Ensure users have the right access with Azure Active Directory

Presentation transcript:

BRK3013 Ensure users have the right access with Azure Active Directory
Joseph Dadzie and Mark Wahl, Azure AD Program Management
11/22/2018 2:33 AM
© Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

How much control do you have over access?
[Diagram: Microsoft Azure Active Directory; resources in Azure; on-premises applications]

What’s needed for Governance, Risk Management & Compliance
01 Who has/should have access to what resources?
02 What are they doing with that access?
03 Are there effective organizational controls for managing access?
04 Can auditors verify that the controls are working?

Critical access questions IT cares about
- ACCESS CONTROL: How do I ensure appropriate access to my cloud and on-premises apps?
- SHADOW IT: How do I know what apps are used in my environment?
- VISIBILITY/REPORTING: How do I know who is using which cloud apps?
- COMPLIANCE: How do I efficiently comply with regulatory constraints to data access?
- AWARENESS: Are my users aware of policies related to app and data access?
- DATA PROTECTION: How do I prevent data leakage?
- THREAT PROTECTION: How do I know if my users or their access have been breached?

Ensuring compliance with business policies
- Who should be allowed access and under which conditions?
  - Use Cloud App Security for visibility
  - Use Conditional Access policies to further restrict access
- For users who are allowed access, how do you ensure they are aware of their obligations?

Azure AD feature - Terms of use (preview) NEW
Configure, enforce, audit compliance
- Configure a terms of use by uploading a PDF document
- Target to users, groups or applications using conditional access
- Enforce acceptance of terms for users in scope
- Optionally configure multiple policies, for different business needs
- Audit events show who accepted / which terms / when
[Diagram: Create a Terms of Use; Enforce at Sign-In; Users consent; Review audit reports]

Demo

Terms of use in conditional access policies
[Diagram labels: Risk (High, Medium, Low); CONFIDENTIAL SALES APP; USER; Health: Fully patched; Config: Managed; Last seen: London, UK; HBI; Role: VP Marketing; Group: Executive Users; Client: Mobile; Config: Corp Proxy; Location: London, UK; Last Sign-in: 5 hrs ago]
CONDITIONAL ACCESS POLICY: User is a member of a sensitive group. Application is classified High Business Impact.
- Require sign on with MFA
- Require user agreed to Terms of use
- Allow access

Ensuring appropriate access to resources
- How do you determine who should still have access?
- What about guests or contractors that were given ad-hoc access?
- How should the decision-makers be involved in the process?
- What aspects of the processes should be automated?

Azure AD feature - Access reviews (preview) NEW
Recertify: attest and audit continued access
- Review Office group members, security group members, and users assigned to applications
- Optionally, scope the reviews to just guests
- Select reviewers from the resource
  - Group owners
  - Members review their own access
  - Select other specific individuals
[Diagram: Create an access review; Reviewers give feedback; Results applied; Review audit reports]

Demo

How you can use Azure AD access reviews
- Users asked to justify their need for application access
- Office group owners review their groups’ memberships
- Use alongside Office group expiration (also in preview)
- Clean up unneeded guest access to applications
- Ensure on-premises groups have only authorized members

Managing privileged access
- What about access for IT personnel who manage applications?
- What happens when guests or contractors need to manage?
- How do you make sure they only have access when needed?
- What are the best practices for Azure?

Azure AD Privileged Identity Management
Discover, restrict, and monitor privileged identities
- Enforce on-demand, just-in-time access
- Optionally leverage per-role approval workflows
- Attest admin role membership with access reviews
- Visibility through alerts and audit reports
[Diagram: Ordinary user; Global administrator; Role privileges expire after a specified interval; Ordinary user]

Demo

Azure AD feature - PIM for Azure (preview) NEW
Discover, restrict, and monitor roles in Azure
- Enforce on-demand, just-in-time access in Azure RBAC
- Schedule time-limited access with automatic expiration
- Attest subscription role memberships with access reviews
- Converged audit view of Azure management activity
[Diagram: Ordinary user; Resource group Contributor; Role privileges expire after a specified interval; Ordinary user]

Demo

Partners and ISVs expand breadth of control
Advanced identity governance partners
- Password reset extension
- Fine-grained lifecycle for provisioning
- Access requests and recertification
- Policy-based workflow and approval
- Compliance and audit reporting

Summary
Azure AD helps you effectively manage access to resources
01 Who has/should have access to what resources?
02 What are they doing with that access?
03 Are there effective organizational controls for managing access?
04 Can auditors verify that the controls are working?
New Azure AD features in preview
- Terms of use
- Access reviews
- Privileged Identity Management for Azure RBAC
Partners complement Azure AD to ensure you have all the tools to securely manage access across your organization’s apps

Relevant sessions @ Ignite
- BRK2019 Productivity and protection for your employees, partners, and customers with Azure Active Directory (Alex Simons, Nasos Kladakis)
- BRK3016 Shut the door to cybercrime with Azure Active Directory risk-based identity protection (Alex Weinert, Nitika Gupta)
- BRK2018 Share corporate resources with your partners using Azure Active Directory B2B collaboration (Mary Lynch, Sarat Subramaniam, Laith Al Shamri)
- BRK3012 Secure access to Office 365, SaaS and on-premises apps with Microsoft Enterprise Mobility + Security (Caleb Baker, Chris Green)
- BRK3013 Ensure users have the right access with Azure Active Directory (Joseph Dadzie, Mark Wahl)
- BRK2047 Embrace Office 365 groups (Christophe Fiessinger, Shilpa Ranganathan)
- BRK2405 Azure security and management for hybrid environments (Jeremy Winter)
