I had a discussion with a customer the other day (again) and realized that there are some misunderstandings about conditional access.
Setting up conditional access is not a tick box, and it will not give you total control!
There are some things about the conditional access settings in Intune that are, let’s say, not really finished, but most of all I realised during the discussion that the concept of why Microsoft is selling EMS the way they do is lost during planning.
Intune is a really good service to manage (in the cloud) your mobile devices, PCs, Azure AD joined or even domain joined PCs. But when it comes to securing the enterprise data Intune is just a part of a chain.
Conditional Access is a feature built into Intune. It makes it possible to control access to the Office 365 services, thus securing the enterprise data from a device perspective.
Conditional Access controls when and if applications and devices can access the services.
It can control access to Exchange Online and Exchange On-premises from the following mail apps:
- The built-in app for Android 4.0 and later, Samsung Knox 4.0 Standard and later
- The built-in app for iOS 7.1 and later
- The built-in app for Windows Phone 8.1 and later
- The mail application on Windows 8.1 and later
- The Microsoft Outlook app for Android and iOS (Exchange Online)
It can control access to SharePoint Online from the following apps for the listed platforms:
- Microsoft Office Mobile (Android)
- Microsoft OneDrive (Android and iOS)
- Microsoft Word (iOS)
- Microsoft Excel (iOS)
- Microsoft PowerPoint (iOS)
- Microsoft OneNote (iOS)
Office desktop applications can access Exchange Online and SharePoint Online on PCs running:
- Office desktop 2013 and later with modern authentication enabled.
- Windows 7.0 and later
It will not secure access from a web browser.
Multi-factor authentication ensures that a user is who they claim to be. The more factors used to determine a person’s identity, the greater the trust in their authenticity.
For example, MFA can be achieved using a combination of:
- Something you know – password or PIN
- Something you physically have – SMS or one-time password
Because multi-factor authentication security requires multiple means of identification at login, it is the most secure method for authenticating access to data and applications.
In the MFA service from Microsoft the best way is to use the Azure Authenticator app from Microsoft as something you have. Multi-Factor Authentication helps protect the business with security monitoring and machine-learning-based reports that identify inconsistent sign-in patterns. To help trace and seek potential threats, real-time alerts notify you of suspicious account credentials and patterns of use.
This will secure access to enterprise data when accessing from any web browser or unrecognized app.
It will not secure the data itself when moved from the controlled area.
Azure Rights Management (Azure RMS) is an information protection solution for organizations that want to protect their data. The protection follows the data, i.e. the file or document.
If the user sends the document to someone outside the organization or gives information to a colleague on a USB stick, the information is still protected anywhere, on anything.
Azure RMS will:
- Help protect emails against unauthorized access by applying different IRM options to your email messages.
- Enhance security of your SharePoint libraries by using IRM to set up appropriate permissions.
- Help keep your information safe, online or offline, because your files are protected whether they’re viewed using Office Online or downloaded to a local machine.
- Integrate seamlessly with all Office documents to help guard your organization’s intellectual property.
- Apply custom templates based on your business needs in addition to using default Rights Management Services templates.
It will not secure the data from evil stuff installed on your device.
The full chain
So to fully control the enterprise data, use:
- Conditional access – to secure apps and the data stored on mobile devices, and to secure the PCs with Office applications.
- Multi-factor authentication – to secure access from outside controlled devices, such as from web browsers
- Azure RMS – to protect individual documents or files outside the controlled environments
To get the complete chain you need Intune, Azure AD Premium and Azure Rights Management. Of course you will get a lot more than just securing data with these services: managing applications, antivirus, inventory, usage tracking, and deployment of LOB applications on mobile OS.
Microsoft, as I am sure you already know, is offering this in one neat package: Enterprise Mobility Suite – EMS. This is a “must-have”, if you ask me, in any serious enterprise.
Want to know more? Start reading here and give us a call at Altitude 365. We implemented the full chain… in any way you can imagine.