Interlink Cloud Blog


Welcome to the Interlink Cloud Blog

All content provided on this blog is for informational purposes only. The owner of this blog makes no representations or warranties regarding the information from our partners or other external sources.
Mark Dreyer

Conditional Access: Important Baseline Announcement


Make sure your organization is ready for changes to Conditional Access Baseline Protections!
___________________

Recently, Microsoft announced an update to Conditional Access policies regarding security. Read on to learn what will be replacing Baseline Protections, and how to turn it on!

Baseline Protections Update  

Microsoft currently has Baseline Protection Policies in place with Conditional Access to protect organizational accounts. Baseline Protections will stop being enforced on February 29th, 2020 and will be replaced with Security Defaults. Security Defaults are a set of basic identity security mechanisms recommended by Microsoft. New tenants will automatically have these enabled, but existing tenants will require action. When enabled, these recommendations will automatically be enforced in your organization. Administrators and users will be better protected from common identity-related attacks, but you must be sure to enable these features! View the Microsoft announcement Introducing Security Defaults, which explains this.

If you are currently using Conditional Access and want to set up the equivalent policies in place of baseline, contact us today!

Mark Dreyer

Multi-Factor Authentication (MFA) & Conditional Access


Learn how to take advantage of these services from Azure Active Directory!
__________________

Recently, Microsoft started to offer free cloud-based Azure Active Directory Multi-Factor Authentication. In addition, you can gain many premium features such as branding, password protection, hybrid identities, group access management, conditional access, and identity protection & governance with different paid versions. Read on to find out which version is best for your organization and how a deployment will best optimize your organization!

What is Multi-Factor Authentication (MFA)?  

At the basic level, Multi-Factor Authentication adds security through a two-step verification process. This introduces a significant challenge to attackers because even if an attacker manages to learn a user’s credentials, they are useless without also having an additional authentication method. The additional method can be a trusted and not easily duplicated device (such as a registered cellphone), biometrics like facial recognition or fingerprint access, or a domain-joined PC.

Mark Dreyer

Azure Active Directory: Finding the Best Plan


Learn how to take advantage of these services from Azure Active Directory!
___________________________________

Which Azure Active Directory Plan is Best for Me?  

Azure Active Directory comes in four editions:

  1. Free
  2. Office 365 Apps
  3. Premium Plan 1
  4. Premium Plan 2

The Free edition is included with an Office 365 subscription. If you are interested in upgrading to a Premium version, contact us today and we will walk you through which plan is best for you and how to deploy/govern this upgrade! View a detailed list of Azure AD plans and pricing details.

Eric Inch

"Stay Out Unless I Say So!" - The Sweetness of Azure AD Conditional Access

I talk to a lot of customers using Office 365 who would like to have granular control over who can access the hosted services and only allow access to these services from corporate-owned and managed devices. Enter Azure AD Conditional Access. “Keep out... unless of course you meet certain conditions!”

For example, with Azure AD device access rules you can restrict access to Exchange Online to only domain joined machines.

“Wait?! What?! That sounds just like what I’m looking to do. What does that look like?”

When a user attempts to access Outlook Web App from a personal computer, they go to the OWA URL and enter their username and password.


The conditional access policy will look to verify that the device being used to access OWA is domain joined and registered in Azure AD. Since the computer is a personal computer, the user is denied access.


After closer examination using the “More details” link, you can see the access rules set require the device to be domain joined for access. In the scenario of personal computers, this will show as Unregistered.

Your access to corporate resources was swatted away like Dikembe Mutombo. “Not in my house!”

“Good Eric, that’s all great but how about the full Outlook client? I would really like to see what options we have to prevent our users from connecting their personal Outlook client to our corporate email.”


When a user attempts to connect the Outlook client on a non-domain machine, the Outlook client will open and prompt the user for authentication.


The user will enter their username and password and the authentication process will look for a registered device.


Once again the user will be gently reminded that they need to be on a corporate owned device.

“Wow Eric, I’m really impressed by Conditional Access and the device access restrictions available in the Microsoft security suite. Anything else we should know? What about users that want to access OWA from other browsers?”

 

First and foremost, under no circumstance should you ever use anything other than Microsoft technology. Ever!

But, in the event some of your users want to go against my recommendation, to access corporate resources protected with device access rules they would need to use a supported browser. Conditional access support for applications: https://azure.microsoft.com/en-us/documentation/articles/active-directory-conditional-access-supported-apps/


The behavior when attempting Outlook Web App using the Google Chrome browser would be as follows:

The user enters their username and password from a non-domain machine.

Since the user is trying to use a browser that doesn’t support conditional access, it gives the user a warning that the browser is not supported and to use Microsoft Edge or Internet Explorer.

The device-based access rules are configured within Azure AD Premium and have the following options.

  • Enable Access Rules – On or Off. (self-explanatory)
  • Apply To – Specific groups that you want to scope the access rules to. You also have the ability to except specific users from the scope.
  • Device Rules – The access rules you want to enforce for access to the corporate resources.
  • Application Enforcement – “For browser and native applications” OR “For only native applications”
  • Exchange ActiveSync – Require a compliant device to access email

For more information on Azure AD Conditional access, please read the official Microsoft blog article AzureAD Conditional Access Policies for iOS, Android and Windows are in Preview!

 
