Microsoft Virtual Academy Dean Yamada | Senior Premier Field Engineer, Microsoft Stephen Hall | Cloud Solutions Specialist, District Computers.

Presentation transcript:

Microsoft Virtual Academy Dean Yamada | Senior Premier Field Engineer, Microsoft Stephen Hall | Cloud Solutions Specialist, District Computers

Course Topics: Solving Office 365 Client Deployment Scenarios
01 | System Center Configuration Manager (SCCM) Deployment Best Practices
02 | Multi-language Deployment Considerations for Office 365 ProPlus
03 | Office 365 ProPlus with Azure Rights Management Services for IRM/Encryption
04 | Controlling access to Office 365 ProPlus & Services
05 | Office 365 and Exchange Migration Troubleshooting Common Gotchas
06 | New Office 365 ProPlus Customizations via Group Policy or XML
07 | New Updating and Repair Command-Line Options for Office 365 ProPlus

Microsoft Virtual Academy Module 4: Controlling Access to Office 365 ProPlus and Services Dean Yamada | Senior Premier Field Engineer, Microsoft Stephen Hall | Cloud Solutions Specialist, District Computers

Module Overview
Controlling access with ADFS policy
Managing access with Microsoft Intune
Controlling access with the Office 365 Portal

Controlling access with ADFS policy

ADFS and ADFS Claims
ADFS is a security token service that is used mainly to compile statements about the user account in the form of security tokens
ADFS Claims are statements about the security principal (e.g., username, user’s title) that the Web application uses to ascertain the level of access that should be given to the requesting user

Client Access Policy & Claim Types
Client Access Policy works by identifying which authentication requests should be permitted based upon attributes of the request itself
–This is a feature supported by ADFS 2.0
To provide this additional request context information, client access policy uses specific claim types which AD FS generates from request header information (request headers) for processing by the policy engine

Understanding Client Access Policy: New Claim Types
AD FS Claim Type | Description – this AD FS claim type …
x-ms-forwarded-client-ip | represents a “best attempt” at ascertaining the IP address of the user (for example, the Outlook client) making the request; can contain multiple IP addresses, including the address of every proxy that forwarded the request; is populated from an HTTP header that is currently only set by Exchange Online, which populates the header when passing the authentication request to AD FS.
x-ms-client-application | represents the protocol used by the end client; is populated from an HTTP header that is currently only set by Exchange Online, which populates the header when passing the authentication request to AD FS.
x-ms-user-agent | provides a string to represent the device type that the client is using to access the service; is populated from an HTTP header that is currently only set by Exchange Online, which populates the header when passing the authentication request to AD FS.
x-ms-proxy | indicates that the request has passed through the federation server proxy; populated by the federation server proxy, which populates the header when passing the authentication request to the back-end Federation Service. AD FS converts it to a claim.
x-ms-endpoint-absolute-path | can be used for determining requests originating from “active” (rich) clients versus “passive” (web-browser-based) clients.

Requirements to enable Client Access Policy
Install the Update Rollup 2 for Active Directory Federation Services (AD FS) 2.0 package on all federation servers and federation server proxies
Add the necessary claim rules to the Active Directory Claims Provider Trust
–These rules make the new claim types available for client access policy
–These rules allow the new request context claim types to pass through:
"Pass through: x-ms-forwarded-client-ip"
"Pass through: x-ms-client-application"
"Pass through: x-ms-user-agent"
"Pass through: x-ms-proxy"
"Pass through: x-ms-endpoint-absolute-path"

Add claims rules to the AD Claims Provider trust

Verify AD Claims Provider trust rules

ADD CLAIMS RULES TO THE AD CLAIMS PROVIDER TRUST demo

Understanding AD FS 2.0 claims rule language
“If the server receives claim A, issue claim B.”
–Rules can require more than one claim.
–Claim A may be described in terms of its issuer, type or value
–Claim B can use incoming claims or an attribute store as a source of values, or explicit values that are specified directly in the rule itself

WALK THRU CLIENT ACCESS POLICY RULES CREATION demo

Create client access policy rule blocking external access to Office 365

Example - Blocking access to Office 365 Services Restricting users from accessing Outlook when they are NOT on the corporate network

Breaking down the logic: Restricting users from accessing Outlook when not on the corporate network
IF
–Client is connecting using RPC OR Exchange Web Services OR MAPI/HTTP
AND
–ADFS claim is an ACTIVE claims request
AND
–User’s IP address does NOT match the corporate IP address range
THEN:
–Deny the claim
NOTE: Outlook (RPC+HTTPS, EWS, MAPI/HTTP, MAPI Address Book), ActiveSync and Autodiscover use ACTIVE ADFS claims requests

ADFS Claims Language
Restricting users from accessing Outlook when not on the corporate network

exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
&& exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/services/trust/2005/usernamemixed"])
&& exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value =~ "Microsoft.Exchange.RPC|Microsoft.Exchange.WebServices|Microsoft.Exchange.Mapi|Microsoft.Exchange.Nspi"])
&& NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "\b192\.168\.4\.([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\b|\b10\.3\.4\.5\b"])
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

Translating the ADFS Claims “If/Then” Statement
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) = the claim exists and came through an ADFS Proxy server
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/services/trust/2005/usernamemixed"]) = the endpoint value is “usernamemixed”, the name of the ACTIVE ADFS claims endpoint
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value =~ "Microsoft.Exchange.RPC|Microsoft.Exchange.WebServices|Microsoft.Exchange.Mapi|Microsoft.Exchange.Nspi"]) = the ClientApplication is RPC or WebServices or MAPI over HTTP or MAPI Address Book
NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "\b192\.168\.4\.([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\b|\b10\.3\.4\.5\b"]) = the value of the IP address DOES NOT MATCH the specified public NAT address pool matched by the regex (192.168.4.x or 10.3.4.5)
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true"); = Deny the claim
NOTE: The IP address is treated as a string and not a number. Regex expressions can be very tricky. Using a regex verification tool is recommended.

DEMO ADFS CLAIM RULE CREATION demo

DEMO – Create ADFS Claims Rule

DEMO – Verify ADFS Claims Rule

Scenario: You need to restrict members of the DCServiceTeam group from accessing Outlook Web App when NOT on the corporate network

Breaking down the logic: Restrict members of the DCServiceTeam AD security group from accessing OWA when NOT on the corporate network
IF
–ADFS claims request went through a proxy
AND
–User is a member of the specified group
AND
–ADFS claims request is a PASSIVE claim to the external ADFS Proxy endpoint
THEN:
–Deny the claim
NOTE: OWA’s login uses a PASSIVE claim - the client browser connects directly to the ADFS endpoint

Get an AD Group SID using ADUC

Get an AD Group SID using PowerShell
Use PowerShell on a Domain Controller:
dsquery group -name "groupname" | dsget group -sid


ADFS Claims Language
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
&& exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "S-1-5-21-<DCServiceTeam group SID>"])
&& exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/ls/"])
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

Translating the ADFS Claims “If/Then” Statement
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) = the claim exists and came through a proxy
exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "S-1-5-21-<DCServiceTeam group SID>"]) = the user is a member of the specified group
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/ls/"]) = the claim is a PASSIVE claim to the “/adfs/ls” endpoint
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true"); = Deny the claim
NOTE: The Security Identifier (SID) of the Active Directory security group is needed here. The “adfs/ls” endpoint is the external ADFS proxy server farm
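To check rules like the two on these slides (the external-Outlook deny rule and the DCServiceTeam OWA deny rule) against sample requests before they go onto the Office 365 relying party trust, here is an added Python simulator of the claim rule subset they use. It is example code written for this page, not AD FS, the Client Access Policy Builder or any Microsoft tool: it parses exists / NOT exists terms joined by && and a single issue(...), treats == as an exact string comparison and =~ as a regular-expression search, which is what the claim rule language means by those operators, and evaluates rules against claim sets built inline. The group SID, the proxy name and the client IP addresses are constructed sample values; the claim-type URIs are the standard AD FS request-context, group SID and deny claim types.

```python
import re

# Added stand-alone simulator of the AD FS claim rule subset used by the client
# access policy rules on these slides: exists([...]) / NOT exists([...]) terms
# joined by && on the left of "=>", one issue(Type = ..., Value = ...) on the right.
# It is not the AD FS policy engine; it only lets the rules be checked offline.

RC = "http://schemas.microsoft.com/2012/01/requestcontext/claims/"
PROXY = RC + "x-ms-proxy"
ENDPOINT = RC + "x-ms-endpoint-absolute-path"
APP = RC + "x-ms-client-application"
CLIENT_IP = RC + "x-ms-forwarded-client-ip"
GROUP_SID = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
DENY = "http://schemas.microsoft.com/authorization/claims/deny"

ACTIVE_ENDPOINT = "/adfs/services/trust/2005/usernamemixed"   # rich clients
PASSIVE_ENDPOINT = "/adfs/ls/"                                 # browser sign-in
OUTLOOK_APPS = ("Microsoft.Exchange.RPC|Microsoft.Exchange.WebServices|"
                "Microsoft.Exchange.Mapi|Microsoft.Exchange.Nspi")
# Corporate NAT pool regex from the slide (192.168.4.1-255 or 10.3.4.5).
CORP_IP_RE = (r"\b192\.168\.4\.([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\b"
              r"|\b10\.3\.4\.5\b")
# Constructed sample SID standing in for the DCServiceTeam group's real SID.
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1234"

TERM = re.compile(r'(?P<neg>NOT\s+)?exists\(\[Type\s*==\s*"(?P<type>[^"]+)"'
                  r'(?:,\s*Value\s*(?P<op>==|=~)\s*"(?P<val>[^"]+)")?\]\)')
ISSUE = re.compile(r'issue\(Type\s*=\s*"(?P<type>[^"]+)",\s*Value\s*=\s*"(?P<val>[^"]+)"\)')


def parse_rule(rule_text):
    """Split a rule into its exists-terms and the (type, value) it issues."""
    condition, arrow, action = rule_text.partition("=>")
    terms = [m.groupdict() for m in TERM.finditer(condition)]
    issued = ISSUE.search(action)
    if not arrow or not terms or issued is None:
        raise ValueError("unsupported rule syntax")
    return terms, (issued["type"], issued["val"])


def term_matches(term, claims):
    """exists([...]) holds when some incoming claim meets every condition in the
    brackets: '==' is an exact string comparison, '=~' a regular-expression search."""
    for ctype, value in claims:
        if ctype != term["type"]:
            continue
        if term["op"] is None or (term["op"] == "==" and value == term["val"]):
            return True
        if term["op"] == "=~" and re.search(term["val"], value):
            return True
    return False


def evaluate(rule_text, claims):
    """Return the claim the rule issues for this claim set, or None if it stays silent."""
    terms, issued = parse_rule(rule_text)
    for term in terms:
        if bool(term["neg"]) == term_matches(term, claims):  # NOT terms must not match
            return None
    return issued


def is_denied(rule_text, claims):
    return evaluate(rule_text, claims) == (DENY, "true")


def outlook_external_rule(app_op="=~"):
    """The slide's 'block Outlook when not on the corporate network' rule."""
    return (f'exists([Type == "{PROXY}"])'
            f' && exists([Type == "{ENDPOINT}", Value == "{ACTIVE_ENDPOINT}"])'
            f' && exists([Type == "{APP}", Value {app_op} "{OUTLOOK_APPS}"])'
            f' && NOT exists([Type == "{CLIENT_IP}", Value =~ "{CORP_IP_RE}"])'
            f' => issue(Type = "{DENY}", Value = "true");')


def owa_group_rule(sid, sid_op="=~"):
    """The slide's 'block OWA for a group when not on the corporate network' rule."""
    return (f'exists([Type == "{PROXY}"])'
            f' && exists([Type == "{GROUP_SID}", Value {sid_op} "{sid}"])'
            f' && exists([Type == "{ENDPOINT}", Value == "{PASSIVE_ENDPOINT}"])'
            f' => issue(Type = "{DENY}", Value = "true");')


def outlook_claims(app, client_ip, via_proxy=True):
    """Constructed claim set for an active request relayed by Exchange Online."""
    claims = [(ENDPOINT, ACTIVE_ENDPOINT), (APP, app), (CLIENT_IP, client_ip)]
    if via_proxy:
        claims.append((PROXY, "adfsproxy01"))   # constructed proxy name
    return claims


def owa_claims(group_sids, via_proxy=True):
    """Constructed claim set for a passive browser sign-in at /adfs/ls/."""
    claims = [(ENDPOINT, PASSIVE_ENDPOINT)] + [(GROUP_SID, s) for s in group_sids]
    if via_proxy:
        claims.append((PROXY, "adfsproxy01"))
    return claims
```

Two things the sample runs bring out. The pipe-separated client-application list only works as an alternation under =~; under == it is compared as one literal string and the rule never fires for any client. And =~ is a substring search, so an x-ms-forwarded-client-ip value that lists several addresses passes the corporate check if any one of them is in the pool, and a SID written as a regex also matches a longer RID that begins with the same digits (…-1234 matches …-12345); use == for an exact SID and bound the IP pattern as the slide's \b does.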

GET SID FOR AN ACTIVE DIRECTORY GROUP CREATE THE ADFS CLAIMS RULE demo

DEMO – Create ADFS Claims Rule

Office 365 Client Access Policy Builder Tool
PowerShell script that provides a graphical user interface which allows admins to implement changes using a helpful wizard
A new feature of Hotfix Rollup Update 2 for AD FS 2.0
Automates the creation of these policies for the most common scenarios
Installs on the primary ADFS 2.0 server

Office 365 Client Access Policy Builder Tool
Block all external access to Office 365
Block all external access to Office 365 except Exchange ActiveSync
Block all external access to Office 365 except for browser-based applications such as Outlook Web Access or SharePoint Online
Block all external access to Office 365 for members of designated AD groups
Block only external Outlook clients
Admins can select an external IP or IP address range to be used within the rules.
–Should be the public IP address internal clients have as their source address when accessing the internet from the corporate network
The IP address and IP range fields protect against the use of invalid IPv4 addresses
The Build button is enabled once a valid IP address or range has been entered.
–Build executes the creation of the Issuance Authorization Rules on the Office 365 Relying Party trust.

OFFICE 365 CLIENT ACCESS POLICY BUILDER demo

Office 365 Client Access Policy Builder Tool

Additional Resources
http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/ metablogapi/0456.DACimage_5F00_0B286F17.jpg
https://gallery.technet.microsoft.com/office/Client-Access-Policy-30be8ae2#content

Managing Access with Microsoft Intune

Microsoft Intune for Enterprise Mobility Management
Mobile device management
Mobile application management
PC management capabilities, all from the cloud
Coming soon in 2015 – New mobile device management features built into Office 365!

Why MDM in Office 365 and Microsoft Intune?
How will you protect corporate data from personal apps in a BYOD world? (i.e., prevent copy/paste from a work spreadsheet into a personal social status post?)
How will you enforce security policies on non-domain joined devices?
How do you embrace BYOD with corporate data?
Must see – MDM for Office 365, Garage Series video

Additional Resources
https://microsoft.sharepoint.com/teams/Mobility_for_the_Enterprise/_layouts/15/start.aspx#/SitePages/Proactive%20Offerings.aspx
Windows Phone 8.1 Enterprise Mobility Management Microsoft Virtual Academy Course
Channel 9 Series Intro
device-management-office-365/

Controlling Access to Office 365 ProPlus with the Office 365 Portal

Controlling Access with the Office 365 Portal
For all company assets, you can enforce GPOs and use System Center to control who receives the production-approved build of Office 365 ProPlus
Users may eventually find out how to install Office 365 ProPlus from their Office 365 Portal
–Prevent installs from the Office 365 Portal through the Global Admin page

BLOCK INSTALLS FROM THE OFFICE 365 PORTAL demo

©2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, Office, Azure, System Center, Dynamics and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.