AZURE ACTIVE DIRECTORY TEAM BLOG
<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
>
<channel>
<title>Azure Active Directory – Enterprise Mobility and Security Blog</title>
<atom:link href="https://blogs.technet.microsoft.com/enterprisemobility/feed/?product=azure-active-directory" rel="self" type="application/rss+xml" />
<link>https://blogs.technet.microsoft.com/enterprisemobility</link>
<description>The most recent news and updates about Microsoft’s Enterprise Mobility offerings and events for enterprise technology professionals and developers.</description>
<lastBuildDate>Thu, 23 Feb 2017 19:43:04 +0000</lastBuildDate>
<language>en-US</language>
<sy:updatePeriod>hourly</sy:updatePeriod>
<sy:updateFrequency>1</sy:updateFrequency>
<item>
<title>#AzureAD now supports Federated SSO and Provisioning with Slack</title>
<link>https://blogs.technet.microsoft.com/enterprisemobility/2017/02/23/azuread-now-supports-federated-sso-and-provisioning-with-slack/</link>
<comments>https://blogs.technet.microsoft.com/enterprisemobility/2017/02/23/azuread-now-supports-federated-sso-and-provisioning-with-slack/#respond</comments>
<pubDate>Thu, 23 Feb 2017 17:00:16 +0000</pubDate>
<dc:creator><![CDATA[Alex_SimonsMS]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<category><![CDATA[Apps]]></category>
<category><![CDATA[Authentication]]></category>
<category><![CDATA[Cloud]]></category>
<category><![CDATA[Conditional Access]]></category>
<category><![CDATA[SaaS]]></category>
<category><![CDATA[SSO]]></category>
<guid isPermaLink="false">https://blogs.technet.microsoft.com/enterprisemobility/?p=47955</guid>
<description><![CDATA[Howdy folks, We have a very cool integration to announce today: Azure AD now supports both automated user provisioning and federated single sign-on to Slack! With this integration, businesses can now use Azure AD to automatically provision and manage employee access to Slack, based on things like group membership or account status. In addition to <p><a class="read-more" href="https://blogs.technet.microsoft.com/enterprisemobility/2017/02/23/azuread-now-supports-federated-sso-and-provisioning-with-slack/">Continue reading</a></p>]]></description>
<content:encoded><![CDATA[<p><span style="font-size: 12pt">Howdy folks,<br /> </span></p> <p><span style="font-size: 12pt">We have a very cool integration to announce today: Azure AD now supports both automated user provisioning and federated single sign-on to <a href="https://slack.com/">Slack</a>!<br /> </span></p> <p><span style="font-size: 12pt">With this integration, businesses can now use Azure AD to automatically provision and manage employee access to Slack, based on things like group membership or account status. In addition to provisioning user accounts, Azure AD can also create and manage groups inside of Slack, based on groups in Azure AD and Active Directory.<br /> </span></p> <p style="text-align: center"><img alt="" src="https://msdnshared.blob.core.windows.net/media/2017/02/022317_0711_AzureADnows1.png" /><span style="font-size: 12pt"><br /> </span></p> <p><span style="font-size: 12pt">As one of the featured apps in the Azure AD app gallery, Azure AD also supports fully-federated single sign-on with Slack, in addition to an easy click-through setup for admins.<br /> </span></p> <p><span style="font-size: 12pt">See our documentation for more information on <a href="https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Factive-directory-saas-slack-provisioning-tutorial&data=02%7C01%7Casmalser%40microsoft.com%7Cb60f91042ef246b4e03508d450e7a2bb%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636222403196204559&sdata=wEMfIl4Ux99I8agtL3VuK3H6gqQFHrQ9WutyftKW0dY%3D&reserved=0">setting up user provisioning between Azure AD and Slack</a>. 
