Azure AD Conditional Access Deep Dive - Joe Kaplan

Captions
So this is me. I'm Joe Kaplan. Thank you all for coming. I don't know if any of you know me, but maybe a few of you, especially my co-workers who were kind enough to show up and cheer me on here today. So yeah, I'm a guy from the local area. I work at Accenture, and so I'm possibly a little bit different from the people who do the consulting work and the product work and whatnot, but I've been doing Identity and Access Management for a pretty good long time. I've been working at this for like 25 years or so, and I've spent my entire career at Accenture, which probably sounds like a crazy, crazy thing. So I actually come from a development background. I wrote this book years ago, which maybe some of you may have bought or maybe not, I don't know. It's still out there, you can still get it on Amazon. I'm not really very interested in LDAP programming anymore. I know that there are some people in the room who still do, and I do, I do still, yeah, and I use your tools and I loved your tools, and I do find I have LDP running on my machine all the time because I can't stop looking at that stupid thing. But I'm kind of a cloud guy for the most part these days, and I do Graph API queries too, and I'm actually trying to improve my skills there. So we have this haiku theme with HIP, and so sprinkled throughout my presentation as well are a few conditional access oriented haikus. I challenge you to spot them. They are not necessarily part of the thing, they're just meant to entertain you, but you can do whatever sort of haiku dance you want if you see them, and we'll just kind of keep moving on. All right, so we're going to talk about conditional access. I call this a conditional access deep dive. Now, what kind of a deep dive are you really going to get in an hour? It's not that deep, yeah, but what we're going to try and do is actually give you a good general overview of how conditional access works in the first piece, and then I am actually going to do a
slightly deeper, much more nerdy talk about device-based conditional access, which is the piece that I think is the most interesting. It has the most complicated and weird plumbing, and I'll try and give you some more stuff around that. So that's kind of our overall journey here. A quick show of hands: conditional access users, who is in Azure, who's using conditional access now? Does anyone know anything about this? Tapas, yeah, you're a GA and you do this all the time, you don't count. But all right, so any familiarity at all? So if this is all new, that's great, then you guys may actually learn something, that'll be cool. So in any event, this is my only fancy slide. You will be able to tell that I did not do this, because when I actually copied this slide from a Microsoft deck from Ignite, I didn't even know it had a build in it, and I'm so bad at PowerPoint I didn't even know how to turn it off. But this is their beautiful slide that actually explains conditional access. We're not going to drain all of this and we're not going to get to every different piece of it, but it is a pretty amazing and elegant system for doing authorization in the cloud, and I'm going to take you through a slightly different version of what it's all about. But let's skip the slide. First thing I want to do, though, is talk about licensing. So hopefully we at least have a bunch of O365 customers in here and people know a little bit about Azure and enterprise licensing and whatnot. So the main thing that you need to know is that to get conditional access you have to have Azure AD P1. That's kind of like your minimum bar to entry, and so you can get that through P1 or EMS E3, and generally speaking Microsoft is expecting you to buy this for all of your users. It's what they call full tenant licensing, so buying one license is generally not what they're expecting you to do, even though it will light the feature up. And so there are some features
that go with some of the pieces, like, you know, Intune is EMS E3 or E5, multi-factor auth is P1, and the custom controls feature used to be P2, it's down to P1, so actually something got cheaper. Risk-based auth is the P2 feature in this, we'll talk about that a little bit, but the bottom line is that this is part of the premium suite for Azure Active Directory, OK? And I'm not going to attempt to explain Microsoft licensing any more than that, other than it's something you'll have to talk with your account reps about, OK? Moving on. So let's talk about some basic concepts around what conditional access is all about. So this is an authorization platform for protecting your cloud applications, and cloud applications can mean a lot of things, and we'll talk about that a little bit more later, but here are a couple of examples, and I use Accenture examples. All my screenshots are from our actual real policies, you'll see all that in a second, and Jonna will see that and she will laugh because she probably created some of them. But so, for example, a conditional access concept might be: when Accenture employees are trying to access anything in Azure, they must perform multi-factor authentication. And this is an actual policy that we have, and I will actually even show it to you, but this is something that we want to do: for anything that we have that is an application managed by Azure, we want everyone to use MFA. "MFA all-in" is what we call this, and this is something that you would do with conditional access, OK? We also can do some other funkier things, like when specific users are accessing a specific application, they must use a domain-joined Windows PC, and this might be in addition to requiring MFA. So this is like, I'm already going to MFA you, but I'm also going to constrain you to using only this device to do this. And so it's a really rich and interesting platform, it allows you to do a bunch of different kinds of stuff. These are the kinds of things that you're
doing with it. These are based on this concept of condition statements and controls: if this, then allow this. OK, good so far? Good. No, actually, I would say that we were probably the original BYO company. We put all of our apps on the internet before it was cool, and one of the things that I will say is that that's been incredibly liberating for us as a company. I think it allowed us to move into modern authentication and single sign-on a lot earlier than a lot of other people did. What we've actually been able to do with this technology is claw back some stuff. Like, we had our SAP environment on the public internet. You could log into the web-based portal and it required multi-factor authentication, but, you know, guess what, maybe SAP isn't something that we want people accessing with their home machines, and now I can actually enforce that if I want, and I can say you actually really need to use your domain-joined, compliant device for this app. And so it's actually allowed us to keep our ecosystem being very public facing and looking just like a giant pile of SaaS applications, and make interesting policy decisions based on individual applications. So yeah, we're actually still pretty BYO, but we're reeling it back a little bit. OK, anatomy of a policy. So this is our default Azure MFA policy that we're looking at here. There's three things, so we're going to actually talk about this stuff. So we have targeting, like what the policy applies to; the conditions that we're applying in this policy; and then the controls that are going to be implemented on top of the policy, OK? There's your three basic building blocks of a conditional access policy, ready to go. OK, let's talk about targets. So there's basically two things that we target in our targeting stuff: we target stuff related to users, and we target stuff related to applications, OK? Users would be just like who's in your Azure AD, and users can be a bunch of interesting stuff
too. It's not just members, it can be guests with B2B. I'm not going to really talk about B2B, but they're in there and they can be targeted as part of this ecosystem, OK? And applications are all of your apps. For most customers, this is going to start off with your Office 365 investment, so it's going to be Outlook and SharePoint and all that kind of stuff, because those are the things that are automatically going to authenticate against your Azure AD. But you also have this whole rich world of SaaS applications that you can integrate with Azure AD, plus you can integrate all of your own applications with Azure AD as well. Go ahead. That's a good thing. I wasn't actually sure, I couldn't think of a way that you'd be able to target those users if they're not in your directory. You'll kind of see in a second that would be weird, but yeah, there's some stuff in the B2C app model, especially when you're having like consumer users and your internal users accessing, you can stitch those scenarios together, but there's some stuff to think about. But so you have all these enterprise applications. We've been talking about all this modern auth stuff that you can do with FIDO and whatnot, OpenID Connect, basically modernizing your applications, but as you do this you can add them here. If you are planning on having a big investment in the Microsoft platform, I would highly recommend that this be where your apps end up. This is as opposed to, like, putting them in an AD FS system, which we did a lot of and now have a little bit of buyer's remorse, so I'll tell you a little bit about that later. AD FS is great, we've gotten a ton of mileage out of it, but I have literally 5,000 configurations in AD FS that I now want to move to the cloud, and that's a really expensive project, as it turns out. And then you can also take traditional applications with Azure App Proxy, and I'm not going to talk about App Proxy very much. It's a really pretty fascinating technology, but
just imagine it's kind of like a Lego block converter where you can take an on-prem Kerberos app that's on your internal network and turn it into a modern auth app that is available on the external network and has all these different kinds of controls like single sign-on and multi-factor authentication and, you know, integration with Hello for Business and all this policy magic that we can do on top of it. So it's a really neat technology, definitely something worth looking at in the Azure landscape, because it's also remarkably easy to deploy for the kind of magic that it does. OK, so here's a code. So we're going to look around a little bit within our conditional access policies. One of the things that you'll see is that there's usually a way to include people and a way to exclude, and this is actually really, really important. It allows you to craft fairly rich policies. So one of my dear friends, a somewhat legend in the field of identity management named Brian Poole, once told me "all identity management is exception management," and just let that sit right there. I was like, wow, Brian, that's really deep, that's super cool, and that's almost certainly the coolest thing I'm going to say all week. But the nice thing here is, because there's rich features related to exclusions within your ability to target users, you can do all the exception management you want related to this stuff, and you will find that there are certain things that you want to do. Like, see this guy down here, "pin firefighter one": when everything is sad and broken and you need to go to your break-glass accounts, you might not want those to require multi-factor authentication, for example, because how are you going to do it? So yeah, if you find that you need this, you might want to make sure that you have those things in place. I hid some of the names here, but the bottom line is you have rich semantics for doing this. The other
thing that's really great about this is that this supports any group in Azure AD and it works with nested groups. I don't know how many of you work with Azure AD, but there's always a weird song and dance as to which features in Azure and Azure AD work with nested groups and which don't, and this one does, and that makes this feature useful, as opposed to all the other features that don't work with nested groups, like licensing and app assignments and Azure app roles, which drive me nuts because we're a big company, we manage all of our groups on-prem and they're all nested. And so anyway, this works with nesting, it's beautiful. Yep. So this is not an Azure AD disaster recovery talk, but the really quick thing I will say on that is that you want to make sure that you have break-glass accounts that are Azure-specific accounts that are not on-prem federated accounts, because if things go really, really bad and you find that you need those things, you want to make sure that you have them, you know where the passwords are for them, and that you also might want to make sure that they don't require MFA in case you need to use them. These frequently are going to have, like, GA, global administrator access in your tenant and stuff like that, but yeah, whether you put it in your desk drawer, whatever it is that you do. So yeah, so anyway, let's move on: targeting applications. I will quickly run out of time if I don't go through the basic stuff here quickly. So we talked about users; targeting applications. So essentially what you do is you pick apps from the list of applications that you have configured within Azure AD that you can use to target. There's some new functionality coming out, it's either out or will be out soon, like preview-y things related to being able to put apps into groups now, which will help you with the management of these things. But the idea is that you're going to target apps, and you can also do exclusions. So, as
per the caveat there, be careful with selecting "all cloud apps." All cloud apps will really apply this policy to everything, and you want to make sure that you don't cause dreadful harm by doing these. We do actually have a policy that targets all cloud apps, though, for MFA in our environment, and it literally forces us to do MFA on everything, with those excluded users. OK, so I think that's probably enough on targeting applications, unless there are questions. I'm going to move on to conditions. We're good to go to conditions? Yep, yep, OK, cool. So I'm not going to talk about all the conditions, there's a number of different types of conditions, but I'm going to drill down on a few of these. So sign-in risk is a condition. This is related to, so there's a feature within Azure AD Premium P2 called Azure AD Identity Protection, or it's usually called risk-based authentication, and we'll talk about it in a second because I've got a slide on it, but that is one of the conditions that you can apply. Client, device type, and location. I'm not going to talk about the other ones, although the device state one is pretty interesting, because device state is both something that you can use as a condition and also something that you can use as a control, so it's a little bit confusing, but there are actually some really interesting uses you can do with device state as a condition, and if we have time later maybe we'll come back to that. All right, so we talked about this a little bit, but the basic idea here with risk is that, so basically what Azure is doing with every authentication is evaluating the risk of the authentication based on a bunch of heuristics that are going on. Like, it looks at, you know, the source IP of where somebody's coming in and the unusualness of it, and it basically scores every authentication that it sees coming into the platform, and they will get a risk score, and then what you can do is
based on the risk at runtime of that authentication that Microsoft has assigned, you can have different policies trigger. Like, if this looks like a high-risk thing and it's with the CEO's credentials, maybe you want to force an MFA, maybe you don't want that to happen at all, and so there's a bunch of interesting things you can do with doing risk-based auth in the platform. This is the feature that you need to step up to P2 to get, though, OK? And I think that that's all I've got for it, but it is a really, really interesting and super-rich piece of the platform that I would definitely recommend people check out and take advantage of. Yes, Miles? Uh-huh. So it's actually being assessed always, and you will actually get risk scores in your audit logs. It's just that for you to actually be able to articulate your own policies about what you want to do about it, that's what you're paying for. But it's actually incredibly fast and it's done on every single authentication. Yeah, so it has this really complicated heuristics model. There's some really interesting talks on how it works and all the various machine learning and stuff that goes into it, and how they're constantly updating the ML models and how they make it super fast and whatnot. At the first HIP conference a year and a half ago in New York, someone did an entire session on this. It's a really cool technology. I don't have enough time to get into a lot of detail, but it is one of the crown jewels of the platform. It is a really pretty interesting piece of technology in terms of how it works and how it's able to make these policy evaluations at really high speed using machine learning technology. So yeah, if you've got P2 you should definitely use it, and if you're thinking of a reason to buy P2, this is pretty neat stuff. So first of all, one thing to know is Accenture has not yet bought P2, so we are not
actually using this yet. We're admiring this problem. At half a million people, all licensing discussions end up being just crazy amounts of money and, you know, take us a long time to come around to these things. Since we require multi-factor authentication for everything all the time as well, most of the remedies that you're likely to implement with this stuff would do a step-up to MFA anyway, and so from our perspective we don't necessarily get as much value with this. We are interested in this for things like service accounts that have MFA disabled on them, for example. You know, they generally have much longer passwords, but they're also an interesting attack surface because they're not being MFA'd. So OK, yeah, oh sure, go ahead. Teaching Azure your locations ends up being important to get good results out of any of the location-based awareness stuff as well. Wait, let's get to that in a sec too. So, Darren, we don't have this feature, I haven't used it yet, I have that slide. I need to keep going. So, I mean, yeah, and so you have a lot of flexibility with targeting. Like, for example, you could specifically target your executive leadership team for stuff and do interesting things for them that you might ignore for your lesser important people and whatnot. But yeah, OK, let me talk about device. So this is basically, you can target specific devices accessing stuff, and you see the devices that are available here, and you can also do exclusions based on devices as well. And so this is pretty interesting, because you can make policies apply only to specific platforms. You'll notice that Linux is missing, as are Chromebooks, which we find slightly annoying. It's not a huge big deal for us, but Chromebooks are actually kind of becoming a little bit more of a big deal for us. But it is possible to block things that can't be detected as a platform, so on the exclude side you can basically say
everything including unsupported, and it will then apply to Linux even if it doesn't know what it is, OK? So, targeting devices. Is it OK if I keep going? Yeah, I guess I don't want to run out of time. Location. So location basically gives you the ability to target things based on locations. Azure AD gives you the ability to feed in things like your IP ranges, so like whatever your egress IPs out of your corporate network onto the public internet are, you can feed that data back into Azure AD, for example, and then you can name these things and use them as trusted locations. Basically, you can then allow Azure AD to treat these things separately, so you could do things like when my people are on my internal network they have to do this, but if they're not on my internal network then they have to do this. So that's what this stuff is based on, and there's a number of different ways you can specify it. You can do it based on IP ranges, you can do it based on countries and regions. That "mark as trusted location" thing has additional semantics that feed into other parts of the platform, like MFA and whatnot, but it's a powerful mechanism. A lot of people are really, really interested in this, especially inside/outside semantics. It's something we're starting to care about less, because we're trying to move to this model where we don't think of our internal network as being special, and especially we're trying to think of the data center network as being special but the office networks as being a hotbed of contamination, basically just one step above a Starbucks. And I think this is healthy, this is growth, right? So, you know, at the same time some of those semantics become less and less interesting, and like I said, we force everyone to MFA all the time anyway, so I don't care if you're on the internal network or not. But I will tell you, so here's a
here's a specific example of something we did do with this, though. So we had an app and we really wanted to MFA the app, and the app was basically using legacy auth. There was nothing we could do with this, so we're like, OK, we're going to use this App Proxy thing, we're going to put the App Proxy in front of it, and that's going to allow us to turn it into modern auth, and then I can put an MFA policy on it through conditional access. Now it's MFA'd, except what happens when you App Proxy something is it ends up on the public internet, and they're like, oh, we don't really want this on the public internet. It was on the internal network and now you put our special thing that we're all scared about on the public internet, and that scares us. And, like, OK, so we can do this thing whereby we can say to get to this app you have to be accessing it from our internal network. And so even though the endpoint is on the public internet now, you cannot actually access it unless you're coming from our internal network, and we've effectively made it an internal-facing app from the client perspective even though it is actually public facing. So you would call this a stupid CA trick, but there's a lot of really interesting things you can do using the policy language in the framework. OK, I'm going to jump over to controls. There are more controls than there are conditions, and we are only going to talk about the highlighted ones, but I will briefly highlight the ones that we're not going to deep dive into, which are the bolded ones, so you kind of know what they are, and then we will dive in a little bit deeper on the bold ones. Sound good? OK. So, controls. The most basic thing you can do is allow or block. This is an incredibly rich policy framework, but if you just want to do a user policy that says block unless it's these guys, you can totally do that: block, except for these users, and you've done a
really basic access control list. So those semantics are there. Obviously there's a whole lot more stuff that you could do, but that is a thing that you can do. Terms of use: like, anyone ever having GDPR, not sure if they have GDPR problems, and their lawyers say throw up terms of use everywhere just to make sure that we're covered for GDPR. So there's some really powerful functionality within the platform where you can force people to accept a terms of use in order to gain access to something, and the platform will not let them in until they accept your terms of use. You can have multiple terms of use objects created that allow you to basically provide different terms to different types of systems. Like, we have one for Intune and we have one for MAM and we have one for this and whatnot, so you can do different stuff with this. There were a bunch of really interesting features that were just dropped around the holidays for terms of use, where you can now make terms of use per device if you need that, and you can make them expire, make people redo them periodically, and stuff like that. So in any event, it's an interesting thing that makes the lawyers happy, and you should take advantage of it because it's right there. You can force people to reset their password, which is kind of neat, and this goes really well with the risk-based sign-in. If Azure detects that your password has been compromised through their heuristic mechanism, if you're doing the password hash sync and whatnot, they will tell you when it finds people whose passwords have been dumped on the public internet, and then you can actually use this to force them to change the password, or you could just do it whenever you want. This is part of the risk-based stuff. So the custom controls: there's some extensibility in the system that you can apply. Like, you can use Trusona, for example, to do additional high-end identity proofing. It's kind
of neat. You can do session-based auth, which is CASB, which is a whole other topic that I'm not going to talk about, but you can basically say I want them to go into a special session broker to have their session monitored because of blah-dee-blah, and this is how you bootstrap into CASB through conditional access, OK? And so we are going to talk about these other three things: hybrid Azure AD join, compliant device, and multi-factor auth. Yes? So, it literally has nothing to do with GDPR. It is literally the ability to display a terms of use, which is something that sometimes people will use as part of a strategy around how they attempt to be in compliance with GDPR or any other thing that the lawyers think requires a terms of use to be done. Like, a more common example might be we want you to accept the terms of use to use your personal mobile device to access our Office 365 services, like if you're using MAM or something like that, and I'm not going to get too much into all the mobile stuff and whatnot, but the lawyers will frequently want you to do these things, and you have this whole Swiss Army knife toolbox of things that you can do with it. But it would be incorrect for me to say that it really has anything to do with GDPR, because that's really specifically around implementing a whole set of controls that may or may not have anything to do with terms of use at all. Yeah, no, not really. I mean, I know that there's an extensibility point here as well that I haven't played with at all. I have had numerous discussions with the Trusona guys about their passwordless auth and high-end identity proofing. This is the only thing I really know about that and all the players in this ecosystem. It's kind of neat, and the kind of thing where, like, one of the things that we were thinking about with it was that maybe we would actually use this for high-end identity proofing for really special targets
within the company, like the guys who have access to the bank stuff, like the treasury guys who are always getting phished and whatnot. Maybe there's some stuff we would want to do there. It's the kind of thing that you'd like to do on your executive leadership team, that you'd probably get fired if you actually deployed it, because they'd be like, where's my secretary? So in any event, basically no, I don't have a lot of experience with any of the customization stuff there. OK, so talking about MFA. If there's any one thing that anyone was to do with conditional access, and anything that anyone is doing in the cloud at all, everyone should just be doing MFA. It's incredibly important. It's so much easier to deploy than it ever was before, and if you're buying P1 you now have MFA. Just use it, deploy it, it's good. And there's a lot of richness in this platform, but requiring multi-factor authentication is one of the things you can do as a control, in any case, as part of a conditional access thing. I will talk a tiny little bit about Windows Hello for Business. This is my new favorite thing. Conditional access was my old favorite thing; Windows Hello for Business is my new favorite thing, so this is the last time I will ever talk about conditional access in public. But one of the things that's really cool about Hello for Business is that it is actually treated as an MFA-based authentication when you go against Azure AD, so that sign-in to your device that's like magic and fast, it all flows all the way up to the cloud, treated directly as MFA by the platform, OK? So I have a little bit of stuff related to troubleshooting, and there's really a couple of things that we're going to talk about related to troubleshooting, and after this we're going to do our pivot to the device auth and get a little bit nerdier. But there's two basic things you're likely going to be using for doing troubleshooting related to
conditional access. So, sign-in logs. And this is an example of the sign-in logs. One of the cool things with the sign-in logs is that, you don't see this column right here? It shows you which conditional access policies may have been applied to any particular authentication event, and whether or not the conditional access policy allowed the thing through or blocked it. It's incredibly useful for the person who's saying "I can't get in" and you have to try and figure out what happened: you go find them in your logs, look for them, and do it that way. There's also this thing called the What If tool, which allows you to basically do what-if scenarios on your conditional access policies, to give you an idea, if you do this, what will happen. And so you should definitely use that when you're planning out your stuff, to try and make sure that you don't do the thing where you accidentally block the CEO and everyone else in the company from getting into Exchange, which is really, really easy to do. So yeah, any questions on troubleshooting? And then we're going to start to pivot into device auth. OK, device state. So this has been something I've been working on personally for a few years now, and I was talking about that. So I would say we were kind of the original BYO company, but now, as the landscape of horrifying devices on the internet becomes more apparent to everyone, and the sacredness of the corporate device and what we at least think we're doing in terms of managing those endpoints becomes important to us, we would very much like to be able to treat the device as a first-class citizen of the policy model. Because just knowing the user's identity and being really certain about that doesn't necessarily mean that we can trust that, because if they're coming from a device that is not trusted, that identity may not be trustworthy, OK? So device state is important. Being able to understand the device state is something that you might want to be
able to do. So, in any event, I'm just gonna talk a little bit about some of our stuff, and I think I hit on a bunch of these things already. So we're a big company. We've got about half a million users in our directory. We're not as big as those guys over there, but we're pretty big, and it's a pretty interesting place to work as an identity management professional. We hire like a couple thousand people a week at Accenture, so yeah, it's crazy. And some of this stuff we were talking about with B2C is related to our former employee directory: we're now at a point where there have been a million people who are now former employees of Accenture in the world since we started keeping track, and that's a lot of people who worked for us and have quit. In any event, I'm not one of them yet.

Okay, so we have lots and lots and lots of public-facing web apps. Our normal deployment model for what we would call an application at Accenture is a browser-based web application that's on the public Internet. This is our bread and butter, what we do all the time, and we do this in the cloud, we do this on-prem, but we have a crazy amount of public IP space and we use a lot through Amazon and Azure and whatnot, and this is our normal deployment model. So all of our apps look like SaaS apps. Our big things have been MFA'ing the entire company: everyone in Accenture is MFA'd, all half a million people, and we have MFA applied to thousands of applications, including the entire Office 365 suite. So it's a pretty cool story. We've also hybrid domain joined our entire fleet of half a million workstations successfully, and we're applying the policy that says if you're going to use the Outlook desktop client you have to be on a hybrid domain joined device, which, if you think about the ops around that, is pretty interesting,
because if you have like a 0.1 percent failure rate you've got thousands of failures, and it's just been pretty solid for us so far. Yeah.

Um, so, okay, we do something complicated here. I think I have a slide on this, I can't remember where. Well, we will get to it; I'll just explain it now. So what we do, actually, like a lot of big customers, is that all the Azure AD users with accenture.com UPN suffixes are federated; they go back to on-prem AD FS. And there's another feature within your Azure AD federation configuration where you can flag a specific federation configuration as supporting MFA, and so what happens then is that any time Azure wants to MFA something, it'll just say, "oh, I'm not gonna MFA them, I'm going to send them back to on-prem." So we actually have Symantec VIP integrated with AD FS on-prem, and we actually wrote our own AD FS MFA plugin for it. They have one, but we wrote ours first and we like it better, so we just use our own. We're actually in the process of dumping this and moving on to Azure MFA. Are there Symantec people in the room? We've been a paying customer for Azure MFA, and it no longer makes financial sense for Accenture to invest in two MFA platforms, and we'll consolidate on the one that we can't get out of, which is part of our EMS E3 license. So, yes. But the good thing with our architecture is that this is actually doable: if I can re-register my users in Azure MFA, they only really exist in two spots, in that one thing on AD FS and in the cloud, and I could kind of flip everyone over, which is neat. Okay, but yeah, I won't talk about Symantec, the other things you can do with Symantec, because we use it in a relatively specific way, but we do have a pretty giant deployment of it. [audience question] ...because Symantec also... and when we're moving into Azure... Oh, you totally can, if you do this right. Very, very bright, yeah. I think there is native support now, and yeah, we would never
use that. Our goal is to continue to use the thing we have until we migrate off, and yeah, that should be soon; we're working hard on that right now.

Okay, so let's do the device auth deep dive. So first of all, in order for devices to be authenticated, which is how you actually know who they are and can make interesting decisions about them, they all have to get registered. There's a number of different ways that things can get registered; let me just run through this real quick. By the way, who's messing around with this stuff? Who's doing hybrid join with Windows 10, or even with Windows 7, or using Intune, registering devices that way? Anyone? Like, everything but Windows 7 actually works; you can totally do that. Anyone doing Azure AD join, like modern management? Cool. All right, we're not yet; we're admiring modern management but not really quite there yet.

Okay, so anyway, this is how stuff gets registered. Basically, with Windows 10, this is GPO-based and your machines will basically automatically register themselves, or you can do Azure AD join, or you can do "Add work or school account," which I recommend you avoid, because you cannot get compliance through that. And then there's some other stuff you can do with your down-level stuff, and then mobile is Intune, and Mac is Intune through Jamf. Any Mac Jamf people? Yeah, you will need Jamf, and yeah, I don't know what else to say. Sure, that sounds reasonable, yeah. There's Mr.
NDES over there. So in any event, if you're doing Azure AD join and you were wondering where the settings are that control this stuff, there's actually not a giant amount of surface area. By the way, these are not the recommended settings; these are just settings. This is just where the settings are. Do not take anything that you see checked or unchecked here as what you should be doing. This is not prescriptive guidance; this is just literally where the settings are. So under Devices in your Azure AD, go to Device settings, and this stuff over here will control device registration for the Azure AD join use case.

Do people understand the difference between hybrid join, Azure AD join and work or school account? Should I explain that real quick? Okay, let me try and explain that real quick. So hybrid join is for machines that are domain joined. You probably mostly have domain joined machines, and what happens in hybrid join is that the devices will register themselves in Azure AD with some software that's built into Windows 10, based on some configuration that you put in your tenant that's generally managed through Azure AD Connect, which you're probably also running. Essentially, all of the machines will end up with device objects that get created in Azure AD that allow them to authenticate to the system. It's generally done silently: there's a GPO, it's on by default, and if you have the rest of the plumbing in place, so you've gone through the Azure AD Connect stuff to turn it on, it should really just work. Your machines will all register themselves and they will end up with a device object in the cloud, and you'll be able to look at that and tell them apart from people who did just "Add work or school account." "Add work or school account" is when you click on the box in Windows 10 and do Add work or school account, which is not something I would recommend you do a whole lot of in the corporate world, but it has uses on
personal machines and whatnot. Azure AD join is the pure modern management version. So basically, in Azure AD join your machine is not actually joined to an Active Directory forest; it's joined to Azure Active Directory, you're logging in with an org ID onto the machine, and you're using pure modern management. Amazingly, there's all this plumbing that allows everything to work: Windows Hello for Business can actually be configured on these things, and you can actually get Kerberos login to AD resources and whatnot. But the pure modern management use case, for people who are either interested in moving off of the dependency on the on-prem directory and having computer accounts, to the pure modern management thing, is Azure AD join, or, like all the new companies say, "why would I ever deploy an Active Directory? That would be crazy." This is how you do it. So those are your three basic things. Device management as a whole is a giant topic and I probably can't really get into it a whole lot more than that, but those are your three options for Windows 10, basically, and 8.1 and 7 are basically hybrid or work or school account; there is no Azure AD join for down-level. Okay? Is that okay?

So there's a little bit of stuff about what happens when things are registered. In hybrid, I'm not going to drain all this, but essentially there's some step-by-step stuff here that shows you what happens, and eventually the machine is going to get a certificate. Certificates are part of the plumbing of everything; they were part of the plumbing of all the stuff that we were talking about with FIDO and whatnot, and the public key/private key stuff is everywhere. With the manual stuff, you essentially go through a flow where the user is doing something interactive, but you'll eventually end up getting a certificate with the public key known to Azure AD, so it can authenticate with it later. Okay? Typically the certificate
is going to be protected by the TPM on the machine as well, so it's actually good, strong credential protection. So this is actually just a screenshot right out of our thing that shows a giant mix of stuff that's in our environment, and you will see that if you're looking at your devices dashboard within Azure AD, you'll see all the stuff out there. So we've got a giant mix of things: there's hybrid Azure AD joined stuff, there are Android machines that are registered, somebody just added their work or school account for something, there's stuff that's set up with Intune. If things are managed with Intune, you will also see your compliance state, and we're going to talk about compliance in a sec, because compliance is interesting. But this is the view of an ecosystem of devices that has a bunch of different stuff going on. Do I have a Mac example in there? I don't think I captured a page with a Mac example. I got an iPhone and Android, but okay. So, talked about this a little bit.

Okay, so let me just talk about this big blob of stuff over here. At a certain point in your Azure AD explorations, you may get to the point where you need to look at the Graph API. Anyone who has ever felt like they needed to look at raw LDAP stuff, this is for you, because this is where the stuff is, and I would highly recommend anyone who wants to be a very strong administrator or developer of this platform to gain a little bit of familiarity with the Graph API. It's really pretty interesting, semantically rich; a lot of it is actually pretty LDAP-y, except that it's all kind of JSON and OData and whatnot. But this is an actual dump of a device object out of Azure AD from the Graph API perspective, and you can see some stuff in here. One of the things that you'll see is that this particular device object has no compliance state but is managed, and this is an indication that it is a hybrid
join machine. You also see a bunch of stuff related to the metadata around Azure AD Connect. So, really great advanced troubleshooting stuff. Allen actually had a link to how you get to the Graph API, but I would definitely recommend spending a little bit of time poking around in there and just looking at stuff, because it's where all the dirty details are. Let me keep going, because we're gonna run out of time.

Okay, so I talked about device compliance, so we have a good pivot here. Basically, when you're doing conditional access policies, there's really kind of two device-related things you can do. You can say the device is hybrid Azure AD joined, which basically means it's just a domain joined machine, okay? You can also say the device is compliant, and compliance is something that is maintained by Intune, and you can actually do either/ORs on these things. But basically, compliance is an Intune thing: if Intune says that the device is compliant, it will be marked in the directory as being compliant, and then any policy enforcement that is done that requires compliance will look at that state after the device is authenticated and make a decision as to whether or not it's compliant. So it's basically your Intune compliance policies, however those were applied and last polled and stored in the directory, that are dictating how that works. And so we talked a little bit about registration; Intune is a big piece of this. Anyone looking at Intune and co-management for their hybrid? That's just us. So if you want to use Intune to do compliance-related stuff in the cloud for your Windows machines, then you end up having to look at either modern management or co-management, where you're basically installing Intune on all of your machines in addition to your SCCM client. So a lot of you may end up on that journey if you want to be able to use these levers on Windows
machines. And this is how you would already be doing your MDM stuff. So, for example, an MDM-managed mobile device that is compliant with Intune will show up in Azure AD as being compliant, so when that device authenticates, if you require a compliant device for whatever thing they were accessing, it will work. If they're no longer compliant as of whenever the polling frequency came through, they will get blocked, and it's an important, useful thing. To the extent that you're getting good compliance information around Intune, this is how it all loops back in and gets enforced. Okay, and this is real; this is a for-certain thing that happens.

So, device authentication. There is some crazy, magical, weird stuff in Windows 10 for device-based authentication that works differently than everything else. With everything else, we're basically using client certificates; there's some special magic that gets added into some of the stuff in the mobile stack, but mostly we're doing client certificates and client TLS. In Windows 10, there's this thing called the token broker and the Web Authentication Manager, so there's a bunch of specific plumbing within Windows 10 that allows devices to authenticate directly to the platform, and there's this notion of this thing called a primary refresh token, or a PRT. This is lingo that gets bounced around quite a bit. A PRT is really, really similar to a Kerberos TGT in terms of the function that it serves in the ecosystem, but the main thing to know is that Windows 10 is different, and there's a bunch of special plumbing within Windows 10 to make all this stuff work, and Windows Hello for Business piggybacks on top of it as well. So yeah, I possibly could do an entire talk on that, but in any event, the main takeaway there is Windows 10 is special and has all this extra stuff in it. [audience question] Yes, so it's more like... it is the token that is used to get
other tokens. So there will be, you will potentially have other tokens that are used to get another refresh token. For example, the primary refresh token might be used to get a refresh token for Outlook against Exchange, and then your Outlook client will have a refresh token that's Exchange-specific that it then uses to get access tokens, doing the OAuth thing. Your machines are doing this all the time and you don't really even know it, but that whole bootstrapping thing where you're hopefully not getting asked for creds all the time, that would be because you have this primary refresh token. Does that explain it a little bit better? Okay.

I think that I'm nearly out of time, so I'm gonna start skipping ahead a little bit. Very quickly, related to device authentication, there's some neat customization stuff that nobody knows about that you can do. When we block people from getting to applications because there's something wrong with their device auth, the error tends to be a little bit mysterious, and we really, really wanted to have an ability to tell people, in some Accenture-specific way, "your stuff is not working and here's how you get out of jail." So there's some customization endpoints available in here where you can create your own web UI for specific types of errors within conditional access that you can take advantage of if you want to.

You can also, if you're doing AD FS, do device auth on-prem. So if you hybrid register your machines, you get these device objects in the cloud; if you're running Azure AD Connect, those device objects can actually be synced back to on-prem with what's called Azure AD writeback, which is something that Connect will do. You'll basically end up with a bunch of device objects in a special container within Active Directory, and then AD FS will be able to reason over them. This state will be mastered out of Azure AD, so, like, if the compliance state
changes in Azure AD through Intune, it will write back to on-prem, but you can then actually use device auth on-prem against AD FS with the platform if you have all this stuff enabled. Okay.

My new favorite thing. I wish we had time to talk about this; I wish I was doing a talk on Windows Hello for Business, but next time. Next time we will talk about Windows Hello for Business. It's such a beautiful thing. It has a bunch of crazy warts on it that make it somewhat difficult and challenging to deploy, but it is a really, really cool thing, so next time we'll talk about it. But yeah, it's MFA without passwords, and it is a great technology and definitely something I would encourage people to start looking at within their enterprises, and it works in this entire ecosystem really, really cleanly.

So, some troubleshooting. The one thing I will say about troubleshooting device registration on Windows 10: there is a command called dsregcmd.exe /status that one will run from time to time and look at things, and it has output that looks like this, and this stuff is incredibly useful for understanding the state of any given device and knowing whether it's working correctly or not. You'll notice here, in my user state, I have an Azure AD PRT but I do not have an Enterprise PRT. This would be really helpful to know, because this machine would never enroll for Windows Hello for Business if it doesn't have an Enterprise PRT, and these are the kinds of things that you, as an IT professional who might be deploying this stuff, might need to know and want to know how to troubleshoot. So the logs: there's a bunch of device state-specific stuff that actually has pretty decent plumbing. And I'm basically out of time. I'm gonna leave two minutes for additional questions. Hopefully this was interesting and useful to you guys, and you got a decent overview of conditional access, and then we jumped in the deep end with device-based conditional access. But anyone
have any questions? [audience question] Clearly the conditional access stuff is very much aimed at modern management, modern authentication use cases. Like I said, this stuff does bleed over into on-prem, not necessarily from a conditional access perspective unless you're using a proxy. A proxy is this great connector to on-prem stuff: you can take all your Kerberos apps and turn them into modern auth apps and then start applying these policies and these controls to them, and you don't have to completely modernize your entire fleet of applications in order to take advantage of that stuff. Windows Hello for Business is pretty cool; it does Kerberos-based login without passwords. It's like being able to deploy smart cards to an entire organization without actually ever having to have a smart card. So, cool stuff. Anyone else? Mm-hmm. So there's capability within AD FS in that you can do authorization policies within AD FS, and the state related to the devices is available if you're doing that writeback stuff like I was saying, so there is some capability there. You know, I think the writing is on the wall for additional investment in on-prem AD. I mean, did anyone notice that there's not even a forest functional level change in 2019 AD? Yeah, that's all you need to know about on-prem AD. But anyway, I'm out of time, guys. Thank you very much, I appreciate it, and yeah, I hope you got something out of it. [Applause]
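The following is an added example, not code from the talk or from any Microsoft tool. It ties together two things the speaker describes: reading the device and user state that `dsregcmd /status` prints (hybrid join vs. Azure AD join vs. "Add work or school account", Azure AD PRT vs. Enterprise PRT), and the two device grant controls in conditional access ("require hybrid Azure AD joined device" and "require compliant device", combined with OR or AND). The `dsregcmd` output and the Graph-style device objects below are constructed samples; the field names assume the documented `dsregcmd` keys and the Microsoft Graph `device` properties (`trustType` of `Workplace`, `AzureAd` or `ServerAd`, `isManaged`, `isCompliant`). The mapping of hybrid join to `trustType == "ServerAd"` is an assumption made here for the example.

```python
"""Added example (not from the talk): interpret Windows 10 device
registration state and evaluate the two device grant controls the talk
describes. Sample data below is constructed. Assumes the documented
field names of `dsregcmd /status` and of the Microsoft Graph `device`
resource (trustType: Workplace / AzureAd / ServerAd, isManaged,
isCompliant)."""
import json
import re

# Constructed sample in the shape `dsregcmd /status` prints on Windows 10,
# mirroring the talk's case: Azure AD PRT present, Enterprise PRT absent.
SAMPLE_DSREGCMD = """\
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : NO
           WorkplaceJoined : NO
             WamDefaultSet : YES
                AzureAdPrt : YES
             EnterprisePrt : NO
"""

_KV = re.compile(r"^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$")


def parse_dsregcmd(text: str) -> dict:
    """Turn the `Name : Value` lines into a dict; box-drawing and blank
    lines are skipped and YES/NO become booleans."""
    state = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if not m:
            continue
        key, val = m.group(1), m.group(2)
        state[key] = (val.upper() == "YES") if val.upper() in ("YES", "NO") else val
    return state


def classify_registration(state: dict) -> str:
    """Map the device-state flags onto the registration types from the talk."""
    if state.get("AzureAdJoined") and state.get("DomainJoined"):
        return "hybrid-azure-ad-joined"
    if state.get("AzureAdJoined"):
        return "azure-ad-joined"
    if state.get("WorkplaceJoined"):
        return "azure-ad-registered"  # "Add work or school account"
    return "not-registered"


def prt_issues(state: dict) -> list:
    """Problems a troubleshooter would flag. Per the talk, a hybrid-joined
    machine without an Enterprise PRT will not enroll for Windows Hello
    for Business; without an Azure AD PRT the device cannot present its
    identity to Azure AD for device-based conditional access at all."""
    issues = []
    if not state.get("AzureAdPrt"):
        issues.append("no Azure AD PRT: device identity not presented to Azure AD")
    if classify_registration(state) == "hybrid-azure-ad-joined" and not state.get("EnterprisePrt"):
        issues.append("no Enterprise PRT: Windows Hello for Business will not enroll")
    return issues


# Constructed Graph-style device objects (only the fields used here). The
# first matches the talk's observation: managed, compliance state null,
# i.e. a hybrid-joined machine that Intune is not evaluating.
SAMPLE_DEVICES = json.loads("""[
 {"displayName": "LAPTOP-HYB",   "trustType": "ServerAd",  "isManaged": true,  "isCompliant": null},
 {"displayName": "PHONE-INTUNE", "trustType": "Workplace", "isManaged": true,  "isCompliant": true},
 {"displayName": "PHONE-STALE",  "trustType": "Workplace", "isManaged": true,  "isCompliant": false},
 {"displayName": "BYOD-PC",      "trustType": "Workplace", "isManaged": false, "isCompliant": null}
]""")


def device_grant(device: dict, require_hybrid: bool, require_compliant: bool,
                 require_all: bool = False) -> bool:
    """Evaluate 'require hybrid Azure AD joined device' and 'require
    compliant device', combined with OR (default) or AND (require_all).
    A null compliance state is treated as not compliant, which is why a
    hybrid-joined box with no Intune evaluation passes only through the
    hybrid-join control."""
    checks = []
    if require_hybrid:
        checks.append(device.get("trustType") == "ServerAd")  # assumed mapping
    if require_compliant:
        checks.append(device.get("isCompliant") is True)
    if not checks:
        return True
    return all(checks) if require_all else any(checks)


if __name__ == "__main__":
    state = parse_dsregcmd(SAMPLE_DSREGCMD)
    print(classify_registration(state), prt_issues(state))
    for d in SAMPLE_DEVICES:
        print(d["displayName"], "allowed:", device_grant(d, True, True))
```

Running it classifies the sample machine as hybrid joined and flags the missing Enterprise PRT, and shows why the OR/AND choice on the grant controls matters: the hybrid-joined laptop with a null compliance state is allowed under "hybrid OR compliant" but blocked under "hybrid AND compliant", while the stale phone and the unmanaged BYOD PC are blocked either way.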
Info
Channel: Semperis
Views: 5,282
Rating: 5 out of 5
Id: wGzVtaAT2Iw
Length: 59min 26sec (3566 seconds)
Published: Mon Sep 09 2019