MANAGEABILITY Taking Conditional Access to the next level Peter van der Woude Ronny de Jong @pvanderwoude @ronnydejong
Post on 05-Aug-2020


Page 1: Taking Conditional Access to the next level · Taking Conditional Access to the next level Peter van der Woude Ronny de Jong ... • Requires advanced conditional access for non-modern

MANAGEABILITY

Taking Conditional Access to the next level

Peter van der Woude (@pvanderwoude), Ronny de Jong (@ronnydejong)

Page 2

Agenda

• Introduction to conditional access

• Understand how conditional access can protect your corporate services and data

• Understand which conditional access options fit best with your needs

• Learn the key considerations and deployment steps

Page 3

Conditional Access, a short introduction

Page 4

Conditional Access

Figure: the conditions a conditional access policy evaluates and the actions it can take.

Conditions:

• Application: on-premises applications, per-service, managed client app

• Other: location (IP range), risk profile

• Devices: is domain joined, is compliant, platform type, not lost/stolen, health state

• User attributes: user identity, group memberships

Actions: Allow, Block, MFA, Enroll

Page 5

Plenty to choose from…

Figure: the building blocks (Users, Devices, Apps, Data) and the management and identity layers that can enforce conditional access on them: MAM WE, Configuration Manager and Intune on the management side, Azure AD and ADFS on the identity side.

Page 6

Conditional Access for mobile devices

Page 7

Conditional Access for mobile devices

Ensure that only managed devices can access company resources

• Prevent access from devices that are unmanaged

• Verify the health state of managed devices

Define compliance criteria for devices managed by Intune or Configuration Manager

• Password

• Device health

• Encryption

• OS versions

• App-based threats

Page 8

Deploying conditional access

Services:

• Dynamics CRM

• Exchange on-premises

• Exchange Online

• SharePoint Online

• Skype for Business Online

Devices must be enrolled in Intune / registered in Azure AD

• Azure AD Join for work-owned devices on Windows 10 (Mobile)

• Workplace Join for personally owned devices on Windows 10 (Mobile)

• Add account / Workplace Join on other Windows versions or platforms (iOS, Android)

Page 9

Conditional Access for Exchange on-premises

• Exchange 2010 or later

Page 10

Conditional Access for SharePoint on-premises

Page 11

Demo: Advanced Conditional Access based on Microsoft Intune

Page 12

Conditional Access for domain-joined PCs

Page 13

Conditional Access for domain-joined PCs

Ensure that only domain-joined PCs can access company resources

• Prevent access from PCs that have no Active Directory trust

• Prevent access from unhealthy domain-joined PCs

PCs must have a trust relationship with the local Active Directory (AD)

Requires Azure AD registration (Azure AD Connect)

• Group Policy or SCCM can be used to enable auto-registration

• Windows 7 requires an MSI to be deployed

Page 14

Conditional Access for domain-joined PCs

Management                         Windows 7      Windows 8.1    Windows 10
AD domain joined*                  Supported      Supported      Supported
AD domain joined* + SCCM managed   Supported      Supported      Supported
AAD registered + Intune managed    Not supported  Supported      Supported
Azure AD joined + Intune managed   Not supported  Not supported  Supported

Page 15

Preparing devices: domain joined

Service Connection Point for discovery (all Windows versions!)

If federated, issuance transform rules for computer authentication upon registration

Windows Installer package for computers other than Windows 10 / Windows Server 2016

• Windows 7, 8.0, 8.1, Server 2008 R2, Server 2012 and Server 2012 R2

• Windows 10 Anniversary Update / Windows Server 2016 registers without the policy set

• Windows 10 November 2015 Update requires the policy set to trigger registration

• Windows 8.1 responds to the policy; it can also use the Windows Installer package

• Helps with the requirements setup, with caveats!

• Key for lifecycle management of computers and devices

Page 16

Conditional Access for domain-joined PCs

Office 2013 or Office 2016 with Modern Authentication enabled (ADAL)

ADFS claims rules to block down-level Office from external network locations

• Exchange Online and SharePoint Online will expose PowerShell cmdlets to disable non-modern authentication (EAS/MAPI)

Page 17

Demo: Advanced Conditional Access based on Configuration Manager

Page 18

Managed

Microsoft Intune

Page 19

Device lost

Page 20

Conditional Access for MAM w/o MDM (MAM WE)

Page 21

Conditional Access for MAM w/o MDM (MAM WE)

Prevents company data leakage (DLP)

Ensure that only Intune MAM-enabled applications can access O365/SaaS apps

• Prevent apps that aren't MAM "enlightened"

• Prevent EAS mail clients (native iOS/Android mail clients)

• Intune MAM-enabled apps are put on an "approved" list

• AAD validates the client ID against the approved list

• Requires a broker app

  • Android: Intune Company Portal

  • iOS: Azure Authenticator

Page 22

Mobile app management

Figure: managed apps holding corporate data are separated from personal apps holding personal data by a multi-identity policy; the controlled actions between the two are Copy, Paste and Save (save to personal storage, paste to a personal app, email attachment).

Page 23

Demo: Advanced Conditional Access based on Microsoft Intune MAM WE

Page 24

Conditional Access for cloud resources

Page 25

Conditional Access for cloud resources

Page 26

Conditional Access for cloud resources

Ensure that authorized users can access SaaS applications from known/trusted locations

Ensure that only managed devices can access SaaS applications

• Prevent access from malicious/non-trusted locations

• Prevent access from devices that are unmanaged/non-compliant

User-based access rules require Azure MFA

SaaS applications that do not support modern authentication

• Require advanced conditional access for non-modern authentication apps

Page 27

Deploying conditional access

Define user-based access rules for authorized users/trusted locations

Define device-based access criteria for specific cloud services

Conditions          Main options
Mobile platforms    iOS, Android, Windows 10 Mobile
Desktop platforms   Windows 7, 8.1, 10, Mac OS X*
Client app types    Exchange ActiveSync clients, rich client apps, browser
O365 services       Exchange Online, SharePoint Online, Skype for Business, Dynamics CRM
Users               All users in tenant, targeted SGs, exempted SGs

Defined where? All of these conditions are defined in Azure AD.

Page 28

Conditional Access for Azure on-premises resources

Ensure that authorized users can access on-premises web applications from known/trusted locations

Ensure that only managed devices can access on-premises web applications

• Prevent access from malicious/non-trusted locations

• Prevent access from devices that are unmanaged/non-compliant

Requires Azure AD Application Proxy for on-premises web applications

User-based access rules require Azure MFA

Page 29

Demo: Advanced Conditional Access based on Azure Active Directory

Page 30

Conditional Access for advanced scenarios (ADFS)

Page 31

On-premises applications and access control

Ensure that users can access on-premises company resources based on advanced criteria

• Enforce criteria that cannot be defined in Azure AD

• Prevent access from allowed/non-managed apps

Requires device write-back in Azure AD Connect

Advanced scenarios require Active Directory Federation Services (ADFS)

• Windows Server 2016 required for Windows 10 authentication

Example issuance authorization rule (ADFS claim rule language):

@RuleName = "Allow extranet browser and browser dialog traffic"
c1:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"] &&
c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

The rule issues a permit claim only for extranet requests (insidecorporatenetwork is false) that arrive at the browser endpoints /adfs/ls or /adfs/oauth2; extranet requests on other endpoints, such as the /adfs/services/trust WS-Trust endpoints used by non-modern clients, get no permit from this rule.
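The following PowerShell is an added example, not code from the deck or its authors: it applies the rule above (the "block down-level Office from external locations" rule from slide 16) as the issuance authorization rules of the Office 365 relying party trust on an ADFS server. The relying party name, the backup path and the complementary intranet permit rule are assumptions; the cmdlets are from the ADFS module on Windows Server 2012 R2 or later.

```powershell
# Added example (not from the deck). Run in an elevated PowerShell session on an ADFS server.
# Assumption: the relying party trust carries the default name created by Azure AD Connect.
$rpName = 'Microsoft Office 365 Identity Platform'

# Back up the current issuance authorization rules before replacing them, so the
# default "permit all" rule can be restored if clients are locked out.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found" }
$backup = Join-Path $env:TEMP 'o365-authz-rules.backup.txt'   # assumed path
$rp.IssuanceAuthorizationRules | Set-Content -Path $backup

# Rule 1 (from the slide): permit extranet traffic only on the browser endpoints.
# Rule 2 (assumed, complementary): permit everything from inside the corporate network.
# Without rule 2, replacing the default permit-all rule would deny every intranet logon,
# because ADFS denies any request for which no permit claim is issued.
$rules = @'
@RuleName = "Allow extranet browser and browser dialog traffic"
c1:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"] &&
c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Allow all intranet traffic"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "true"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $rules

# Verify: list the rule names now in effect on the trust.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules -split "`n" |
    Where-Object { $_ -match '^@RuleName' }
```

The insidecorporatenetwork claim is only meaningful when external requests actually arrive through the Web Application Proxy, so test a browser logon and a non-modern client from both an intranet and an extranet network before relying on the rules.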

Page 32

Demo: Advanced Conditional Access based on Active Directory Federation Services

Page 33

FAQ

Page 34

14:45 – 15:45

Ten most common mistakes when deploying ADFS & Hybrid Identity and how to avoid them

Raymond Comvalius & Sander Berkouwer