The Azure AD Integration is available for customers on Slack’s Plus plan or those using their recently-announced Enterprise Grid product.<br /> </span></p> <p><span style="font-size: 12pt">We’d like to thank the Slack team for their great partnership and support in delivering this integration, and look forward to continuing our work with them to deliver great experiences for our mutual customers!<br /> </span></p> <p><span style="font-size: 12pt">Let us know what you think about this integration! Leave us your comments at the end of this post or reach out to us on Twitter. We’re always listening.<br /> </span></p> <p><span style="font-size: 12pt">Best regards,<br /> </span></p> <p><span style="font-size: 12pt">Alex Simons (Twitter: <a href="https://twitter.com/Alex_A_Simons">@Alex_A_Simons</a>)<br /> </span></p> <p><span style="font-size: 12pt">Director of Program Management<br /> </span></p> <p><span style="font-size: 12pt">Microsoft Identity Division<br /> </span></p> ]]></content:encoded>
<wfw:commentRss>https://blogs.technet.microsoft.com/enterprisemobility/2017/02/23/azuread-now-supports-federated-sso-and-provisioning-with-slack/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
</item>
<item>
<title>Announcing the public preview of Azure AD group-based license management for Office 365 (and more)!</title>
<link>https://blogs.technet.microsoft.com/enterprisemobility/2017/02/22/announcing-the-public-preview-of-azure-ad-group-based-license-management-for-office-365-and-more/</link>
<comments>https://blogs.technet.microsoft.com/enterprisemobility/2017/02/22/announcing-the-public-preview-of-azure-ad-group-based-license-management-for-office-365-and-more/#comments</comments>
<pubDate>Wed, 22 Feb 2017 17:00:00 +0000</pubDate>
<dc:creator><![CDATA[Alex_SimonsMS]]></dc:creator>
<category><![CDATA[Announcements]]></category>
<category><![CDATA[Cloud]]></category>
<category><![CDATA[Exchange]]></category>
<category><![CDATA[Hybrid]]></category>
<category><![CDATA[Hybrid Cloud]]></category>
<category><![CDATA[Office 365]]></category>
<category><![CDATA[SaaS]]></category>
<guid isPermaLink="false">https://blogs.technet.microsoft.com/enterprisemobility/?p=47795</guid>
<description><![CDATA[Howdy folks, One of the top requests we hear from Azure AD and Office 365 customers is for richer tools to manage licenses for Microsoft Online Services like Office 365 and Enterprise Mobility + Security. Admins need easier tools to control who gets a product license and which services are enabled. Some customers have even had to delay service roll-outs as they struggled to <p><a class="read-more" href="https://blogs.technet.microsoft.com/enterprisemobility/2017/02/22/announcing-the-public-preview-of-azure-ad-group-based-license-management-for-office-365-and-more/">Continue reading</a></p>]]></description>
<content:encoded><![CDATA[<p>Howdy folks,</p> <p>One of the top requests we hear from Azure AD and Office 365 customers is for richer tools to manage licenses for Microsoft Online Services like Office 365 and Enterprise Mobility + Security. Admins need easier tools to control who gets a product license and which services are enabled. Some customers have even had to delay service roll-outs as they struggled to find a reliable solution that works at scale.</p> <p>Today, we're happy to be able to fulfill this request by announcing the public preview of a much-anticipated new capability in Azure AD: group-based license management! With this new feature you can define a license template and assign it to a security group in Azure AD. Azure AD will automatically assign and remove licenses as users join and leave the group.</p> <p>This preview also includes the highly-requested ability to selectively disable service components in product licenses, making it possible to stage the deployment of large service suites such as Office 365 Enterprise E5.</p> <p>Keep reading to get an overview of this new capability, or dive straight into our <a target="_blank" href="https://docs.microsoft.com/en-us/azure/active-directory/active-directory-licensing-whatis-azure-portal">detailed documentation</a>.</p> <h2>Overview</h2> <p>Here are a few key facts about group-based license management:</p> <ul> <li>Licenses can be assigned using any security group in Azure AD, whether synced from on-premises or created directly in Azure AD.</li> <li>All Microsoft Online Services that require user-level licensing are supported.</li> <li>The administrator can disable one or more service components when assigning a license to a group. 
This allows staged deployments of rich products like Office 365 Enterprise E5 at scale.</li> <li>The feature is only available in the <a target="_blank" href="https://portal.azure.com/">Azure portal</a>.</li> <li>Licenses are typically added or removed within minutes of a user joining or leaving a group.</li> </ul> <p>There are more details below, or, if you're ready to dig in, just jump straight into our <a target="_blank" href="https://portal.azure.com/#blade/Microsoft_AAD_IAM/LicensesMenuBlade/Products">new license management experience in the Azure portal</a>. That's right, no more going back to the classic portal to license your EMS or Azure AD users! If you're not using Azure AD Basic or above, <a target="_blank" href="https://www.microsoft.com/en-us/cloud-platform/enterprise-mobility-security-trial">sign up for a trial</a>.</p> <h2>Easily assign licenses to many users</h2> <p>To <a target="_blank" href="https://docs.microsoft.com/en-us/azure/active-directory/active-directory-licensing-group-assignment-azure-portal">assign a license</a>, just choose an individual user or a group. In the example below, I'm rolling out the Office 365 Enterprise E3 suite to all information workers in the organization. 
