What’s new with Azure Active Directory from Ignite 2017
In the run-up to Ignite 2017, Microsoft turned on a number of new capabilities in Azure Active Directory. Here is a recap of what was announced.
The next wave of conditional access is now
In June Microsoft introduced the general availability of the new conditional access admin experience in the Azure portal. This new experience makes it easy to manage policies that bring together services across EMS, including Azure Active Directory and Microsoft Intune. Conditional access also takes advantage of the Microsoft Intelligent Security Graph, which scans billions of signals to determine user risk levels.
Microsoft is now bringing to life a new wave of scenarios that expand those conditional access capabilities, including integration with EMS’ Azure Information Protection and Microsoft Cloud App Security services. The new features fall into three broad categories:
- Devices and apps
- Session control and information protection
- New conditions and custom controls
Check out the highlights from each feature category that Microsoft previewed at Ignite.
Devices and apps
Microsoft recently announced device-based conditional access support for macOS, and is now introducing new application-based conditional access capabilities. With this new level of control you can restrict access to services so that only client applications that support Intune app protection policies can use them. And you can combine app-based conditional access policies with device-based policies to protect data on both personal and corporate devices.
Additionally, conditional access policies can now protect VPN connectivity from Windows 10 devices: users with Windows 10 devices connect automatically to your VPN only if their device is compliant with device policies.
One more exciting feature being introduced is the ability to manage device identities in the Azure portal. With this new feature, you can manage device attributes, retrieve BitLocker keys for devices, see device authentication-related audit logs, and find support resources related to devices, all in the Azure portal.
Improved Session control and information protection
The EMS team has also been making some incredible headway improving session control and data protection.
Session controls allow you to limit what a user can do within a session rather than simply allowing or denying access. Microsoft already had support for SharePoint restricted mode, one of its session control technologies, in public preview. At Ignite, Microsoft announced that it is expanding the session controls in Azure AD Conditional Access to integrate with Microsoft Cloud App Security.
Microsoft Cloud App Security performs real-time monitoring and helps IT gain control over both authorized and unauthorized cloud application usage. This capability is currently in private preview. It will be available in public preview soon and will give you the ability to limit and control the actions your users take in SaaS applications using conditional access policy. For example, you will be able to let users access SaaS apps from an unfamiliar location or unmanaged device, but prevent them from downloading sensitive documents.
New conditional access integration with Azure Information Protection (currently in public preview) allows you to apply access policies to protected files. You can now set a policy that prompts a user to complete an MFA challenge before accessing a protected document. You can even have the policy serve up an MFA challenge only when users are off the corporate network or are flagged as an elevated risk by Identity Protection.
New Conditions & Custom Controls
Microsoft just recently turned on the public preview of country/region-defined IP range conditions. These new conditions make it easy to block access from specific countries and regions based on automatic IP address checks.
Last but not least, they have integrated two-step authentication solutions from Duo, RSA, and Trusona. So, if you’re using one of these providers to support two-step authentication, you can easily use them within the Azure AD conditional access engine.
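The conditional access features above all follow one decision model: every condition configured on a policy must match a sign-in (conditions are ANDed), every matching policy contributes its grant and session controls, and a block always wins. The following is an added example written for this recap, not Microsoft's own code or the Azure AD API; it models that evaluation in plain Python so the interaction between country-based IP conditions, app-based and device-based requirements, risk-triggered MFA and Cloud App Security-style session controls can be seen on constructed sign-ins. The `Policy` and `SignIn` fields, the policy names and the IP-to-country table (built from RFC 5737 documentation ranges) are all assumptions made for illustration.

```python
"""Constructed model of conditional access policy evaluation (illustrative only)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed IP-range -> country table using RFC 5737 documentation ranges.
# "XX" stands in for a country an admin has chosen to block.
COUNTRY_RANGES = [("203.0.113.0/24", "XX"), ("198.51.100.0/24", "US")]
RISK_ORDER = ["none", "low", "medium", "high"]


def country_for_ip(ip: str) -> str:
    """Map a sign-in IP to a country code via the constructed table."""
    addr = ipaddress.ip_address(ip)
    for cidr, country in COUNTRY_RANGES:
        if addr in ipaddress.ip_network(cidr):
            return country
    return "UNKNOWN"


@dataclass
class SignIn:
    user: str
    app: str
    ip: str
    device_compliant: bool                 # device-based signal (Intune compliance)
    client_supports_app_protection: bool   # app-based signal (Intune app protection)
    user_risk: str = "none"                # Identity Protection risk level
    on_corp_network: bool = False


@dataclass
class Policy:
    name: str
    apps: set                                   # {"*"} means all cloud apps
    blocked_countries: set = field(default_factory=set)
    min_user_risk: Optional[str] = None          # applies when risk >= this level
    off_network_only: bool = False
    unmanaged_only: bool = False
    grant: set = field(default_factory=set)      # block | mfa | compliant_device | approved_client_app
    session: set = field(default_factory=set)    # e.g. block_download


def policy_applies(policy: Policy, s: SignIn) -> bool:
    """All configured conditions must hold; OR-logic needs separate policies."""
    if "*" not in policy.apps and s.app not in policy.apps:
        return False
    if policy.blocked_countries and country_for_ip(s.ip) not in policy.blocked_countries:
        return False
    if policy.min_user_risk and RISK_ORDER.index(s.user_risk) < RISK_ORDER.index(policy.min_user_risk):
        return False
    if policy.off_network_only and s.on_corp_network:
        return False
    if policy.unmanaged_only and s.device_compliant:
        return False
    return True


def evaluate(policies, s: SignIn):
    """Return (decision, session_controls). Block wins over every other control."""
    required, session = set(), set()
    for p in policies:
        if policy_applies(p, s):
            required |= p.grant
            session |= p.session
    if "block" in required:
        return "block", frozenset()
    # Device and app requirements are satisfied by the sign-in's signals or not at all.
    if "compliant_device" in required and not s.device_compliant:
        return "block", frozenset()
    if "approved_client_app" in required and not s.client_supports_app_protection:
        return "block", frozenset()
    if "mfa" in required:  # interactive control still outstanding
        return "mfa_required", frozenset(session)
    return "allow", frozenset(session)


# Constructed policies mirroring the scenarios described in the recap.
POLICIES = [
    Policy("Block sign-ins from blocked regions", {"*"}, blocked_countries={"XX"}, grant={"block"}),
    Policy("Require app protection for Exchange", {"Exchange Online"}, grant={"approved_client_app"}),
    Policy("MFA for protected docs when at risk", {"Azure Information Protection"},
           min_user_risk="medium", grant={"mfa"}),
    Policy("MFA for protected docs off network", {"Azure Information Protection"},
           off_network_only=True, grant={"mfa"}),
    Policy("Limit sessions on unmanaged devices", {"*"}, unmanaged_only=True, session={"block_download"}),
]


def demo():
    """Evaluate four constructed sign-ins and return the decision for each user."""
    signins = [
        SignIn("alice", "SharePoint Online", "203.0.113.5", True, True),
        SignIn("bob", "Exchange Online", "198.51.100.7", False, False),
        SignIn("carol", "Azure Information Protection", "198.51.100.8", True, True, "high", True),
        SignIn("dave", "SharePoint Online", "198.51.100.9", False, True),
    ]
    return {s.user: evaluate(POLICIES, s) for s in signins}


if __name__ == "__main__":
    for user, result in demo().items():
        print(f"{user}: {result}")
```

Note how the "off the corporate network or flagged as elevated risk" scenario is expressed as two policies rather than one: the conditions inside a single policy are ANDed, so OR-style triggers are split into separate policies that each grant the same control. The unmanaged-device sign-in (`dave`) is allowed but carries a `block_download` session control, which is the Cloud App Security pattern the recap describes, while `bob` is blocked because his client does not support app protection policies.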
Microsoft is continuing to enable customers’ journey to the cloud
After hearing from numerous customers how important it is that their users’ passwords stay firmly within internal boundaries, Microsoft developed pass-through authentication. This authentication method allows you to use Azure AD for single sign-on without compromising your security requirements.
Pass-through authentication is now generally available.
Pass-through authentication is one of the Azure Active Directory sign-in options (alongside password hash sync and federation). It is most appropriate for organizations that can’t or don’t want to permit users’ passwords, even in hashed form, to leave their internal boundaries. Pass-through authentication allows users to sign in to both on-premises and cloud applications using the same passwords, and works by securely validating users’ passwords directly against on-premises Active Directory using a lightweight on-premises agent.
To guarantee a smooth user experience, Microsoft is also extending seamless single sign-on to pass-through authentication and password hash sync. Hybrid customers will only need to sign into their device once. They will not be prompted again for another login, regardless of which authentication method they use, to access Azure AD-integrated applications on their AD-joined devices within their corporate network.
Casting a light on shadow IT
More than 80 percent of employees admit to using non-approved SaaS applications for work, and discovering which apps they’re using is the first step to managing shadow IT. To that end, Microsoft is upgrading the Cloud App Discovery tool to an enhanced experience powered by Microsoft Cloud App Security.
With this upgrade, IT admins can now discover more than 15,000 apps without needing on-premises agents to do so. They can also receive detailed on-going risk analysis and alerts for new apps in use, get inbound and outbound traffic information, and uncover the top users of discovered apps – all important pieces in gaining a greater understanding of cloud app usage across an organization.
More Governance and Compliance options for Azure AD customers
In addition to SailPoint, Microsoft is expanding its partnerships in advanced governance with the integration of Omada and Saviynt, two leaders in identity governance. You can now seamlessly integrate their solutions with Azure Active Directory Premium, which gives you rich governance capabilities such as access requests, policy-based workflows and approvals, enhanced auditing and reporting, and fine-grained lifecycle provisioning. If you’re looking for a governance solution for Azure Active Directory, you can’t go wrong with any of these partner solutions.
Azure Active Directory is also adding more granular control functionality so enterprises can determine ‘who has access to what’ across their hybrid deployments and cloud services. These new features, currently in public preview, enable customers to:
- ask group owners or group members to attest to their need for continued group membership, by starting an access review of that group.
- ask users with access to an enterprise application, or others in the organization, to recertify their need for continued application access.
The Azure AD access review experience is now more user-friendly: it surfaces access highlights, including whether the user being reviewed has signed in to the application recently.
Azure AD Privileged Identity Management (PIM) is also being extended to manage Azure subscriptions and resources, further governing who can manage resources in Azure. The new Azure AD PIM preview includes ‘just in time’ and time-limited membership of Azure RBAC roles alongside its existing controls of Azure AD and Microsoft Online Services roles.