"Identity is the new control plane"
With these new capabilities, Windows 10 and the Enterprise Mobility Suite (Azure AD Premium, Intune and Azure RMS) are modernizing enterprise mobility:

Hi there! I'm Mahesh Unnikrishnan, the PM responsible for integrating mobile device management (MDM) solutions such as Microsoft Intune with Azure AD. Alex's previous blog post introduced cool new capabilities in Windows 10 powered by Azure AD. With Windows 10, we're excited to enable automatic MDM enrollment of both corporate owned devices as well as personally owned BYO devices, powered by Azure AD.
As more organizations adopt a 'bring-your-own-device' (BYOD) friendly approach, their IT departments are faced with the challenge of ensuring corporate data stays secure on mobile devices. Devices pose ongoing risks to the corporate data accessed from them: they are frequently lost or stolen, jail-broken, have risky apps installed on them, and are frequently configured insecurely (for example: no PIN/passcode, device encryption disabled, etc.). MDM solutions help mitigate these risks by ensuring compliance with corporate security policies. To deliver a secure experience for applications across these devices, we've partnered closely with Microsoft Intune and Office 365. If you follow the blog, you've probably read about some of the work we've done here:
These are pretty exciting innovations and they've been greeted by strong customer demand. For example, in just over 1 year, 13000 customers have purchased the Enterprise Mobility Suite.
But with Windows 10, we're really putting things into overdrive! With Windows 10 and the Enterprise Mobility Suite, IT administrators can:
Note: We are working with third party MDM ISVs to support automated MDM enrollment and policy based access checks. I'll share more on that front later this year.
This powerful combination of capabilities, all based in the cloud, illustrates what Alex means when he talks about "Identity is the new control plane". Without a dollar of new on-premises infrastructure, you can quickly deploy an end-to-end solution for managing users, devices and critical applications like Office 365 in accordance with your corporate policy. And no other vendor offers this kind of complete, modern and entirely cloud based enterprise mobility solution.

In a previous post, Ariel Gordon illustrated how you can join a corporate owned device to Azure AD in the out-of-box experience on Windows 10. If you join your corporate owned device to Azure AD as part of setting up Windows 10, you're presented with a terms of use page after successful authentication. This page provides information about the policies your IT administrator has configured in Microsoft Intune to enforce on your device.
If you accept these terms, your device is joined to Azure AD and subsequently automatically enrolled for management with Microsoft Intune. You do not need to locate the appropriate app in the Windows Store or perform any manual steps to enroll your device! If you decline to have your corporate owned device managed, you will not be able to join the device to Azure AD.
In a previous post, Venkatesh Gopalakrishnan illustrated how you can add an Azure AD account to a personally owned device. When you do so, you're presented with a terms of use page after successful authentication. This page provides information about the policies your IT administrator has configured in Microsoft Intune to enforce on your device.
If you accept these terms, your Azure AD account is added to your device and subsequently enrolled for management with Microsoft Intune. This seamless experience saves you the trouble of having to enroll your device separately for management or perform other manual steps to do so.
If you decline to have your personally owned device managed, your Azure AD account will still be added to your device. You may continue to enjoy single sign-on to some corporate resources or applications. However, you will be denied access to sensitive corporate resources or applications that your IT administrator has configured to allow access only from policy compliant devices.
Your organization's IT administrator configures device management policies in Microsoft Intune. For instance, your IT administrator may require that devices have a PIN or passcode enabled, have encryption turned on and are regularly updated. Additionally, they may choose to implement more sophisticated policies such as jailbreak detection. These policies are configured in the Intune console and are used by Microsoft Intune to evaluate whether a device complies with corporate policy.
Your organization's IT administrator configures conditional access control policies in Azure AD. For instance, your IT administrator may require that in order to access a cloud app used by your organization, users' devices need to be managed by Intune and compliant with the device management policy configured on Intune. These conditional access control policies are configured in the Azure AD portal and are used by Azure AD to determine whether to allow a user to access an application secured by it.
Microsoft Intune periodically evaluates whether your device is compliant with the required device management policies configured by your IT administrator. This compliance information is then reported to Azure AD. If your device falls out of compliance at a later stage (say the PIN/passcode was disabled on it), Microsoft Intune notifies Azure AD of the device being out of compliance.
There are a couple of other scenarios in which Microsoft Intune notifies Azure AD:
If your device complies with required device management policy and has been reported by Microsoft Intune as compliant, Azure AD will allow access to the cloud application. If your device falls out of compliance (say you disabled a PIN/passcode or turned off device encryption), Microsoft Intune reports the device as non-compliant and Azure AD will block access to the cloud application.
Additionally, when your device is found to be non-compliant with policy, Azure AD provides a link that helps you remediate the situation and regain access. This link launches the Intune app on your device, which can then tell you exactly why your device is out of compliance and how to remediate the situation. We believe this self-service remediation helps end-users remain productive without having to wait for IT administrators to help remediate access denied issues.
The integration we're building between Intune and Azure AD enables IT administrators to rely on the device compliance state reported by Intune in order to determine whether to grant access to applications. This is powered by our conditional access engine, which Alex has blogged about previously.
A sample conditional access control policy your IT administrator would be able to configure is illustrated below:

"Allow users in our finance department to access the Finweb portal only if they have performed multi-factor authentication and are using a policy compliant device."
Notice how this policy expresses requirements using a combination of conditions, in order to grant access to an application. These conditions include the identity of the user, the strength of their authentication as well as whether their device is considered policy compliant. Such policies can be configured in Azure AD on a per-application basis. Azure AD conditional access control enables your IT administrators to apply stricter access control policies for sensitive applications.
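To make the evaluation model concrete, here is an added example (not Microsoft's code, and not how Azure AD is implemented internally) of a small per-application conditional access evaluator. It models the Finweb policy above: the user's group, whether multi-factor authentication was performed, and the device compliance state as reported by the MDM are combined to reach an allow or deny decision, with a remediation hint when the device is unmanaged or out of compliance. All device IDs, group names and application names are constructed sample values.

```python
from dataclasses import dataclass
from enum import Enum


class Compliance(Enum):
    COMPLIANT = "compliant"          # MDM evaluated the device and it meets policy
    NON_COMPLIANT = "non-compliant"  # MDM reported it out of compliance (e.g. PIN disabled)
    UNMANAGED = "unmanaged"          # device never enrolled, so MDM has reported nothing


@dataclass
class AccessRequest:
    user: str
    groups: set
    mfa_performed: bool
    device_id: str
    app: str


@dataclass
class Policy:
    app: str
    allowed_groups: set
    require_mfa: bool
    require_compliant_device: bool


# Constructed sample: compliance state the MDM has reported to the identity provider, per device.
REPORTED_COMPLIANCE = {
    "laptop-01": Compliance.COMPLIANT,
    "laptop-02": Compliance.NON_COMPLIANT,
}

# Constructed sample policy, modelling the Finweb example from the post (hypothetical names).
POLICIES = {
    "finweb": Policy("finweb", {"finance"}, require_mfa=True, require_compliant_device=True),
}


def evaluate(req, policies, compliance):
    """Return (allowed, reason). Policies are per application; an app with no
    policy is allowed. Unmanaged and non-compliant devices are both refused
    and the reason points the user at self-service remediation."""
    policy = policies.get(req.app)
    if policy is None:
        return True, "no conditional access policy for this app"
    if not (req.groups & policy.allowed_groups):
        return False, "user not in an allowed group"
    if policy.require_mfa and not req.mfa_performed:
        return False, "multi-factor authentication required"
    if policy.require_compliant_device:
        state = compliance.get(req.device_id, Compliance.UNMANAGED)
        if state is not Compliance.COMPLIANT:
            return False, f"device {state.value}: open the MDM app to remediate"
    return True, "all conditions satisfied"
```

Because the decision reads the reported compliance state on every request, a device that later falls out of compliance is blocked at its next access attempt without any change to the policy itself.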
Conditional access control for cloud applications
Your IT administrator can configure conditional access control policies for cloud applications such as Office 365 and the other 2500-odd SaaS applications secured by Azure AD. If your IT administrator requires policy compliant devices for access to these cloud applications, Azure AD will use the compliance information reported by Intune to determine whether to allow access.
Conditional access control for on-premises applications
For on-premises applications there are two options to enable conditional access control based on a device's compliance state. For on-premises applications that are published through the Azure AD Application Proxy, you can configure conditional access control policies similar to how you'd do so for cloud applications. For more details, refer to Alex's blog post from earlier this year.
Additionally, Azure AD Connect (which should GA in the next week or two) will soon sync device compliance information from Azure AD to your on-premises AD (requires Windows Server 2016). ADFS on Windows Server 2016 supports conditional access control based on a device's compliance state. Your IT administrator can configure conditional access control policies in ADFS that use the device's compliance state as reported by Intune to secure on-premises applications.
Conditional access control is an Azure AD Premium feature that's also available with EMS. If you don't have an Azure AD Premium subscription, you can get a trial here.
As always we look forward to and welcome your feedback.
Thanks,
Mahesh Unnikrishnan
Senior Program Manager
Microsoft Identity and Security Services Division