Conditional access to Office 365: what options do you have?
4. Identity as the core of enterprise mobility
[Diagram: Microsoft Azure Active Directory in the cloud, joined by a simple connection to on-premises Windows Server Active Directory and other directories; it provides single sign-on and self-service to SaaS, Azure and public cloud applications, and to customers and partners]
5. The perimeter cannot help protect data stored in the cloud: access control to corporate data today
[Diagram: mobile devices, PCs and web browsers reaching apps and data]
6. “I need to control access to resources based on a variety of conditions”
[Diagram: conditions evaluated before access is granted to on-premises and cloud applications]
APPLICATION
• Per app policy
• Type of client
• Business sensitivity
OTHER
• Network location
• Risk profile
DEVICES
• Are domain joined
• Are compliant
• Platform type (Windows, iOS, Android)
USER ATTRIBUTES
• User identity
• Group memberships
• Auth strength (MFA)
Actions
• Allow
• Enforce MFA
• Block
Risk profile
• Brute force attacks
• Leaked credentials
• Infected devices
• Suspicious sign-in activities
• Configuration vulnerabilities
7. Conditions
[Diagram: conditions (user, app sensitivity, device state, location, risk) feed the actions: allow access or block access, and enforce MFA per user/per app. Surrounding services: notifications, analysis, remediation and risk-based policies; Cloud App Discovery; Privileged Identity Management; MFA; Identity Protection; on-premises applications; Microsoft Azure]
Editor's notes
Microsoft has a solution for this
[Click] Traditional identity and access management solutions providing single sign-on to on-premises applications and directory services such as Active Directory and others are used by the vast majority of organizations, and huge investments were made to deploy and maintain them. These solutions are perfect for the on-premises world.
[Click] Now, as we have discussed, there are new pressing requirements to provide the same experience to cloud applications hosted in any public cloud.
[Click] Azure Active Directory can be the solution to this new challenge by extending the reach of on-premises identities to the cloud in a secure and efficient way.
[Click] In order to do that, one simple connection is needed from on-premises directories to Azure AD.
[Click] and everything else will be handled by Azure AD: secure single sign-on to thousands of SaaS applications hosted in any cloud by using the same credentials that exist on-premises.
[Click] And we don’t forget the users. Azure AD provides self-service capabilities and easy access to all the applications, consumer or business, they need, in the cloud but on-premises too (Application Proxy).
The first question we ask is how to protect the data.
It used to be all on-prem, but now it’s in the cloud, so having a gateway no longer works.
We believe that our solution is Conditional Access (CA).
In the past, almost all the corporate data was stored on-premises, which means that organizations could use the perimeter to manage access to the corporate data. Typically, this was a challenging project that often required email gateways, servers in the perimeter network, lots of configuration, and custom scripts. However, a lot of corporate data today is stored in the cloud, either because of the organization’s decision or because employees themselves intentionally or unintentionally stored it in the cloud by using apps like Dropbox or Salesforce. This creates a security risk where the corporate data might end up in the wrong hands, and most of the EMM vendors in the market today don’t really have a good solution for this.
With EMS CA you can secure access to O365 and on-prem.
AAD authenticates the user and makes the decision at the user level (authentication), at the device level (Intune), and on the sensitivity of the app (do we need MFA?). It also checks the risk profile, which is where AIP comes in.
The main message is that this is the new way to manage access to your stuff. It’s powerful because you can check for so many different things before you allow access to your stuff.
In this slide, talk about the conditions that apply:
Does the policy apply to the user?
Does the policy apply to the app?
Does the policy apply to the device type?
Does the policy apply to the location?
Then what about the evaluation?
Is the device domain joined?
Is the device Azure AD joined (in some circumstances)?
Is the device compliant, i.e. managed by Intune?
Is the device in an allowed location?
What is the sign-in risk (e.g. is this location likely to be the user)?
Should MFA be mandated?
We can then use the conditions together to make an evaluation.
The #1 requirement here is that you will be expected to have all these devices managed by Intune.
This covers specific services, such as Exchange Online, SharePoint Online and Skype for Business.
This works with Exchange ActiveSync and, for EAS, manages the Exchange Online quarantine. Nothing else does this for CA.
You may be able to join the preview
The legacy portal has Azure AD-based conditional access policies.
These must be created on a per-application basis.
This has the benefit of allowing you to secure other registered Azure AD apps, and could be used in combination with Intune policies.
It is more complex to configure and manage on an ongoing basis, though, especially if you want to lock down everything.
Compliant devices = Intune managed, rather than Azure AD joined.
New Azure AD portal offers the next-gen of the Azure AD conditional access
Policies can be created to cover all Azure AD apps
You can have multiple policies to determine compliance
For example
Allow domain joined clients and/or compliant devices from anywhere, without MFA
Lock down internal and external access, perhaps?
Require MFA for users outside the network accessing from a non-domain joined device
Or maybe only allow a compliant/domain joined, but enforce MFA when they are outside the network
Or use it to block access to apps
Deny access to OneDrive for Business for specific groups of people, unless they are on the LAN
Use it with other services, like Azure Application Proxy, and third-party apps – you could enforce MFA to ServiceNow, for example
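As an added example (not from the deck and not Microsoft's code), the conditions listed in the evaluation notes above and the example policies just given, modelled as a small policy evaluator. The SignIn and Policy types, the control names and the sample policies are constructed assumptions that follow the notes' own wording; block always wins, and an OR policy with no satisfiable device control falls back to MFA only if the policy offers it.

```python
from dataclasses import dataclass   # constructed example of CA evaluation, not Microsoft's code
@dataclass
class SignIn:                       # the conditions the notes list, as one sign-in attempt
    user: str; groups: set; app: str; platform: str
    trusted_location: bool; domain_joined: bool; compliant: bool
    sign_in_risk: str = "none"      # none / low / medium / high (Identity Protection)
@dataclass
class Policy:
    name: str
    apps: set = None                # None = all cloud apps
    groups: set = None              # None = all users
    platforms: set = None           # e.g. {"iOS", "Android"}; None = any
    trusted_location: bool = None   # True = only on the LAN, False = only off it, None = any
    risk_levels: set = None         # sign-in risk levels this policy targets; None = any
    controls: tuple = ()            # block | mfa | compliantDevice | domainJoinedDevice
    operator: str = "OR"            # how several grant controls combine
    def applies(self, s):
        return ((self.apps is None or s.app in self.apps)
                and (self.groups is None or bool(self.groups & s.groups))
                and (self.platforms is None or s.platform in self.platforms)
                and (self.trusted_location is None or s.trusted_location == self.trusted_location)
                and (self.risk_levels is None or s.sign_in_risk in self.risk_levels))

def evaluate(policies, s):
    """Combine all matching policies; returns (allow | require_mfa | block, policy names)."""
    outcome, reasons = "allow", []
    for p in policies:
        if not p.applies(s):
            continue
        if "block" in p.controls:
            return "block", [p.name]
        met = {"compliantDevice": s.compliant, "domainJoinedDevice": s.domain_joined}
        device_ok = [met[c] for c in p.controls if c in met]
        if p.operator == "OR" and any(device_ok):
            continue                # one satisfied control is enough to grant
        if p.operator == "AND" and not all(device_ok):
            return "block", [p.name]        # the device cannot meet the requirement now
        if "mfa" in p.controls:
            outcome, reasons = "require_mfa", reasons + [p.name]
        elif p.operator == "OR":
            return "block", [p.name]        # nothing satisfiable and no MFA fallback
    return outcome, reasons
# Constructed policies mirroring the example policies in the notes.
POLICIES = [
    Policy("Off-network: domain joined or compliant, else MFA", trusted_location=False,
           controls=("domainJoinedDevice", "compliantDevice", "mfa")),
    Policy("Block OneDrive for Contractors off the LAN", apps={"OneDrive for Business"},
           groups={"Contractors"}, trusted_location=False, controls=("block",)),
    Policy("Block high-risk sign-ins", risk_levels={"high"}, controls=("block",)),
]
```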
Very simple, straightforward MAM-based Conditional Access
Requires Azure AD join by devices before granting access
Devices must install Company app (Android) or Azure Authenticator (iOS)
Blocks all Exchange ActiveSync access, you MUST use the Outlook App
First time usage redirects to Azure AD enrolment
After enrolment, access is allowed
Based on this condition you can ensure that only particular apps (such as OneDrive, Office Apps, Skype for Business and Outlook) can access Office 365 on mobile
Use in combination with MAM to ensure that data cannot leave the “walled garden” of apps