Interlink Cloud Blog
Eric Inch

"Stay Out Unless I Say So!" - The Sweetness of Azure AD Conditional Access

"Stay Out Unless I Say So!" - The Sweetness of Azure AD Conditional Access

I talk to a lot of customers using Office 365 that would like to have granular control on who can access the hosted services and only allow access to these services from corporate owned and managed devices. Enter Azure AD Conditional Access. “Keep out.. Unless of course you meet certain conditions!”

For example, with Azure AD device access rules you can restrict access to Exchange Online to only domain joined machines.

“Wait?! What?! That sounds just like what I’m looking to do.

What does that look like?”

 

When a user attempts to access Outlook Web App from a personal computer, they go to the OWA URL and enter their username and password.


The conditional access policy will look to verify that the device being used to access OWA is domain joined and registered in Azure AD. Since the computer is a personal computer, the user is denied access.


After closer examination using the “More details” link, you can see the access rules set require the device to be domain joined for access. In the scenario of personal computers, this will show as Unregistered.

Your access to corporate resources was swatted away like Dikembe Mutumbo. “Not in my house!”

“Good Eric, that’s all great but how about the full Outlook client? I would really like to see what options we have to prevent our users from connecting their personal Outlook client to our corporate email.”


When a user attempts to connect the Outlook client on a non-domain machine, the Outlook client will open and prompt the user for authentication.


The user will enter their username and password and the authentication process will look for a registered device.


Once again the user will be gently reminded that they need to be on a corporate owned device.

“Wow Eric, I’m really impressed by Conditional Access and the device access restrictions available in the Microsoft security suite. Anything else we should know? What about users that want to access OWA from other browsers?”

 

First and foremost, under no circumstance should you ever use anything other than Microsoft technology. Ever!

But, in the event some of your users want to go against my recommendation, to access corporate resources protected with device access rules they would need to use a supported browser. Conditional access support for applications: https://azure.microsoft.com/en-us/documentation/articles/active-directory-conditional-access-supported-apps/


The behavior when attempting Outlook Web App using the Google Chrome browser would be as follows:

The user enters their username and password from a non-domain machine.

Since the user is trying to use a browser that doesn’t support conditional access, it gives the user a warning that the browser is not supported and to use Microsoft Edge or Internet Explorer.

The device based access rules are configured within Azure AD Premium and have the following options.

  • Enable Access Rules – On or Off. (self-explanatory)
  • Apply To – Specific groups that you want to scope the access rules to. You also have the ability to except specific users from the scope.
  • Device Rules – The access rules you want to enforce for access to the corporate resources.
  • Application Enforcement – “For browser and native applications” OR “For only native applications” Exchange ActiveSync – Require a compliant device to access email

For more information on Azure AD Conditional access, please read the official Microsoft blog article AzureAD Conditional Access Policies for iOS, Android and Windows are in Preview!

 

Matt Scherocman

How Does Archiving in Office 365 Work?

Immutability is the industry-standard term for “preserving data in the system so that it is discoverable, and cannot be destroyed or altered."

With Exchange Server 2016, and Exchange Online, Microsoft enables organizations to preserve individual or all mailbox items for discovery natively, keeping those items within the Exchange infrastructure. This approach is called, In-Place hold.

One significant benefit of hold as opposed to separate, read-only storage is that items are preserved within the Exchange infrastructure, preserving more of the information including metadata and making management easier for IT admins. Users benefit because they can manage their mailboxes using the familiar Outlook interfaces. From an IT-perspective, In-Place Hold eliminates the necessity and complexity of maintaining a separate infrastructure and potentially storage for Exchange items.

Exchange gives organizations the flexibility to choose the architecture that can help meet their immutability requirements whether that is on-premises, online, or a hybrid of both, and supports the ability to store archived items in a separate physical location.

In Exchange Online, you can use In-Place Hold or Litigation Hold to accomplish the following goals:

  • Enable users to be placed on hold and preserve mailbox items immutably
  • Preserve mailbox items deleted by users or automatic deletion processes such as MRM
  • Protect mailbox items from tampering, changes by a user, or automatic processes by saving a copy of the original item
  • Preserve items indefinitely or for a specific duration
  • Keep holds transparent from the user by not having to suspend MRM
  • Use In-Place eDiscovery to search mailbox items, including items placed on hold

Additionally, you can use In-Place Hold to:

  • Search and hold items matching specified criteria
  • Place a user on multiple In-Place Holds for different cases or investigations

How does Litigation Hold work?

In the normal deleted item workflow, a mailbox item is moved to the Deletions subfolder in the Recoverable Items folder when a user permanently deletes it (Shift + Delete) or deletes it from the Deleted Items folder. A deletion policy (which is a retention tag configured with a Delete retention action) also moves items to the Deletions subfolder when the retention period expires. When a user purges an item in the Recoverable Items folder or when the deleted item retention period expires for an item, it's moved to the Purges subfolder in the Recoverable Items folder and marked for permanent deletion. It will be purged from Exchange the next time the mailbox is processed by the Managed Folder Assistant (MFA).