Since I'm doing a staged rollout, I will initially enable only a handful of online services in the suite:</p> <p><a href="https://msdnshared.blob.core.windows.net/media/2017/02/AAD_CBL1.png"><img width="610" height="223" title="AAD_CBL1" class="aligncenter" style="padding-top: 0px;padding-left: 0px;padding-right: 0px;border-width: 0px" alt="AAD_CBL1" src="https://msdnshared.blob.core.windows.net/media/2017/02/AAD_CBL1_thumb.png" border="0" /></a></p> <p>After all users in the group are processed, they will inherit licenses from the Information Workers group.</p> <p><a href="https://msdnshared.blob.core.windows.net/media/2017/02/AAD_CBL2.png"><img width="610" height="225" title="AAD_CBL2" class="aligncenter" style="padding-top: 0px;padding-left: 0px;padding-right: 0px;border-width: 0px" alt="AAD_CBL2" src="https://msdnshared.blob.core.windows.net/media/2017/02/AAD_CBL2_thumb.png" border="0" /></a></p> <p>From now on, any newly added group members will be licensed, and when they leave the group the license will be removed from them. You can do more cool things with this, like have users inherit licenses from multiple groups at the same time. 
<a target="_blank" href="https://docs.microsoft.com/en-us/azure/active-directory/active-directory-licensing-group-advanced">Check out this article</a> to learn more about how this functionality works.</p> <h2>Automate even more with dynamic group membership</h2> <p>If you have an Azure AD Premium P1 subscription you can combine dynamic group membership with license management to create an automated license management flow.</p> <p>Here is an example of two groups that look at extensionAttribute1 and assign licenses based on its value:</p> <p><em>“O365 E5 base services”</em></p> <p><a href="https://msdnshared.blob.core.windows.net/media/2017/02/AAD_CBL3.png"><img width="610" height="164" title="AAD_CBL3" class="aligncenter" style="padding-top: 0px;padding-left: 0px;padding-right: 0px;border-width: 0px" alt="AAD_CBL3" src="https://msdnshared.blob.core.windows.net/media/2017/02/AAD_CBL3_thumb.png" border="0" /></a></p> <p><em>“EMS E5 licensed users”</em></p> <p><a href="https://msdnshared.blob.core.windows.net/media/2017/02/AAD_CBL4.png"><img width="610" height="164" title="AAD_CBL4" class="aligncenter" style="padding-top: 0px;padding-left: 0px;padding-right: 0px;border-width: 0px" alt="AAD_CBL4" src="https://msdnshared.blob.core.windows.net/media/2017/02/AAD_CBL4_thumb.png" border="0" /></a></p> <p>A user with attribute value of <em>EMS;E5_baseservices;</em> automatically inherits both licenses:</p> <p><a href="https://msdnshared.blob.core.windows.net/media/2017/02/AAD_CBL5.png"><img width="610" height="192" title="AAD_CBL5" class="aligncenter" style="padding-top: 0px;padding-left: 0px;padding-right: 0px;border-width: 0px" alt="AAD_CBL5" src="https://msdnshared.blob.core.windows.net/media/2017/02/AAD_CBL5_thumb.png" border="0" /></a></p> <p>This functionality keeps you from having to write and maintain scripts to manage licenses and group memberships. 
All the heavy lifting is done in the cloud, by Azure AD!</p> <p>Find out more about <a target="_blank" href="https://docs.microsoft.com/en-us/azure/active-directory/active-directory-licensing-group-advanced#group-based-licensing-using-dynamic-groups">how to use these features</a>.</p> <h2>Let your users sign up for licenses!</h2> <p>As the admin, you control license assignment in Azure AD, but you can choose to open a group for users so you don't have to be involved in managing a certain product, like Power BI (free).</p> <p>With Azure AD Premium P1, you can use the <a target="_blank" href="https://docs.microsoft.com/en-us/azure/active-directory/active-directory-accessmanagement-self-service-group-management">powerful self-service management features</a> directly in the cloud to let users decide if they need product licenses by requesting to join a group.</p> <h2>How can I try it?</h2> <p>Visit the <a target="_blank" href="https://portal.azure.com/#blade/Microsoft_AAD_IAM/LicensesMenuBlade/Products">Azure portal</a> and give the license management experience a try!</p> <p>While group-based license management is in public preview you will need an active subscription for Azure AD Basic (or above) in your tenant to assign licenses to groups. If you don't have one, just <a target="_blank" href="https://www.microsoft.com/en-us/cloud-platform/enterprise-mobility-security-trial">sign up for an Enterprise Mobility + Security trial</a>. Later, when this functionality becomes generally available it will be included in Office 365 Enterprise E3 and similar products.</p> <p>As with all previews there are some limits to what we currently support. 
