Post on 19-Dec-2015
Spark the future.
May 4 – 8, 2015, Chicago, IL
Securing Access to O365 and other apps with Enterprise Mobility Suite
Dilip Radhakrishnan, Principal PM Manager, Microsoft Intune
Samuel Devasahayam, Principal PM Manager, Azure Active Directory
Christopher Green, Senior PM, Microsoft Intune
BRK3856
Agenda
• Access control in the new world of cloud and mobility
• Secure access to O365 services
• Secure access to SaaS apps
• Secure access to on-premises resources
• Roadmap
Access control to corporate data today
[Diagram: corporate network (SharePoint Server, Exchange Server, Active Directory) behind an Internet/DMZ boundary, reached by mobile devices, PCs and browsers; alongside it EC2, on-premises and private cloud workloads and managed devices]
Policies:
• Filter EAS
• Filter web access
• Filter or block mobile app access
• Block unmanaged devices
• Prevent downloads
• Force multi-factor authentication
• Require domain joined
• Force traffic via proxy/VPN
The current reality…
[Diagram repeated: SharePoint Server, Exchange Server and Active Directory on the corporate network; mobile devices, PCs and browsers on the Internet/DMZ side]
The perimeter cannot help protect data
Challenge: protecting data in a mobile-first, cloud-first world
Solution: access control and data containment integrated natively in the apps, devices, and the cloud.
Data protection with EMS
[Diagram: SaaS apps, SharePoint Online and the corporate network (SharePoint Server, Exchange Server, Active Directory, perimeter network behind firewalls) connected to EMS through native device MDM, the Intune App SDK/Tool and the AD Authentication Library, with standard on-premises integration and native cloud integration]
• O365: Mobile productivity
• Azure AD: Identity and access control to O365, SaaS apps and on-prem apps
• Intune: Data container for Office mobile apps
• Azure RMS: Information protection at file level
• Managed Office productivity and security
• Extensibility: Enable business apps to interoperate with Office Mobile
• Intune: Mobile device management
• On-premises applications
Introducing ‘Conditional Access Control’
Conditional access control evaluates:
• Application: business sensitivity
• Other: network location, risk profile
• Devices: authenticated, MDM managed, compliant with policies, not lost/stolen
• User attributes: user identity, group memberships, auth strength (MFA)
Secure O365 Email & Collaboration services
Securing O365 Services with EMS
[Diagram: the four controls below arranged around employees]
• Secure data in transit: encrypt emails/attachments shared externally; track/audit rights-protected document usage; remote kill document access
• Revoke access: revoke company resource access from lost/stolen devices or ex-employee scenarios; selectively wipe corp data
• Control access: block Email/SharePoint until enrolled and compliant to IT policies; simple end user experience; revoke access on policy violations
• Prevent data leaks: encrypt application data at rest; restrict data sharing to managed apps; enforce application level policies; built-in data protection for Office apps
Demo – Secure email & collaboration in O365 (Chris Green)
Access control to Outlook clients on iOS/Android
[Diagram: Outlook App, Azure AD (device object: device id, isManaged, MDMStatus), Unified Enrollment, Quarantine Website (Step 1: Enroll device), Intune, Outlook Cloud Service, Office 365 EAS Service; arrows numbered as below]
1. Authenticate user and device
2. Redirect to Intune (quarantine website)
3. Enroll into Intune
4. Register device in Azure AD (Workplace Join + management)
5. Set device management/compliance status
6. Issue access token
7. Access Outlook Cloud service with AAD token
8. Get EAS service access token for user
9. Get corporate email
10. Email delivered
Access control to SharePoint from OneDrive mobile apps
[Diagram: OneDrive App, Azure AD (device object: device id, isManaged, MDMStatus), Unified Enrollment, Quarantine Website (Step 1: Enroll device), Intune, Office 365 SharePoint Online service; arrows numbered as below]
1. Authenticate user and device
2. Redirect to Intune (quarantine website)
3. Enroll into Intune
4. Register device in Azure AD (Workplace Join + management)
5. Set device management/compliance status
6. Issue access token
7. Access SPO service with AAD token
8. Documents synced
Secure SaaS apps
Conditional access to Azure AD connected applications
2000+ applications pre-configured in Azure AD. Secure access with:
• Per-app MFA
• Per-app MFA from extranet
• Block extranet
Target specific groups of users or exclude specific groups of users. Targeting can be standard groups or dynamic groups in Azure AD.
ABAC
[Screenshot: Azure AD classic portal, fabrikam tenant (Dashboard, Users, Groups, Devices, Applications, Reports, Configure); the Applications list shows pre-configured apps such as 1&1 Control Panel, 1010data, 15Five, 1to1Real, 24SevenOffice, 4Imprint, 5pm, etc.]
[Screenshot: 1&1 control panel application, Access Rules pane (Dashboard, Configure, Access Rules, Owners)]
Apply to: All Users, or Selected Groups (Add Group / Remove Group), with an Except list of groups (Add Group / Remove Group); None Selected by default
Rules:
• Require multi-factor authentication
• Require multi-factor authentication when not at work
• Block access when not at work
• Require a compliant device
• Require multi-factor authentication when device is not authenticated
Configure “work” network location.
Status: Off / Monitor / On. Monitor will generate statistics but not impact user access.
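The Access Rules pane above is a small policy engine: an "Apply to" scope with "Except" groups, one of five rules, a "work" network location, and a status that is Off, Monitor or On. The following is an added illustration of how such a rule set is evaluated, not Microsoft's implementation or code from the deck; the data model, the function names and the sample "work" IP ranges are assumptions. It shows the part that is easy to get wrong in a rollout: Monitor records what the rule would have done but never changes the access decision.

```python
"""Evaluation of an Azure AD 'Access Rules' policy as laid out on the slide
(Apply To / Rules / Status).  Added illustration, not Microsoft's
implementation: the data model, function names and the sample 'work' IP
ranges are assumptions."""
import ipaddress
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Set


class Rule(Enum):
    # The five rule choices shown in the Access Rules pane.
    REQUIRE_MFA = "Require multi-factor authentication"
    REQUIRE_MFA_NOT_AT_WORK = "Require multi-factor authentication when not at work"
    BLOCK_NOT_AT_WORK = "Block access when not at work"
    REQUIRE_COMPLIANT_DEVICE = "Require a compliant device"
    REQUIRE_MFA_UNAUTH_DEVICE = "Require multi-factor authentication when device is not authenticated"


class Status(Enum):
    OFF = "Off"          # rule is not evaluated at all
    MONITOR = "Monitor"  # evaluated and recorded, never enforced
    ON = "On"            # enforced


@dataclass
class AccessRules:
    rule: Rule
    status: Status
    apply_to: Optional[Set[str]] = None            # None means "All Users"
    except_groups: Set[str] = field(default_factory=set)
    # Constructed "work" network location: IP ranges treated as on-premises.
    work_networks: List[str] = field(default_factory=lambda: ["10.0.0.0/8", "203.0.113.0/24"])


@dataclass
class SignIn:
    user: str
    groups: Set[str]
    client_ip: str
    mfa_completed: bool          # user already passed an MFA challenge
    device_authenticated: bool   # device presented a registered-device credential
    device_compliant: bool       # Intune marked the device record compliant


@dataclass
class Decision:
    allow: bool
    mfa_required: bool
    enforced: bool   # False when the policy only monitored the sign-in
    reason: str


def in_scope(rules: AccessRules, signin: SignIn) -> bool:
    """'Except' groups win over 'Apply to' groups; None applies to all users."""
    if signin.groups & rules.except_groups:
        return False
    return rules.apply_to is None or bool(signin.groups & rules.apply_to)


def at_work(rules: AccessRules, client_ip: str) -> bool:
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net) for net in rules.work_networks)


def evaluate(rules: AccessRules, signin: SignIn) -> Decision:
    if rules.status is Status.OFF or not in_scope(rules, signin):
        return Decision(True, False, False, "rule not evaluated")

    on_prem = at_work(rules, signin.client_ip)
    mfa_needed = False
    blocked = None
    if rules.rule is Rule.REQUIRE_MFA:
        mfa_needed = True
    elif rules.rule is Rule.REQUIRE_MFA_NOT_AT_WORK:
        mfa_needed = not on_prem
    elif rules.rule is Rule.BLOCK_NOT_AT_WORK and not on_prem:
        blocked = "client not at work"
    elif rules.rule is Rule.REQUIRE_COMPLIANT_DEVICE and not (
        signin.device_authenticated and signin.device_compliant
    ):
        blocked = "device not compliant"
    elif rules.rule is Rule.REQUIRE_MFA_UNAUTH_DEVICE:
        mfa_needed = not signin.device_authenticated

    if blocked:
        allow, reason = False, "blocked: " + blocked
    elif mfa_needed and not signin.mfa_completed:
        allow, reason = False, "MFA challenge required"
    else:
        allow, reason = True, "permitted"

    if rules.status is Status.MONITOR:
        # Monitor generates statistics only and never impacts user access.
        return Decision(True, mfa_needed, False, "monitor: would be " + reason)
    return Decision(allow, mfa_needed, True, reason)
```

A practical reading of the model: run a new rule in Monitor first and count the `would be blocked` decisions per group before switching it On, and remember that an Except group removes users from the rule entirely, so service or break-glass accounts placed there get no MFA from this rule at all.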
Demo – Conditional access to apps connected to Azure AD
Owner: Uday; Presenter: Sam
Secure on-premises resources
Azure AD Proxy – SSO from the cloud
• Single sign-on experience from Azure Active Directory to on-prem applications
• Same conditional access policies available to other SaaS applications using Azure AD
• Connectors use the AAD token data to impersonate the end user to the backend applications using Kerberos Constrained Delegation (KCD)
• Supports any application that uses Integrated Windows Authentication (IWA), such as SharePoint, Outlook Web Access and CRM
• No need to change the application, install agents on the application or expose it directly to the Internet
[Diagram: Azure Active Directory issues an AAD token (UPN=joe@contoso.com) to Application Proxy; connectors in the DMZ/corporate network obtain a Kerberos ticket for joe@contoso.com and reach the resources]
AD FS and Hybrid Conditional Access
[Diagram: Active Directory; AD FS 2012 R2 or higher with Device AuthN, MFA adapter and conditional access policy (claim rules); Intune reports device MDM compliance; the device enrolls in Intune and registers in Azure AD; Azure AD registered devices are written back to Active Directory (device write-back)]
Device based conditional access on premises
[Diagram: AD FS 2012 R2 or higher (Device AuthN, MFA adapter, conditional access policy as claim rules) in front of Active Directory: inspect device certificate; MFA required for unregistered device; check device object; prompt MFA if device not registered; permit application access]
• Enable access only from devices that are managed and/or compliant as reported by Intune
• Support for down-level managed PCs: auto Workplace Join for Windows 7/Windows 8.1 domain-joined PCs, which are now marked with the DJ flag and marked as ‘managed’
• Revocation of access & SSO when device attributes change: user prompted for fresh credentials
• Support Web Application pre-authentication for EAS with both username/password & device credential
Device Conditional Access
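The flow above is a claims pipeline: AD FS authenticates the device with its certificate, finds the device object that Azure AD wrote back, turns what it finds into device claims, and the claim rules decide between permit, an MFA prompt and deny; separately, an SSO session issued to a device must stop being valid once Intune changes the device's attributes. The code below is an added model of that pipeline, not AD FS code or anything from the deck: the isregistereduser, ismanaged and authnmethodsreferences claim types are AD FS claim types, while the compliance claim name, the class names and the sample device records are assumptions.

```python
"""Model of the AD FS device-based conditional access flow on the slide:
device certificate -> device object (written back from Azure AD) -> device
claims -> claim rules (prompt MFA if unregistered, permit only managed and
compliant devices) and SSO revocation when device attributes change.
Added illustration, not AD FS code; see the lead-in for what is assumed."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

IS_REGISTERED = "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser"
IS_MANAGED = "http://schemas.microsoft.com/2012/01/devicecontext/claims/ismanaged"
IS_COMPLIANT = "urn:example:devicecontext:iscompliant"            # assumed claim name
AUTHN_METHODS = "http://schemas.microsoft.com/claims/authnmethodsreferences"
MFA_METHOD = "http://schemas.microsoft.com/claims/multipleauthn"


@dataclass
class DeviceObject:
    """Device record in AD: id, certificate thumbprint and Intune-reported state."""
    device_id: str
    cert_thumbprint: str
    is_managed: bool
    mdm_compliant: bool


@dataclass
class SsoSession:
    user: str
    device_id: Optional[str]
    attrs: Tuple[bool, bool]   # (is_managed, mdm_compliant) when SSO was issued


def sample_directory() -> Dict[str, DeviceObject]:
    # Constructed write-back data: one compliant device, one managed but not compliant.
    return {
        "dev-a": DeviceObject("dev-a", "AA11", is_managed=True, mdm_compliant=True),
        "dev-b": DeviceObject("dev-b", "BB22", is_managed=True, mdm_compliant=False),
    }


class AdfsDevicePolicy:
    def __init__(self, devices: Dict[str, DeviceObject], require_managed: bool):
        self.devices = devices                  # keyed by device_id
        self.require_managed = require_managed  # "access only from managed and compliant"

    def lookup(self, thumbprint: Optional[str]) -> Optional[DeviceObject]:
        """Inspect the device certificate, then find the device object behind it."""
        if not thumbprint:
            return None
        return next((d for d in self.devices.values() if d.cert_thumbprint == thumbprint), None)

    def device_claims(self, thumbprint: Optional[str]) -> Dict[str, str]:
        dev = self.lookup(thumbprint)
        if dev is None:
            return {IS_REGISTERED: "false"}
        return {IS_REGISTERED: "true",
                IS_MANAGED: str(dev.is_managed).lower(),
                IS_COMPLIANT: str(dev.mdm_compliant).lower()}

    def authorize(self, thumbprint: Optional[str], mfa_done: bool) -> Tuple[str, Dict[str, str]]:
        """Claim rules: returns 'permit', 'mfa' (prompt the user) or 'deny', plus the claims."""
        claims = self.device_claims(thumbprint)
        if claims[IS_REGISTERED] == "false":
            if self.require_managed:
                return "deny", claims          # an unregistered device cannot be managed
            if not mfa_done:
                return "mfa", claims           # prompt MFA if device not registered
            claims[AUTHN_METHODS] = MFA_METHOD
            return "permit", claims
        if self.require_managed and not (claims[IS_MANAGED] == "true" and claims[IS_COMPLIANT] == "true"):
            return "deny", claims
        return "permit", claims

    def issue_sso(self, user: str, thumbprint: Optional[str]) -> SsoSession:
        dev = self.lookup(thumbprint)
        attrs = (dev.is_managed, dev.mdm_compliant) if dev else (False, False)
        return SsoSession(user, dev.device_id if dev else None, attrs)

    def sso_valid(self, session: SsoSession) -> bool:
        """SSO is revoked (fresh credentials required) once device attributes change."""
        if session.device_id is None:
            return True
        dev = self.devices.get(session.device_id)
        return dev is not None and (dev.is_managed, dev.mdm_compliant) == session.attrs
```

The snapshot stored in `SsoSession` is what makes the revocation bullet work: the SSO cookie is only as trustworthy as the device state at issuance, so a later change written back from Intune (a device falling out of compliance) invalidates it rather than riding on the old session until it expires.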
Demo – Secure access using ADFS
Owner: Sam; Presenter: Sam
VPN & Wi-Fi Management
Support for major SSL VPN vendors:
• Cisco
• Juniper
• Checkpoint
• SonicWall
• F5
• Custom VPN payloads
Support for native VPN standards:
• PPTP
• L2TP
• IKEv2
Automatic VPN connection:
• App-triggered VPN: Windows 8.1 and Windows Phone 8.1
• Per-app VPN for iOS
Support multiple Wi-Fi authentication types:
• WEP
• WPA/WPA2 Personal
• WPA/WPA2 Enterprise
Specify certificate to be used for Wi-Fi connection
Certificate management lifecycle with Intune
• Deployment
• Usage with Resource Access profiles
• Renewal
• Revocation
Certificate Deployment – SCEP approach
[Diagram: Intune, SCEP Server (NDES) + Intune Connector, CA, and the device; arrows numbered 1–6 as below]
1. Deploy SCEP certificate profile. Intune generates a challenge string.
2. Device gets SCEP profile that contains URI for NDES. Device contacts NDES and presents challenge.
3. NDES forwards to NDES Connector policy module, which validates the request.
4. If valid, NDES passes on request to issue cert “on behalf”.
5. Cert is delivered to the device and event is reported back to Intune.
6. NDES Connector reports event back to Intune.
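The security of the SCEP approach rests on step 3: NDES itself will issue to anyone who reaches it with a valid challenge, so the policy module has to prove the challenge came from Intune, is still fresh, was issued to this device, matches the profile the CSR claims, and has not been used before. The following is an added model of that exchange, not Intune, NDES or policy-module code and not from the deck: the HMAC-based challenge format, the shared key, the NDES URI and all class names are assumptions.

```python
"""Model of the SCEP challenge exchange in steps 1-6 of the slide: Intune
generates the challenge with the SCEP profile, the device presents it to NDES,
the NDES Connector policy module validates it, and only then is a certificate
issued "on behalf" and the outcome reported back.  Added illustration, not
Intune, NDES or policy-module code; challenge format, key, URI and class
names are assumptions."""
import hashlib
import hmac
import secrets


class IntuneService:
    def __init__(self, connector_key: bytes):
        self._key = connector_key   # assumed shared secret with the policy module
        self.events = []            # events reported back by NDES / the device

    def deploy_scep_profile(self, device_id: str, subject: str, now: int, ttl: int = 3600) -> dict:
        """Step 1: profile plus a challenge bound to device, subject and expiry."""
        nonce = secrets.token_hex(8)
        body = f"{device_id}|{subject}|{now + ttl}|{nonce}"
        tag = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return {"ndes_uri": "https://ndes.example.test/certsrv/mscep",   # assumed URI
                "subject": subject, "challenge": f"{body}|{tag}"}

    def report(self, event: dict) -> None:
        self.events.append(event)


class PolicyModule:
    """NDES Connector policy module (step 3): checks the challenge before issuance."""
    def __init__(self, connector_key: bytes):
        self._key = connector_key
        self._used = set()          # nonces already redeemed (replay protection)

    def validate(self, device_id: str, csr_subject: str, challenge: str, now: int):
        parts = challenge.split("|")
        if len(parts) != 5:
            return False, "malformed challenge"
        dev, subject, expiry, nonce, tag = parts
        expected = hmac.new(self._key, "|".join(parts[:4]).encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return False, "challenge not issued by Intune"
        if int(expiry) < now:
            return False, "challenge expired"
        if dev != device_id:
            return False, "challenge belongs to a different device"
        if subject != csr_subject:
            return False, "CSR subject does not match profile"
        if nonce in self._used:
            return False, "challenge already used"
        self._used.add(nonce)
        return True, "ok"


class CertificateAuthority:
    def issue(self, subject: str) -> dict:
        return {"subject": subject, "serial": secrets.token_hex(4)}


class Ndes:
    def __init__(self, policy: PolicyModule, ca: CertificateAuthority, intune: IntuneService):
        self.policy, self.ca, self.intune = policy, ca, intune

    def enroll(self, device_id: str, csr_subject: str, challenge: str, now: int):
        """Step 2 arrives here; steps 3-6 follow."""
        ok, why = self.policy.validate(device_id, csr_subject, challenge, now)
        if not ok:
            self.intune.report({"device": device_id, "result": "rejected", "reason": why})   # step 6
            return None
        cert = self.ca.issue(csr_subject)                                                   # step 4
        self.intune.report({"device": device_id, "result": "issued", "serial": cert["serial"]})  # steps 5/6
        return cert


def run_scenario() -> dict:
    """Constructed run: one good enrollment, then a replay, a changed CSR subject,
    a different device presenting the challenge, and an expired challenge."""
    key = b"constructed-connector-key"
    intune = IntuneService(key)
    ndes = Ndes(PolicyModule(key), CertificateAuthority(), intune)
    now = 1_700_000_000
    profile = intune.deploy_scep_profile("device-123", "CN=device-123", now)   # step 1
    chal = profile["challenge"]
    stale = intune.deploy_scep_profile("device-123", "CN=device-123", now)["challenge"]
    return {
        "first": ndes.enroll("device-123", "CN=device-123", chal, now + 60),   # step 2
        "replay": ndes.enroll("device-123", "CN=device-123", chal, now + 120),
        "other_subject": ndes.enroll("device-123", "CN=admin", chal, now + 60),
        "other_device": ndes.enroll("device-999", "CN=device-123", chal, now + 60),
        "expired": ndes.enroll("device-123", "CN=device-123", stale, now + 7200),
        "events": intune.events,
    }
```

The ordering of checks in `validate` is deliberate: the integrity check runs first so that nothing derived from an unauthenticated challenge (device id, subject, expiry) is trusted, and the single-use set is only updated after every other check passes, so a rejected request cannot burn a legitimate challenge.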
Certificate Deployment – PFX approach
[Diagram: Intune, Intune Connector, CA, and the device; arrows numbered 1–5 as below]
1. Intune cloud service contacts on-premises Certificate Connector.
2. Intune Connector requests certificate on behalf of user.
3. CA issues certificate and private key.
4. Connector sends it up to Intune service.
5. PFX (cert + private key) is delivered to the device and event is reported back to Intune.
Secure Email in On-Prem Exchange
[Diagram: EAS client, on-prem Exchange Server 2010/2013 (blocks non-managed devices), Unified Enrollment, Intune, Azure AD DRS (device object: device id, isManaged, MDMStatus, EASIDs), quarantine email (Step 1: Enroll device; Step 2: Register EAS client); arrows numbered as below]
1. Attempt email connection
2. If not managed, push device into quarantine
3. Quarantine email
4. Register device in Azure AD (Workplace Join + management)
5. Enroll into Intune
6. Set device management/compliance status
7. Register EAS email client
8. Create EASID to device ID binding
9. Allow managed device
10. If managed, email access is granted
Who does what?
• Intune: Evaluate policy, manage device state and mark device record in AAD
• Exchange Server: Provides API and infrastructure for quarantine
Road Ahead
• Desktop conditional access: restrict Outlook 2013/OneDrive PC apps to sync only from domain-joined PCs or intranet locations
• Browser access to O365 services: restrict OWA/SP access to only Intune managed/compliant mobile devices or domain-joined PCs
• Mac support: restrict Outlook on Mac to sync only from Intune managed and compliant devices
• Windows 10 management: enhanced access control and data protection
Win10 – Conditional access enhancements
• Windows Device Health Attestation service
• Unified enrollment experience: auto enroll with Intune & Azure AD
• New compliance rules: Is device patched? Is firewall enabled? Is antivirus & real-time protection enabled?
Refer to the session at Microsoft Ignite on “Securing Access to Microsoft Exchange and SharePoint Online services with Microsoft Intune” by Dilip Radhakrishnan & Chris Green
[Diagram: a Windows 10 device asks company resources (documents) for access; the exchange is “Access please”, “Prove to me you are healthy”, a request to Intune, AAD & Windows Attestation Service, “Here is my proof”, “Approved”]
Win10 – Enterprise Data Protection
“Enterprise data protection”
• User-friendly work/personal separation
• Manage what data is “Enterprise”
• Audit intentional data disclosure
[Diagram: business apps & data (managed) beside personal apps & data (unmanaged); data exchange between them is blocked or audited]
EDP policy in Intune
Windows 10 – Better VPN management
• Auto connect VPN
• VPN traffic filters: application-based filters
• Unified platform VPN: open to 3rd-party plug-ins
Conclusion
Security and Access control: Architecture matters
• Always up to date
• Continuous feature upgrades
• Always available and reachable
• Easy to adopt and deploy
• Easy to try and buy
• Designed to work together
• Built from the ground up: Datacenter, Fabric, SaaS
• Built using world class engineering & security
• Compliant and certified
• Financially backed Service Level Agreements
Intune: Device & App Management
Office 365: Productivity
Azure AD: Identity and Access
Microsoft’s Differentiators
Cloud-hosted corporate data protection (Azure AD)
• Integrated cloud services: best end-user experience for mobile productivity
• World-class engineering and security with a single support system and 3rd-party ecosystem
• Complete solution for application and device management, access, identity, productivity, and data protection
Visit MyIgnite at http://myignite.microsoft.com or download and use the Ignite Mobile App with the QR code above.
Please evaluate this session. Your feedback is important to us!
© 2015 Microsoft Corporation. All rights reserved.