Protect ALL Applications with Microsoft Entra

Captions
Hi everyone. In this video I'm going to explore protecting all of your applications, no matter where they are, with Microsoft Entra. And yes, it's Microsoft Entra: Microsoft Entra ID is the new name for Azure Active Directory, and we have the idea of Microsoft Entra. I think the Entra name is really coming from the fact that, hey, it's your entryway to all of your services. Identity really is that front door and that great experience. So we have Microsoft Entra, and what we as an organization have, what used to be an Azure AD tenant, is now a Microsoft Entra tenant. This is where we have all of our users, our groups, our devices. Our tenant is trusted by all those other services that, hey, our users are going to interact with, and our users and our devices are going to have all these different signals that we can use to make the right decision about granting and controlling that access. But the key point here is I do want to protect all of my applications.

Now I can easily think, well, obviously there's Microsoft services, so, hey, we have the various Microsoft solutions. That could be Microsoft 365, Dynamics 365, we have things like Azure. All of those trust Microsoft Entra ID. I can write my own applications, so I can go and write my own custom application; maybe it's for my company, or maybe it's something I'm writing for a multi-tenant situation where I want other people to leverage it. There are many other applications: there's a gallery, and in that gallery there are huge numbers of third-party SaaS solutions that I can easily, with the click of a button, go and add and make available in my environment. I can even have the idea that I have my own applications that are currently sitting on premises, and these on-premises apps, more and more of them now are web-based in some way. Well, they can also trust and have single sign-on, a seamless experience for the end user, using my Microsoft Entra tenant. And that's really the key point around all of this.

Now they'll work in different ways. I can obviously think about how those cloud-native technologies, well, they often use things like OpenID Connect and there might be OAuth flows; I might use SAML, and if it's not in the gallery, hey, I can onboard other applications using SAML. When I think about this on premises, well, what it's actually using here is App Proxy, and this is going to enable those applications, whether they're talking things like, hey, maybe they are talking SAML, but maybe it's more those on-premises things: maybe it's talking Kerberos, maybe it's just header-based. There are even ways I can do things around, for example, a password-based authentication: hey, the first time they try and use the app it's going to make them enter a password, which will get vaulted and then injected in on seamless authentication requests. When I'm using Kerberos, hey, the connector is going to use Kerberos constrained delegation to go and get a token and seamlessly get me access to my application. So the point is it doesn't matter where my app is: if it's a Microsoft app, if it's an app I'm writing, if it's a third-party app, whether it's in the gallery or not, if it's an on-premises app, all of those things will just be available.

And if we jump over and look at this, if I'm in the portal and I'm looking at my applications and Enterprise apps, we can see when I add new applications it's, hey, I can search the gallery, in which there are thousands of different apps available I could search for. But if I say create my own, this is where we get all those other options: hey, I can link to my on-premises applications, I can develop, I register an app I'm writing, or integrate any other app that's maybe not in the gallery. Now I can submit to Microsoft and say, hey, have you considered adding this app to the gallery? But if it's not, if it speaks SAML, well, I can just go and add it, I can make it available. So we have this identity provider, your Microsoft Entra tenant, that is your entryway to any app. It doesn't matter where it is, and when I talk about on-premises it doesn't necessarily have to be on-prem; it could actually be running in a different cloud, but it's not an OIDC and OAuth 2 enabled app. Maybe it speaks Kerberos, maybe it's that header-based, whatever that is, I can still get it integrated.

And what we want to focus on when we think about all of this is the end user. So I absolutely have my end user and I want them to have a great experience. If my user's over here and they're out there, now I'm drawing a machine very badly; it doesn't necessarily have to be a machine, it could be their mobile device, a tablet, a phone. There are many different form factors and operating systems I can support here. But they may just use a URL directly and get a fantastic experience. There are also apps and websites, for example My Apps, that present them all the apps available to them. They can organize it however they want, so they get a really nice experience for the interactions, and then what they're going to do from there is, well, they're going to go and perform that authentication against my Microsoft Entra tenant. And what we want to provide for the user is, there is this great experience, but I want to give them this single, this seamless sign-on experience. I don't want them to constantly be prompted for authentications; they just want it completely seamless for them. And again, even if I'm on a mobile device, if I have things like Microsoft Authenticator installed, that acts as a token broker, so even if I'm going through different applications I'm still going to get that completely seamless experience.

Now as that end user, we jump over again. For example, here what I'm looking at is I'm logged in as Clark, so I'm Clark Kent over here; obviously the icon's giving away who he really is. But I'm looking at my dashboard. I've got some favorite applications, but I might have media apps, I have all the apps available to me, and I get this completely seamless experience. Now what can be super interesting here is, hey, I have my favorite applications, but one of the additional things is for many browsers we have this idea of a My Apps extension. And again, I don't want the user to worry about where they are or what they're doing; I get a completely seamless experience even if I only knew the internal URL, which I normally would if I'm on the corporate network or VPN'd in. That extension is going to go and do the conversion for me, but, hey, I can still go and completely seamlessly get to my app, and you'll notice it's even authenticated. Now what I'm playing around with here, this is an on-premises app, and you see it converted the URL to what I need to use by the App Proxy to get to that on-premises app, but the user didn't need to know anything, and I just as easily could have clicked on any of these little icons; it would do exactly the same thing. So from the end user, be it through the My Apps experience, be it they just entered the URL directly, or they're using one of the great portal apps for their mobile device, they get this completely seamless experience, which is what we want for our users. We don't want them to have to think or worry about these types of things.

And I do want to try and make it as extreme as possible when I show these things. It's super easy to do anything just in the cloud; I'm actually going to show apps I have running on premises, so I'm using that App Proxy, but we'll see everything we do is going to work exactly the same way. All of the protections I want work for my app anywhere; it's not just my cloud apps, hey, it's going to work for my on-premises ones as well.

Now we hear about zero trust. We hear about, hey, we don't trust the network. We hear about, we constantly want to validate every single request; we want to think about all the different signals that are available to us and then make good choices, prompt good authentication strengths based on, well, what are the current signals we're getting from this particular authentication or this authorization request to get a new token for the user. So every single time we try and access, we want to re-gather those signals, and signals are so important.

Now when I think about the user, so if I was to just think user signals, there are signals about the overall health of the user and specifically the user risk. Now I can think of all their signals: is the user's credential found on the dark web? Are we getting feeds from Microsoft and their partners about things they've learned about the user or requests they've tried to perform? So there are offline signals that can be correlated to understand how risky the user is based on all these different things we are hearing about them. But then there's also the idea of, well, real time. So as I'm performing this authentication I can think of real-time sign-in risk, and again we've got all these different signals that we care about. Now sign-in risk is much harder to do, because at the time of the particular authentication, the authorization, I'm trying to get a new token, what can I look at without breaking the user's experience? I can't wait five minutes to go and correlate things. So we can look at things like, well, unfamiliar sign-in properties: is it coming from an IP it normally comes from, a regular type of device, a regular browser, a regular location? Is there additional risk detected? Is it some anonymized IP address, are you on Tor Browser? Those are all very high-fidelity signals, so I can make real-time decisions, not just based on, hey, all these other things that are coming in over a period of time and correlated, but this specific one; it could be the first time they've ever had this malicious type of activity on them. At that point of sign-in, what signals are available, what can I do there? And this is where you get Microsoft Entra Identity Protection.

So here this is just looking at some of those types of signals, and it tells you which ones are real time and which ones are offline. So offline is obviously part of the user's overall risk; real time, they'll actually go into the sign-in. Yeah, hey, look, it's a verified threat actor IP, that's a real-time activity; anonymous IP, additional risk, unfamiliar sign-in properties. So all these different things that are leveraged go into that type of, hey, what is the risk for the user, what is the risk for that sign-in. And obviously there are many other types of signals as well. I'm on a particular device, so I have an idea what the device state is. The device state can be, well, what is the client application they're trying to use right now, what is the location, are there attributes: is it a SAW, a secure access workstation? That could be an attribute of the device. Is it compliant? So we have mobile device management technology, for example Intune, that can push policies that can, hey, make sure you are meeting those, you're not being jailbroken, for example. So I can look at what's the health of the device. The user, well, they have user properties; the user has various group memberships, I can use that as part of the signal. And of course, what app am I actually trying to get to? I can drive different things about that.

So if all of these different signals, and we can see these, so once again if I jump over to the portal quickly: if I go and look at my Protect and secure, Conditional Access policies, and I'll just create a new policy quickly. But we can assign based on the user, or select users, or are they external, and obviously you can exclude. I can target particular cloud apps, so look, all the apps available; I could have a filter based on attributes of the app. I can look at different conditions around the user risk, the sign-in risk, the device platform, the location, the client app; I can do filters. So I have all of these options available to help me govern, okay, well, when should certain policies apply to the various signals and their values that I'm actually getting.

And so if we think of all of these different capabilities, we have all of our apps no matter where they are, we have all these signals. Conditional Access now, Microsoft Entra Conditional Access, this is our security guard. This surrounds any attempt and every attempt that is trying to get a token, an authorization attempt to get a token for a particular service. It doesn't matter if it's a cloud app, if it's an on-premises app, it's going through this Conditional Access. I always think about Conditional Access as like Gandalf standing there: you shall not pass. That's your Conditional Access. And so based on all of these different signals we're getting, depending on the values, is it a medium risk or high risk with an unknown location, etc., this is going to drive particular controls. Maybe we just allow that particular authorization request to go through and they get a token and they're good to go. But maybe I'm going to require a particular authentication strength. We're used to the idea of saying, oh, well, we require MFA, but we're now moving beyond that.

So I can go and look for a second, if I jump over, so once again I'm in my Protect and secure, I go to my Authentication methods, I'll just discard that, I can look at Authentication strengths. We have these built-in strengths, so sure, there's multi-factor authentication, which can be anything; then there are things like passwordless MFA and even phishing-resistant MFA. So I can go to different strengths that will require these. So passwordless is: I can't use SMS text messages, I can't use a phone call, but I can use, hey, Hello for Business or a FIDO2 security key, certificate-based, or the Microsoft Authenticator app where it prompts up and I type in a number and it authenticates me; it shows me things like my location. Then phishing-resistant is even more strict. This takes away the Authenticator app, and the reason it does that is, technically speaking, I could still phish with the Authenticator app, because someone could call me up and say, hey, um, I'm testing you, I need to make sure you're really who you say you are, I've sent you a challenge, prove to me you have your phone by typing in this number, and they're like, okay. Well, you phished them. Whereas the phishing-resistant, it's there in the device: it's a certificate connected by a card to the device, it's a FIDO key inserted into the device, it is the device with Windows Hello for Business. So we have these different levels available to us, and I can also create my own. So in my case here I added my own one that I also support: you can do the password and the Microsoft Authenticator. So you can create your own combinations of what are maybe the authentication strengths you really want.

And then if we just go back, we can see all of these; we have all of these controls. I can block access, I can grant access, I have all these different options around what I need. I can say, hey, I need one of them or I need all of them, so you have complete control. I can even do session-level controls to be more granular around what I can or can't access. So these controls are huge in scope. So I could also drive things like, hey, the device requirements: it has to be hybrid joined, it has to be, um, compliant. So our device requirements. I have to accept a terms of use, and the list goes on, to all the different things that I can drive with that Conditional Access.

Now there are many ways that I can apply these. We're used to the idea that we would create a Conditional Access policy, for example, for every particular application and then craft all the combinations of what we're having, and then we end up with a lot of Conditional Access policies and they get harder and harder to actually manage. So one of the other things that we can do, and this is actually, I'm really liking this new capability, is we have the idea that, well, instead of doing that approach, why don't we have the idea, and I'll use my universal pen when I really like something, what about if I create application labels or rings? You can use different terms for what we're going to do, but I'm going to think about classifying my applications. Now my app labels could be things like, hey, I have a low security requirement app, maybe I've got a medium security, maybe I've got a high. And then what I could do for those is I can combine with the signals. Say if it's a low priority app and there are no signals, I don't need to do anything. For medium, and my signal is, well, hey, there's a sign-in risk, maybe I want to drive a behavior: well, we have to do an MFA, I don't care which one, you can use a text message, it's a medium priority, sure. But maybe if it's a high priority and I detect the same sign-in risk, this is just an example. I want to make sure I hit all of the different combinations; I don't want a gap in my scenarios that something could fall through and not get any challenges. But maybe I require a strong MFA and maybe I need it to be a compliant device. So I'll create my policies based on this attribute, this label I'm going to do, and then once I've defined those labels I'll go and tag all of my applications with their label. So, hey, this gets its label, this gets its label, and this gets its label, and this gets its. Everything gets a label; everything is tagged with a particular label of, in this case, maybe it's just my security level that I require. And then I'm going to drive policies off of that. So I'm going to define what they are, what the different categories are, then I'm just going to create policies around the categories and then just assign them to the applications. There's a bit of upfront work, but then it's just a matter of assigning to the app.

And we can see this. So let's think about those stages. The first step would obviously be to create the attributes. So in this case I've got an attribute set of application attributes, and what I've done in this case is I've defined this idea of an application protection level, and I've defined it as three predefined values: low, medium, high. So that's it. And then all I would then do is, well, for the applications, I was going to focus on two apps in this scenario. My Doggos IIS app, hey, I look at my custom security attributes, I assigned it a value for the application protection level of medium, so you can see that right here. Whereas my other application, just regular Doggos, no IIS, well, this is a high priority; I want more stringent controls. So I just go to each app and give it a label: hey, this is your attribute, etc. Once I've given those labels, now all I have to do is, instead of creating hundreds of Conditional Access policies for every app and all its combinations, for my policy now, in this case I've just created two of them. If we look down here, I created a medium and a high protection level policy. My medium policy, I'm triggering it based on a filter to say, hey, if the application protection level is medium, and in this case if that is true, so it's been tagged as medium, then what I'm going to do here is grant access and just require some kind of authentication strength, I don't care which one, and I'm only doing this if it's a high or medium sign-in risk. And again, I'm just showing you one scenario; you obviously want to make sure all your scenarios are covered. So that's for a medium. So for a medium app, if there's a medium or above sign-in risk, make them do some kind of MFA to validate it's really them. If it's a high protection app, again we just target it in exactly the same way, but this time my value is set to high. Well, now I'm still looking at just the sign-in risk medium or high, but I want to be even more strict. So this time I require the Authenticator App MFA, so it could be password and the Authenticator app, it can be one of the passwordless ones, it could be Hello for Business; I have these various options, but I require a stronger type of MFA. But in addition to that, I require the device to be marked as compliant, so be it Intune, for example, is checking the policies and making sure it's good. I need those things, and I've actually got it set to require one of them, but I could set it to be all of them are required. So that's it: we set the attribute, and then once we set the attributes, hey, I create the policies.

So now what is that user experience? Now you already saw, let me just check something's up and running. So what we're going to have here is, for my user, you already saw the user when they just went through the regular My Apps experience; theirs would not have any sign-in risk, they don't get prompted to do anything. I also want to show that right now the device I am logged into, if I was to go and look at all my devices, I'm on my studio PC, which is this one, and you can see my MDM is Intune, and the important part here is I am compliant. So I am on a compliant device, so we know I got a great, easy experience when I'm just doing a regular logon. But now let's use a Tor Browser. Now remember, that compliance, that's not just Windows; that would apply to Windows 10/11, Linux desktop, macOS, iOS, Android, tons of different options there. But I'm going to try and access the medium priority app. So I'm on the medium priority app, I'm going to try and go to it, and obviously I'm going to get to that as Clark. So obviously with Tor it's going through, it's bouncing around, it's anonymizing my IP, which Microsoft Entra is going to see; it's going to get that signal. So I have to log in. So let's log in as Clark, and it's going to do the regular, hey, I need your password. Okay, let's give it my password. But it's detecting risk. It's, well, you're on an anonymous IP, so this is this real-time detection and it's just not happy. So normally it's going to make me do my Authenticator app, but I'm going to say, hey, I can't use this right now. But look at all the options it gives me. I have a lot of different options, because remember, all it was doing was saying, hey, you require some kind of MFA. So I'd be like, okay, I can just use my phone, it's not super important. Verify. Now this will then prove I've met that control that Conditional Access stipulated. So it's like, okay, it must really be Clark, I'm happy with this, because they could prove everything else. And say, yeah, you can see it's signed in now, and at this point it will go through, it will get the token for that app, and I'm good. So there's my dog. Okay, great. This is an on-prem app; Conditional Access still applied all of those protections for me.

Now I'm going to try and access another app. Now this is the higher priority app, which has been marked as that high level. So this session, remember, already is authenticated, but it has a stronger requirement. I did text-based MFA, which is not meeting what this needs. Now I'm still going to say I can't use my Authenticator app right now, but notice my choices are very different. It's not giving me the SMS option now because I've said, hey, I have a stronger requirement. So I'm going to say, this is what I wanted to show off, a bit of fun, approve it on my Outlook mobile app. So what's happened here is, Clark, so now this is on the iPad, notice it's saying, hey, enter the number, so it's showing me 82. If I type in 82, and this is in the Outlook app, this is just native in Outlook, 82, yes, and then it's making me just re-prompt. So that was all in the Outlook app for iOS, and that's performing that authentication. You can see in the background it's authenticated, and we can see it's also, in this case, a header-based authentication, so it injected it into this on-premises app that uses header-based auth. So it's done that for authentication. So I still got that additional Conditional Access even though this app is sitting on-prem, but it's a real-time live signal that made that work.

Now I did want to have a little bit of fun and show the Outlook app. Now so in this case Clark forgot his phone; well, he has the Authenticator app, luckily he had the iPad that only had the Outlook client. And what we've done here is, if we go and look, if once again we're looking at those authentication methods and we go to the Microsoft Authenticator, one of the options we can now turn on is "on companion application". Now I enabled it for everyone, so as long as the user doesn't have Microsoft Authenticator installed on that device, then if they have Outlook set up on their iOS, on their Android device, whatever, they can use that to meet the requirement, and that will count as a strong authenticator-based application. It will only prompt you when you have the Outlook app; if it doesn't, you can actually just go into Settings, Authenticator, and turn that on. And so now you see in that experience, even from this Tor Browser environment, I've got access to my apps, my on-prem app exposed through my Microsoft Entra tenant, and getting that Identity Protection feature integrated with the Conditional Access to get those real-time signals. I still got seamless access, but it made sure I was meeting the requirements, so it wasn't exposing me to some risk.

And we can see all of that in action now. If I go to look at my users, and let's say we actually go and look at Clark for a second and look at my sign-in logs, we can see those logs happening. Now they're still kind of feeding in; it takes a few minutes for them to completely finish. But we notice here for the Doggos IIS we got that success. So if I was to go and look at that authentication request, we look at the auth details, okay, so this is previously satisfied. So let's look at this other one. So MFA requirement satisfied, because the Conditional Access, what got driven was it needed the medium protection level, and so that Conditional Access policy was applied to this particular authentication because this was the medium app. And if we look at the interrupted one, authentication details, previously satisfied, look at this one. Okay, so you can see where it failed initially, but it did the text-based MFA. So I got the password correct but I had to do the text-based authentication. So that was the medium priority app; we can see it applied the medium Conditional Access right here, which just required any kind of MFA, and I was in. And let's see if the logs have updated. Okay, so now we've got the logs for Doggos as well. So for Doggos, if we look at this one, notice there's a different Conditional Access policy that got applied, the higher protection. And if we look at the auth details here, we can see we're getting that mobile app notification in progress, this one, and then it got satisfied. So we can see it drove that different set of requirements, and MFA successfully completed, actually down here. And you'll notice the requirement was Authenticator App MFA, which was my custom strength, but it worked, it went through, and I actually leveraged my Outlook app for that. So here that really just shows all of the things happening together. Let's see if there are any other logs, because again it takes a few minutes for these logs to finish through. Okay, there we go.

But that really hopefully brought everything together about what we were doing here. So we saw every aspect of this: any app anywhere. Worst-case scenario, I took an on-prem app that used header-based authentication, but we still integrated it in via our App Proxy. From the user it's still a single sign-on experience no matter where that app is, but no matter where that app is, you shall not pass without making sure you're meeting the controls. And in our case our controls are based around the device compliance and the authentication strength, and we drove those not based on lots of policies for every possible app; hey, we're going to categorize. We have an app label of low, medium, high, and then we just labeled all of the applications. And then for my nice end user experience of, hey, I'm just going to select one of these, it looked even at the real-time signal to protect me. This could be the first sign of any anomalous type of behavior, where user risk wouldn't have helped because it takes a while to get updated, whereas the sign-in risk is looking at specific signals it can use without breaking the user experience to give me that protection.

Now if you're new to this, when you get started with Conditional Access policies, what's the best way to use this? Well, the best way to start with Conditional Access policy is, we'll make sure, as I'm defining my policies, again we go to our Protect and secure, one of the things we can do on our policies is, if we go and look at it down the bottom, start in report-only mode. It's going to help you see, well, what would happen and what experience would get hit by this particular policy without interrupting the user experience, because maybe you're doing it wrong, it would prompt too often, it would be too stringent in its requirements. I can control that with that report-only option. Another nice thing you can do with Conditional Access is this idea of What If. With What If I can go in and say, well, what if it was this particular user? So I'll say, okay, what if it was Clark Kent, and then I can say, well, what if it was a particular application, and then I can say, what if they were from some weird IP or from a certain country, I'm just going to pick one at random, what if, hey, they did detect a certain sign-in risk and a certain user risk or whatever that is, what if there were certain properties. And then you can go and say, well, what if I want to do these things, what would actually happen here? It needs me to put an IP address in as well, just put in anything, and that will go and work out which policies would have applied. And notice it's telling me, hey, look, I would have applied the high protection level policy because the app I picked was my Doggos app, which was the high priority app. So I can go and work out, well, what would happen; it's going to help me test all of these different scenarios. So that's just a fantastic place to actually go and start.

Now how do I know, well, what Conditional Access policy should I even start with? Like, where do I need to give my time, what needs the most love? So if I actually just start off with Conditional Access in the Microsoft Entra portal, in the Overview page, you'll notice in the overview I get a quick summary of my users, of my devices, apps protected by Conditional Access. I can go and get quick information about this, but I can look at my coverage: what are the most commonly accessed applications that are protected by Conditional Access, what doesn't get hit, so percentage of users not covered, for example. I can get quick information to know, so if it's red I should give it attention, because people, I've got a gap there, there's a gap in my policy that people are falling through and not hitting any of them, so I probably want to tighten that up. I can see the different applications, well, what percentage of users are covered. So for my ones we've been demoing here, like the Doggos, it was 100% covered; that's good. So we want the coverage here; if there's a hundred here, it means it's not covered. So we can get an idea of, well, where should I start with this, and it's even going to help me create policies up at the top. My monitoring, what's the impact, so what percentage through my different Conditional Access policies are resulting in access granted, access denied, or, hey, there's just not a policy assigned to it at all. So I get a nice overall view, and of course there are tutorials as well. So that's a great way to go and get a view. If I go to Insights and reporting, well, this again gives me a summary view of Conditional Access in my tenant. I can select individual policies; the administrators can get a good understanding of what the policy does. I can monitor changes in real time, but once again I can get nice information: the countries where it's hitting it, for the different applications. I can see the sign-in details of exactly what's happening, what the user principals are, and I can dive in around any of these aspects.

Now if we're really not sure where to start, like where are the big gaps in my environment, the other thing I can do here is, if I go to my Monitoring and health, we have Workbooks. So right here I'm looking at the Monitoring and health section of the Entra portal, and Workbooks. So if I select this, one of the workbooks we have, under the Conditional Access section, is Conditional Access Gap Analysis. So this will help me actually find where there are gaps. So, hey, do I have some legacy authentication? I'm not using that, so this is good, this is a nice green tick. Do I have unprotected applications? Okay, so now it's showing me applications and the number where there is no Conditional Access policy applied, so I should probably think about that; I would target these particular applications. Are there particular compromised sign-ins that weren't being protected? Well, hey, I could then focus here. Are there particular locations without coverage? So once again, what this is trying to do is highlight key gaps. I have to then drive key good behavior: block the legacy authentications, make sure you have at least one Conditional Access policy for every app, and block high-risk sign-ins, or at least drive some tighter controls to get confidence it's not actually compromised. I could block those untrusted locations, um, there are different things this can help with. This is all going to help drive that behavior.

So that was it. I mean, that was my goal for this video. I think the key point here is it's all about the user. When we do these solutions, again, we could be securing our business, but it's no good having all of these things if the user can't do their job; it's unworkable. So I want to light up a fantastic end user experience but protect them. So we have this idea that the user can get a completely seamless experience. You saw, hey, with the extension, the URL, I can do the internal or the external URL. We have all these signals coming in, so we have our Microsoft Entra tenant around this, we have the Conditional Access that's going to get all these different signals, and then from that I can drive controls like customized authentication strengths. And I'm going to drive these not based on this huge matrix of Conditional Access policies, but, hey, I'm just going to create some protection level labels; those drive the policy and I just assign the label to each app, and it gives me a nice centralized way of doing that. And you saw the tools available to go and look at the sign-in and see the policy that applied, see the authentication that applied, get started gradually with Conditional Access, hey, report-only mode so I can see what would have got applied and what it would have done, use What If to test the scenarios, would it trigger my Conditional Access policy the right way, and if I don't know where to start, hey, I can start on the Overview page, I can look around, I can look at the Insights, but then I can run that workbook for the Gap Analysis to see exactly where I should first pay attention to tighten those things up. That was it. I hope this was useful. I hope this gets you on the path to protect any and all applications no matter where they are, using all those fantastic signals, even the real-time ones, to give you that assurance. Until next video, take care.
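The label-driven approach the video walks through in the portal (an attribute set, an "application protection level" attribute with low/medium/high values, tagging each enterprise app, then one Conditional Access policy per level filtered on that attribute, started in report-only mode) can be scripted with the Microsoft Graph PowerShell SDK. The block below is an added example written for this page; it is not code from the video or from Microsoft. The attribute set name `AppAttributes`, the attribute name `AppProtectionLevel`, the app display names `Doggos IIS` and `Doggos`, the break-glass group placeholder, and the exact shape of the `applicationFilter` object are assumptions; the video's "Authenticator App MFA" custom strength is replaced here by the built-in phishing-resistant strength because a custom strength's id exists only in your tenant. The last step is the coverage check a practitioner would want: sign-ins that no policy touched at all, grouped by application, which is the same gap the Gap Analysis workbook surfaces.

```powershell
# Added example (not from the video): label apps with a custom security attribute and
# drive two Conditional Access policies off the label, in report-only mode.
# Assumed names: attribute set 'AppAttributes', attribute 'AppProtectionLevel',
# apps 'Doggos IIS' / 'Doggos', and a break-glass group id you must fill in.
# Roles needed: Attribute Definition Administrator, Attribute Assignment Administrator,
# Conditional Access Administrator (plus Security Reader for the sign-in log query).
Connect-MgGraph -Scopes 'CustomSecAttributeDefinition.ReadWrite.All',
                        'CustomSecAttributeAssignment.ReadWrite.All',
                        'Application.ReadWrite.All',
                        'Policy.ReadWrite.ConditionalAccess',
                        'Policy.Read.All',
                        'AuditLog.Read.All'

$attributeSet  = 'AppAttributes'
$attributeName = 'AppProtectionLevel'

# 1. Attribute set, then the attribute with three predefined values (low / medium / high).
New-MgDirectoryAttributeSet -BodyParameter @{
    id = $attributeSet; description = 'Attributes describing enterprise apps'; maxAttributesPerSet = 25
}
New-MgDirectoryCustomSecurityAttributeDefinition -BodyParameter @{
    attributeSet = $attributeSet; name = $attributeName
    description  = 'Protection level that selects the Conditional Access policy'
    type = 'String'; status = 'Available'; isCollection = $false; isSearchable = $true
    usePreDefinedValuesOnly = $true
    allowedValues = @(
        @{ id = 'Low';    isActive = $true }
        @{ id = 'Medium'; isActive = $true }
        @{ id = 'High';   isActive = $true }
    )
}

# 2. Tag each enterprise application (its service principal) with one level.
function Set-AppProtectionLevel {
    param([string]$DisplayName, [ValidateSet('Low', 'Medium', 'High')][string]$Level)
    $sp = Get-MgServicePrincipal -Filter "displayName eq '$DisplayName'"
    if (-not $sp) { throw "No service principal named '$DisplayName'" }
    Update-MgServicePrincipal -ServicePrincipalId $sp.Id -CustomSecurityAttributes @{
        $attributeSet = @{
            '@odata.type' = '#Microsoft.DirectoryServices.CustomSecurityAttributeValue'
            $attributeName = $Level
        }
    }
}
Set-AppProtectionLevel -DisplayName 'Doggos IIS' -Level 'Medium'
Set-AppProtectionLevel -DisplayName 'Doggos'     -Level 'High'

# 3. One policy per label. The application filter targets apps by attribute value,
#    so new apps only need a tag, never a new policy. Always exclude break-glass accounts.
$breakGlassGroupId = '<break-glass-group-object-id>'   # assumption: fill in for your tenant

function New-ProtectionLevelPolicy {
    param([string]$Level, [string]$StrengthId, [string[]]$ExtraControls = @())
    $grant = @{ operator = 'AND'; authenticationStrength = @{ id = $StrengthId } }
    if ($ExtraControls.Count -gt 0) { $grant.builtInControls = $ExtraControls }
    New-MgIdentityConditionalAccessPolicy -BodyParameter @{
        displayName = "CA - $Level protection apps - risky sign-in"
        state       = 'enabledForReportingButNotEnforced'   # report-only first, as the video advises
        conditions  = @{
            signInRiskLevels = @('medium', 'high')         # real-time sign-in risk only
            clientAppTypes   = @('all')
            users            = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
            applications     = @{
                includeApplications = @()                  # assumed shape: filter carries the scope
                applicationFilter   = @{
                    mode = 'include'
                    rule = "CustomSecurityAttribute.${attributeSet}_${attributeName} -eq `"$Level`""
                }
            }
        }
        grantControls = $grant
    }
}

# Built-in authentication strength ids: MFA ...0002, passwordless MFA ...0003,
# phishing-resistant MFA ...0004. Medium: any MFA. High: phishing-resistant AND compliant device.
New-ProtectionLevelPolicy -Level 'Medium' -StrengthId '00000000-0000-0000-0000-000000000002'
New-ProtectionLevelPolicy -Level 'High'   -StrengthId '00000000-0000-0000-0000-000000000004' `
                          -ExtraControls @('compliantDevice')

# 4. Coverage check: recent sign-ins where no Conditional Access policy applied, per app.
Get-MgAuditLogSignIn -Filter "conditionalAccessStatus eq 'notApplied'" -Top 500 |
    Group-Object AppDisplayName | Sort-Object Count -Descending |
    Select-Object Count, Name
```

Leave both policies in report-only until the sign-in log's "Report-only" tab and the What If tool agree with what you expect, then switch `state` to `enabled`. The high policy uses `operator = 'AND'` so a risky sign-in must satisfy both the strength and device compliance; the video shows the "require one of" variant, which is `operator = 'OR'`. Any app with no tag matches neither filter and silently falls outside both policies, which is exactly the gap step 4 is there to catch.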
Info
Channel: John Savill's Technical Training
Views: 24,324
Keywords: azure, azure cloud, microsoft azure, microsoft, cloud, azure ad, identity, conditional access
Id: VJNMJQCmtuY
Length: 43min 48sec (2628 seconds)
Published: Wed Jul 12 2023