MANAGEABILITY
Taking Conditional Access
to the next level
Peter van der Woude (@pvanderwoude), Ronny de Jong (@ronnydejong)
Agenda
• Introduction to conditional access
• Understand how conditional access can protect your corporate services and data
• Understand which conditional access option fits your needs best
• Learn the key considerations and deployment steps
Conditional Access,
a short introduction
Conditional Access
Conditions that can be evaluated:
• Application: on-premises applications, per-service, managed client app
• Other: location (IP range), risk profile
• Devices: is domain joined, is compliant, platform type, not lost/stolen, health state
• User attributes: user identity, group memberships
Resulting actions: Allow, Block, MFA, Enroll
Plenty to choose from…
(Diagram of the building blocks: MAM WE, Configuration Manager, Intune, Azure AD and ADFS, applied to apps, devices, data and users)
Conditional Access for
mobile devices
Conditional Access for mobile
devices
Ensure that only managed devices can access company resources
• Prevent access from unmanaged devices
• Verify the health state of managed devices
Define compliance criteria for devices managed by Intune or Configuration Manager:
• Password
• Device health
• Encryption
• OS versions
• App-based threats
Deploying conditional access
Services that can be protected with device-based conditional access:
• Dynamics CRM
• Exchange on-premises
• Exchange Online
• SharePoint Online
• Skype for Business Online
Devices must be enrolled in Intune / registered in Azure AD:
• Azure AD Join for work-owned devices on Windows 10 (Mobile)
• Workplace Join for personal-owned devices on Windows 10 (Mobile)
• Add account / Workplace Join on other Windows versions or platforms (iOS, Android)
Conditional Access for
Exchange on-premises
• Exchange 2010 or later
Conditional Access for
SharePoint on-premises
Demo: Advanced conditional access based on
Microsoft Intune
Conditional Access for
domain joined PCs
Conditional Access for domain
joined PCs
Ensure that only domain joined PCs can access company resources
• Prevent access from PCs that have no Active Directory trust
• Prevent access from unhealthy domain joined PCs
PCs must have a trust relationship with the local Active Directory (AD)
Requires Azure AD registration of the device (Azure AD Connect)
• Group Policy or SCCM can be used to enable auto-registration
• Windows 7 requires an MSI to be deployed
Conditional Access for domain
joined PCs

Management                          Windows 7       Windows 8.1     Windows 10
AD domain joined*                   Supported       Supported       Supported
AD domain joined* + SCCM managed    Supported       Supported       Supported
AAD registered + Intune managed     Not supported   Supported       Supported
Azure AD joined + Intune managed    Not supported   Not supported   Supported
Preparing devices: domain
joined
Service Connection Point (SCP) in AD for discovery of the tenant (all Windows versions!)
If federated, issuance transform rules for computer authentication upon registration
Windows Installer package for non-Windows 10/Windows Server 2016 computers
• Windows 7, 8.0, 8.1, Server 2008 R2, Server 2012 and Server 2012 R2
• Windows 10 Anniversary Update/Windows Server 2016 registers without the policy set
• Windows 10 November 2015 Update requires the policy to be set to trigger registration
• Windows 8.1 responds to the policy, and can also use the Windows Installer package
• Help with requirements setup – with caveats!
• Key for lifecycle management of computers and devices
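The preparation steps above (SCP for discovery, policy-triggered registration on Windows 10, MSI on down-level Windows) as a worked PowerShell run. This is an added example, not code from the deck or from the speakers; the account name, tenant and package path are placeholders, and the AdSyncPrep module is assumed to be present because Azure AD Connect is installed on the server where the first part runs.

```powershell
# --- Part 1: on the Azure AD Connect server, create the Service Connection Point ---
# AdSyncPrep.psm1 ships with Azure AD Connect; path is the default install location (assumption).
Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1"
$aadAdmin = Get-Credential -Message "Azure AD global administrator"
# Writes the SCP under CN=Device Registration Configuration,CN=Services,<configuration NC>.
# CONTOSO\MSOL_svc is a placeholder for the AD connector account.
Initialize-ADSyncDomainJoinedComputerSync -AdConnectorAccount "CONTOSO\MSOL_svc" -AzureADCredentials $aadAdmin

# Verify: the SCP carries the tenant name and tenant ID that clients read to find the tenant.
$configNC = (Get-ADRootDSE).configurationNamingContext
$scpDn = "CN=62a0ff2e-97b9-4088-9036-2f0b9297e2b7,CN=Device Registration Configuration,CN=Services,$configNC"
$scp = Get-ADObject -Identity $scpDn -Properties keywords
$scp.keywords   # expect: azureADName:<tenant>.onmicrosoft.com and azureADId:<tenant GUID>

# --- Part 2: on a Windows 10 November 2015 Update client, the policy that triggers registration ---
# "Register domain joined computers as devices" (Windows Components > Device Registration)
# sets this value; checking it tells you whether the GPO actually landed.
$pol = Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin" -ErrorAction SilentlyContinue
if ($pol.autoWorkplaceJoin -eq 1) { "auto registration policy present" } else { "policy missing, registration will not trigger on 1511" }

# --- Part 3: on Windows 7/8.1/Server 2012 R2, deploy the Workplace Join installer (via GPO or SCCM) ---
# Package path is a placeholder; the MSI installs the scheduled task that performs the registration.
msiexec.exe /i "\\fileserver\software\WorkplaceJoin-x64.msi" /quiet /norestart

# --- Part 4: confirm the device state on Windows 10 before relying on it in a policy ---
dsregcmd.exe /status   # look for AzureAdJoined : YES and DomainJoined : YES, plus DeviceId and TenantId
```

Run part 1 once per forest, part 2 and 3 through your normal GPO/SCCM deployment, and part 4 on a pilot machine before you enable a device-based policy: a client that shows AzureAdJoined : NO will simply be blocked once the policy is enforced.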
Conditional Access for domain
joined PCs
Office 2013 or Office 2016 with Modern Authentication enabled (ADAL)
ADFS claims rules to block down-level Office from external network locations
• Exchange Online and SharePoint Online will expose PowerShell cmdlets to disable non-modern authentication (EAS/MAPI)
Demo: Advanced conditional access based on
Configuration Manager
(Demo screenshots: device managed by Microsoft Intune; device marked as lost)
Conditional Access for
MAM w/o MDM (MAM WE)
Conditional Access for MAM
w/o MDM (MAM WE)
Prevents company data leakage (DLP)
Ensure that only Intune MAM-enabled applications can access O365/SaaS apps
• Block apps that aren’t MAM “enlightened”
• Block EAS mail clients (native iOS/Android mail clients)
• Intune MAM-enabled apps are put on an “approved” list
• Azure AD validates the client ID of the requesting app against the approved list
• Requires a broker app
• Android: Intune Company Portal
• iOS: Azure Authenticator
Mobile app management
(Diagram: managed apps vs. personal apps; corporate data stays in managed apps, personal data in personal apps; multi-identity policy; controls on copy/paste, save to personal storage, paste to a personal app, and email attachments)
Demo: Advanced conditional access based on
Microsoft Intune MAM WE
Conditional Access for
cloud resources
Conditional Access for cloud
resources
Ensure that authorized users can access SaaS applications from known/trusted locations
Ensure that only managed devices can access SaaS applications
• Prevent access from malicious/non-trusted locations
• Prevent access from unmanaged/non-compliant devices
User-based access rules require Azure MFA
SaaS applications that do not support modern authentication:
• Require advanced conditional access for non-modern authentication apps
Deploying conditional access
Define user-based access rules for authorized users/trusted locations
Define device-based access criteria for specific cloud services

Conditions          Main options                                                          Defined where?
Mobile platforms    iOS, Android, Windows 10 Mobile                                       Azure AD
Desktop platforms   Windows 7, 8.1, 10, Mac OS X*                                         Azure AD
Client app types    Exchange ActiveSync clients, rich client apps, browser                Azure AD
O365 services       Exchange Online, SharePoint Online, Skype for Business, Dynamics CRM  Azure AD
Users               All users in tenant, targeted SGs, exempted SGs                       Azure AD
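The two kinds of rule the slides describe (user/location based with Azure MFA, and device based per cloud service with the platform, client-app-type and user conditions from the table) expressed as Azure AD Conditional Access policies created through the Microsoft Graph API. This is an added example, not code from the deck; it assumes $accessToken already holds a Graph token with Policy.ReadWrite.ConditionalAccess, and the exempted group ID is a placeholder.

```powershell
# Added example. Creates two Conditional Access policies via Microsoft Graph.
# Assumptions: GRAPH_TOKEN holds a token with Policy.ReadWrite.ConditionalAccess;
# $exemptGroupId is the "exempted SG" from the table (placeholder GUID).
$accessToken   = $env:GRAPH_TOKEN
$exemptGroupId = "11111111-2222-3333-4444-555555555555"
$graph         = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
$headers       = @{ Authorization = "Bearer $accessToken"; "Content-Type" = "application/json" }

function New-CAPolicy([hashtable]$Policy) {
    # Every policy starts in report-only; switch state to "enabled" after checking sign-in logs.
    $Policy.state = "enabledForReportingButNotEnforced"
    Invoke-RestMethod -Method Post -Uri $graph -Headers $headers -Body ($Policy | ConvertTo-Json -Depth 8)
}

# 1. User/location based: MFA for everyone outside the trusted named locations.
#    Only modern-auth client types are in scope; EAS/legacy clients cannot complete MFA,
#    which is exactly why the slide says non-modern-auth apps need a different approach.
$mfaOutsideTrusted = @{
    displayName   = "MFA outside trusted locations"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($exemptGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
        locations      = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# 2. Device based: Office 365 services (Exchange Online, SharePoint Online, Skype for Business, ...)
#    only from a compliant device (Intune/SCCM) or a domain joined (Azure AD registered) device,
#    across the mobile and desktop platforms and client app types listed in the table.
$managedDeviceForO365 = @{
    displayName   = "Require managed device for Office 365"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($exemptGroupId) }
        applications   = @{ includeApplications = @("Office365") }
        platforms      = @{ includePlatforms = @("iOS", "android", "windowsPhone", "windows", "macOS") }
        clientAppTypes = @("exchangeActiveSync", "mobileAppsAndDesktopClients", "browser")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice", "domainJoinedDevice") }
}

$created = foreach ($p in @($mfaOutsideTrusted, $managedDeviceForO365)) { New-CAPolicy $p }
$created | Select-Object id, displayName, state

# Verify what the tenant now enforces (or reports on).
(Invoke-RestMethod -Method Get -Uri $graph -Headers $headers).value | Select-Object displayName, state
```

Put at least one break-glass account in excludeUsers before you flip either policy to "enabled": a device-based policy with no exemption locks out the administrator whose own PC has not finished registering, and a report-only run for a week shows you which legacy clients would have been blocked.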
Conditional Access (Azure AD) for
on-premises resources
Ensure that authorized users can access on-premises web applications from known/trusted locations
Ensure that only managed devices can access on-premises web applications
• Prevent access from malicious/non-trusted locations
• Prevent access from unmanaged/non-compliant devices
Requires Azure AD Application Proxy in front of the on-premises web applications
User-based access rules require Azure MFA
Demo: Advanced conditional access based on
Azure Active Directory
Conditional Access for
advanced scenarios (ADFS)
On-premises applications and
access control
Ensure that users can access on-premises company resources based on advanced criteria
• Enforce criteria that cannot be defined in Azure AD
• Control access for allowed and non-managed apps
Requires device write-back in Azure AD Connect
Advanced scenarios require Active Directory Federation Services (ADFS)
• Windows Server 2016 required for Windows 10 authentication
Example issuance authorization rule: from outside the corporate network, a permit claim is issued only for requests on the browser (/adfs/ls) and OAuth (/adfs/oauth2) endpoints, so external clients on other endpoints (such as the WS-Trust endpoints used by legacy authentication) receive no permit and are denied:

@RuleName = "Allow extranet browser and browser dialog traffic"
c1:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"] &&
c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
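Applying the rule above, together with the "block down-level Office from external network locations" rule set mentioned on the domain joined PC slide, to the Office 365 relying party trust on ADFS. This is an added example and not the speakers' own code; it assumes the relying party trust still has its default display name "Microsoft Office 365 Identity Platform" (check with Get-AdfsRelyingPartyTrust) and runs on a member of the ADFS farm.

```powershell
# Added example. Issuance authorization rules for the Office 365 RP trust:
#   - intranet: always permit
#   - extranet: permit only browser / browser-dialog (ADAL) traffic, which is the deck's rule
#   - extranet: also permit a user on a registered (workplace-joined / written-back) device
# Anything else, including legacy EAS/MAPI rich clients from outside, gets no permit claim,
# and a request without a permit claim is denied by ADFS.
$rpName = "Microsoft Office 365 Identity Platform"   # assumption: default name of the O365 RP trust

$rules = @'
@RuleName = "Allow all intranet traffic"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "true"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Allow extranet browser and browser dialog traffic"
c1:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"] &&
c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Allow extranet access from registered devices"
c1:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"] &&
c2:[Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value == "true"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Keep a copy of the current rules so the change can be rolled back quickly.
$current = Get-AdfsRelyingPartyTrust -Name $rpName
$backup  = Join-Path $env:TEMP "o365-authz-rules.bak.txt"
$current.IssuanceAuthorizationRules | Out-File -FilePath $backup
"Previous rules saved to $backup"

Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $rules

# Verify the rule set that is now active.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

Two caveats: the insidecorporatenetwork claim is only trustworthy if the Web Application Proxy is the sole path from the internet to the farm (it sets the claim to false; a federation server reached directly would see every request as intranet), and on ADFS on Windows Server 2016 a trust that uses an access control policy ignores custom rules until the policy is detached with Set-AdfsRelyingPartyTrust -TargetName $rpName -AccessControlPolicyName $null.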
Demo: Advanced conditional access based on
Active Directory Federation Services
FAQ
14:45 – 15:45
Ten most common mistakes when deploying ADFS & Hybrid Identity and how to avoid them
Raymond Comvalius & Sander Berkouwer