Microsoft Virtual Academy Dean Yamada | Senior Premier Field Engineer, Microsoft Stephen Hall | Cloud Solutions Specialist, District Computers.



2 Course Topics: Solving Office 365 Client Deployment Scenarios
01 | System Center Configuration Manager (SCCM) Deployment Best Practices
02 | Multi-language Deployment Considerations for Office 365 ProPlus
03 | Office 365 ProPlus with Azure Rights Management Services for IRM/Encryption
04 | Controlling access to Office 365 ProPlus & Services
05 | Office 365 and Exchange Migration Troubleshooting Common Gotchas
06 | New Office 365 ProPlus Customizations via Group Policy or XML
07 | New Updating and Repair Command-Line Options for Office 365 ProPlus

3 Microsoft Virtual Academy – Module 4: Controlling Access to Office 365 ProPlus and Services
Dean Yamada | Senior Premier Field Engineer, Microsoft
Stephen Hall | Cloud Solutions Specialist, District Computers

4 Module Overview
–Controlling access with ADFS policy
–Managing access with Microsoft Intune
–Controlling access with the Office 365 Portal

5 Controlling access with ADFS policy

6 ADFS and ADFS Claims
ADFS is a security token service that is used mainly to compile statements about the user account in the form of security tokens.
ADFS claims are statements about the security principal (e.g., username, user’s title) that the web application uses to ascertain the level of access that should be given to the requesting user.

7 Client Access Policy & Claim Types
Client Access Policy works by identifying which authentication requests should be permitted based upon attributes of the request itself.
–This is a feature supported by ADFS 2.0.
To provide this additional request context information, client access policy uses specific claim types which AD FS generates from request header information (request headers) for processing by the policy engine.

8 Understanding Client Access Policy: New Claim Types
AD FS Claim Type | Description (this AD FS claim type …)
x-ms-forwarded-client-ip
–represents a “best attempt” at ascertaining the IP address of the user (for example, the Outlook client) making the request
–can contain multiple IP addresses, including the address of every proxy that forwarded the request
–is populated from an HTTP header that is currently only set by Exchange Online, which populates the header when passing the authentication request to AD FS
x-ms-client-application
–represents the protocol used by the end client
–is populated from an HTTP header that is currently only set by Exchange Online, which populates the header when passing the authentication request to AD FS
x-ms-user-agent
–provides a string to represent the device type that the client is using to access the service
–is populated from an HTTP header that is currently only set by Exchange Online, which populates the header when passing the authentication request to AD FS
x-ms-proxy
–indicates that the request has passed through the federation server proxy
–is populated by the federation server proxy, which sets the header when passing the authentication request to the back-end Federation Service; AD FS converts it to a claim
x-ms-endpoint-absolute-path
–can be used for determining requests originating from “active” (rich) clients versus “passive” (web-browser-based) clients

9 Requirements to enable Client Access Policy
Install the Update Rollup 2 for Active Directory Federation Services (AD FS) 2.0 package on all federation servers and federation server proxies.
Add the necessary claim rules to the Active Directory Claims Provider Trust.
–These rules make the new claim types available for client access policy.
–These rules allow the new request context claim types to pass through:
"Pass through: x-ms-forwarded-client-ip"
"Pass through: x-ms-client-application"
"Pass through: x-ms-user-agent"
"Pass through: x-ms-proxy"
"Pass through: x-ms-endpoint-absolute-path"

10 Add claims rules to the AD Claims Provider trust


14 Verify AD Claims Provider trust rules

15 Demo: Add claims rules to the AD Claims Provider trust

16 Understanding AD FS 2.0 claims rule language
“If the server receives claim A, issue claim B.”
–Rules can require more than one claim.
–Claim A may be described in terms of its issuer, type or value.
–Claim B can use incoming claims or an attribute store as a source of values, or explicit values that are specified directly in the rule itself.

17 Demo: Walk through client access policy rule creation

18 Create client access policy rule blocking external access to Office 365


22 Example: Blocking access to Office 365 Services
Restricting users from accessing Outlook when they are NOT on the corporate network

23 Breaking down the logic
Restricting users from accessing Outlook when not on the corporate network
IF
–Client is connecting using RPC OR Exchange Web Services OR MAPI/HTTP
AND
–ADFS claim is an ACTIVE claims request
AND
–User’s IP address does NOT match the corporate IP address range
THEN:
–Deny the claim
NOTE: Outlook (RPC+HTTPS, EWS, MAPI/HTTP, MAPI Address Book), ActiveSync and Autodiscover use ACTIVE ADFS claims requests.

24 ADFS Claims Language
Restricting users from accessing Outlook when not on the corporate network
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
&& exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/services/trust/2005/usernamemixed"])
&& exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.RPC|Microsoft.Exchange.WebServices|Microsoft.Exchange.Mapi|Microsoft.Exchange.Nspi"])
&& NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ " "])
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

25 Translating the ADFS Claims “If/Then” Statement
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
= the claim exists and the request came through an ADFS Proxy server
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/services/trust/2005/usernamemixed"])
= the value “usernamemixed” is the endpoint path and the name of the ACTIVE ADFS claim
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.RPC|Microsoft.Exchange.WebServices|Microsoft.Exchange.Mapi|Microsoft.Exchange.Nspi"])
= the ClientApplication is RPC or WebServices or MAPI over HTTP or MAPI Address Book
NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "\b192\.168\.4\.([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-5][0-9])\b|\b10\.3\.4\.5\b"])
= the value of the IP address DOES NOT MATCH the specified public NAT address pool of 192.168.4.0 – 192.168.4.255 or 10.3.4.5
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
= Deny the claim
NOTE: The IP address is treated as a string and not a number. Regex expressions can be very tricky; using a regex verification tool is recommended.

26 Demo: ADFS claim rule creation

27 DEMO – Create ADFS Claims Rule


31 DEMO – Verify ADFS Claims Rule

32 Scenario
You need to restrict members of the DCServiceTeam group from accessing Outlook Web App when NOT on the corporate network.

33 Breaking down the logic
Restrict members of the DCServiceTeam AD security group from accessing OWA when NOT on the corporate network
IF
–ADFS claims request went through a proxy
AND
–User is a member of the specified group
AND
–ADFS claims request is a PASSIVE claim to the external ADFS Proxy endpoint
THEN:
–Deny the claim
NOTE: OWA’s login uses a PASSIVE claim; the client browser connects directly to the ADFS endpoint.

34 Get an AD Group SID using ADUC

35 Get an AD Group SID using PowerShell
Use PowerShell on a Domain Controller:
dsquery group -name "groupname" | dsget group -sid


37 ADFS Claims Language
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
&& exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "S-1-5-21-2777359623-4057299290-1147869377-1203"])
&& exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/ls/"])
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

38 Translating the ADFS Claims “If/Then” Statement
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
= the claim exists and the request came through a proxy
exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "S-1-5-21-2777359623-4057299290-1147869377-1203"])
= the user is a member of the specified group
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/ls/"])
= the claim is a PASSIVE claim to the “/adfs/ls” endpoint
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
= Deny the claim
NOTE: The Security Identifier (SID) of the Active Directory security group is needed here. The “/adfs/ls” endpoint is the external ADFS proxy server farm.
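The following Python model of both deny rules (slide 24's Outlook rule and slide 37's OWA rule) is an added example, not code from the presentation or from AD FS: it reproduces how exists([...]) is evaluated against a request's claims, with == as an exact string compare and =~ as an unanchored regex search, using the slide's own NAT regex and example group SID. The claim values, the comma-separated form of a multi-address x-ms-forwarded-client-ip value, and reading the pipe-separated client-application list as a regex alternation (as the translation slide does) are assumptions.

```python
import re

# Claim type URIs from slides 24 and 37 (RC is a local shorthand, not an AD FS name)
RC = "http://schemas.microsoft.com/2012/01/requestcontext/claims/"
PROXY, ENDPOINT = RC + "x-ms-proxy", RC + "x-ms-endpoint-absolute-path"
CLIENT_APP, CLIENT_IP = RC + "x-ms-client-application", RC + "x-ms-forwarded-client-ip"
GROUP_SID = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
DENY = "http://schemas.microsoft.com/authorization/claims/deny"

# Slide 25's corporate NAT regex (192.168.4.x or 10.3.4.5) and slide 37's example group SID,
# both used as written; the pipe-separated client list is modelled as a regex alternation
CORP_IP = re.compile(r"\b192\.168\.4\.([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-5][0-9])\b|\b10\.3\.4\.5\b")
OUTLOOK_APPS = re.compile(r"Microsoft.Exchange.RPC|Microsoft.Exchange.WebServices|"
                          r"Microsoft.Exchange.Mapi|Microsoft.Exchange.Nspi")
TEAM_SID = re.compile(r"S-1-5-21-2777359623-4057299290-1147869377-1203")

def exists(claims, ctype, value=None, regex=None):
    """Model of exists([Type == ctype, Value == value]) / exists([..., Value =~ regex]):
    '==' is an exact string compare, '=~' is an unanchored regex search over the value."""
    for t, v in claims:
        if t == ctype and (value is None or v == value) and (regex is None or regex.search(v)):
            return True
    return False

def outlook_rule_denies(claims):
    """Slide 24: active Outlook request via the proxy from a non-corporate IP -> deny."""
    return (exists(claims, PROXY)
            and exists(claims, ENDPOINT, value="/adfs/services/trust/2005/usernamemixed")
            and exists(claims, CLIENT_APP, regex=OUTLOOK_APPS)
            and not exists(claims, CLIENT_IP, regex=CORP_IP))

def owa_rule_denies(claims):
    """Slide 37: passive (/adfs/ls/) request via the proxy by a DCServiceTeam member -> deny."""
    return (exists(claims, PROXY)
            and exists(claims, GROUP_SID, regex=TEAM_SID)
            and exists(claims, ENDPOINT, value="/adfs/ls/"))

def evaluate(claims):
    """Claims issued by the two rules: the deny claim if either rule fires, else nothing."""
    return [(DENY, "true")] if outlook_rule_denies(claims) or owa_rule_denies(claims) else []

# Constructed sample request: Outlook over RPC arriving through the proxy from an internet address
EXTERNAL_OUTLOOK = [(PROXY, "adfs-proxy-1"), (ENDPOINT, "/adfs/services/trust/2005/usernamemixed"),
                    (CLIENT_APP, "Microsoft.Exchange.RPC"), (CLIENT_IP, "203.0.113.7")]
```

Because =~ searches anywhere in the value, a forwarded-client-ip chain that merely contains a corporate address, or a group SID whose RID only begins with 1203, satisfies these conditions; anchor the pattern (^…$) or use == where an exact match is intended.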

39 Demo: Get the SID for an Active Directory group and create the ADFS claims rule

40 DEMO – Create ADFS Claims Rule

41 Office 365 Client Access Policy Builder Tool
–PowerShell script that provides a graphical user interface which allows admins to implement changes using a helpful wizard
–A new feature of Hotfix Rollup Update 2 for AD FS 2.0
–Automates the creation of these policies for the most common scenarios
–Installs on the primary ADFS 2.0 server

42 Office 365 Client Access Policy Builder Tool
Supported scenarios:
–Block all external access to Office 365
–Block all external access to Office 365 except Exchange ActiveSync
–Block all external access to Office 365 except for browser-based applications such as Outlook Web Access or SharePoint Online
–Block all external access to Office 365 for members of designated AD groups
–Block only external Outlook clients
Admins can select an external IP or IP address range to be used within the rules.
–This should be the public IP address internal clients have as their source address when accessing the internet from the corporate network.
The IP address and IP range fields protect against the use of invalid IPv4 addresses.
The Build button is enabled once a valid IP address or range has been entered.
–Build executes the creation of the Issuance Authorization Rules on the Office 365 Relying Party trust.

43 Demo: Office 365 Client Access Policy Builder

44 Office 365 Client Access Policy Builder Tool

45 Additional Resources
http://social.technet.microsoft.com/wiki/contents/articles/4792.understanding-claim-rule-language-in-ad-fs-2-0-higher.aspx
http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-58-02-metablogapi/0456.DACimage_5F00_0B286F17.jpg
http://technet.microsoft.com/en-us/library/ff730940.aspx
https://gallery.technet.microsoft.com/office/Client-Access-Policy-30be8ae2#content

46 Managing Access with Microsoft Intune

47 Microsoft Intune for Enterprise Mobility Management
–Mobile device management
–Mobile application management
–PC management capabilities, all from the cloud
Coming soon in 2015: new mobile device management features built into Office 365!

48 Why MDM in Office 365 and Microsoft Intune?
–How will you protect corporate data from personal apps in a BYOD world? (i.e., prevent copy/paste from a work spreadsheet into a personal social status post?)
–How will you enforce security policies on non-domain-joined devices?
–How do you embrace BYOD with corporate data?
Must see: MDM for Office 365, Garage Series video – http://www.youtube.com/watch?v=n6Gq4Zh4Zek

49 Additional Resources
https://microsoft.sharepoint.com/teams/Mobility_for_the_Enterprise/_layouts/15/start.aspx#/SitePages/Proactive%20Offerings.aspx
http://technet.microsoft.com/en-US/windowsphone
Windows Phone 8.1 Enterprise Mobility Management – Microsoft Virtual Academy Course (Channel 9 Series Intro)
http://blogs.office.com/2014/10/28/introducing-built-mobile-device-management-office-365/

50 Controlling Access to Office 365 ProPlus with the Office 365 Portal

51 Controlling Access with the Office 365 Portal
–For all company assets, you can enforce GPOs and use System Center to control who receives the production-approved build of Office 365 ProPlus.
–Users may eventually find out how to install Office 365 ProPlus from their Office 365 Portal: https://portal.office.com
–Prevent installs from the Office 365 Portal through the Global Admin page.

52 Demo: Block installs from the Office 365 Portal

53 ©2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, Office, Azure, System Center, Dynamics and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
