NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Microsoft cloud to protect...
![Page 1: NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Microsoft cloud to protect your corporate identities and applications](https://reader038.fdocuments.net/reader038/viewer/2022102821/58ed02bd1a28ab6b288b4625/html5/thumbnails/1.jpg)
![Page 2: NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Microsoft cloud to protect your corporate identities and applications](https://reader038.fdocuments.net/reader038/viewer/2022102821/58ed02bd1a28ab6b288b4625/html5/thumbnails/2.jpg)
Azure AD Identity Protection and Conditional Access: Using the Microsoft cloud to protect your corporate identities and applications
![Page 3: NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Microsoft cloud to protect your corporate identities and applications](https://reader038.fdocuments.net/reader038/viewer/2022102821/58ed02bd1a28ab6b288b4625/html5/thumbnails/3.jpg)
About Your Speaker: Morgan Simonsen
• Cloud Evangelist @ Lumagate
• P-TSP @ Microsoft
• MCSE, MCSA, MCT
• MVP
• Twitter: @msimonsen
• Email: [email protected]
• Blog: morgansimonsen.com
![Page 4: NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Microsoft cloud to protect your corporate identities and applications](https://reader038.fdocuments.net/reader038/viewer/2022102821/58ed02bd1a28ab6b288b4625/html5/thumbnails/4.jpg)
Agenda
• Why are we in this room? - We are all going to the cloud and becoming mobile
• The Story so far - Cloud Identity with Azure Active Directory 101
• But I'm worried… - How to protect ourselves in this brave new world
• Skynet to the rescue - Azure AD Identity Protection
• IFTTTATAT - Azure AD Conditional Access
![Page 5: NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Microsoft cloud to protect your corporate identities and applications](https://reader038.fdocuments.net/reader038/viewer/2022102821/58ed02bd1a28ab6b288b4625/html5/thumbnails/5.jpg)
Why are we in this room? We are all going to the cloud and becoming mobile
![Page 6: NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Microsoft cloud to protect your corporate identities and applications](https://reader038.fdocuments.net/reader038/viewer/2022102821/58ed02bd1a28ab6b288b4625/html5/thumbnails/6.jpg)
The Cloud & Mobile Promise
• Easy access
• 24x7 connectivity
• Flexibility
• Global reach
• Seamless collaboration
• Agility
• Reduced friction
23% greater productivity, 100% higher employee satisfaction (Is mobility the answer to better employee productivity?, Forbes Magazine, 29.3.2016)
But what about Auditing? Security? Compliance & Assurance?
![Page 7: NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Microsoft cloud to protect your corporate identities and applications](https://reader038.fdocuments.net/reader038/viewer/2022102821/58ed02bd1a28ab6b288b4625/html5/thumbnails/7.jpg)
Enterprise Mobility + Security: The Microsoft vision
• Identity Driven Security
• Managed Mobile Productivity
• Comprehensive Solution
Users, Devices, Apps, Data
![Page 8: NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Microsoft cloud to protect your corporate identities and applications](https://reader038.fdocuments.net/reader038/viewer/2022102821/58ed02bd1a28ab6b288b4625/html5/thumbnails/8.jpg)
Enterprise Mobility + Security: The Microsoft solution
• Azure Active Directory - Manage identity with hybrid integration to protect application access from identity attacks: Privileged Identity Management, Identity Protection, Conditional Access (enforce MFA / allow / block)
• Azure Information Protection - Protect your data, everywhere
• Microsoft Cloud App Security - Extend enterprise-grade security to your cloud and SaaS apps
• Advanced Threat Analytics - Detect threats early with visibility and threat analytics
• Intune - Protect your users, devices, and apps
• Windows 10 - Azure AD Join, Health Attestation, Windows Hello, BitLocker
![Page 9: NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Microsoft cloud to protect your corporate identities and applications](https://reader038.fdocuments.net/reader038/viewer/2022102821/58ed02bd1a28ab6b288b4625/html5/thumbnails/9.jpg)
The Story so far: Cloud Identity with Azure Active Directory 101
![Page 10: NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Microsoft cloud to protect your corporate identities and applications](https://reader038.fdocuments.net/reader038/viewer/2022102821/58ed02bd1a28ab6b288b4625/html5/thumbnails/10.jpg)
Azure Active Directory
• Microsoft "Identity Management as a Service (IDaaS)" for organizations.
• Millions of independent identity systems controlled by enterprise and government "tenants."
• Information is owned and used by the controlling organization, not by Microsoft.
• Born-as-a-cloud directory for Office 365. Extended to manage across many clouds.
• Evolved to manage an organization's relationships with its customers/citizens and partners (B2C and B2B).
• 33,000 Enterprise Mobility + Security / Azure AD Premium enterprise customers
• >110k third-party applications used with Azure AD each month
• >1.3 billion authentications every day on Azure AD
• More than 750 M user accounts on Azure AD
• >10 M Azure AD directories
• 90% of Fortune 500 companies use Microsoft Cloud (Azure, O365, CRM Online, and PowerBI)
• Every Office 365 and Microsoft Azure customer uses Azure Active Directory
![Page 11: NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Microsoft cloud to protect your corporate identities and applications](https://reader038.fdocuments.net/reader038/viewer/2022102821/58ed02bd1a28ab6b288b4625/html5/thumbnails/11.jpg)
Azure AD Trust Fabric
• Contoso AD (on-premises Active Directory) ↔ Contoso Azure AD
• Fabrikam AD ↔ Fabrikam Azure AD
• …and trust extends to all Azure AD enabled organizations
• Business-2-Business (B2B) lets all identities in Azure AD collaborate
We are all in the same boat… forest.
![Page 12: NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Microsoft cloud to protect your corporate identities and applications](https://reader038.fdocuments.net/reader038/viewer/2022102821/58ed02bd1a28ab6b288b4625/html5/thumbnails/12.jpg)
Hybrid identity components
• On-premises: AD DS, FIM/MIM Sync
• Identity bridge - Azure AD Connect: Sync engine, Password Sync, Health (Sync, ADFS, ADDS), AD FS (optional), Pass-Through AuthN
• Cloud - Azure AD: Office 365, your apps, SaaS apps (Salesforce, Box, DropBox, Google…)
![Page 13: NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Microsoft cloud to protect your corporate identities and applications](https://reader038.fdocuments.net/reader038/viewer/2022102821/58ed02bd1a28ab6b288b4625/html5/thumbnails/13.jpg)
But I'm worried… How to protect ourselves in this brave new world
![Page 14: NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Microsoft cloud to protect your corporate identities and applications](https://reader038.fdocuments.net/reader038/viewer/2022102821/58ed02bd1a28ab6b288b4625/html5/thumbnails/14.jpg)
Sobering statistics
The frequency and sophistication of cybersecurity attacks are escalating
• $500B total potential cost of cybercrime to the global economy
• $3.5M average cost of a data breach to a company
• 200+ median number of days attackers reside within a victim's network before detection
• 75%+ of network intrusions due to compromised user credentials
![Page 15: NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Microsoft cloud to protect your corporate identities and applications](https://reader038.fdocuments.net/reader038/viewer/2022102821/58ed02bd1a28ab6b288b4625/html5/thumbnails/15.jpg)
Industrialized Digital Crime: Cybercrime Supply Chain
• SDKs & Toolkits
• SaaS (social graph!)
• IaaS (botnets!)
• Phone support!
![Page 16: NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Microsoft cloud to protect your corporate identities and applications](https://reader038.fdocuments.net/reader038/viewer/2022102821/58ed02bd1a28ab6b288b4625/html5/thumbnails/16.jpg)
Azure Active Directory Identity Protection & Conditional Access: Cloud-powered protection
![Page 17: NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Microsoft cloud to protect your corporate identities and applications](https://reader038.fdocuments.net/reader038/viewer/2022102821/58ed02bd1a28ab6b288b4625/html5/thumbnails/17.jpg)
WE DRIVE BUSINESS EVOLUTION FORWARD
Adopt Cloud for Better Security
• Past: Cloud was a security concern
• Now: Cloud is security peace of mind
• Economies of Scale → Security of Scale
• Division of responsibilities
• Compliance and Certifications (PCI, HIPAA etc.)
• Security Talent
![Page 18: NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Microsoft cloud to protect your corporate identities and applications](https://reader038.fdocuments.net/reader038/viewer/2022102821/58ed02bd1a28ab6b288b4625/html5/thumbnails/18.jpg)
Why use Azure AD to protect our users and apps?
• Cloud Cadence release schedule for new features
• Insights of scale
• World Class Protection
• Price
• Frankly; what are your other options…?
![Page 19: NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Microsoft cloud to protect your corporate identities and applications](https://reader038.fdocuments.net/reader038/viewer/2022102821/58ed02bd1a28ab6b288b4625/html5/thumbnails/19.jpg)
Mission: Protect our users
• World class signal due to massive amount of relevant data
• One of the world's largest consumer identity services (the Microsoft Account service)
• One of the world's largest enterprise identity services (the Azure AD service)
• One of the world's largest consumer email services (Outlook.com)
• One of the world's largest enterprise email services (Office 365)
• One of the world's largest online gaming services (Xbox Live)
• Signals from services like SharePoint Online, Skype and OneDrive to strengthen our analysis
• Feeds from Microsoft Digital Crime Unit and Microsoft Security Response Center
• Partnering with Law Enforcement, Security Researchers, Industry further enhances signal
Microsoft Daily Statistics: analyze >10 terabytes of data, deflect 1.5 million attacks, process >14B sign-ins. Source: https://www.microsoft.com/sir
![Page 20: NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Microsoft cloud to protect your corporate identities and applications](https://reader038.fdocuments.net/reader038/viewer/2022102821/58ed02bd1a28ab6b288b4625/html5/thumbnails/20.jpg)
Machine Learning for security
![Page 21: NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Microsoft cloud to protect your corporate identities and applications](https://reader038.fdocuments.net/reader038/viewer/2022102821/58ed02bd1a28ab6b288b4625/html5/thumbnails/21.jpg)
(Slides 21 to 32 build up one diagram of the Identity Protection machine-learning feedback loop, one element per slide; only the recoverable labels are kept here.)
• Credentials are presented to Azure Active Directory by "Schrödinger's User": until the sign-in is analyzed it is neither known-good nor known-bad.
• A Classifier (initially hand-written Rules from a Coder) sorts each sign-in into Seems Good or Seems Bad.
• Analysis draws on Self-reporting, Threat data, Relying parties, Behavior and 10+ TB of Logs.
• Outcomes are labeled against what really happened: True Negative and True Positive ("We were right!"), False Negative and False Positive ("We were wrong!").
• A Security Analyst labels the data; the labels drive code updates to the Classifier, and a new Classifier is deployed.
• The loop - Analyze, Label Data, Update, Deploy - is eventually automated by a Learner.
![Page 33: NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Microsoft cloud to protect your corporate identities and applications](https://reader038.fdocuments.net/reader038/viewer/2022102821/58ed02bd1a28ab6b288b4625/html5/thumbnails/33.jpg)
How Identity Protection detects and mitigates cyber attacks
• Sign-in Risk
  • Invoked on each login, evaluating that particular login
  • 100 data points (signals)
  • Result sent as input to Conditional Access
• User Risk
  • Invoked on each login, evaluating accumulated data
  • Background process
  • Collects data over time
![Page 34: NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Microsoft cloud to protect your corporate identities and applications](https://reader038.fdocuments.net/reader038/viewer/2022102821/58ed02bd1a28ab6b288b4625/html5/thumbnails/34.jpg)
Identity Protection in Action: EDU Attack - 1,750 of 8,000 accounts compromised
![Page 35: NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Microsoft cloud to protect your corporate identities and applications](https://reader038.fdocuments.net/reader038/viewer/2022102821/58ed02bd1a28ab6b288b4625/html5/thumbnails/35.jpg)
We noticed a sharp increase in password lockouts: a large elevation in user lockouts. Inspection showed the lockout increase came from a single org. (Chart: users locked out per day.)
![Page 36: NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Microsoft cloud to protect your corporate identities and applications](https://reader038.fdocuments.net/reader038/viewer/2022102821/58ed02bd1a28ab6b288b4625/html5/thumbnails/36.jpg)
Suspicious IP activity very different from in-country IPs
• In-country traffic: generally lower user volume, generally successful
• Suspect IP: mostly failure traffic, single UserAgent
![Page 37: NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Microsoft cloud to protect your corporate identities and applications](https://reader038.fdocuments.net/reader038/viewer/2022102821/58ed02bd1a28ab6b288b4625/html5/thumbnails/37.jpg)
Detailed suspicious IP view showed automated attacks: an initial bad-guy test run, then large-scale account failures per minute. (Chart: accounts accessed per minute from the suspect IP.)
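The three signals the EDU-attack slides describe (a lockout spike, a source IP that is mostly failures from one user agent, and many distinct accounts per minute) as detection logic in Python. This is an added example, not Microsoft's detection code: the sign-in records for a small EDU tenant over six days are constructed, and the IP addresses, user names and thresholds are assumptions for illustration.

```python
"""Detection logic for the attack pattern on the preceding slides: a lockout
spike, a source IP whose traffic is mostly failures from one user agent, and
many distinct accounts attempted per minute. Added example; all records are
constructed, nothing here is Azure AD's own detection code."""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median
from typing import Dict, List, NamedTuple


class SignIn(NamedTuple):
    ts: datetime
    ip: str
    user: str
    user_agent: str
    result: str  # "success", "failure" or "lockout"


def build_sample_signins() -> List[SignIn]:
    """Constructed data: five quiet days, then a spray from 203.0.113.77 on day 6."""
    users = [f"user{i:03d}@contoso.edu" for i in range(40)]
    campus_ips = ["198.51.100.10", "198.51.100.11", "198.51.100.12"]
    agents = ["Mozilla/5.0 (Windows NT 10.0)", "Mozilla/5.0 (iPhone)", "Outlook/16.0"]
    recs: List[SignIn] = []
    for day in range(1, 7):
        for i, u in enumerate(users[:30]):  # ordinary successful sign-ins
            recs.append(SignIn(datetime(2017, 2, day, 8, i, 0), campus_ips[i % 3],
                               u, agents[(i // 3) % 3], "success"))
        recs.append(SignIn(datetime(2017, 2, day, 9, 0, 0), campus_ips[0],  # one genuine lockout a day
                           users[0], agents[0], "lockout"))
    attacker, ua = "203.0.113.77", "python-requests/2.9.1"
    compromised = {users[7], users[13]}  # accounts whose password the attacker guesses
    for i in range(5):  # small test run at 02:00 on day 6
        recs.append(SignIn(datetime(2017, 2, 6, 2, 0, i * 10), attacker, users[i], ua, "failure"))
    for rnd in range(3):  # three bulk rounds, one per minute; the third locks accounts out
        for i, u in enumerate(users):
            if u in compromised:
                if rnd == 0:
                    recs.append(SignIn(datetime(2017, 2, 6, 3, rnd, i), attacker, u, ua, "success"))
                continue
            recs.append(SignIn(datetime(2017, 2, 6, 3, rnd, i), attacker, u, ua,
                               "lockout" if rnd == 2 else "failure"))
    return recs


def lockouts_per_day(recs: List[SignIn]) -> Dict[str, int]:
    return dict(Counter(r.ts.date().isoformat() for r in recs if r.result == "lockout"))


def lockout_spike_days(recs: List[SignIn], factor: float = 3.0) -> List[str]:
    """Days whose lockout count is at least `factor` times the median day."""
    per_day = lockouts_per_day(recs)
    baseline = median(per_day.values())
    return sorted(d for d, n in per_day.items() if n > baseline and n >= factor * baseline)


def profile_ips(recs: List[SignIn]) -> Dict[str, dict]:
    """Per source IP: attempt count, success ratio, distinct users and user agents."""
    prof: Dict[str, dict] = defaultdict(lambda: {"attempts": 0, "successes": 0,
                                                 "users": set(), "user_agents": set()})
    for r in recs:
        p = prof[r.ip]
        p["attempts"] += 1
        p["successes"] += r.result == "success"
        p["users"].add(r.user)
        p["user_agents"].add(r.user_agent)
    for p in prof.values():
        p["success_ratio"] = p["successes"] / p["attempts"]
    return dict(prof)


def suspect_ips(recs: List[SignIn], min_attempts: int = 20,
                max_success_ratio: float = 0.2) -> List[str]:
    """IPs that look like the slide's suspect IP: busy, mostly failing, one user agent."""
    return sorted(ip for ip, p in profile_ips(recs).items()
                  if p["attempts"] >= min_attempts
                  and p["success_ratio"] <= max_success_ratio
                  and len(p["user_agents"]) == 1)


def peak_accounts_per_minute(recs: List[SignIn], ip: str) -> int:
    """Largest number of distinct accounts tried from `ip` within one minute."""
    per_minute: Dict[datetime, set] = defaultdict(set)
    for r in recs:
        if r.ip == ip:
            per_minute[r.ts.replace(second=0, microsecond=0)].add(r.user)
    return max((len(s) for s in per_minute.values()), default=0)


if __name__ == "__main__":
    data = build_sample_signins()
    print("lockouts per day:", lockouts_per_day(data))
    print("spike days:", lockout_spike_days(data))
    for ip in suspect_ips(data):
        p = profile_ips(data)[ip]
        print(f"suspect {ip}: {p['attempts']} attempts, success ratio {p['success_ratio']:.2f}, "
              f"{len(p['users'])} accounts, peak {peak_accounts_per_minute(data, ip)}/min")
```

On the constructed data the campus IPs never trip the profile check (high success ratio, several user agents), while 203.0.113.77 shows 121 attempts, a success ratio near zero, one user agent, and 40 distinct accounts in a single minute, which is the shape of the charts on the slides. The single-user-agent condition is deliberately strict; a spray that rotates user agents needs the other two signals to carry it.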
![Page 38: NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Microsoft cloud to protect your corporate identities and applications](https://reader038.fdocuments.net/reader038/viewer/2022102821/58ed02bd1a28ab6b288b4625/html5/thumbnails/38.jpg)
The Bad Guys are getting smarter too
• Botnets are bigger, cheaper and more available
• Bad guys are effectively defeating 2nd factor authentication
• Bad guys are feeding our machine learning systems bad data
• The bad guys have machine learning too
![Page 39: NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Microsoft cloud to protect your corporate identities and applications](https://reader038.fdocuments.net/reader038/viewer/2022102821/58ed02bd1a28ab6b288b4625/html5/thumbnails/39.jpg)
Risks Identified by AAD Identity Protection
• Leaked credentials (High)
• Impossible travel to atypical locations (Medium)
• Sign-ins from infected devices (Low)
• Sign-ins from anonymous IP addresses (Medium)
• Sign-ins from IP addresses with suspicious activity (Medium)
• Sign-ins from unfamiliar locations (Medium)
• Lockout events
![Page 40: NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Microsoft cloud to protect your corporate identities and applications](https://reader038.fdocuments.net/reader038/viewer/2022102821/58ed02bd1a28ab6b288b4625/html5/thumbnails/40.jpg)
Identity Protection APIs
• Microsoft Graph API: https://graph.microsoft.io
• IdentityRiskEvents: sign-ins and other events that have been analyzed and found to be "risky" by Identity Protection's machine learning and algorithms
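How a consumer of the IdentityRiskEvents collection would page through it and turn the events into the remediation actions the deck's pre-canned policies apply (high user risk: password change; medium sign-in risk: MFA). This is an added example, not Microsoft sample code. Assumptions: the beta entity name `identityRiskEvents`, the field names (`riskEventType`, `riskLevel`, `riskEventStatus`, `userPrincipalName`) and the `IdentityRiskEvent.Read.All` permission follow the 2017-era Graph schema as remembered; newer Graph versions expose `riskDetections` instead, so check the current schema. The two response pages are constructed so the code runs offline.

```python
"""Pulling Identity Protection risk events from Microsoft Graph and turning them
into remediation actions. Added example, not Microsoft sample code; the beta
entity name, field names and type strings are assumptions from the 2017-era
schema, and the two response pages are constructed so this runs offline."""
import json
import urllib.request
from typing import Callable, Dict, Iterable, List

GRAPH = "https://graph.microsoft.com/beta/identityRiskEvents"
RISK_ORDER = {"low": 1, "medium": 2, "high": 3}
# Mapping from the deck's pre-canned policies: user risk high -> password change,
# sign-in risk medium -> MFA, anything lower is just watched.
ACTION_FOR_LEVEL = {"high": "reset-password", "medium": "require-mfa", "low": "monitor"}


def build_filter(levels: Iterable[str], status: str = "active") -> str:
    """OData $filter selecting the wanted risk levels and event status."""
    level_clause = " or ".join(f"riskLevel eq '{lvl}'" for lvl in levels)
    return f"({level_clause}) and riskEventStatus eq '{status}'"


def graph_get(token: str) -> Callable[[str], dict]:
    """Real fetcher: GET a Graph URL with a bearer token (assumed permission IdentityRiskEvent.Read.All)."""
    def fetch(url: str) -> dict:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return fetch


def fetch_all(fetch: Callable[[str], dict], url: str) -> List[dict]:
    """Follow @odata.nextLink until the collection is exhausted."""
    events: List[dict] = []
    while url:
        page = fetch(url)
        events.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return events


def triage(events: List[dict]) -> Dict[str, dict]:
    """Per user: highest active risk level, the event types behind it, and the action."""
    out: Dict[str, dict] = {}
    for ev in events:
        if ev.get("riskEventStatus") != "active":
            continue  # already remediated or dismissed
        upn = ev["userPrincipalName"]
        entry = out.setdefault(upn, {"level": "low", "types": set(), "action": "monitor"})
        entry["types"].add(ev["riskEventType"])
        if RISK_ORDER[ev["riskLevel"]] > RISK_ORDER[entry["level"]]:
            entry["level"] = ev["riskLevel"]
            entry["action"] = ACTION_FOR_LEVEL[ev["riskLevel"]]
    return out


# Constructed sample: two pages as the service would return them, the second reached via nextLink.
START_URL = f"{GRAPH}?$filter={build_filter(['high', 'medium', 'low'])}"
SAMPLE_PAGES = {
    START_URL: {
        "value": [
            {"id": "e1", "riskEventType": "LeakedCredentialsRiskEvent", "riskLevel": "high",
             "riskEventStatus": "active", "userPrincipalName": "alice@contoso.com",
             "createdDateTime": "2017-02-01T08:12:00Z"},
            {"id": "e2", "riskEventType": "ImpossibleTravelRiskEvent", "riskLevel": "medium",
             "riskEventStatus": "active", "userPrincipalName": "bob@contoso.com",
             "ipAddress": "203.0.113.77", "createdDateTime": "2017-02-01T09:40:00Z"},
            {"id": "e3", "riskEventType": "AnonymousIpRiskEvent", "riskLevel": "medium",
             "riskEventStatus": "remediated", "userPrincipalName": "carol@contoso.com",
             "createdDateTime": "2017-01-30T22:05:00Z"},
        ],
        "@odata.nextLink": f"{GRAPH}?$skiptoken=page2",
    },
    f"{GRAPH}?$skiptoken=page2": {
        "value": [
            {"id": "e4", "riskEventType": "UnfamiliarLocationRiskEvent", "riskLevel": "medium",
             "riskEventStatus": "active", "userPrincipalName": "bob@contoso.com",
             "createdDateTime": "2017-02-02T07:01:00Z"},
            {"id": "e5", "riskEventType": "MalwareRiskEvent", "riskLevel": "low",
             "riskEventStatus": "active", "userPrincipalName": "dave@contoso.com",
             "createdDateTime": "2017-02-02T11:30:00Z"},
        ]
    },
}


def offline_fetch(url: str) -> dict:
    """Stand-in for graph_get(token) that serves the constructed pages."""
    return SAMPLE_PAGES[url]


def run_offline() -> Dict[str, dict]:
    return triage(fetch_all(offline_fetch, START_URL))


if __name__ == "__main__":
    for upn, entry in run_offline().items():
        print(f"{upn}: {entry['level']} -> {entry['action']} ({', '.join(sorted(entry['types']))})")
```

Against a real tenant, replace `offline_fetch` with `graph_get(token)`; the paging loop and triage are unchanged. Filtering out non-active events matters because remediated events stay in the collection, and a script that resets passwords for every high-risk event ever recorded will keep resetting the same users.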
![Page 41: NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Microsoft cloud to protect your corporate identities and applications](https://reader038.fdocuments.net/reader038/viewer/2022102821/58ed02bd1a28ab6b288b4625/html5/thumbnails/41.jpg)
Enable AAD Identity Protection
• EMS E5/AAD P2 required
• Identity Protection works for any sign-in to Azure AD
![Page 42: NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Microsoft cloud to protect your corporate identities and applications](https://reader038.fdocuments.net/reader038/viewer/2022102821/58ed02bd1a28ab6b288b4625/html5/thumbnails/42.jpg)
Demo: Identity Protection in the Azure Portal
![Page 43: NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Microsoft cloud to protect your corporate identities and applications](https://reader038.fdocuments.net/reader038/viewer/2022102821/58ed02bd1a28ab6b288b4625/html5/thumbnails/43.jpg)
Multi-Factor Authentication (MFA) Registration Policy
• Pre-Canned Conditional Access Policy
• Edit: Users
• Access: Allow
• Access Controls: MFA registration
• Monitor: Current Registration Status
• You should enforce this!
![Page 44: NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Microsoft cloud to protect your corporate identities and applications](https://reader038.fdocuments.net/reader038/viewer/2022102821/58ed02bd1a28ab6b288b4625/html5/thumbnails/44.jpg)
Sign-in risk remediation policy
• Pre-Canned Conditional Access Policy
• Edit: Users and Conditions
• Access: Allow or Block
• Access Controls: MFA Authentication
• Monitor: Number of Sign-ins impacted
• Do not enforce this unless you have a high number of users registered with MFA!
![Page 45: NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Microsoft cloud to protect your corporate identities and applications](https://reader038.fdocuments.net/reader038/viewer/2022102821/58ed02bd1a28ab6b288b4625/html5/thumbnails/45.jpg)
User risk remediation policy
• Pre-Canned Conditional Access Policy
• Edit: Users and Conditions
• Access: Allow or Block
• Access Controls: Require Password Change
• Monitor: Number of users impacted
• Should probably be enabled for High immediately
• AADP SSPR (Azure AD Premium self-service password reset) is a nice add-on feature to have enabled, so users can complete the required password change themselves
![Page 46: NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Microsoft cloud to protect your corporate identities and applications](https://reader038.fdocuments.net/reader038/viewer/2022102821/58ed02bd1a28ab6b288b4625/html5/thumbnails/46.jpg)
User Experience – Suspicious Sign-In
• Sign-in Risk Policy enforced
![Page 47: NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Microsoft cloud to protect your corporate identities and applications](https://reader038.fdocuments.net/reader038/viewer/2022102821/58ed02bd1a28ab6b288b4625/html5/thumbnails/47.jpg)
User Experience – User at Risk
• User Risk Policy enforced
![Page 48: NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Microsoft cloud to protect your corporate identities and applications](https://reader038.fdocuments.net/reader038/viewer/2022102821/58ed02bd1a28ab6b288b4625/html5/thumbnails/48.jpg)
Licensing
• Azure Active Directory Premium P2 required
• Enterprise Mobility + Security E5
• If users don't have it they cannot self-remediate!

| Plan features | Enterprise Mobility + Security E3 | Enterprise Mobility + Security E5 |
| --- | --- | --- |
| Identity and access management | Microsoft Azure Active Directory Premium P1: secure single sign-on to cloud and on-premises apps, multi-factor authentication, conditional access, advanced security reporting | Azure Active Directory Premium P2: risk-based conditional access, privileged identity management, includes all P1 capabilities |
![Page 49: NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Microsoft cloud to protect your corporate identities and applications](https://reader038.fdocuments.net/reader038/viewer/2022102821/58ed02bd1a28ab6b288b4625/html5/thumbnails/49.jpg)
Using Identity Protection with Conditional Access for Applications
![Page 50: NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Microsoft cloud to protect your corporate identities and applications](https://reader038.fdocuments.net/reader038/viewer/2022102821/58ed02bd1a28ab6b288b4625/html5/thumbnails/50.jpg)
Wide range of Enterprise Mobility Scenarios

| | Locked Down Device | Managed Device | Personal Device | Unknown Device |
| --- | --- | --- | --- | --- |
| Example | Point-of-sale or maintenance tablet or PC | Company provided phone, tablet or PC | Personal phone, tablet or PC | Kiosk at a hotel |
| Type of user | Task Worker | Information Worker | Information Worker | Information Worker |
| MDM | MDM Enabled | MDM Enabled | ✗ Won't Enable MDM | ✗ Can't Enable MDM |

Level of Access Desired by Organization varies across the spectrum
![Page 51: NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Microsoft cloud to protect your corporate identities and applications](https://reader038.fdocuments.net/reader038/viewer/2022102821/58ed02bd1a28ab6b288b4625/html5/thumbnails/51.jpg)
Conditional Access Building Blocks
• "When this happens" is called a condition statement
• "Then do this" is called controls
• The combination of a condition statement with your controls represents a conditional access policy
![Page 52: NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Microsoft cloud to protect your corporate identities and applications](https://reader038.fdocuments.net/reader038/viewer/2022102821/58ed02bd1a28ab6b288b4625/html5/thumbnails/52.jpg)
Conditional Access
Conditions:
• Application: per-app policy; type of client (Web, Rich, Mobile); cloud and on-premises applications
• User attributes: group membership
• Devices: domain joined, compliant, platform type (Windows, iOS, Android)
• Location: IP range
• Risk: session risk, user risk
Controls (Microsoft Azure): Enforce MFA, Allow, Block
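The building blocks above (a condition statement over application, user, device, location and risk, paired with a control) as a small policy evaluator. This is an added example that models the concept for illustration; it is not Azure AD's real engine, and the policy set, the corporate IP range, the group names and the sign-ins are constructed. It does show the two combination rules a practitioner needs to get right: block wins over every grant control, and several matching policies accumulate their grant controls.

```python
"""A small conditional access evaluator built from the deck's building blocks:
each policy is a condition statement (users, apps, client type, device state,
location, sign-in risk, user risk) plus a control (block, enforce MFA, require
password change). Added example; it models the concept, not Azure AD's real
engine, and the policies and sign-ins below are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Set, Tuple

RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class SignIn:
    user: str
    groups: FrozenSet[str]
    app: str
    client: str          # "web", "rich" or "mobile"
    platform: str        # "Windows", "iOS", "Android"
    ip: str
    device_compliant: bool = False
    domain_joined: bool = False
    sign_in_risk: str = "none"
    user_risk: str = "none"


@dataclass
class Policy:
    name: str
    control: str                                  # "block", "mfa" or "password-change"
    groups: Optional[Set[str]] = None             # any of these; None = all users
    exclude_groups: Set[str] = field(default_factory=set)
    apps: Optional[Set[str]] = None
    clients: Optional[Set[str]] = None
    platforms: Optional[Set[str]] = None
    trusted_networks: Optional[List[str]] = None  # policy applies only OUTSIDE these
    device_state: Optional[str] = None            # "compliant", "noncompliant" or "unmanaged"
    min_sign_in_risk: Optional[str] = None
    min_user_risk: Optional[str] = None

    def applies(self, s: SignIn) -> bool:
        """True when every condition of the statement holds for this sign-in."""
        if s.groups & self.exclude_groups:
            return False
        if self.groups is not None and not (s.groups & self.groups):
            return False
        if self.apps is not None and s.app not in self.apps:
            return False
        if self.clients is not None and s.client not in self.clients:
            return False
        if self.platforms is not None and s.platform not in self.platforms:
            return False
        if self.trusted_networks is not None and any(
                ip_address(s.ip) in ip_network(n) for n in self.trusted_networks):
            return False
        if self.device_state == "compliant" and not s.device_compliant:
            return False
        if self.device_state == "noncompliant" and s.device_compliant:
            return False
        if self.device_state == "unmanaged" and (s.device_compliant or s.domain_joined):
            return False
        if self.min_sign_in_risk and RISK_ORDER[s.sign_in_risk] < RISK_ORDER[self.min_sign_in_risk]:
            return False
        if self.min_user_risk and RISK_ORDER[s.user_risk] < RISK_ORDER[self.min_user_risk]:
            return False
        return True


@dataclass(frozen=True)
class Decision:
    result: str                    # "allow" or "block"
    requirements: Tuple[str, ...]  # grant controls the user must satisfy
    matched: Tuple[str, ...]       # names of the policies that applied


def evaluate(policies: List[Policy], s: SignIn) -> Decision:
    """Block wins over everything; otherwise the user must satisfy every grant control."""
    hits = [p for p in policies if p.applies(s)]
    names = tuple(p.name for p in hits)
    if any(p.control == "block" for p in hits):
        return Decision("block", (), names)
    return Decision("allow", tuple(sorted({p.control for p in hits})), names)


BREAK_GLASS = {"BreakGlass"}  # emergency accounts excluded from every policy
CORP_NETS = ["198.51.100.0/24"]  # assumed corporate IP range
PRE_CANNED = [
    Policy("Exchange Online off-network: require MFA", "mfa",
           apps={"Exchange Online"}, trusted_networks=CORP_NETS, exclude_groups=BREAK_GLASS),
    Policy("Mobile apps on unmanaged devices: block", "block",
           clients={"mobile"}, device_state="unmanaged", exclude_groups=BREAK_GLASS),
    Policy("Sign-in risk medium and above: require MFA", "mfa",
           min_sign_in_risk="medium", exclude_groups=BREAK_GLASS),
    Policy("Sign-in risk high: block", "block",
           min_sign_in_risk="high", exclude_groups=BREAK_GLASS),
    Policy("User risk high: require password change", "password-change",
           min_user_risk="high", exclude_groups=BREAK_GLASS),
]


def demo() -> List[Decision]:
    """Constructed sign-ins walking the device scenarios and risk levels from the slides."""
    alice = dict(user="alice@contoso.com", groups=frozenset({"Finance"}),
                 app="Exchange Online", client="web", platform="Windows")
    return [
        evaluate(PRE_CANNED, SignIn(**alice, ip="203.0.113.5")),                          # hotel kiosk
        evaluate(PRE_CANNED, SignIn(**alice, ip="198.51.100.20", domain_joined=True)),    # at the office
        evaluate(PRE_CANNED, SignIn(**alice, ip="198.51.100.20", user_risk="high")),      # leaked password
        evaluate(PRE_CANNED, SignIn(**alice, ip="203.0.113.5", sign_in_risk="high")),     # anonymous proxy
        evaluate(PRE_CANNED, SignIn(**{**alice, "client": "mobile"}, ip="203.0.113.5")),  # unmanaged phone
        evaluate(PRE_CANNED, SignIn(**{**alice, "groups": frozenset(BREAK_GLASS)}, ip="203.0.113.5")),
    ]


if __name__ == "__main__":
    for d in demo():
        print(d.result, d.requirements, d.matched)
```

The exclusion group is the part people forget: without it, the "sign-in risk high: block" policy can lock the tenant's administrators out of the portal they need to fix a misfiring policy, which is why an excluded break-glass account is part of the constructed set.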
![Page 53: NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Microsoft cloud to protect your corporate identities and applications](https://reader038.fdocuments.net/reader038/viewer/2022102821/58ed02bd1a28ab6b288b4625/html5/thumbnails/53.jpg)
Demo: Conditional Access for Applications in the Azure Portal
![Page 54: NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Microsoft cloud to protect your corporate identities and applications](https://reader038.fdocuments.net/reader038/viewer/2022102821/58ed02bd1a28ab6b288b4625/html5/thumbnails/54.jpg)
Device Controls in Conditional Access
• Compliant Device:
  • Intune Compliance Policy
  • SCCM
• Domain Joined Device: Azure AD Registered Device (DRS)
  • Windows 10 domain joined: creates an object in AD which is synced to the cloud by AAD Connect
  • (Windows 10 Azure AD joined: registers at join)
  • Windows 7, 8, 8.1 domain joined: ADFS claims configured for DRS
  • Windows 8.1 could potentially also enroll in MDM manually and become compliant that way
![Page 55: NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Microsoft cloud to protect your corporate identities and applications](https://reader038.fdocuments.net/reader038/viewer/2022102821/58ed02bd1a28ab6b288b4625/html5/thumbnails/55.jpg)
Azure AD Device Registration Prerequisites
• Device Registration Allowed: USERS MAY WORKPLACE JOIN DEVICES: ALL
• DNS Records:

| Entry | Type | Address |
| --- | --- | --- |
| enterpriseregistration.contoso.com | CNAME | enterpriseregistration.windows.net |
| enterpriseregistration.region.contoso.com | CNAME | enterpriseregistration.windows.net |

• Internet Explorer Settings (these are defaults):
  • Don't prompt for client certificate selection when only one certificate exists: Enable
  • Allow scripting: Enable
  • Automatic logon only in Intranet zone: Checked
• Group Policy to enforce registration
![Page 56: NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Microsoft cloud to protect your corporate identities and applications](https://reader038.fdocuments.net/reader038/viewer/2022102821/58ed02bd1a28ab6b288b4625/html5/thumbnails/56.jpg)
ADFS Claims for DRS
• Additional Claims:
  • http://schemas.microsoft.com/ws/2012/01/accounttype
  • http://schemas.microsoft.com/identity/claims/onpremobjectguid
  • http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid
  • http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid
![Page 57: NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Microsoft cloud to protect your corporate identities and applications](https://reader038.fdocuments.net/reader038/viewer/2022102821/58ed02bd1a28ab6b288b4625/html5/thumbnails/57.jpg)
Questions?
![Page 58: NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Microsoft cloud to protect your corporate identities and applications](https://reader038.fdocuments.net/reader038/viewer/2022102821/58ed02bd1a28ab6b288b4625/html5/thumbnails/58.jpg)
Please evaluate the session on your way out…
Hated It! Meh… Best session ever!