When a mailbox is placed on Litigation Hold, items in the Purges subfolder are preserved for the hold duration specified by the Litigation Hold. The hold duration is calculated from the original date an item was received or created, and defines how long items in the Purges subfolder are held. When the hold duration expires for an item in the Purges subfolder, the item is marked for permanent deletion and will be purged from Exchange the next time the mailbox is processed by the MFA. If an indefinite hold is placed on a mailbox, items will never be purged from the Purges subfolder.

The following illustration shows the subfolders in the Recoverable Items folders and the hold workflow process.

Archiving in Office 365

See this technet article for additional information, or you can view the general sales site from Microsoft here.

Contact Interlink today for help in defining your needs, which licensing options would be the best fit, and actually getting the service configured correctly to ensure the right data is being kept and deleted.  

Jason Wingert

Your Biggest Business Threat is The One You Can’t See: How to Battle it With Microsoft Security Solutions

Your Biggest Business Threat is The One You Can’t See: How to Battle it With Microsoft Security Solutions

Cyber-attacks are sophisticated security intrusions that cost organizations $4 billion dollars per year. Because of the growing risk of cyber threats, Microsoft has outlined the anatomy of how a cyber breach occurs and the different response options available to regain control of a compromised system in an interactive infographic.

view the infographic microsoft security

Using research from leading IT security experts, the anatomy of a data breach demonstrates that all it takes is a small lapse in cyber security to open up your network to a series of devastating attacks.

Modern IT infrastructure requires a robust suite of security solutions that can detect threats and provide managers with appropriate response options. Understanding the anatomy of a breach can help you understand which Microsoft security products can keep your data safe.

Interlink has seen the challenges with cloud security and the solutions, and we can help keep your identities and data safe. 

Connect with Interlink Cloud Advisors today.

Matt Scherocman

Difference Between Microsoft’s Cloud App Security and Office 365 Advanced Security Management

Difference Between Microsoft’s Cloud App Security and Office 365 Advanced Security Management

Cloud App Security and Office 365 Advanced Security Management are very comparable Microsoft products, and many of our clients are confused over the difference between them. Both were acquired by Microsoft through the acquisition of Adallom and give users the capability to create security policies and receive alerts when those policies are breeched. In addition, each of the products give users the ability to set manual or automation remediation. Focused on Office 365, Advanced Security Management (ASM) does that work automatically.

In contrast, Cloud App Security covers a wide range of SaaS-based applications - including competitor’s services like Box, Salesforce, and Amazon Web Services. Cloud App Security also adds more functionality including its own data loss prevention, ability to automatically add new applications, and integration with Security Information Event Management (SIEM) products. 

The below chart provides additional details on when each product includes:

Difference Between Microsoft Cloud App Security and Office 365 Advanced Security Management

Contact Interlink today to discuss your needs and which solutions would be a fit for your organization.  

Matt Scherocman

Secure Productive Enterprise – The Ultimate License Bundle– The New Enterprise Cloud Suite

Secure Productive Enterprise – The Ultimate License Bundle– The New Enterprise Cloud Suite

What is Secure Productive Enterprise? 

Companies want to continue to use the most advanced technology to enable their employees to achieve more, but all of these new and different products have resulted in a licensing headache. We hear constantly that attempting to navigate around Microsoft licensing can be challenging and frustrating. Microsoft created the Enterprise Cloud Suite (ECS) a few years ago in an attempt to simplify this process. It was a single licensing option that included E3, the Enterprise Mobility + Security Suite and Windows Desktop upgrade. Building upon this initial base Microsoft is now continuing to simplify this process with the introduction of the Secure Productive Enterprise. This will be bringing together Office 365, Windows 10 Enterprise upgrade, and the Enterprise Mobility + Security suite into a single licensing offering called the Secure Productive Enterprise. This will be replacing the Enterprise Cloud Suite and Microsoft will be introducing even more options by also offering an Office 365 E5 option in the bundle.   

Moving forward Microsoft will be standardizing packaging offers across Office 365, Windows 10 Enterprise, and the Enterprise Mobility + Security Suite by offering two tiers of the Secure Productive Enterprise: E3 and E5. This is what it will look like:

Secure Productive Enterprise

Microsoft will continue to evolve the Windows E5 edition by adding more functionality. The first difference is the introduction of Windows Defender Advanced Threat Protection for end point breach detection.

For more information, check out Microsoft's blog post Empower Your Employees with the Secure Productive Enterprise.


Interlink can help guide you through your options and help figure out what works for your users. We can help profile your users - remember that you don’t have to license everyone with the same license bundle in the cloud.  

Contact us for more information.

 

Welcome to the Interlink Cloud Blog

All content provided on this blog is for informational purposes only. The owner of this blog makes no representations or warranties regarding the information from our partners or other external sources.

Blog Categories

Interlink Cloud
Interlink Cloud
5 post(s)
Tips and Tricks
Tips and Tricks
2 post(s)
Outlook
Outlook
2 post(s)
Reporting
Reporting
1 post(s)
Cloud Storage
Cloud Storage
2 post(s)
Webinars
Webinars
14 post(s)
OneDrive
OneDrive
5 post(s)
Yammer
Yammer
3 post(s)
Azure
Azure
20 post(s)
SharePoint
SharePoint
10 post(s)
Microsoft
Microsoft
6 post(s)
Lync
Lync
8 post(s)
Office 365
Office 365
58 post(s)

Blog Archive