You can find details about those limitations in our <a target="_blank" href="https://docs.microsoft.com/en-us/azure/active-directory/active-directory-licensing-group-advanced#limitations-and-known-issues">documentation</a>, which we will be updating consistently as things change.</p> <p>Let us know what you think by leaving a comment below or emailing the Azure AD License Management team. We look forward to hearing from you!</p> <p>Best regards,</p> <p>Alex Simons (Twitter: <a target="_blank" href="http://twitter.com/alex_a_simons">@Alex_A_Simons</a>)</p> <p>Director of Program Management</p> <p>Microsoft Identity Division</p> ]]></content:encoded>
<wfw:commentRss>https://blogs.technet.microsoft.com/enterprisemobility/2017/02/22/announcing-the-public-preview-of-azure-ad-group-based-license-management-for-office-365-and-more/feed/</wfw:commentRss>
<slash:comments>16</slash:comments>
</item>
<item>
<title>Azure AD and SailPoint: Advanced identity governance across your on-premises and cloud resources</title>
<link>https://blogs.technet.microsoft.com/enterprisemobility/2017/02/10/azure-ad-and-sailpoint-advanced-identity-governance-across-your-on-premises-and-cloud-resources/</link>
<comments>https://blogs.technet.microsoft.com/enterprisemobility/2017/02/10/azure-ad-and-sailpoint-advanced-identity-governance-across-your-on-premises-and-cloud-resources/#comments</comments>
<pubDate>Fri, 10 Feb 2017 18:00:39 +0000</pubDate>
<dc:creator><![CDATA[Alex_SimonsMS]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<category><![CDATA[Identity Governance]]></category>
<category><![CDATA[Identity-driven Security]]></category>
<category><![CDATA[Public Cloud]]></category>
<category><![CDATA[SaaS]]></category>
<guid isPermaLink="false">https://blogs.technet.microsoft.com/enterprisemobility/?p=47295</guid>
<description><![CDATA[Howdy folks, Over the past year, we’ve had the privilege to work closely with our largest customers in highly regulated industries like healthcare, financial services and pharma, helping them to successfully deploy and use Azure AD Premium. Through this close partnering, we’ve learned that to meet their unique security and compliance requirements, they need some <p><a class="read-more" href="https://blogs.technet.microsoft.com/enterprisemobility/2017/02/10/azure-ad-and-sailpoint-advanced-identity-governance-across-your-on-premises-and-cloud-resources/">Continue reading</a></p>]]></description>
<content:encoded><![CDATA[<p><span style="font-size: 12pt">Howdy folks,<br /> </span></p> <p><span style="font-size: 12pt">Over the past year, we’ve had the privilege to work closely with our largest customers in highly regulated industries like healthcare, financial services and pharma, helping them to successfully deploy and use Azure AD Premium. Through this close partnering, we’ve learned that to meet their unique security and compliance requirements, they need some pretty advanced access governance controls across their on-premises and cloud resources, in addition to the industry leading identity management and security they get with Azure AD Premium.<br /> </span></p> <p><span style="font-size: 12pt">Today, we’ve got good news for these customers.<br /> </span></p> <p><span style="font-size: 12pt">I am thrilled to announce our technical collaboration with SailPoint, a proven leader in identity governance. SailPoint’ s identity governance capabilities, combined with Azure AD’s secure access and risk-based identity protection, will help cover the most demanding security and compliance needs of our joint customers. The SailPoint integration extends Azure Active Directory Premium to provide full, fine-grained provisioning and lifecycle governance across enterprise systems on-premises and in the cloud.<br /> </span></p> <p><span style="font-size: 12pt">Let’s take a look at how the integration works through the lens of a few specific scenarios.<br /> </span></p> <p style="text-align: center"><img alt="" src="https://msdnshared.blob.core.windows.net/media/2017/02/021017_0614_AzureADandS1.png" /></p> <p><span style="font-size: 12pt"><strong>Identity and context synchronization</strong><br /> </span></p> <p><span style="font-size: 12pt">The first step in enabling advanced access governance is to synchronize the Azure AD view of users and their access to applications with SailPoint. 
