Devices: Is domain joined; Is compliant; Platform type; Not lost/stolen
User attributes: User identity; Group memberships
Actions: Allow; Block; MFA; Enroll
Functionality…
• CA for mobile devices;
• CA for domain joined PCs;
• CA for mobile apps w/o MDM;
• CA for on-prem resources;
• CA for advanced scenarios (ADFS);
…by solution
• via Configuration Manager;
• via Microsoft Intune;
• via Microsoft Intune MAM w/o MDM;
• via Azure AD (SaaS);
• via ADFS (advanced scenarios);
Conditional Access for mobile devices
Deploying conditional access
1. Define compliance criteria for devices managed by Intune or SCCM
2. Define access criteria for a specific O365 service

| Conditions | Main options | Defined where? |
|---|---|---|
| Compliance criteria for managed devices | Password, Encryption, Device Health, OS versions | Intune compliance policy; SCCM compliance policy |
| Mobile platforms | iOS, Android, Windows 10 Mobile | Conditional access policies |
| Desktop platforms | Windows 7, 8.1, 10 | Conditional access policies |
| Client app types | Exchange ActiveSync clients, Rich client apps, Browser | Conditional access policies |
| O365 services | Exchange Online, SharePoint Online, Skype for Business, Dynamics CRM | Conditional access policies |
| Users | All users in tenant, targeted SGs, exempted SGs | Conditional access policies |
Unified enrollment: access control from Outlook for iOS and Android
1. The Outlook app (Workplace Join + management) attempts to reach mail and is redirected to Intune.
2. Until the device is enrolled, the user lands on the quarantine website: "Step 1: Enroll device".
3. Enroll into Intune.
4. Register the device in Azure AD; the device object carries device id, isManaged and MDMStatus.
5. Intune sets the device management/compliance status on that device object.
6. Outlook accesses the Outlook Cloud Service with an AAD token.
7. The Outlook Cloud Service obtains an EAS service access token for the user.
8. The service fetches corporate mail from the Office 365 email service.
9. Email is delivered to the app.
Preparing devices: mobile
Azure AD Join for work-owned mobile devices in Windows 10
Add work or school account for personal devices in Windows 10
Add account, Workplace join in other Windows versions or platforms (iOS, Android)
Windows 10 with Microsoft Intune or 3rd party supported MDMs
Requires MDM app configuration in Azure AD for Windows 10
iOS and Android with Microsoft Intune
Conditional Access for domain joined PCs
Conditional Access for PCs

| Management | Windows 7 | Windows 8.1 | Windows 10 |
|---|---|---|---|
| AD domain joined* | Supported | Supported | Supported |
| AD domain joined* + SCCM managed | Supported | Supported | Supported |
| AAD registered + Intune managed | Not supported | Supported | Supported |
| Azure AD joined + Intune managed | Not supported | Not supported | Supported |
Pre-requisites for CA with Office Desktop on domain joined Windows PCs
• Office 2016, or Office 2013 with Modern Authentication enabled
• AAD auto-registration
  ■ GP or SCCM can be used to enable auto-registration
  ■ Windows 7 requires an MSI to be deployed
• ADFS claims rules to block down-level Office from external network locations
  ■ In the near future, EXO and SPO will expose PS cmdlets to disable non-modern authentication
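The third prerequisite above, as an added example that is not part of the deck: AD FS issuance authorization rules that deny Exchange client traffic (the path down-level Office and native EAS clients take, since Exchange Online authenticates to AD FS on their behalf) when the request comes in through the Web Application Proxy from outside the corporate network. This also covers FAQ option 2 ("Configure ADFS to block EAS"). Assumptions not in the deck: the relying party trust is named "Microsoft Office 365 Identity Platform" (the default name), AD FS on Windows Server 2012 R2 or later so the x-ms-proxy, insidecorporatenetwork and x-ms-client-application request-context claims exist, and the script runs on the primary AD FS node.

```powershell
# Added example, not from the deck: block down-level (non-modern-auth) Office and
# Exchange ActiveSync clients from outside the corporate network with AD FS issuance
# authorization rules. Legacy Office and EAS clients never reach AD FS themselves;
# Exchange Online does it for them and stamps the request with an x-ms-client-application
# claim of Microsoft.Exchange.*, which is what the deny rule keys on. Modern-auth
# clients arrive through the passive (browser) flow and do not match.
# Assumptions: relying party name below, AD FS 2012 R2 or later, primary node.

$rpName = 'Microsoft Office 365 Identity Platform'   # default name of the O365 trust; change if yours differs

# Keep a copy of the current rules so the change can be rolled back.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party '$rpName' not found" }
$backup = Join-Path $env:TEMP ("o365-authz-rules-{0:yyyyMMddHHmmss}.txt" -f (Get-Date))
$rp.IssuanceAuthorizationRules | Set-Content -Path $backup
Write-Host "Previous rules saved to $backup"

$rules = @'
@RuleName = "Deny legacy Exchange client traffic from outside the corporate network"
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
 && NOT exists([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "true"])
 && exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application",
            Value =~ "^Microsoft\.Exchange\.(ActiveSync|Autodiscover|WebServices|OfflineAddressBook|RPC)$"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

@RuleName = "Permit all other requests"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $rules

# Show what is now in place. A deny claim wins over the permit claim, so legacy clients
# outside the network are refused while everything else keeps working.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

Test from outside the network with both a native EAS client (should be refused) and an Outlook 2016 / Outlook app sign-in (should succeed) before relying on the rule; the x-ms-proxy claim is only present when the request passed through the Web Application Proxy, so internal clients are never affected by this rule.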
Conditional Access for mobile apps w/o MDM
Mobile app management: managed mobile productivity
Managed apps hold corporate data; personal apps hold personal data. A multi-identity policy keeps the two apart and controls data transfer between them: copy/paste, save to personal storage, paste to a personal app, email attachments.
Conditional Access for managed mobile apps
Customer scenario
■ Ensure that only Intune MAM enabled applications can access O365/SaaS apps
■ Prevent apps that aren’t MAM “enlightened”
■ Prevent EAS mail clients (native iOS/Android mail clients)
Considerations
■ Intune MAM enabled apps are put on an “approved” list
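The two deployment steps from the "Deploying conditional access" table (compliance criteria first, then access criteria for one O365 service) and the managed-app scenario on this slide, as one added example that is not part of the deck: the same Intune compliance policy and Azure AD conditional access policies written through the Microsoft Graph PowerShell SDK, which postdates the deck but writes the same back-end Azure AD policy the consoles do. Assumptions not in the deck: the Microsoft.Graph modules are installed, the exempt group id is a placeholder, and property names follow the Graph iosCompliancePolicy and conditionalAccessPolicy resources.

```powershell
# Added example, not from the deck: the two deployment steps and the MAM-only scenario
# as Microsoft Graph PowerShell calls. Placeholder to replace: $exemptGroupId.
Import-Module Microsoft.Graph.DeviceManagement
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All', 'Policy.ReadWrite.ConditionalAccess'

$exemptGroupId  = '00000000-0000-0000-0000-000000000000'   # placeholder: exempted security group (break-glass, pilots)
$exchangeOnline = '00000002-0000-0ff1-ce00-000000000000'   # well-known app id of Office 365 Exchange Online

# Step 1: compliance criteria (password, OS version, device health) for Intune-managed iOS devices.
$iosCompliance = @{
    '@odata.type'                         = '#microsoft.graph.iosCompliancePolicy'
    displayName                           = 'iOS baseline'
    passcodeRequired                      = $true
    passcodeMinimumLength                 = 6
    passcodeRequiredType                  = 'numeric'
    passcodeMinutesOfInactivityBeforeLock = 5
    osMinimumVersion                      = '9.3'
    securityBlockJailbrokenDevices        = $true
    # Intune rejects a compliance policy without a scheduled action; mark non-compliant immediately.
    scheduledActionsForRule = @(@{
        ruleName                      = 'PasswordRequired'
        scheduledActionConfigurations = @(@{ actionType = 'block'; gracePeriodHours = 0 })
    })
}
$compliance = New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $iosCompliance
"Compliance policy $($compliance.Id) created; assign it to a group before it has any effect"

# Step 2: access criteria for one O365 service: Exchange Online, from the listed mobile and
# desktop platforms and client app types, granted only to compliant or domain-joined devices.
$deviceCa = @{
    displayName = 'EXO: require compliant or domain-joined device'
    state       = 'disabled'      # create disabled, review the assignments, then set to 'enabled'
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($exemptGroupId) }
        applications   = @{ includeApplications = @($exchangeOnline) }
        platforms      = @{ includePlatforms = @('iOS', 'android', 'windowsPhone', 'windows') }
        clientAppTypes = @('exchangeActiveSync', 'mobileAppsAndDesktopClients', 'browser')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice', 'domainJoinedDevice') }
}
$p1 = New-MgIdentityConditionalAccessPolicy -BodyParameter $deviceCa

# MAM without MDM: same target, but the grant is "approved client app" instead of a managed
# device, so only Intune MAM-enabled (enlightened) apps get through on iOS/Android. Native EAS
# mail clients are caught by the exchangeActiveSync condition of the policy above.
$appCa = @{
    displayName = 'EXO: require approved (MAM-enabled) client app on iOS/Android'
    state       = 'disabled'
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($exemptGroupId) }
        applications   = @{ includeApplications = @($exchangeOnline) }
        platforms      = @{ includePlatforms = @('iOS', 'android') }
        clientAppTypes = @('mobileAppsAndDesktopClients')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('approvedApplication') }
}
$p2 = New-MgIdentityConditionalAccessPolicy -BodyParameter $appCa

# Review before enabling: both policies exclude the exempt group, so lock-out of admins is avoided.
Get-MgIdentityConditionalAccessPolicy -Filter "startswith(displayName,'EXO:')" |
    Select-Object DisplayName, State, Id
```

Both policies are created disabled on purpose: enable the device policy only after the compliance policy has been assigned and devices report as compliant, otherwise every enrolled user is blocked at once; the exempt group is the deck's "exempted SGs" row.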
Preparing devices: domain joined
• Service Connection Point for discovery (all Windows versions!)
• If federated, issuance transform rules for computer authentication upon registration
• Windows Installer package for non-Windows 10/Windows Server 2016 computers: Windows 7, 8.0, 8.1, Server 2008 R2, Server 2012 and Server 2012 R2
• Windows 10 Anniversary Update/Windows Server 2016 registers without the policy set
• Windows 10 November 2015 Update requires the policy set to trigger registration
• Windows 8.1 responds to the policy, can also use the Windows Installer package
• Help with requirements setup – with caveats!
• Key for lifecycle management of computers and devices
Conditional Access for on-prem resources
Conditional Access for Exchange on-premises
• Exchange 2010 or later
On-Prem Exchange CA architecture
Who does what?
• Intune: evaluates policy, manages device state and marks the device record in AAD
• Exchange Server: provides the API and infrastructure for quarantine
Flow (unified enrollment):
1. The EAS client attempts an email connection to the on-prem Exchange Server (2010/2013).
2. Exchange blocks non-managed devices: an unmanaged device receives the quarantine email with "Step 1: Enroll device" and "Step 2: Register EAS client".
3. Workplace Join + management: the device registers in Azure AD (DRS).
4. Enroll into Intune.
5. Intune sets the device management/compliance status on the Azure AD device object (device id, isManaged, MDMStatus, EASIDs).
6. Register the EAS email client.
7. Create the EASID to device ID binding.
8. Exchange allows the managed device: if managed, email access is granted.
Azure Web App Proxy
Preparing devices for device-based CA policy
Automatic registration
• Automatically register with Azure AD once requirements are set
• Device is not associated with a user in Windows 10
• Azure AD Connect for registration and lifecycle management of computers and devices
• Windows Installer package for non-Windows 10/non-Windows Server 2016 computers
User-initiated registration
• Device registers by an end-user initiated experience
• Device is associated with the user
• The experience registers the device with Azure AD and enrolls it with MDM
• Alternative for personal devices is to use Mobile Application Management (MAM)
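The registration prerequisites from the "Preparing devices: domain joined" slide and the automatic-registration path above, as an added example that is not part of the deck: two checks a practitioner runs on a domain-joined Windows 10 machine (Anniversary Update or later) to see whether it can and did register with Azure AD. Assumptions not in the deck: the RSAT ActiveDirectory module is available for the Service Connection Point query, and the SCP lives under the fixed GUID name Azure AD uses for it in the configuration partition.

```powershell
# Added example, not from the deck: verify (1) the Service Connection Point that tells a
# domain-joined Windows machine which Azure AD tenant to register with, and (2) the
# registration state that dsregcmd reports. Assumes RSAT ActiveDirectory for the SCP query.

function Get-AzureAdDeviceRegistrationScp {
    Import-Module ActiveDirectory -ErrorAction Stop
    $configNc = (Get-ADRootDSE).configurationNamingContext
    # Fixed object name used by Azure AD device registration for the SCP
    $scpDn = "CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,$configNc"
    $scp = Get-ADObject -Identity $scpDn -Properties keywords -ErrorAction SilentlyContinue
    if (-not $scp) { return $null }
    # keywords carry "azureADName:<verified domain>" and "azureADId:<tenant id>"
    $result = [ordered]@{}
    foreach ($keyword in $scp.keywords) {
        $name, $value = $keyword -split ':', 2
        $result[$name] = $value
    }
    [pscustomobject]$result
}

function Get-DeviceRegistrationState {
    # dsregcmd prints "Name : Value" lines grouped in sections; keep the first hit per name.
    $wanted = 'AzureAdJoined', 'EnterpriseJoined', 'DomainJoined', 'DomainName',
              'DeviceId', 'TenantName', 'WorkplaceJoined'
    $state = [ordered]@{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*(\w+)\s*:\s*(.+?)\s*$' -and $wanted -contains $Matches[1]) {
            if (-not $state.Contains($Matches[1])) { $state[$Matches[1]] = $Matches[2] }
        }
    }
    [pscustomobject]$state
}

$scp = Get-AzureAdDeviceRegistrationScp
if ($scp) { "SCP found: tenant $($scp.azureADName) ($($scp.azureADId))" }
else      { "No SCP: automatic registration will not trigger on domain-joined machines" }

$state = Get-DeviceRegistrationState
$state
if ($state.DomainJoined -eq 'YES' -and $state.AzureAdJoined -ne 'YES') {
    "Domain joined but not registered: check the SCP, the AD FS issuance transform rules (if federated) and, on the November 2015 Update, the registration policy"
}
```

A machine that is domain joined and shows AzureAdJoined : YES is the state the device-based CA policy expects (the "AD domain joined" rows of the PC table); WorkplaceJoined : YES without DomainJoined is the user-initiated path for personal devices.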
Conditional Access for advanced scenarios (ADFS)
On-premises applications and access control
• You can publish on-prem apps through Azure AD
• They show in the ‘applications’ tab in the management portal and the ‘myapps’ portal for the user
• You can set device-based CA policy to control access the same way as for O365 apps and SaaS apps
• Don’t miss: EMS320: Using Azure AD to enable and manage access to on-premises applications
• Requires device write-back in Azure AD Connect
• AD FS in Windows Server 2016 required for Windows 10 authentication
FAQ
• No, CA will trump ABQ
• 1. Turn CA off for EAS with Basic Auth, but on for Android and iOS modern auth apps
  2. Configure ADFS to block EAS
  3. Exchange ActiveSync ABQ to only allow the Outlook app
• We’re working on it. For now the main options are:
  • Allow all Macs
  • Block all Macs
  • Exempt Mac users
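FAQ option 3 above ("Exchange ActiveSync ABQ to only allow the Outlook app"), which also serves the "Prevent EAS mail clients" point of the managed-mobile-apps scenario, as an added example that is not part of the deck. The FAQ notes that CA trumps ABQ, so this is the Exchange-side control for tenants that turn CA off for basic-auth EAS (option 1) or have no CA on EAS at all. Assumptions not in the deck: an Exchange Management Shell (Exchange 2010 or later) or Exchange Online remote PowerShell session, the admin mailbox address, and that the Outlook app identifies itself to EAS with DeviceModel "Outlook for iOS and Android".

```powershell
# Added example, not from the deck: Exchange ActiveSync Allow/Block/Quarantine (ABQ)
# configured so that only the Outlook app passes EAS and every other EAS client
# (native iOS/Android mail) is quarantined until an admin decides.
# Assumptions: admin address below; Outlook app device model string as documented for the app.

# 1. Default for devices no rule matches: quarantine, notify admins, tell the user what to do.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients 'eas-admins@contoso.com' `
    -UserMailInsert 'Your mail client is not approved. Install the Outlook app and sign in with your work account.'

# 2. Allow the Outlook app by device model as an organization-wide rule (not per-device
#    exceptions), so new users never land in quarantine.
$outlookModel = 'Outlook for iOS and Android'
if (-not (Get-ActiveSyncDeviceAccessRule | Where-Object { $_.QueryString -eq $outlookModel })) {
    New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel -QueryString $outlookModel -AccessLevel Allow
}

# 3. Review: the rule set, and what is currently sitting in quarantine
#    (Exchange 2010 uses Get-ActiveSyncDevice instead of Get-MobileDevice).
Get-ActiveSyncDeviceAccessRule | Format-Table Name, Characteristic, QueryString, AccessLevel -AutoSize
Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -eq 'Quarantined' } |
    Format-Table UserDisplayName, DeviceType, DeviceModel, DeviceOS, DeviceAccessStateReason -AutoSize
```

ABQ matches on strings the client reports, so it is an allow list of well-behaved clients rather than a security boundary; a client that spoofs the Outlook device model gets through, which is why the deck pairs it with conditional access where modern auth is available.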
FAQs cont’d
• Recommended for reporting, but not required
• ADFS
• OWA app will soon leave the app stores
• Azure AD admin console will include device CA policies (public preview soon)
  • Both write to the same back-end AAD policy
  • Azure AD console also includes MFA and network based policy
  • Plan to consolidate in the new Azure admin console (aka Ibiza)
14:45 – 15:45
Ten most common mistakes when deploying ADFS & Hybrid Identity and how to avoid them
Raymond Comvalius & Sander Berkouwer