Welcome to another edition of the Partner Blog Series. If you’re not achieving the right balance of security and user productivity with your current Identity and Access Management (IAM) solution, I hope you’ll take a moment to read this post. We invited Ben Athawes, Head of Technology Architecture at Content and Code, to talk about why so many of his customers are switching to Azure Active Directory (Azure AD) Conditional Access. He also advises how to safely migrate your apps and users to Azure AD Conditional Access.
Why you should make Azure AD Conditional Access the front door to your on-premises and cloud apps
By Ben Athawes, Head of Technology Architecture, Content and Code (an IT Lab Group company)
Content and Code is a multi-award-winning Microsoft Gold Partner focused on Microsoft 365 consulting services. We’re based in London and have been helping customers to securely migrate applications to the cloud for over ten years.
Over the last few years, we’ve noticed a significant uptick in customers defaulting to Azure AD as their preferred authentication provider. This trend applies across industries as diverse as financial services, legal, construction, market research and retail. While many innovations within Azure AD have likely contributed to this trend, the most significant is almost certainly the introduction of Azure AD Conditional Access.
Having seen the balance of productivity and security that Conditional Access brings to Office 365 services, our customers are now integrating other apps with Azure AD. They’ve started to think about Azure AD Conditional Access as the “front door” for both on-premises and cloud apps.
In this post, I’ll share three ways in which Azure AD Conditional Access has incentivized our customers to integrate their apps with Azure AD. I’ll also provide high-level steps for safely migrating authentication for your own apps to Azure AD, protected by Conditional Access.
Three reasons to switch to Azure AD Conditional Access
1. Enable an identity and device-based access model
When Azure AD Conditional Access was first introduced, it was at a time when most of our customers automatically trusted devices connected to their corporate networks. Those devices were often exempt from controls such as Multi-Factor Authentication (MFA), with the goal of making the user experience as seamless as possible.
Lately, we’ve found that it’s less common for our customers to choose this “trusted within the network” access model. We think this is mainly because:
Customers have realized that certain physical network controls are lacking (perhaps people are able to plug in their own devices to trusted networks, for example), and/or trusted and untrusted networks share the same public IP addresses.
Device-based Azure AD Conditional Access controls such as Hybrid Azure AD Join and Microsoft Endpoint Manager Compliance have matured. This means a customer’s definition of “trusted” devices can include requirements such as operating system versions, encryption, and antivirus.
The “zero trust within the network” approach that many of our customers take is an identity and device-based access model rather than a network perimeter-based one. Reliably establishing trust in identities and devices is much easier to achieve with Azure AD Conditional Access than with traditional perimeter control solutions.
2. Provide a consistent sign-in experience for both cloud and on-premises apps
In addition to protecting cloud-based SaaS apps, Conditional Access controls can be applied to on-premises apps that have been integrated with Azure AD via the Application Proxy. This approach can provide a big step forward in terms of usability, as people benefit from a consistent sign-in experience across both cloud and on-premises apps.
Kier Group, a 20,000-strong construction firm, did just that with Azure AD, the Application Proxy and their on-premises intranet, hosted on Microsoft SharePoint Server 2013.
"Kier Group previously relied on a traditional on-premises reverse proxy solution for externally publishing our SharePoint Server environments, but this resulted in an inconsistent experience when navigating between Office 365 and SharePoint on-premises. Now that we’ve deployed the Azure AD App Proxy with pre-authentication and accompanying Conditional Access controls such as MFA, our employees have a consistent and secure experience across our SharePoint Server 2013 intranet and Office 365. We’ve deployed multiple connectors and connector groups to help ensure a high level of availability." - Mark Bentley, Senior Technical Architect at Kier Group
In addition to the Azure AD App Proxy, customers can also take advantage of their existing investments in network security solutions through a “secure hybrid access” approach for legacy apps. Through Microsoft’s new integrations with several vendors, customers can streamline and modernize access to apps that support legacy authentication, including Kerberos, NTLM, Remote Desktop Protocol (RDP), LDAP, SSH, and header-based and form-based authentication.
3. Simplify access while preventing data exfiltration
Security is a critical requirement, but you also must keep your users happy. That’s why Azure AD Conditional Access can be configured to allow limited browser-based access from untrusted devices to SharePoint Online and Exchange Online, while blocking actions such as download, print and sync. Pretty handy for folks that may wish to check their work email but don’t have a corporate device handy!
This approach can be extended to other Office 365 services and a rapidly growing list of third-party SaaS apps using Conditional Access App Control, a rich integration with Microsoft Cloud App Security (MCAS). MCAS is a leading Cloud Access Security Broker solution that provides a rich set of controls, including the ability to protect content upon download using Microsoft’s Azure Information Protection solution.
Steps to migrate your apps to Azure AD Conditional Access
If I’ve convinced you that Conditional Access is the right solution for your company, the next step is to plan your migration to Azure AD! It’s important to take a methodical approach to safely migrate your apps. Here are the steps we recommend to our customers:
1. Inventory your present app identity providers and configured apps (known as “relying parties” in AD FS).
2. Prioritize the order in which you want to migrate your apps to Azure AD. Factors such as business criticality, usage and expected lifespan are likely to apply.
3. For each app identified:
   a. Map present controls and configurations to Azure AD. Examples include controls such as MFA, blocking legacy authentication (which can be enforced using Azure AD Conditional Access), and claims transformations (which can be replaced using Azure AD claims mapping policies). Microsoft provides a migration readiness script to simplify this step for AD FS customers.
   b. Add the app within Azure AD. This is easiest if the app already exists within the app gallery, because properties such as the single sign-on mode are pre-populated. But non-gallery apps can be added too.
   c. Set up the required Azure AD configurations and controls within Azure AD Conditional Access, using Report-only Mode to test your various access scenarios.
   d. Configure and test Azure AD single sign-on. Microsoft has developed a collection of tutorials to help with this step.
      Note that certain apps will require the identity provider to be switched wholesale (a “cutover” to Azure AD), so this step may need to be performed outside of peak working hours. Other apps, such as SharePoint Server, will allow the identity provider to be configured in a more granular manner, enabling the Azure AD integration to be tested first.
      I’d encourage you to lean on your SaaS app vendors here—chances are, other customers have asked for help integrating their app with Azure AD.
4. Repeat the above steps for your other apps.
5. Plan to decommission your other identity provider(s) if they are no longer required.
Microsoft provides their own documentation that describes some of the steps above in more detail.
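As an added example (not from the original post, and not Content and Code’s or Microsoft’s own tooling), the following Microsoft Graph PowerShell script implements the “set up controls in Report-only Mode” step for one migrated app: it creates the two controls named in the mapping step, an MFA requirement and a legacy-authentication block, scoped to that app and evaluated but not enforced, then pulls recent sign-ins so you can see how the policies would have applied. The app ID is a placeholder you replace with your own app’s client ID; the cmdlet and scope names are those of the Microsoft.Graph module.

```powershell
# Added example: two report-only Conditional Access policies for one migrated app.
# Requires the Microsoft.Graph PowerShell module and an admin with the scopes below.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "AuditLog.Read.All", "Directory.Read.All"

# Placeholder: replace with the application (client) ID of the app you added to Azure AD.
$appId = "00000000-0000-0000-0000-000000000000"

# Policy 1: require MFA for all users of this app. State is report-only, so the
# policy is evaluated and logged on every sign-in but never blocks anyone.
$mfaPolicy = @{
    displayName   = "CA-ReportOnly-RequireMFA-MigratedApp"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All") }
        applications   = @{ includeApplications = @($appId) }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 2: block legacy authentication for this app. "exchangeActiveSync" and
# "other" are the client app types that cannot perform modern authentication.
$legacyAuthPolicy = @{
    displayName   = "CA-ReportOnly-BlockLegacyAuth-MigratedApp"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All") }
        applications   = @{ includeApplications = @($appId) }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($policy in @($mfaPolicy, $legacyAuthPolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host "Created '$($created.DisplayName)' in state '$($created.State)'"
}

# Review what the report-only policies would have done to recent sign-ins for the app.
# Results such as reportOnlyFailure mean the user would have been blocked once enforced.
Get-MgAuditLogSignIn -Filter "appId eq '$appId'" -Top 50 |
    ForEach-Object {
        $upn = $_.UserPrincipalName
        $_.AppliedConditionalAccessPolicies |
            Where-Object { $_.Result -like "reportOnly*" } |
            ForEach-Object { "$upn : $($_.DisplayName) -> $($_.Result)" }
    }
```

Only switch a policy’s state to "enabled" once the sign-in log shows no unexpected reportOnlyFailure results for the users and client types you expect to keep working.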
The people and companies that belong to the Microsoft Partner Network work with large and small companies across various industries. This experience gives them unique insight into the primary challenges that security professionals confront today. The Partner Blog series is designed to socialize these security trends more broadly and provide insights and tips that you can act on today. Check back monthly for more advice from our partners on how to protect your identities or follow the series to be notified when the next blog is posted.