This is performed using a direct connector that automatically aggregates user accounts, group permissions, and Microsoft Access Panel tiles and maps each of these to the SailPoint Identity Cube. It also provides the basis for SailPoint to send change events back to Azure AD when access is modified during a governance mitigation process.<br /> </span></p> <p><span style="font-size: 12pt">In addition to this, SailPoint will connect to applications managed outside of Azure AD, including on-premises applications like EPIC, which is widely used in healthcare. This creates a 360-degree view of all access in the organization and creates a strong foundation for comprehensive control.<br /> </span></p> <p><span style="font-size: 12pt"><strong>Access request and lifecycle events</strong><br /> </span></p> <p><span style="font-size: 12pt">User access request and approval is at the core of any identity management and governance solution. The integration of SailPoint with Azure AD adds support for self-service access requests and approvals. Additionally, the integration propagates access changes based on employee lifecycle events like join, move, or leave across all applications (cloud or on-premises) to ensure that access is granted according to business policy.<br /> </span></p> <p><span style="font-size: 12pt">In both cases, the SailPoint-Microsoft combination enables end-to-end coverage of all provisioning events with full synchronization of access changes to the Microsoft Access Panel.<br /> </span></p> <p><span style="font-size: 12pt"><strong>Identity governance certification, segregation of duty policies, and more</strong><br /> </span></p> <p><span style="font-size: 12pt">A key component of strong identity governance is the ability to review access on a regular basis. 
The integration provides a simple and effective way to automate the entire access certification process.<br /> </span></p> <p><span style="font-size: 12pt">SailPoint’s access certifications combine data collected from the identity and context synchronization process described above with account and entitlement data from all application sources to create a single view of all access. After that, a fully automated access review process can be initiated to business and IT owners. Changes to access that resulted from the access review process are automatically propagated to the Azure AD Access Panel.<br /> </span></p> <p><span style="font-size: 12pt">Another important governance control is the ability to enforce segregation of duty (SOD) policies throughout a user’s lifecycle within an organization. SOD policies can be defined and enforced by SailPoint during access reviews or access request processes to provide an additional level of policy control.<br /> </span></p> <p><span style="font-size: 12pt">SailPoint also delivers audit and compliance reporting that demonstrates the effectiveness of the identity controls operating across the organization. This significantly reduces the burden on IT operations teams and improves visibility for the business.<br /> </span></p> <p><span style="font-size: 12pt"><strong>Self-service password reset extension</strong><br /> </span></p> <p><span style="font-size: 12pt">In addition to the governance capabilities described above, the integration with SailPoint enables an important password management use case: the combined solution can automatically propagate an Azure AD password change to all connected systems in SailPoint that share a common password policy. This allows a user to change their password once in Azure AD and have it synchronized across a wide variety of on-premises and cloud-based systems.<br /> </span></p> <p><span style="font-size: 12pt">We’re excited to bring this partnership to you and want to hear your feedback. 
