How Azure AD secures Office 365 - Advania


Posted on 09-Jun-2020


HOW AZURE AD SECURES OFFICE 365

Andreas Kjellman, Chief Technical Architect
[email protected]

AGENDA

■ Overview

■ Secure the front door, but allow mobility

■ Avoid user errors and unintentional leaks

■ Detect attacks and limit damage

Note: Additional licenses (EMS E3/E5 or Azure AD Premium P1/P2) might be required

OVERVIEW

HOW AZURE AD IS RELATED TO OFFICE 365

Diagram: on-premises Windows Server Active Directory (and other directories) connect to Microsoft Azure Active Directory over a simple connection; Azure AD then provides single sign-on and self-service for Office 365, Azure, other SaaS and public cloud.

■ Microsoft’s identity solution for the cloud

■ Started as a directory for Office 365, but has grown

■ If you use Office 365, then you also use Azure AD

AZURE AD IN NUMBERS

■ >85% of Fortune 500 use the Microsoft cloud (Azure, O365, Dynamics, PowerBI)

■ >1.3 billion daily sign-ins to Azure AD

■ >10 M Azure AD "tenants"

■ More than 750 M user accounts in Azure AD

WHERE IS THE CONTROL?

■ On-premises: perimeter protection

■ Managed mobile environment: identity and device-management protection

■ Unregulated, unknown: outside your control

Hybrid data = new normal. It is harder to protect.

THE CURRENT REALITY

Identity is the key to the cloud

SECURE THE FRONT DOOR, BUT ALLOW MOBILITY

■ Conditional Access
▸ Restrict how a user can access cloud resources

■ Identity Protection
▸ Identify identities with a high risk
▸ Make the sign-in stronger for high-risk users and sessions

■ Application Proxy
▸ Replaces UAG/TMG
▸ Access on-premises resources from any device, anywhere

TECHNOLOGIES (Secure the front door, but allow mobility)

Limit access based on:

■ User attributes
▸ Group memberships

■ The device
▸ Domain-joined, compliant, OS

■ Application
▸ Client type (web, mobile, app)

■ Location
▸ IP (such as an on-premises trusted network)

■ Risk
▸ Session risk, user risk

CONDITIONAL ACCESS (Secure the front door, but allow mobility)

Take an action:

■ Allow

■ MFA

■ Block

■ Gain insights from a consolidated view of machine learning based threat detection

■ Remediation recommendations

■ Risk severity calculation

■ Risk-based conditional access automatically protects against suspicious logins and compromised credentials
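How the conditions (user, device, application, location, risk) and actions (allow, MFA, block) listed above combine, including the risk-based policies Identity Protection feeds into Conditional Access, as an added example. This is not code from the deck or from Azure AD: Azure AD's real evaluation logic is not shown on the page, and the policy names, group names, documentation IP ranges and sample sign-ins below are assumptions chosen for illustration. It keeps the two rules a practitioner relies on: every policy whose conditions all match applies, and the strictest control among the matched policies wins (block over MFA over allow).

```python
"""Added example, not code from the Advania deck or from Azure AD itself: a
small policy engine that combines the signals the deck lists (user, device,
app, location, risk) into one of the three actions (allow, MFA, block).
Policy names, groups and IP ranges are assumptions chosen for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

RISK_LEVEL = {"none": 0, "low": 1, "medium": 2, "high": 3}
# Constructed "on-premises trusted network" (documentation range, not a real one).
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24")]


@dataclass(frozen=True)
class SignIn:
    user: str
    groups: frozenset
    app: str
    client: str                 # "browser", "mobile" or "legacy" (basic auth)
    ip: str
    device_compliant: bool = False
    sign_in_risk: str = "none"  # Identity Protection session risk
    user_risk: str = "none"     # Identity Protection user risk


@dataclass(frozen=True)
class Policy:
    name: str
    control: str                              # "allow", "mfa" or "block"
    apps: frozenset = frozenset()             # empty = all cloud apps
    groups: frozenset = frozenset()           # empty = all users
    exclude_groups: frozenset = frozenset()   # e.g. break-glass accounts
    clients: frozenset = frozenset()          # empty = all client types
    exclude_trusted_ips: bool = False         # skip sign-ins from TRUSTED_NETWORKS
    only_noncompliant: bool = False           # apply only to unmanaged devices
    min_sign_in_risk: str = "none"            # "none" = risk not evaluated
    min_user_risk: str = "none"


def is_trusted_ip(ip):
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def policy_applies(p, s):
    """All configured conditions must match for a policy to apply."""
    if p.apps and s.app not in p.apps:
        return False
    if p.groups and not (s.groups & p.groups):
        return False
    if s.groups & p.exclude_groups:
        return False
    if p.clients and s.client not in p.clients:
        return False
    if p.exclude_trusted_ips and is_trusted_ip(s.ip):
        return False
    if p.only_noncompliant and s.device_compliant:
        return False
    if p.min_sign_in_risk != "none" and RISK_LEVEL[s.sign_in_risk] < RISK_LEVEL[p.min_sign_in_risk]:
        return False
    if p.min_user_risk != "none" and RISK_LEVEL[s.user_risk] < RISK_LEVEL[p.min_user_risk]:
        return False
    return True


def evaluate(policies, s):
    """Return (decision, names of matching policies); the strictest control wins."""
    matched = [p for p in policies if policy_applies(p, s)]
    controls = {p.control for p in matched}
    decision = "block" if "block" in controls else "mfa" if "mfa" in controls else "allow"
    return decision, [p.name for p in matched]


POLICIES = [
    Policy("Block legacy authentication", "block", clients=frozenset({"legacy"})),
    Policy("Require MFA outside the corporate network", "mfa", exclude_trusted_ips=True),
    Policy("Require MFA for admin roles", "mfa", groups=frozenset({"Global Admins"})),
    Policy("Require MFA at medium sign-in risk", "mfa", min_sign_in_risk="medium"),
    Policy("Block high sign-in risk", "block", min_sign_in_risk="high"),
    Policy("Block unmanaged devices for Exchange Online", "block",
           apps=frozenset({"Exchange Online"}), only_noncompliant=True,
           exclude_groups=frozenset({"Break-glass"})),
]

# Constructed sign-ins (documentation IP ranges; user and group names are placeholders).
SALES = frozenset({"Sales"})
SAMPLE_SIGNINS = {
    "alice on-prem": SignIn("alice", SALES, "SharePoint Online", "browser", "203.0.113.10", True),
    "alice from home": SignIn("alice", SALES, "SharePoint Online", "browser", "198.51.100.7", True),
    "bob legacy mail": SignIn("bob", SALES, "Exchange Online", "legacy", "203.0.113.20", True),
    "carol admin risky": SignIn("carol", frozenset({"Global Admins"}), "Azure portal", "browser",
                                "203.0.113.5", True, sign_in_risk="medium"),
    "dave unmanaged phone": SignIn("dave", SALES, "Exchange Online", "mobile", "198.51.100.9", False),
    "eve high risk": SignIn("eve", SALES, "SharePoint Online", "browser", "198.51.100.50", True,
                            sign_in_risk="high"),
    "frank break-glass": SignIn("frank", frozenset({"Break-glass"}), "Exchange Online", "mobile",
                                "198.51.100.9", False),
}

if __name__ == "__main__":
    for label, s in SAMPLE_SIGNINS.items():
        print(f"{label:22} -> {evaluate(POLICIES, s)}")
```

The "frank break-glass" case is the one to keep in mind when writing real policies: an exclusion on the blocking policy is what keeps an emergency account usable, but the off-network MFA policy still applies to it, so that account needs a registered MFA method or it locks itself out.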

AZURE AD IDENTITY PROTECTION

Diagram: signals (leaked credentials, infected devices, configuration vulnerabilities, brute-force attacks, suspicious sign-in activities) feed a machine-learning engine that drives risk-based policies: MFA challenge for risky logins, block attacks, change bad credentials.

Secure the front door, but allow mobility

■ Access on-premises apps from the Internet

■ No inbound firewall openings (the connectors only make outbound connections)

■ Works with all devices using HTTP/HTTPS

■ Replaces UAG/TMG (and VPN for some scenarios)

AZURE ACTIVE DIRECTORY APPLICATION PROXY (Secure the front door, but allow mobility)

AZURE ACTIVE DIRECTORY APPLICATION PROXY

Diagram: the user reaches a published app at an external URL such as https://appX-contoso.msappproxy.net/; the Application Proxy service in Microsoft Azure Active Directory hands the request to connectors running in the DMZ or in Azure / 3rd-party IaaS, and the connectors reach the internal apps.

Secure the front door, but allow mobility

AVOID USER ERRORS AND UNINTENTIONAL LEAKS

■ Single Sign-On
▸ On-premises with Azure AD/Office 365
▸ Azure AD with other SaaS apps

■ Azure Information Protection
▸ Classify and protect information

■ Work with partners in a secure way using B2B

TECHNOLOGIES (Avoid user errors and unintentional leaks)

SSO: PROTECT THE USERS FROM THEMSELVES (Avoid user errors and unintentional leaks)

■ Password hash sync, optionally with integrated Windows Authentication (seamless single sign-on, preview)

■ Pass-through authentication (preview)

■ Federation (AD FS)

SSO: ON-PREM TO AZURE AD (Avoid user errors and unintentional leaks)

Diagram: on-premises Active Directory synchronised to Microsoft Azure Active Directory by Azure AD Connect

■ SSO to 2800+ pre-integrated SaaS apps

■ Store shared account credentials in Azure AD (password-based SSO)

SSO: TO ANY SAAS APP (Avoid user errors and unintentional leaks)

AZURE INFORMATION PROTECTION

■ Classify & Label: classification, labeling

■ Protect: encryption, access control, policy enforcement

■ Monitor & Respond: document tracking, document revocation

Avoid user errors and unintentional leaks

Share without duplicating user accounts

WORK WITH PARTNERS SECURELY (Avoid user errors and unintentional leaks)

■ Partners sign in with their own identity (e.g. a Microsoft Account)

■ You manage all permissions

■ Works for all organization sizes

DETECT ATTACKS AND LIMIT DAMAGE

■ Security reports

■ Privileged access management

TECHNOLOGIES (Detect attacks and limit damage)

SECURITY REPORTS (Detect attacks and limit damage)
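Two of the detections behind the security reports, brute-force / password-spray sign-in failures and suspicious sign-in activity in the form of impossible travel, run over sample sign-in records, as an added example. This is not code from the deck or from Azure AD Identity Protection; the record shape is a simplified, constructed version of the Azure AD sign-in log (UPN, IP, timestamp, error code, coordinates), the events are made up, and the thresholds (five failures in ten minutes, 900 km/h) are assumptions a SOC would tune.

```python
"""Added example, not part of the Advania deck or of any Microsoft tool: two
detections a SOC would run over Azure AD sign-in data, matching the signals
the Identity Protection slide lists (brute-force attacks, suspicious sign-ins).
Record shape is a simplified, constructed version of the sign-in log."""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

AADSTS_BAD_PASSWORD = 50126   # Azure AD "invalid username or password"; 0 = success
EARTH_RADIUS_KM = 6371.0


def _t(s):
    return datetime.fromisoformat(s)


def _ev(upn, ip, when, code, lat, lon):
    return {"userPrincipalName": upn, "ipAddress": ip, "createdDateTime": when,
            "errorCode": code, "latitude": lat, "longitude": lon}


STOCKHOLM, GOTHENBURG, SINGAPORE = (59.33, 18.07), (57.71, 11.97), (1.35, 103.82)
USERS = ["alice", "bob", "carol", "dave", "eve"]

# Constructed sample events (documentation IP ranges, placeholder domain):
# one password spray from 198.51.100.23, then successful sign-ins, one of
# which moves Stockholm -> Singapore in an hour.
SAMPLE_EVENTS = [
    _ev(f"{u}@contoso.com", "198.51.100.23", f"2020-06-09T09:00:{i * 10:02d}+00:00",
        AADSTS_BAD_PASSWORD, *STOCKHOLM)
    for i, u in enumerate(USERS)
] + [
    _ev("alice@contoso.com", "203.0.113.10", "2020-06-09T09:10:00+00:00", 0, *STOCKHOLM),
    _ev("alice@contoso.com", "192.0.2.44", "2020-06-09T10:10:00+00:00", 0, *SINGAPORE),
    _ev("bob@contoso.com", "203.0.113.11", "2020-06-09T09:15:00+00:00", 0, *STOCKHOLM),
    _ev("bob@contoso.com", "198.51.100.80", "2020-06-09T12:15:00+00:00", 0, *GOTHENBURG),
]


def detect_failed_auth(events, window_minutes=10, threshold=5):
    """Flag a source IP with >= threshold bad-password failures inside a sliding
    window. Many distinct users from one IP = password spray; one user = brute force."""
    by_ip = defaultdict(list)
    for e in events:
        if e["errorCode"] == AADSTS_BAD_PASSWORD:
            by_ip[e["ipAddress"]].append((_t(e["createdDateTime"]), e["userPrincipalName"]))
    alerts = []
    for ip, fails in by_ip.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while (fails[end][0] - fails[start][0]).total_seconds() > window_minutes * 60:
                start += 1
            if end - start + 1 >= threshold:
                users = sorted({u for _, u in fails[start:end + 1]})
                alerts.append({"type": "password_spray" if len(users) >= 3 else "brute_force",
                               "ip": ip, "failures": end - start + 1, "users": users})
                break   # one alert per source IP is enough here
    return alerts


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def detect_impossible_travel(events, max_kmh=900):
    """Consecutive successful sign-ins by one user farther apart than a plane
    could carry them in the elapsed time."""
    by_user = defaultdict(list)
    for e in events:
        if e["errorCode"] == 0:
            by_user[e["userPrincipalName"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: _t(e["createdDateTime"]))
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km((prev["latitude"], prev["longitude"]),
                              (cur["latitude"], cur["longitude"]))
            hours = (_t(cur["createdDateTime"]) - _t(prev["createdDateTime"])).total_seconds() / 3600
            # ignore same-city IP changes; clamp the interval so back-to-back
            # sign-ins do not divide by zero
            if km > 50 and km / max(hours, 1 / 60) > max_kmh:
                alerts.append({"type": "impossible_travel", "user": user, "km": round(km),
                               "hours": round(hours, 2),
                               "from_ip": prev["ipAddress"], "to_ip": cur["ipAddress"]})
    return alerts


def detect(events):
    return detect_failed_auth(events) + detect_impossible_travel(events)


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The spray detector keys on the source IP rather than the user because a spray keeps per-user failures below lockout thresholds by design; the impossible-travel check uses geo-coordinates only, so VPN egress and mobile carrier NAT will produce false positives that a real deployment suppresses with a known-location list.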

■ Users activate their roles when needed

■ MFA for privileged roles

■ Users have permissions for a limited time

■ Security admins can see all requests and review permissions

■ Also available on-premises with MIM 2016

PRIVILEGED ACCESS MANAGEMENT (Detect attacks and limit damage)

Azure AD contains everything you need to secure Office 365

THANK YOU!

Andreas Kjellman, Chief Technical Architect
[email protected]