Recently, we have heard a lot of buzz from our customers around conditional access questions and requirements. We understand that securing access to company resources is vital to every organization. With the explosion of available cloud services and mobile devices, the way in which users access company resources has certainly changed. This requires a new approach to security.
Microsoft is investing in their conditional access platform framework and now has a few different solutions available through Azure Active Directory, Intune, and SCCM.
Azure Active Directory (AD) – Conditional access control capabilities in Azure Active Directory offers simple ways for companies to secure resources in the cloud and on-premises. Conditional access policies can be used to help protect against the risk of stolen and phished credentials, by requiring multi-factor authentication, as well as helping to keep company data safe, by requiring an Intune-managed device granting access to sensitive services. Azure Active Directory Conditional Access is a feature of Azure AD Premium. All users who access an application with conditional access policy applied must have an Azure AD Premium license.
Conditional Access with Azure AD Licensing Requirements
Azure Active Directory Conditional access is a feature of Azure AD Premium. All users who access an application with conditional access policy applied must have an Azure AD Premium license. Azure AD Premium may be purchased stand-alone or a part of the bundled Enterprise Mobility and Security Suite (formally EMS). Contact your local Connection representative for a quote or more information.
Intune – Intune allows you to restrict access to your company email and other Office 365 services with conditional access. Intune’s conditional access capabilities allow you to secure access to your company’s email and other Office 365 services by restricting access to devices that are compliant with the rules that you have configured.
Compliance policies can be configured within Intune to evaluate the compliance of the device based on your organization’s unique needs while conditional access policies restrict or allow access to a specific service. When a conditional access policy is used in combination with a compliance policy, an even stronger security posture can be created for users. In this scenario, only compliant devices will be allowed to access the services that have Conditional Access policies in place.
Conditional Access with Intune Licensing Requirements
Microsoft Intune may be purchased stand-alone or as part of the bundled Enterprise Mobility + Security Suite (formally EMS). Contact your local Connection representative for a quote or more information.
Popular Use Cases for Conditional Access
Use conditional access to manage access to the following services:
- Microsoft Exchange On-premises
- Microsoft Exchange Online
- Exchange Online Dedicated
- SharePoint Online
- Skype for Business Online
- Dynamics CRM Online
Using bundled Microsoft technology to enforce conditional access is also possible. Example: System Center Configuration Manager with Intune, Azure AD, and Exchange Online.
System Center Configuration Manager (SCCM) may be used in conjunction with Exchange Online and Microsoft Intune to create a conditional access scenario. This allows you to manage email access and protect email data on mobile devices that are BYOD or company-owned.
To get started with this scenario you will need to:
- Create the compliance policies that define the rules and settings that a device must comply with in order to be considered compliant by conditional access polices.
- Begin enforcing conditional access.
- Optionally, configure the Exchange Server connector for Exchange Online This connector is required for reporting purposes only. It is not required to enable conditional access.
In this scenario, different Microsoft technologies all play a role in the conditional access policy and execution:
- Microsoft Intune: Manages compliance and conditional access policies that you configure for enrolled devices
- Microsoft Azure Active Directory: Authenticates users against your services and checks device compliance status
- Configuration Manager: Manages your users’ device enrollments and provides reporting
- Exchange Online: Enforces or denies access to company email based on the device’s compliance status
About Connection’s Microsoft Cloud Services
Connection, a Microsoft Cloud Productivity Gold Partner, offers a full portfolio of services around Microsoft’s Enterprise Mobility + Security Suite (EMS) to help your organization get up and running. Microsoft’s EMS helps keep your employees productive on their favorite apps and devices while keeping your company data protected. Contact an Account Manager for information on:
- Discovery Sessions (Demonstrations and Discussions)
- Deployment Planning Services (Microsoft Software Assurance Benefits – DPS)
- Planning Engagements
- Deployment Services
- Azure AD Premium
- Azure Information Protection (ARM)
- Advanced Threat Analytics