Conditional access to Office 365
• Identity overview
• Options for conditional access
• What to use when?
Identity as the core of enterprise mobility
[Diagram: Microsoft Azure Active Directory (cloud) connects on-premises Windows Server Active Directory and other directories with SaaS apps, Azure and public cloud, and with customers and partners; callouts: single sign-on, self-service, simple connection]
The perimeter cannot help protect data stored in the cloud
Access control to corporate data today
Controlling access to corporate data
[Diagram: users on mobile devices, PCs and web browsers reach apps and data both in the cloud and on-premises; the access decision is made on Users, Devices, Apps and Data]
“I need to control access to resources based on a variety of conditions”
Control anywhere access
On-premises applications
• Application: per app policy, type of client, business sensitivity
• Devices: are domain joined, are compliant, platform type (Windows, iOS, Android)
• User attributes: user identity, group memberships, auth strength (MFA)
• Other: network location, risk profile
• Actions: Allow, Enforce MFA, Block
Azure AD is the control plane
• Risk signals: brute force attacks, leaked credentials, infected devices, suspicious sign-in activities, configuration vulnerabilities
• Conditions: user, app sensitivity, device state, location, risk
• Actions: allow access or block access; enforce MFA per user / per app
• Capabilities: notifications, analysis, remediation, risk-based policies; cloud app discovery; privileged identity management; MFA; identity protection
• Scope: Microsoft Azure and on-premises applications
Conditional access overview
• You can configure conditional access in multiple places
• If you configure multiple policies, then all must be met for the user to gain access
• For full capabilities, ensure you are using and enforcing modern authentication
• Services such as ActiveSync are not supported, so you’ll need to deploy and use the Outlook app for email.
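The conditions and actions listed under "Control anywhere access" and the rule that every configured policy must be satisfied are easy to get wrong when several policies overlap. The following added example (not from the deck or from Microsoft; the policy names, sign-in values and the decision labels allow / mfa_required / deny / block are assumptions made for illustration) models a small policy engine: each policy has a scope (app, group, platform, risk level, location) and a set of grant controls, matching policies are combined by taking the union of their controls, a block from any policy wins, and a client that cannot do modern authentication is failed closed because no policy can be evaluated for it.

```python
from dataclasses import dataclass, replace
from typing import FrozenSet, List, Sequence, Tuple

ANY = frozenset({"*"})                 # wildcard scope for a policy
RISK_ORDER = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class SignIn:
    """One sign-in attempt carrying the signals the deck lists (user, app, device, location, risk)."""
    user: str
    groups: FrozenSet[str]
    app: str
    modern_auth: bool        # False for legacy protocols such as basic-auth ActiveSync
    platform: str            # "Windows", "iOS", "Android", ...
    domain_joined: bool
    compliant: bool          # device compliance as reported by MDM
    trusted_location: bool   # request came from a named corporate network
    risk: str                # "low", "medium" or "high"
    mfa_done: bool           # user already passed MFA in this session


@dataclass(frozen=True)
class Policy:
    """Scope (which sign-ins the policy applies to) plus grant controls that must all be met."""
    name: str
    grant: FrozenSet[str]    # {"mfa"}, {"compliant"}, {"domain_joined"}, combinations, or {"block"}
    apps: FrozenSet[str] = ANY
    groups: FrozenSet[str] = ANY
    platforms: FrozenSet[str] = ANY
    min_risk: str = "low"    # policy applies at this risk level or higher
    untrusted_only: bool = False

    def applies(self, s: SignIn) -> bool:
        return (
            (self.apps == ANY or s.app in self.apps)
            and (self.groups == ANY or bool(self.groups & s.groups))
            and (self.platforms == ANY or s.platform in self.platforms)
            and RISK_ORDER[s.risk] >= RISK_ORDER[self.min_risk]
            and (not self.untrusted_only or not s.trusted_location)
        )


def _control_met(control: str, s: SignIn) -> bool:
    return {"mfa": s.mfa_done, "compliant": s.compliant, "domain_joined": s.domain_joined}[control]


def evaluate(policies: Sequence[Policy], s: SignIn) -> Tuple[str, List[str]]:
    """Return (decision, reasons). Decision is one of allow, mfa_required, deny, block."""
    if not s.modern_auth:
        # Legacy clients bypass the policy engine entirely; this model fails closed, not open.
        return "block", ["legacy authentication cannot be evaluated"]
    matched = [p for p in policies if p.applies(s)]
    blockers = [p.name for p in matched if "block" in p.grant]
    if blockers:
        return "block", blockers
    # Every matching policy must be satisfied, so the required controls are the union.
    required = set().union(*(p.grant for p in matched))
    unmet = sorted(c for c in required if not _control_met(c, s))
    if unmet == ["mfa"]:
        return "mfa_required", unmet   # only an interactive challenge stands in the way
    if unmet:
        return "deny", unmet           # device-state requirements cannot be fixed in-session
    return "allow", [p.name for p in matched]


# Constructed policy set for illustration (names and scopes are assumptions).
POLICIES = [
    Policy("Require MFA for Exchange Online off-network", frozenset({"mfa"}),
           apps=frozenset({"Exchange Online"}), untrusted_only=True),
    Policy("Require compliant device on mobile", frozenset({"compliant"}),
           platforms=frozenset({"iOS", "Android"})),
    Policy("Finance: domain-joined PC for SharePoint", frozenset({"domain_joined"}),
           apps=frozenset({"SharePoint Online"}), groups=frozenset({"Finance"})),
    Policy("Block high-risk sign-ins", frozenset({"block"}), min_risk="high"),
]


def demo() -> List[Tuple[str, str]]:
    """Constructed sign-ins: an Outlook user on a personal iPhone walks through the controls."""
    base = SignIn("alice", frozenset({"Sales"}), "Exchange Online", True, "iOS",
                  False, False, False, "low", False)
    cases = [
        ("non-compliant phone, no MFA", base),
        ("compliant phone, no MFA", replace(base, compliant=True)),
        ("compliant phone, MFA done", replace(base, compliant=True, mfa_done=True)),
        ("legacy ActiveSync client", replace(base, modern_auth=False)),
        ("high-risk sign-in", replace(base, compliant=True, mfa_done=True, risk="high")),
    ]
    return [(label, evaluate(POLICIES, s)[0]) for label, s in cases]


if __name__ == "__main__":
    for label, decision in demo():
        print(f"{label:32} -> {decision}")
```

The walk-through in demo() shows why the "all policies must be met" rule matters: the mobile compliance policy and the off-network MFA policy both match the same sign-in, so satisfying MFA alone still ends in a deny until the device is compliant, and a high-risk signal blocks even a fully compliant, MFA-authenticated session.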
Options for conditional access
• For lightweight, mobile-only requirements with a third-party MDM, Intune MAM conditional access is simple to deploy and manage.
• If you use Intune today to manage PCs and mobile devices and don’t want to use preview technology, Intune-based conditional access may be most suitable.
• If you want to protect desktops and mobile devices without requiring Intune to manage PCs, preview Azure AD-based conditional access is likely to be the best fit.
Which to use and when