Published by Suzanna Long. Modified over 9 years ago.
4
Diagram: SharePoint Server, Exchange Server and Active Directory inside the corporate network; a DMZ; mobile devices, PCs and browsers on the Internet. Perimeter policies: filter EAS; filter web access; filter or block mobile app access; block unmanaged devices; prevent downloads; force multi-factor authentication; require domain joined; force traffic via proxy/VPN.
5
The current reality…
6
Diagram: SharePoint Server, Exchange Server and Active Directory inside the corporate network; a DMZ; mobile devices, PCs, browsers and SaaS apps on the Internet. Challenge: the perimeter cannot help protect data. Solution: access control and data containment integrated natively in the apps, devices, and the cloud.
7
Diagram: corporate network (SharePoint Server, Exchange Server, Active Directory, firewall, perimeter network) with standard on-premises integration; cloud (SharePoint Online, SaaS apps) with native cloud integration; device side: native device MDM, Intune App SDK/Tool, AD Authentication Library. Managed Office productivity and security: O365: mobile productivity. Azure AD: identity and access control to O365, SaaS apps and on-prem apps. Intune: mobile device management; data container for Office mobile apps. Azure RMS: information protection at file level. Extensibility: enable business apps to interoperate with Office Mobile.
8
Introducing ‘Conditional Access Control’. Inputs to the conditional access decision: Application: business sensitivity (cloud and on-premises applications). User attributes: user identity, group memberships, auth strength (MFA). Devices: authenticated, MDM managed, compliant with policies, not lost/stolen. Other: network location, risk profile.
10
Securing O365 Services with EMS (for employees). Secure data in transit: encrypt emails/attachments shared externally; track/audit rights-protected document usage; remote kill document access. Revoke access: revoke company resource access from lost/stolen devices or ex-employee scenarios; selectively wipe corp data. Control access: block Email/SharePoint until enrolled and compliant to IT policies; simple end user experience; revoke access on policy violations. Prevent data leaks: encrypt application data at rest; restrict data sharing to managed apps; enforce application-level policies; built-in data protection for Office apps.
12
Access control to Outlook clients on iOS/Android. Components: Outlook App; Azure AD (Unified Enrollment; device object with device id, isManaged, MDMStatus); Quarantine Website; Intune; Outlook Cloud Service; Office 365 EAS Service. Flow: 1 Authenticate user and device (Workplace Join + management). 2 Redirect to Intune (Step 1: enroll device). 3 Enroll into Intune. 4 Register device in Azure AD. 5 Set device management/compliance status. 6 Issue access token. 7 Access Outlook Cloud service with AAD token. 8 Get EAS service access token for user. 9 Get corporate email. 10 Email delivered.
13
Access control to SharePoint from OneDrive mobile apps. Components: OneDrive App; Azure AD (Unified Enrollment; device object with device id, isManaged, MDMStatus); Quarantine Website; Intune; Office 365 SharePoint Online service. Flow: 1 Authenticate user and device (Workplace Join + management). 2 Redirect to Intune (Step 1: enroll device). 3 Enroll into Intune. 4 Register device in Azure AD. 5 Set device management/compliance status. 6 Issue access token. 7 Access SPO service with AAD token. 8 Documents synced.
16
ABAC (screenshot of the Azure AD portal for the fabrikam tenant: Dashboard, Users, Groups, Devices, Applications, Reports, Configure).
17
Screenshot: access rules for an application in the Azure AD portal (application list: 1&1 Control Panel, 1010data, 15Five, 1to1Real, 24SevenOffice, 4Imprint, 5pm, etc.; selected: 1&1 Control Panel; tabs: Dashboard, Configure, Access Rules, Owners). Apply to: All Users or selected groups (Add Group / Remove Group), with an Except list of groups. Status: Off / Monitor / On; Monitor will generate statistics but not impact user access. Rules: Require multi-factor authentication; Require multi-factor authentication when not at work; Block access when not at work; Require a compliant device; Require multi-factor authentication when device is not authenticated. Configure “work” network location.
18
Owner: uday Presenter: sam
20
Diagram: Azure Active Directory; corporate network; DMZ.
21
AD FS and Hybrid Conditional Access. Components: Active Directory; AD FS 2012 R2 or higher (device AuthN, MFA adapter, conditional access policy as claim rules); Intune (device MDM compliance); Azure AD (registered devices write-back to Active Directory).
22
Device-based conditional access on premises. Components: Active Directory; AD FS 2012 R2 or higher (device AuthN, MFA adapter, conditional access policy as claim rules). Policy: MFA required for an unregistered device.
24
Owner: Sam Presenter: sam
25
VPN: support for major SSL VPN vendors (Cisco, Juniper, Checkpoint, SonicWall, F5) and custom VPN payloads; support for native VPN standards (PPTP, L2TP, IKEv2); automatic VPN connection; app-triggered VPN on Windows 8.1 and Windows Phone 8.1; per-app VPN for iOS. Wi-Fi: support for multiple authentication types (WEP, WPA/WPA2 Personal, WPA/WPA2 Enterprise); specify the certificate to be used for the Wi-Fi connection.
26
Deployment; usage with resource access profiles; renewal; revocation.
29
Conditional access to on-prem Exchange Server 2010/2013 via EAS. Components: EAS client; on-prem Exchange Server; Quarantine; Intune; Azure AD DRS (Unified Enrollment; device object with device id, isManaged, MDMStatus, EASIDs). Step 1: enroll device; Step 2: register EAS client (Workplace Join + management). Flow: 1 Policy: block non-managed devices. 2 EAS client attempts email connection. 3 If not managed, push device into quarantine (quarantine email). 4 Workplace Join + management. 5 Register device in Azure AD; enroll into Intune. 6 Set device management/compliance status. 7 Register EAS email client. 8 Create EASID to device ID binding. 9 Allow managed device. 10 If managed, email access is granted. Who does what? Intune: evaluate policy, manage device state and mark the device record in AAD. Exchange Server: provides the API and infrastructure for quarantine.
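As an added example, not from the deck or any Microsoft product: a constructed Python evaluator for the access rules and Off/Monitor/On status on the access-rules slide (slide 17) and the Azure AD device object with its EASID-to-device-id binding shown above. The outcome names, the MDMStatus values and all sample records are assumptions.

```python
# Constructed model of the slides' access rules and Azure AD device object; not Microsoft code; sample data made up.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class DeviceRecord:          # Azure AD device object: device id, isManaged, MDMStatus, EASIDs
    device_id: str
    is_managed: bool
    mdm_status: str          # assumed values: "compliant" / "noncompliant"
    eas_ids: set = field(default_factory=set)

@dataclass
class Request:
    user: str
    groups: set
    device_id: Optional[str] = None   # None: device not authenticated (no Workplace Join)
    eas_id: Optional[str] = None      # EAS client id, mapped to a device via the EASID binding
    mfa_done: bool = False
    at_work: bool = False             # inside the configured "work" network location

def resolve_device(directory, req):   # by device id, else through the EASID-to-device-id binding
    if req.device_id in directory:
        return directory[req.device_id]
    return next((d for d in directory.values() if req.eas_id in d.eas_ids), None)

def apply_rule(rule, req, device):
    """Outcome of one access rule: allow, require_mfa, block, or enroll (redirect to Intune)."""
    if rule == "Require multi-factor authentication":
        return "allow" if req.mfa_done else "require_mfa"
    if rule == "Require multi-factor authentication when not at work":
        return "allow" if req.at_work or req.mfa_done else "require_mfa"
    if rule == "Block access when not at work":
        return "allow" if req.at_work else "block"
    if rule == "Require a compliant device":
        ok = device is not None and device.is_managed and device.mdm_status == "compliant"
        return "allow" if ok else "enroll"
    if rule == "Require multi-factor authentication when device is not authenticated":
        return "allow" if device is not None or req.mfa_done else "require_mfa"
    raise ValueError(f"unknown rule: {rule}")

def evaluate(policy, req, directory, audit):
    """policy = {"status": OFF|MONITOR|ON, "groups": set, "except": set, "rules": [...]}"""
    targeted = "All Users" in policy["groups"] or bool(req.groups & policy["groups"])
    if policy["status"] == "OFF" or not targeted or req.groups & policy["except"]:
        return "allow"
    device = resolve_device(directory, req)
    outcomes = [apply_rule(r, req, device) for r in policy["rules"]]
    decision = min(outcomes, key=["block", "enroll", "require_mfa", "allow"].index)  # strictest wins
    audit.append((req.user, decision))               # statistics shown in the Monitor view
    return "allow" if policy["status"] == "MONITOR" else decision  # Monitor never impacts access
```

An unmanaged or non-compliant device resolves to "enroll", which is the redirect-to-Intune / quarantine path on the flow slides; a device that is only known through its EASID still resolves to its device record.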
32
Refer to the session at Microsoft Ignite on “Securing Access to Microsoft Exchange and SharePoint Online services with Microsoft Intune“ by Dilip Radhakrishnan & Chris Green. Device health attestation flow: 1 Device: “Access please”. 2 Service: “Prove to me you are healthy”. 3 Device requests proof from Intune, AAD & Windows Attestation Service and presents it: “Here is my proof”. 4 Approved. 5 Access to company resources (documents, email).
33
“Enterprise data protection”: user-friendly work/personal separation; manage what data is “Enterprise”; audit intentional data disclosure for business/personal. Business apps & data are managed; personal apps & data are unmanaged; data exchange between them is blocked or audited.
35
Auto-connect VPN; VPN traffic filters; application-based filters; unified platform VPN: open to 3rd-party plug-ins.
37
Intune: device & app management. Office 365: productivity. Azure AD: identity and access.
38
Microsoft’s Differentiators: cloud-hosted corporate data protection; best end-user experience for mobile productivity; world-class engineering and security with a single support system and 3rd-party ecosystem; complete solution for application and device management, access, identity, productivity, and data protection.