Conditional access to Office 365: What options do you have?


Page 1: Conditional access to office 365   what options do you have

Conditional access to Office 365: What options do you have?

Page 2

• Identity overview
• Options for conditional access
• What to use when?

Conditional access to Office 365

Page 3

Identity overview

Page 4

Identity as the core of enterprise mobility

[Diagram labels: Single sign-on; Self-service; Simple connection; On-premises; Other directories; Windows Server Active Directory; SaaS; Azure; Public cloud; Cloud; Microsoft Azure Active Directory; Customers; Partners]

Page 5

The perimeter cannot help protect data stored in the cloud

Access control to corporate data today

Controlling access to corporate data

[Diagram labels: Mobile devices; PCs; Web browsers; Data; Users; Devices; Apps; On-premises; Apps; Data]

Page 6

“I need to control access to resources based on a variety of conditions”

Control anywhere access

On-premises applications

APPLICATION: Per app policy; Type of client; Business sensitivity
OTHER: Network location; Risk profile
DEVICES: Are domain joined; Are compliant; Platform type (Windows, iOS, Android)
USER ATTRIBUTES: User identity; Group memberships; Auth strength (MFA)

• Allow
• Enforce MFA
• Block

Azure AD is the control plane

[Diagram labels: Brute force attacks; Leaked credentials; Infected devices; Suspicious sign-in activities; Configuration vulnerabilities]

Page 7

Conditions: User, App sensitivity; Device state; Location; Risk

Actions: Allow access or Block access; Enforce MFA per user/per app

[Diagram labels: User; NOTIFICATIONS, ANALYSIS, REMEDIATION, RISK-BASED POLICIES; CLOUD APP DISCOVERY; PRIVILEGED IDENTITY MANAGEMENT; MFA; IDENTITY PROTECTION; On-premises applications; Microsoft Azure]

Conditional access overview

Page 8

Options for conditional access

Page 9

• You can configure conditional access in multiple places

• If you configure multiple policies, then all must be met for the user to gain access

• For full capabilities, ensure you are using and enforcing modern authentication

• Services such as ActiveSync are not supported, so you’ll need to deploy and use the Outlook app for email.

Options for conditional access

Page 10

Legacy portal for Intune managed devices – manage.Microsoft.com

Microsoft Intune

Page 11

(But, coming soon to the new Azure portal!)

Microsoft Intune

Page 12

Current portal for Azure AD conditional access – manage.windowsazure.com

Azure AD legacy portal

Page 13

Preview portal for Azure AD conditional access – portal.azure.com

Azure AD new portal

Page 14

Portal for Intune MAM conditional access – portal.azure.com

Intune Mobile Application Management CA

Page 15

• For lightweight, mobile-only requirements with a third-party MDM, Intune MAM conditional access is simple to deploy and manage.

• If you use Intune today to manage PCs and mobile devices and don’t want to use preview technology, Intune-based CA may be most suitable.

• If you want to protect desktops and mobile devices, without a requirement for Intune to manage PCs, preview Azure AD-based conditional access is likely to be best.

Which to use and when

Page 16

• Azure AD conditional access is part of your Enterprise Mobility and Security (EMS) subscription

• Leverages Intune and Azure AD Premium functionality

• Rapidly growing in functionality and provides a number of options

• Consider which to use and where, before deploying

Summary