
Post on 19-Dec-2015


Spark the future.

May 4 – 8, 2015, Chicago, IL

Securing Access to O365 and other apps with Enterprise Mobility Suite

Dilip Radhakrishnan, Principal PM Manager, Microsoft Intune
Samuel Devasahayam, Principal PM Manager, Azure Active Directory
Christopher Green, Senior PM, Microsoft Intune

BRK3856

Agenda

• Access control in the new world of cloud and mobility
• Secure access to O365 services
• Secure access to SaaS apps
• Secure access to on-premises resources
• Roadmap

Access control to corporate data today

[Diagram: SharePoint Server and Exchange Server with Active Directory inside the corporate network; a DMZ facing the Internet; mobile devices, PCs and browsers connecting from outside; hosting on EC2, On-Premises and Private Cloud; managed devices]

Policies:
• Filter EAS
• Filter web access
• Filter or block mobile app access
• Block unmanaged devices
• Prevent downloads
• Force multi-factor authentication
• Require domain joined
• Force traffic via proxy/VPN

The current reality…

[Diagram: the same topology as the previous slide (SharePoint Server, Exchange Server, Active Directory, corporate network, DMZ, Internet, mobile devices, PCs, browsers)]

The perimeter cannot help protect data

Challenge

Protecting data in a mobile first, cloud first world

Solution

Access control and data containment integrated natively in the apps, devices, and the cloud.

Data protection with EMS

[Diagram: SharePoint Server, Exchange Server and Active Directory on the corporate network behind firewalls and a perimeter network; SharePoint Online and SaaS apps in the cloud; on-premises applications; standard on-premises integration and native cloud integration; native device MDM; Intune App SDK/Tool and AD Authentication Library]

Managed Office productivity and security
• O365: Mobile productivity
• Azure AD: Identity and access control to O365, SaaS apps and on-prem apps
• Intune: Data container for Office mobile apps; mobile device management
• Azure RMS: Information protection at file level
• Extensibility: Enable business apps to interoperate with Office Mobile

Introducing ‘Conditional Access Control’

• Application: business sensitivity
• Other: network location, risk profile
• Devices: authenticated; MDM managed; compliant with policies; not lost/stolen
• User attributes: user identity; group memberships; auth strength (MFA)

Conditional access control

Secure O365 Email & Collaboration services

Securing O365 Services with EMS

Secure Data in Transit
• Encrypt emails/attachments shared externally
• Track/audit rights-protected document usage
• Remote kill document access

Revoke Access
• Revoke company resource access from lost/stolen devices or ex-employee scenarios
• Selectively wipe corp data

Control Access
• Block Email/SharePoint until enrolled and compliant to IT policies
• Simple end user experience
• Revoke access on policy violations

Prevent data leaks
• Encrypt application data at rest
• Restrict data sharing to managed apps
• Enforce application-level policies
• Built-in data protection for Office apps

[Diagram: the four areas above arranged around Employees]

Demo – Secure email & Collaboration in O365 (Chris Green)

Access control to Outlook clients on iOS/Android

[Diagram: Outlook App; Azure AD (device object: device id, isManaged, MDMStatus); Unified Enrollment; Quarantine Website (Step 1: Enroll device); Intune; Outlook Cloud Service; Office 365 EAS Service]

1. Authenticate user and device (Workplace Join + management)
2. Redirect to Intune
3. Enroll into Intune
4. Register device in Azure AD
5. Set device management/compliance status
6. Issue access token
7. Access Outlook Cloud service with AAD token
8. Get EAS service access token for user
9. Get corporate email
10. Email delivered

Access control to SharePoint from OneDrive mobile apps

[Diagram: OneDrive App; Azure AD (device object: device id, isManaged, MDMStatus); Unified Enrollment; Quarantine Website (Step 1: Enroll device); Intune; Office 365 SharePoint Online service]

1. Authenticate user and device (Workplace Join + management)
2. Redirect to Intune
3. Enroll into Intune
4. Register device in Azure AD
5. Set device management/compliance status
6. Issue access token
7. Access SPO service with AAD token
8. Documents synced

Secure SaaS apps

Conditional access to Azure AD connected applications

2000+ applications pre-configured in Azure AD. Secure access with:
• Per-app MFA
• Per-app MFA from extranet
• Block extranet

Target specific groups of users or exclude specific groups of users. Targeting can be standard groups or dynamic groups in Azure AD.

ABAC

[Screenshot: Azure AD portal, fabrikam directory, tabs DASHBOARD / USERS / GROUPS / DEVICES / APPLICATIONS / REPORTS / CONFIGURE, listing pre-configured applications such as 1&1 Control Panel, 1010data, 15Five, 1to1Real, 24SevenOffice, 4Imprint, 5pm, etc.]

[Screenshot: 1&1 Control Panel application, tabs DASHBOARD / CONFIGURE / ACCESS RULES / OWNERS]

Access Rules

APPLY TO
• Selected Groups: All Users (Add Group / Remove Group)
• Except: None Selected (Add Group / Remove Group)

RULES
• Require multi-factor authentication
• Require multi-factor authentication when not at work
• Block access when not at work
• Require a compliant device
• Require multi-factor authentication when device is not authenticated

STATUS: OFF / MONITOR / ON
Monitor will generate statistics but not impact user access.

Configure “work” network location.
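The access-rule page above combines three things: who the rule applies to (selected groups minus except groups), which one rule is selected, and a status where MONITOR records what the rule would have done without affecting the user. The evaluator below is an added example written for this page, not Microsoft's implementation; the five rule strings are the slide's options, while the decision values (GRANT, REQUIRE_MFA, BLOCK), the group model, the SignIn attributes (taken from the "Conditional access control" slide: network location, device authenticated, MDM compliant, MFA strength) and the "work" network ranges are assumptions constructed for illustration.

```python
"""Toy evaluator for the Azure AD per-app access rules listed above.

Added example, not Microsoft's implementation. The rule names are the five
options on the slide; the decision values, the group model and the "work"
network ranges are assumptions made here for illustration."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

RULE_MFA = "Require multi-factor authentication"
RULE_MFA_OFF_WORK = "Require multi-factor authentication when not at work"
RULE_BLOCK_OFF_WORK = "Block access when not at work"
RULE_COMPLIANT_DEVICE = "Require a compliant device"
RULE_MFA_UNAUTH_DEVICE = "Require multi-factor authentication when device is not authenticated"

# The configured "work" network location; constructed sample ranges.
WORK_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]

# Statistics recorded by rules in MONITOR status, keyed by (app, would-be decision).
monitor_stats = Counter()


@dataclass(frozen=True)
class SignIn:
    user: str
    groups: frozenset
    source_ip: str
    device_authenticated: bool   # device presented a Workplace Join credential
    device_compliant: bool       # Intune marked the AAD device object compliant
    mfa_done: bool               # strong auth already performed in this session


@dataclass(frozen=True)
class AccessRule:
    app: str
    rule: str
    status: str = "ON"           # OFF | MONITOR | ON
    apply_to: frozenset = frozenset({"All Users"})
    except_groups: frozenset = frozenset()


def at_work(ip):
    """True when the sign-in originates from a configured work network."""
    addr = ip_address(ip)
    return any(addr in net for net in WORK_NETWORKS)


def in_scope(rule, s):
    """APPLY TO: selected groups minus the except groups."""
    if s.groups & rule.except_groups:
        return False
    return "All Users" in rule.apply_to or bool(s.groups & rule.apply_to)


def required_action(rule, s):
    """What the selected rule would require: GRANT, REQUIRE_MFA or BLOCK."""
    work = at_work(s.source_ip)
    if rule.rule == RULE_MFA:
        return "GRANT" if s.mfa_done else "REQUIRE_MFA"
    if rule.rule == RULE_MFA_OFF_WORK:
        return "GRANT" if work or s.mfa_done else "REQUIRE_MFA"
    if rule.rule == RULE_BLOCK_OFF_WORK:
        return "GRANT" if work else "BLOCK"
    if rule.rule == RULE_COMPLIANT_DEVICE:
        return "GRANT" if s.device_compliant else "BLOCK"
    if rule.rule == RULE_MFA_UNAUTH_DEVICE:
        return "GRANT" if s.device_authenticated or s.mfa_done else "REQUIRE_MFA"
    raise ValueError("unknown rule: " + rule.rule)


def evaluate(rule, s):
    """Apply STATUS: OFF never evaluates, MONITOR only counts, ON enforces."""
    if rule.status == "OFF" or not in_scope(rule, s):
        return "GRANT"
    action = required_action(rule, s)
    if rule.status == "MONITOR":
        monitor_stats[(rule.app, action)] += 1   # statistics only, no user impact
        return "GRANT"
    return action


if __name__ == "__main__":
    rule = AccessRule(app="Salesforce", rule=RULE_MFA_OFF_WORK)
    for ip in ("10.1.2.3", "198.51.100.7"):
        s = SignIn("alice", frozenset({"Sales"}), ip, True, True, False)
        print(ip, "->", evaluate(rule, s))
```

Running a new rule in MONITOR first and reading monitor_stats before flipping it to ON is the point of the "Monitor will generate statistics but not impact user access" note: it shows how many sign-ins would have been blocked or prompted before anyone is affected.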

Demo

Conditional access to apps connected to Azure AD

Owner: uday; Presenter: sam

Secure on-premises resources

Azure AD Proxy - SSO from the cloud

Single Sign-on experience from Azure Active Directory to on-prem applications

Same conditional access policies available to other SaaS applications using Azure AD

Connectors use the AAD token data to impersonate the end user to the backend applications using Kerberos Constrained Delegation (KCD)

Supports any application that uses Integrated Windows Authentication (IWA), such as SharePoint, Outlook Web Access and CRM.

No need to change the application, install agents on the application or expose it directly to the Internet

[Diagram: Azure Active Directory → Application Proxy → Connectors in the DMZ → Resources on the corporate network. AAD Token: UPN=joe@contoso.com → Kerberos Ticket: joe@contoso.com]

AD FS and Hybrid Conditional Access

[Diagram: Active Directory; AD FS 2012 R2 or higher with Device AuthN, MFA adapter and conditional access policy (claim rules); Intune reports device MDM compliance; the device enrolls in Intune and registers in Azure AD; Azure AD registered devices are written back to Active Directory]

Device based conditional access on premises

[Diagram: Active Directory; AD FS 2012 R2 or higher with Device AuthN, MFA adapter and conditional access policy (claim rules). Flow: inspect device certificate → check device object → prompt MFA if device not registered (MFA required for unregistered device) → permit application access]

• Enable access only from devices that are managed and/or compliant as reported by Intune
• Support for down-level managed PCs: auto-Workplace Join for Win7/Win8.1 domain-joined PCs, which will now be marked with the DJ flag and marked as ‘managed’
• Revocation of access & SSO when device attributes change: user prompted for fresh credentials
• Support Web Application Pre-authentication for EAS with both username/password & device credential

Device Conditional Access

Demo – Secure access using ADFS

Owner: Sam; Presenter: sam

VPN & Wi-Fi Management

Support for major SSL VPN vendors:
• Cisco
• Juniper
• Checkpoint
• SonicWall
• F5
• Custom VPN payloads

Support for native VPN standards:
• PPTP
• L2TP
• IKEv2

Automatic VPN connection:
• App-triggered VPN: Windows 8.1 and Windows Phone 8.1
• Per-app VPN for iOS

Support multiple Wi-Fi authentication types:
• WEP
• WPA/WPA2 Personal
• WPA/WPA2 Enterprise

Specify certificate to be used for Wi-Fi connection

Certificate management lifecycle with Intune

Deployment

Usage with Resource Access profiles

Renewal

Revocation

Certificate Deployment – SCEP approach

[Diagram: Intune ↔ SCEP Server (NDES) + Intune Connector ↔ CA; device enrolls against NDES]

1. Deploy SCEP certificate profile. Intune generates a challenge string.
2. Device gets the SCEP profile that contains the URI for NDES. Device contacts NDES and presents the challenge.
3. NDES forwards the request to the NDES Connector policy module, which validates it.
4. If valid, NDES passes on the request to issue the cert “on behalf”.
5. Cert is delivered to the device and the event is reported back to Intune.
6. NDES Connector reports the event back to Intune.
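The security of the SCEP flow above rests on step 3: the policy module must only let NDES ask the CA for a certificate when the presented challenge is the one Intune issued for that device and profile. The simulation below is an added example written for this page, not Intune's or NDES's code; it assumes (the slide does not say) that the challenge is random, single-use, time-limited and bound to the device and profile it was issued for, and the NDES URI, the CA and the CHALLENGE_TTL_SECONDS value are stand-ins.

```python
"""SCEP challenge issuance and validation, modelled on steps 1-5 above.

Added example, not Microsoft's Intune/NDES code. Assumed (not stated in the
deck): the challenge is random, single-use, time-limited, and bound to the
device and profile it was issued for. The CA and NDES URI are stand-ins."""
import secrets
from dataclasses import dataclass

CHALLENGE_TTL_SECONDS = 3600                              # assumed lifetime
NDES_URI = "https://ndes.example.invalid/certsrv/mscep"   # placeholder URI


@dataclass
class Challenge:
    device_id: str
    profile_id: str
    issued_at: float
    used: bool = False


class IntuneService:
    """Stand-in for the cloud side: issues challenges (step 1) and, acting as
    the NDES Connector policy module, validates them (step 3)."""

    def __init__(self):
        self._challenges = {}

    def deploy_profile(self, device_id, profile_id, now):
        # Step 1: the SCEP profile pushed to the device carries the NDES URI
        # and a fresh, unguessable challenge string.
        token = secrets.token_urlsafe(32)
        self._challenges[token] = Challenge(device_id, profile_id, now)
        return {"ndes_uri": NDES_URI, "challenge": token}

    def validate(self, token, device_id, profile_id, now):
        # Step 3: decide whether NDES may ask the CA to issue.
        ch = self._challenges.get(token)
        if ch is None:
            return False, "unknown challenge"
        if ch.used:
            return False, "challenge already used"          # replayed request
        if now - ch.issued_at > CHALLENGE_TTL_SECONDS:
            return False, "challenge expired"
        if (ch.device_id, ch.profile_id) != (device_id, profile_id):
            return False, "challenge bound to a different device/profile"
        ch.used = True                                       # burn it on success
        return True, "ok"


def fake_ca_issue(device_id):
    # Stand-in for the CA (step 4): returns a minimal certificate record.
    return {"subject": device_id, "serial": secrets.token_hex(8)}


def ndes_enroll(intune, ca_issue, device_id, profile_id, token, now):
    """Steps 2-5 from NDES's point of view: the device presents the challenge,
    the policy module validates it, and only then is a cert issued on behalf."""
    ok, reason = intune.validate(token, device_id, profile_id, now)
    if not ok:
        return None, reason
    return ca_issue(device_id), "issued"


if __name__ == "__main__":
    svc = IntuneService()
    prof = svc.deploy_profile("dev-123", "wifi-profile", now=0.0)
    print(ndes_enroll(svc, fake_ca_issue, "dev-123", "wifi-profile", prof["challenge"], 60.0))
    print(ndes_enroll(svc, fake_ca_issue, "dev-123", "wifi-profile", prof["challenge"], 120.0))
```

The second call in the usage block fails with "challenge already used": once a challenge has produced a certificate it must not produce another, otherwise anyone who captured the profile payload could obtain a second certificate for the same identity.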

Certificate Deployment – PFX approach

[Diagram: Intune ↔ Intune Connector ↔ CA; PFX delivered to the device]

1. Intune cloud service contacts the on-premises Certificate connector.
2. Intune connector requests a certificate on behalf of the user.
3. CA issues the certificate and private key.
4. Connector sends it up to the Intune service.
5. PFX (cert + private key) is delivered to the device and the event is reported back to Intune.

Secure Email in On-Prem Exchange

[Diagram: EAS client; on-prem Exchange Server 2010/2013 with quarantine; Intune; Azure AD DRS (device object: device id, isManaged, MDMStatus, EASIDs); Unified Enrollment with Step 1: Enroll device (Workplace Join + management) and Step 2: Register EAS client; block non-managed devices]

1. EAS client attempts email connection
2. If not managed, push device into quarantine
3. Quarantine email
4. Register device in Azure AD
5. Enroll into Intune
6. Set device management/compliance status
7. Register EAS email client
8. Create EASID to device ID binding
9. Allow managed device
10. If managed, email access is granted

Who does what?
• Intune: Evaluate policy, manage device state and mark device record in AAD
• Exchange Server: Provides API and infrastructure for quarantine

Road Ahead

• Desktop conditional access: restrict Outlook 2013/OneDrive PC apps to sync only from domain-joined PCs or intranet locations
• Browser access to O365 services: restrict OWA/SP access to only Intune managed/compliant mobile devices or domain-joined PCs
• Mac support: restrict Outlook on Mac to sync only from Intune managed and compliant devices
• Windows 10 management: enhanced access control and data protection

Road ahead

Win10 – Conditional access enhancements
• Windows Device Health Attestation service
• Unified enrollment experience: auto enroll with Intune & Azure AD
• New compliance rules: Is device patched? Is firewall enabled? Is antivirus & real-time protection enabled?

Refer to the session at Microsoft Ignite, “Securing Access to Microsoft Exchange and SharePoint Online services with Microsoft Intune”, by Dilip Radhakrishnan & Chris Green

[Diagram: device ↔ Intune, AAD & Windows Attestation Service ↔ company resources (documents, email). 1: Access please; 2: Prove to me you are healthy; 3: Request; 4: Company resources; 5: Here is my proof; Approved]

Win10 – Enterprise Data Protection

“Enterprise data protection”
• User-friendly work/personal separation
• Manage what data is “Enterprise”
• Audit intentional data disclosure

[Diagram: Business Apps & Data (managed, for business) | Personal Apps & Data (unmanaged, personal); data exchange is blocked or audited]

EDP Policy in Intune

Windows 10 - Better VPN management
• Auto connect VPN
• VPN traffic filters: application-based filters
• Unified platform VPN: open to 3rd-party plug-ins

Conclusion

Security and Access control: Architecture matters

• Always up to date

• Continuous feature upgrades

• Always available and reachable

• Easy to adopt and deploy

• Easy to try and buy

• Designed to work together

• Built from the ground up: Datacenter, Fabric, SaaS

• Built using world class engineering & security

• Compliant and certified

• Financially backed Service Level Agreements

• Intune: Device & App Management
• Office 365: Productivity
• Azure AD: Identity and Access

Microsoft’s Differentiators

• Cloud-hosted corporate data protection (Azure AD)
• Integrated cloud services: best end-user experience for mobile productivity
• World-class engineering and security with a single support system and 3rd-party ecosystem
• Complete solution for application and device management, access, identity, productivity, and data protection

Visit Myignite at http://myignite.microsoft.com or download and use the Ignite Mobile App with the QR code above.

Please evaluate this session. Your feedback is important to us!

© 2015 Microsoft Corporation. All rights reserved.
