Coming up,
we take a look at updates to Conditional Access,
part of Microsoft's Enterprise Mobility
and Security solution,
that allows you to apply access
controls to the company data.
We're going to explore the new Unified Azure Administration Portal,
the expansion of conditional access controls
that specify the apps and data access
based on the users and permitted locations
and compliant devices.
And then we're gonna have a look at risk-based
conditional access controls
that incorporate machine learning
to continuously safeguard access to your
apps and data in real time.
Microsoft Mechanics
Today I'm joined by Alex Simons,
a regular on the show from the Enterprise 
Mobility and Security Team.
Alex, welcome to the show.
Hey Simon, nice to be back.
Alex, we've covered Conditional Access
in a couple of previous shows.
And I know that it's a set of
policy rules that define the circumstances
under which users get access to corporate data.
But before we go into some of the changes
that we've made in the product,
can you tell us a little bit more about Conditional Access, just to level set for folks?
Yeah, sure Simon.
In the old days, everyone had a firewall and a directory,
and some PCs and servers.
It was all kind of on-premises.
And that gave you control over things.
You knew what was going on.
You didn't have to worry about security very much.
You didn't have to worry about
 people doing the right thing.
As the internet comes along,
all of a sudden there are things like salesforce.com and Concur that maybe people want to use.
And employees are bringing lots of
devices like their iPhones and their Android devices
to work and wanting to get work done on those.
All of a sudden IT had a big challenge.
And initially you could just hook up maybe one app.
Or you could give somebody a VPN on their device so that they get back to your corporate network.
That kind of worked in 2009.
As you get to more and more of your
corporate IT estate being in the cloud 
in lots of different services.
And as your employees want to use 
more and more devices.
As customers and partners want to 
connect with you, it all just falls apart.
You can't use your firewall and your on-premises
directory to manage that anymore.
What you really need is a cloud control plane
that lets you coordinate between all those different resources and people and devices,
in a way that is compliant and secure.
And that's what conditional access is in
the Enterprise Mobility Suite.
It lets you do things like dictate corporate policy on
which users can get to which things.
Which devices do they have to be on?
Where can they come from, and what kind of authentication strength do they have?
And even what locations are they in?
Is the app risky or not in terms of the business impact?
Even a risk score from our machine learning system:
does this really look like it's the user
who they say they are, or not?
All of those can work together on a 
conditional access system
to make you secure and compliant.
That's great and a really good level set.
How have we actually been
 improving Conditional Access?
The biggest change in conditional access recently
is bringing all of those capabilities together in one administrative portal.
Now in the New Azure portal, you can go in and you can see all of your conditional access policies
across Azure Active Directory and Intune in one place.
The second big improvement has been
adding the ability to have multiple 
policies per application
and to share policies across
applications as well for your whole tenant.
Finally we've also brought risk scores in.
So now you can have conditional access 
policies that include the risk score
as well as all of those other factors.
These sound like great features, 
can you show us them in action?
Yeah, let's take a look at a demo, as if I were an employee at the company.
Here I am in the My Apps portal for
 Azure Active Directory.
And you can see all the apps that have been assigned to me.
Each of these have different policies 
depending on the app's sensitivity
that my admins created for us.
So let's take an easy one like Box,
one whose security level they're not too worried about.
I can just click and get immediately
 single signed into Box, no problem.
A more sensitive app like Salesforce has all of our customer records and stuff.
I probably want to do a two-factor 
authentication for that.
So let me get my phone here.
We'll go ahead and I'm going to click on Salesforce.
You'll see how it's going to force me
to do a second factor authentication
 before I'm able to login.
So on my phone I'm going to get a call,
and this then adds a whole new level of security
to the login.
Now we really know it's me before I can 
get into salesforce.com.
And there you can see my authentication is completed.
Now let's go ahead and take a
 look at a really sensitive app.
This is one which maybe had some financial data or something that I can't access
if I'm not on the corporate network.
So here we are in the studio and obviously
I'm not on the corporate network.
Let's go ahead and click on this one and you'll see
that as we try to log into this app, it tells me "No".
I just can't get there from here; there's
nothing I can do about that.
I even have details here that show me
the IP address that I came from.
So that if I need to call help desk or something it's easy for them to figure out what's going on.
What about if it's coming from a device 
that we know nothing about?
Some things are pretty sensitive and you might not want to be able to download documents or things like that.
So let's take a look at this SharePoint site.
On this SharePoint site when I try to login, 
this device isn't registered yet
and managed by my MDM.
When I login to SharePoint, 
it comes up and tells me I can't get there.
It gives me instructions on how to get 
my device managed.
All I have to do is click on that.
Here you can see I'm in the experience to get my device managed by my company so I can get access.
That's pretty cool, and that's going to take you through the Intune enrollment process?
Yes, exactly.
Alex, you also mentioned risky logons.
What happens in those circumstances?
Simon, our machine learning system in 
identity protection
is watching every single log on for suspicious activity.
So if I try to log in and it looks risky, it's going to block me, because most likely I'm a hacker.
I'm going to try to log into that same
account using a Tor Browser.
A Tor browser is just an example of the
kind of thing a hacker might do.
If I try to log in to my Office account using that Tor browser,
let me just get my password here,
what happens here is that in real time
my login is scored.
And it's high risk because it's coming from an anonymous IP address.
And so I've been blocked and I can't get in here.
That's a pretty robust set of controls that you've built directly into the product.
Yeah, it really lets you create corporate policy
for both compliance and security reasons.
That keeps your data secure but also lets the board of directors sleep at night.
How do we get this all working from an IT point of view?
Yeah, we'll talk about how this has all been brought together in the new Azure portal.
Let's go ahead and take a look at that.
Here I am in my Azure AD blade.
But, we're going to take a look at the 
conditional access policies.
So the first thing I want you to see is 
my conditional access policy.
You can see that I have multiple
 different policies.
Some of them based on for instance, high business impact and medium business impact applications.
But I can also have multiple policies per application.
You can see here, this is a Salesforce policy about requiring multi-factor authentication.
This down here is a Salesforce policy that says "I can't get to it from an Android device".
OK, so let's go ahead and take a look at
the require MFA policy for Salesforce and how it works.
So here you can see it's my policy.
I can pick which set of users and groups it applies to.
For instance I could pick all users or
 select users and groups.
In this case, sales groups.
I can also if I want, 
exclude people from it.
Here the administrators have been excluded so they can always get in to get work done.
I can choose which applications this policy applies to.
In this case, obviously it's a Salesforce policy.
I could use this for other apps as well if I wanted to.
I can just add a new one, or I can make it
apply to all of my applications.
That's been really popular with customers.
And then I can select the
conditions under which this applies.
So let me show you this, 
this is probably the coolest part.
First, I can have my sign in risk.
So let's go ahead and turn on some sign-in risk here.
When the identity protection system sees
that this is a high or medium-risk login,
I want to block those.
I'm going to make it apply to those
high or medium-risk logins.
I want to also make it so that people
have to be using a managed device.
You can't use it on your home PC.
That's just too risky.
I'm going to configure this
so that all of my platforms, Android, iOS,
Windows Phone, and Windows,
all have to be in a managed and compliant state.
I can pick the location that people can get to it from.
For instance I could set up a whole 
range of IP addresses
that represent my corporate network.
So, you can only use it for that.
Given it's a sales app, I want people to
 be able to use it wherever they are.
And then finally, I can pick which kind of applications even access the service.
So in this case you can see here I've set it up so that
only people using a browser can get to it.
So they can't download the data and take-off with it.
And so,  that's a pretty cool set
 of conditional access policies.
And now let's go ahead and take a look
at the way that I can control whether 
they get access or not.
Those are all the things that essentially say
"should this policy be applied now?".
And then now here I can say
"I want to either block access".
So if the risk score was super high, 
we'll block access.
Or, I want to allow access but 
I want to require some things.
So in this case we're requiring
multi-factor authentication.
But I'm going to update this to also require
 that their devices be compliant.
One of the really cool things is down
 here you can decide,
how restrictive is this?
Am I going to require them to do an
MFA and have a compliant device?
Or is either one okay?
So we've got some really granular controls 
and compliance policies.
Yeah, essentially you can now take all of those different pieces of context we were talking about.
The user and their auth strength, and their device.
And make sure that you've got a policy that meets your corporate security and compliance requirements.
What level of reporting is there around this?
You can see all kinds of stuff.
For instance, 
every time
you want to look and see what users are
 doing and if anything seems risky,
you can come in and check out all your users.
So let's take a look at Jennifer Davis.
You'll see that Jennifer has 10 high risk events
that have been flagged by the machine learning system.
And I wonder what is going on.
You can see all kinds of stuff happening here.
She signed in from an anonymous IP address.
She seems to have tried to sign in from a
 place that was too far for her to go to.
She's coming from an infected device.
And from locations where no one in
our work ever goes.
Most likely, Jennifer's account has been hacked, right?
Maybe she was phished or something like that.
And there's someone trying to login as her.
So I'm going to go ahead and require her
 to reset her password.
So the next time she comes in,
she'll have to pick a new password 
and complete an MFA
so that we can reclaim her account and 
get it out of the hands of hackers.
Alex, this is fantastic to see that we got 
this granularity of controls available
across the whole of enterprise mobility 
and security and in a single UI.
What else are we investing in?
Simon, you can really see how
we're bringing all of the capabilities of the Enterprise Mobility and Security suite together in one control point.
And so what you'll see is more and more of
 this kind of work where we bring
the controls of Intune, the controls of Azure AD and all the rest of the enterprise mobility suite
into one administrative experience and integrate all of those capabilities together.
What are the next steps that people should take?
Simon, all of this is working today and available.
Anyone who wants to can just go to the
 Azure portal and try it out.
Or, if you want to learn more just click on the link below.
Alex, thanks a lot for coming on the show.
Keep watching Microsoft Mechanics for 
the very latest in tech updates.
We'll see you soon.
Microsoft Mechanics
www.microsoft.com/mechanics
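The policies Alex builds in the portal can also be expressed as Microsoft Graph conditionalAccessPolicy objects. The script below is an added example written for this page, not code from the show or from Microsoft: it recreates the Salesforce "require MFA" policy (extended with the compliant-device grant and the browser-only client condition shown in the demo) and a separate policy that blocks medium- and high-risk sign-ins, using the Microsoft Graph PowerShell SDK. The group ID and Salesforce application ID are placeholders that must be replaced with values from your own tenant; the Global Administrator role template ID is the well-known Entra ID value.

```powershell
# Added example (not from the show): two Conditional Access policies that mirror
# the Salesforce demo, created through the Microsoft Graph PowerShell SDK.
# Placeholders (not real tenant values): replace $salesGroupId and $salesforceAppId
# with object IDs from your own tenant.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$salesGroupId    = "00000000-0000-0000-0000-000000000001"  # placeholder: Sales group
$salesforceAppId = "00000000-0000-0000-0000-000000000002"  # placeholder: Salesforce service principal appId
$globalAdminRole = "62e90394-69f5-4237-9190-012177145e10"  # Global Administrator role template ID

# Policy 1: the "require MFA" policy from the demo, extended to also require a
# compliant device (operator AND, so both controls are needed) and to apply only
# to browser sign-ins, so thick clients cannot sync the data down.
$requireMfaAndCompliant = @{
    displayName   = "Salesforce - require MFA and compliant device"
    # Report-only: sign-in logs show what the policy WOULD do before it enforces.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{
            includeGroups = @($salesGroupId)
            excludeRoles  = @($globalAdminRole)   # keep admins out, as in the demo
        }
        applications   = @{ includeApplications = @($salesforceAppId) }
        platforms      = @{ includePlatforms = @("all") }
        clientAppTypes = @("browser")
    }
    grantControls = @{
        operator        = "AND"   # MFA *and* compliant device, not either one
        builtInControls = @("mfa", "compliantDevice")
    }
}

# Policy 2: block medium- and high-risk sign-ins to Salesforce. Kept as its own
# policy so the block decision does not compete with the MFA grant above.
$blockRisky = @{
    displayName   = "Salesforce - block medium and high sign-in risk"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users            = @{ includeGroups = @($salesGroupId); excludeRoles = @($globalAdminRole) }
        applications     = @{ includeApplications = @($salesforceAppId) }
        signInRiskLevels = @("medium", "high")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($policy in @($requireMfaAndCompliant, $blockRisky)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Output "Created '$($created.DisplayName)' (id $($created.Id), state $($created.State))"
}

# Review the full set before changing any state to "enabled".
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

Both policies start in report-only mode; check the sign-in logs for the evaluated result before switching `state` to `enabled`, and exclude at least one emergency-access account from any policy that can return `block`, so a bad condition cannot lock every administrator out of the tenant.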
