Quid Pro Quo … or, in the words of Austin Powers, Squid Pro Quo, meaning “a favour for a favour”. From the corporate ICT perspective this translates to: we provide additional services that you can use whenever, wherever, but … we need to have some information about the location and the device before we do that.
Sounds good … Let’s take a popular cloud service like mail/calendar or cloud storage as an example.
What might be a good compromise?
We’ll provide you access to OneDrive for Business, but … we’d like to make sure the device is locally encrypted, has a minimum of security applied to it and is not jailbroken.
And we provide you with a single sign-on experience on your corporate machines, but require some kind of multi-factor authentication on BYOD.
Let’s see how we could do this. You’ll need Azure Active Directory Premium to start with this.
First we open our admin center -> Azure AD -> Domain -> and use the Applications tab.
Now we’ll continue with the SharePoint Online service and configure it.
Now we’ll activate MFA for a specific Office 365 security group of users and request MFA only when the user is not in a “work” location.
You’ll need to define what work locations are by clicking the link. So first we’ll go for the scenario where we require MFA when the user is not @ work.
Additional info can be found here : https://azure.microsoft.com/en-us/documentation/articles/active-directory-conditional-access-azuread-connected-apps/?rnd=1
So we’ll define the work locations in this case based on an IP address / subnet combination.
Now if I log on to OneDrive from my machine in that IP subnet -> we expect no MFA.
Unfortunately I kept on receiving the Additional verification box …
BTW : the Microsoft Authenticator App is simply a great tool !
No more hassles with copy/paste of codes through sms or applications. The app simply allows you to approve or deny the authentication request.
Install the app -> link your account by scanning a QR code (use myapps.microsoft.com).
And approve or deny
Great functionality there … But back to the subject … Why do I require MFA now? …
Now if I modify the trusted IP range with my external IP address received from my ISP (as my Wi-Fi router is of course using NAT) …
Bingo! No MFA request …
While if I do this from another machine -> I receive the request for MFA.
Okay, now let’s go one step further and deny access if not @ work.
Now let’s see the result if we try to connect from a machine that is not at a work location.
Yes ! No access …
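To make the two location rules and the NAT pitfall concrete, here is an added Python model of the evaluation (example code written for this post, not anything from the Azure portal or from Microsoft); the trusted ranges, the policy names and the sample source addresses are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample configuration for one service (SharePoint Online /
# OneDrive for Business). Ranges and policy names are assumptions made for
# this example; they are not values from the post or from any real tenant.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Decision:
    allowed: bool
    mfa_required: bool
    reason: str

def misconfigured_ranges(trusted_ranges):
    """Return trusted ranges that can never match a sign-in.
    The service only ever sees the public address the NAT router presents,
    so an internal LAN subnet entered as a work location matches nothing:
    the symptom in the post (an MFA prompt on every sign-in)."""
    bad = []
    for r in trusted_ranges:
        net = ipaddress.ip_network(r, strict=False)
        if any(net.overlaps(p) for p in RFC1918):
            bad.append(r)
    return bad

def is_at_work(source_ip, trusted_ranges):
    """True if the source address the service observes is in a trusted range."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(r, strict=False) for r in trusted_ranges)

def evaluate(source_ip, trusted_ranges, policy):
    """Apply one of the post's two rules: 'mfa_when_not_at_work' or
    'block_when_not_at_work'."""
    if is_at_work(source_ip, trusted_ranges):
        return Decision(True, False, "trusted work location, no MFA")
    if policy == "mfa_when_not_at_work":
        return Decision(True, True, "outside work, MFA required")
    if policy == "block_when_not_at_work":
        return Decision(False, False, "outside work, access denied")
    raise ValueError(f"unknown policy: {policy!r}")

if __name__ == "__main__":
    lan_only = ["192.168.1.0/24"]                    # first attempt (constructed)
    fixed = lan_only + ["198.51.100.7/32"]           # plus the ISP-assigned public IP
    print("never matches:", misconfigured_ranges(lan_only))
    print(evaluate("198.51.100.7", fixed, "mfa_when_not_at_work"))
    print(evaluate("198.51.100.9", fixed, "block_when_not_at_work"))
```

Running the check against a trusted-IP list before rolling the policy out catches the private-subnet mistake without waiting for users to report unexpected MFA prompts.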
So overall this is some great functionality: MFA is not an on/off scenario, and we can have a granular implementation per service and define different settings per location.
We can choose to force MFA when not at a work location or simply block access completely. It’s clear that cloud-first, mobile-first is really on track.
Next up : device based access rules.