Welcome to another edition of the Partner Blog Series. If you’re not achieving the right balance of security and user productivity with your current Identity and Access Management (IAM) solution, I hope you’ll take a moment to read this post. We invited Ben Athawes, Head of Technology Architecture at Content and Code, to talk about why so many of his customers are switching to Azure Active Directory (Azure AD) Conditional Access. He also advises how to safely migrate your apps and users to Azure AD Conditional Access.
By Ben Athawes, Head of Technology Architecture, Content and Code (an IT Lab Group company)
Content and Code is a multi-award-winning Microsoft Gold Partner focused on Microsoft 365 consulting services. We’re based in London and have been helping customers to securely migrate applications to the cloud for over ten years.
Over the last few years, we’ve noticed a significant uptick in customers defaulting to Azure AD as their preferred authentication provider. This trend applies across industries as diverse as financial services, legal, construction, market research and retail. While many innovations within Azure AD have likely contributed to this trend, the most significant is almost certainly the introduction of Azure AD Conditional Access.
Having seen the balance of productivity and security that Conditional Access brings to Office 365 services, our customers are now integrating other apps with Azure AD. They’ve started to think about Azure AD Conditional Access as the “front door” for both on-premises and cloud apps.
In this post, I’ll share three ways in which Azure AD Conditional Access has incentivized our customers to integrate their apps with Azure AD. I’ll also provide high-level steps for safely migrating authentication for your own apps to Azure AD, protected by Conditional Access.
When Azure AD Conditional Access was first introduced, it was at a time when most of our customers automatically trusted devices connected to their corporate networks. Those devices were often exempt from controls such as Multi-Factor Authentication (MFA), with the goal of making the user experience as seamless as possible.
Lately, we’ve found that it’s less common for our customers to choose this “trusted within the network” access model. We think this is mainly because:
The “zero trust within the network” approach that many of our customers take, is an identity and device-based—as opposed to network perimeter-based—access model. Reliably establishing trust with identities and devices is much easier to achieve when using Azure AD Conditional Access, as opposed to traditional perimeter control solutions.
In addition to protecting cloud-based SaaS apps, Conditional Access controls can be applied to on-premises apps that have been integrated with Azure AD via the Application Proxy. This approach can provide a big step forward in terms of usability, as people benefit from a consistent sign-in experience across both cloud and on-premises apps.
Kier Group, a 20,000-strong construction firm, did just that with Azure AD, the Application Proxy and their on-premises intranet, hosted on Microsoft SharePoint Server 2013.
"Kier Group previously relied on a traditional on-premises reverse proxy solution for externally publishing our SharePoint Server environments, but this resulted in an inconsistent experience when navigating between Office 365 and SharePoint on-premises. Now that we’ve deployed the Azure AD App Proxy with pre-authentication and accompanying Conditional Access controls such as MFA, our employees have a consistent and secure experience across our SharePoint Server 2013 intranet and Office 365. We’ve deployed multiple connectors and connector groups to help ensure a high level of availability".
- Mark Bentley, Senior Technical Architect at Kier Group
In addition to the Azure AD App Proxy, Customers can also take advantage of their existing investments in network security solutions through a “secure hybrid access” approach for legacy apps. Through Microsoft’s new integrations with several vendors, customers can streamline and modernize access to apps that support legacy authentication, including Kerberos, NTLM, Remote Desktop Protocol (RDP), LDAP, SSH, and header-based and form-based authentication.
Security is a critical requirement, but you also must keep your users happy. That’s why Azure AD Conditional Access can be configured to allow limited browser-based access from untrusted devices to SharePoint Online and Exchange Online, while blocking actions such as download, print and sync. Pretty handy for folks that may wish to check their work email but don’t have a corporate device handy!
This approach can be extended to other Office 365 services and a rapidly growing list of third-party SaaS apps using Conditional Access App Control, a rich integration with Microsoft Cloud App Security (MCAS). MCAS is a leading Cloud Access Security Broker solution that provides a rich set of controls, including the ability to protect content upon download using Microsoft’s Azure Information Protection solution.
If I’ve convinced you that Conditional Access is the right solution for your company, the next step is to plan your migration to Azure AD! It’s important to take a methodical approach to safely migrate your apps. Here are the steps we recommend to our customers:
Microsoft provides their own documentation that describes some of the steps above in more detail.
I hope reading these success stories from our customers has inspired you to consider adopting Azure AD Conditional Access. If you are looking for more information, read about Azure AD Conditional Access or Microsoft Intune. You also may be interested in the Edgile’s advice for developing a risk management strategy for your app migrations.
The people and companies that belong to the Microsoft Partner Network work with large and small companies across various industries. This experience gives them unique insight into the primary challenges that security professionals confront today. The Partner Blog series is designed to socialize these security trends more broadly and provide insights and tips that you can act on today. Check back monthly for more advice from our partners on how to protect your identities or follow the series to be notified when the next blog is posted.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.