Quid Pro Quo EMS


Hello,

Quid Pro Quo …or in the words of Austin Powers : Squid Pro Quo, meaning “a feavour for a feavour”. From the corporate ICT’s perspectieve this translates to : we provide additional services that you can use whenever, wherever but … We need to have some information about the location and device before we do that.

Sounds good … Let’s take a popular cloud service like mail/calendar or cloud storage as an example.

What might be a good compromise :

We’ll provide you access to onedrive for business but … We like to make sure the device is locally encrypted , has a minimum of security applied to it and is not jailbroken.

And we provide you with a single sign on experience on your corporate machines but require some kind of multi factor authentication on BYOD.

Let’s see how we could do this. You’ll need active directory Premium to start with this.

First we open our admin center -> Azure AD -> Domain -> and use the applications tab

clip_image002

Now we’ll continue for the Sharepoint online service and configure it.

clip_image004

Now we’ll activate the MFA for a sepcific Office 365 security group of users and request MFA only when the user is not in a “work” location.

clip_image006

You’ll need to define what work locations are by clicking the link . So first we’ll go for the scenario when we require MFA when the user is not @ Work.

Additional info can be found here : https://azure.microsoft.com/en-us/documentation/articles/active-directory-conditional-access-azuread-connected-apps/?rnd=1

So we’ll define the work locations in this case based on ip / subnet combination.

Now if I logon to the onedrive from my machine in that ip subnet -> we expect no MFA

Unfortunately I kept on recieving the Additional verification box …

BTW : the Microsoft Authenticator App is simply a great tool !

No more hassles with copy/paste of codes through sms or applications. The app simply allows you to approve or deny the authentication request.

Install the app -> link your account by scanning a QR code ( use myapss.microsoft.com )

clip_image008

And approve or deny

clip_image010

Great functionality there … But back to the subject … Why do I require MFA now ? …

clip_image012

Now if I modified the trusted IP range with my external IP address recieved from my ISP ( as my Wifi router is of course using NATting )

clip_image014

Bingo ! No MFA request …

clip_image016

While if I do this from another machine -> I recieve the request for MFA.

clip_image018

 

Okay now let’s go one step further and deny access if not @ work.

clip_image020

 

Now let’s see the result if we try to connect on a not @ Work location machine.

clip_image022

 

 

Yes ! No access …

So overall this is some great functionality , MFA is not a on/off scenario and we can have a granular implementation per service and define different settings per location.

We can select to force MFA when not on work location or simply block access completely. It’s clear that cloud first mobile first is really on track.

Next up : device based access rules.

Enjoy.

Gino D

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s