Leave your comments below and reach out to us via Twitter! As always, we’re listening.<br /> </span></p> <p><span style="font-size: 12pt">Best regards,<br /> </span></p> <p><span style="font-size: 12pt">Alex Simons (Twitter: <a href="https://twitter.com/Alex_A_Simons">@Alex_A_Simons</a>)<br /> </span></p> <p><span style="font-size: 12pt">Director of Program Management<br /> </span></p> <p><span style="font-size: 12pt">Microsoft Identity Division<br /> </span></p> ]]></content:encoded>
<wfw:commentRss>https://blogs.technet.microsoft.com/enterprisemobility/2017/02/10/azure-ad-and-sailpoint-advanced-identity-governance-across-your-on-premises-and-cloud-resources/feed/</wfw:commentRss>
<slash:comments>5</slash:comments>
</item>
<item>
<title>Azure AD News: Azure MFA cloud based protection for on-premises VPNs is now in public preview!</title>
<link>https://blogs.technet.microsoft.com/enterprisemobility/2017/02/06/azure-ad-news-azure-mfa-cloud-based-protection-for-on-premises-vpns-is-now-in-public-preview/</link>
<comments>https://blogs.technet.microsoft.com/enterprisemobility/2017/02/06/azure-ad-news-azure-mfa-cloud-based-protection-for-on-premises-vpns-is-now-in-public-preview/#comments</comments>
<pubDate>Mon, 06 Feb 2017 17:00:58 +0000</pubDate>
<dc:creator><![CDATA[Alex_SimonsMS]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<category><![CDATA[Authentication]]></category>
<category><![CDATA[Azure MFA]]></category>
<category><![CDATA[Cloud]]></category>
<category><![CDATA[Cloud Platform Services]]></category>
<category><![CDATA[Hybrid]]></category>
<category><![CDATA[Hybrid Cloud]]></category>
<category><![CDATA[Identity-driven Security]]></category>
<category><![CDATA[Multi-factor authentication]]></category>
<category><![CDATA[On-Prem]]></category>
<guid isPermaLink="false">https://blogs.technet.microsoft.com/enterprisemobility/?p=46875</guid>
<description><![CDATA[Howdy folks, One of the top requests we hear from customers is to be able to secure their on-premises VPNs using Azure AD and our cloud-based MFA service. Today we’re announcing the public preview of NPS Extension support in Azure MFA. This cool enhancement gives you the ability to protect your VPN using Azure MFA <p><a class="read-more" href="https://blogs.technet.microsoft.com/enterprisemobility/2017/02/06/azure-ad-news-azure-mfa-cloud-based-protection-for-on-premises-vpns-is-now-in-public-preview/">Continue reading</a></p>]]></description>
<content:encoded><![CDATA[<p><span style="font-size: 12pt">Howdy folks,<br /> </span></p> <p><span style="font-size: 12pt">One of the top requests we hear from customers is to be able to secure their on-premises VPNs using Azure AD and our cloud-based MFA service. Today we’re announcing the public preview of NPS Extension support in Azure MFA. This cool enhancement gives you the ability to protect your VPN using Azure MFA (which is included in Azure AD Premium) without having to install a new on-premises server.<br /> </span></p> <p><span style="font-size: 12pt">This is another step along the road to realizing our vision of making Azure AD a complete, cloud based “Identity Control Plane” service that makes it easy for enterprises to assure their employees, partners and customers have access to all the right cloud and on-premises resources while assuring the highest levels of compliance and security.<br /> </span></p> <p><span style="font-size: 12pt">To give you the details about this release, I’ve asked Yossi Banai to write a blog about this cool new capability. 
His blog is below.<br /> </span></p> <p><span style="font-size: 12pt">I hope you’ll find this update useful for improving the security of your organization!<br /> </span></p> <p><span style="font-size: 12pt">And as always, we would love to receive any feedback or suggestions you have.<br /> </span></p> <p><span style="font-size: 12pt">Best Regards,<br /> </span></p> <p><span style="font-size: 12pt">Alex Simons (Twitter: <a href="https://twitter.com/alex_a_simons"><span style="color: blue;text-decoration: underline">@Alex_A_Simons</span></a>)<br /> </span></p> <p><span style="font-size: 12pt">Director of Program Management<br /> </span></p> <p><span style="font-size: 12pt">Microsoft Identity Division<br /> </span></p> <p><span style="font-size: 12pt">——————<br /> </span></p> <p><span style="font-size: 12pt">Hello,<br /> </span></p> <p><span style="font-size: 12pt">I’m Yossi Banai, a Program Manager on the Azure Active Directory team. As you know, multi-factor authentication is an important tool to help safeguard data and applications while meeting user demands for a simple sign-in process. 
With <a href="https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication"><span style="color: blue;text-decoration: underline">Azure Multi-factor authentication</span></a> (MFA), customers currently can <a href="https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started"><span style="color: blue;text-decoration: underline">choose between</span></a> MFA Server (an on-premises solution) and cloud-based MFA (a cloud-based solution supported and maintained by Microsoft).<br /> </span></p> <p><span style="font-size: 12pt">While <a href="https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server"><span style="color: blue;text-decoration: underline">MFA Server</span></a> provides a rich set of features, more and more customers are choosing to use <a href="https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-cloud"><span style="color: blue;text-decoration: underline">cloud-based MFA</span></a> to secure their environment, to simplify it, reduce cost, and take advantage of powerful Azure AD features such as <a href="https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access"><span style="color: blue;text-decoration: underline">Conditional Access</span></a> and <a href="https://docs.microsoft.com/en-us/azure/active-directory/active-directory-identityprotection"><span style="color: blue;text-decoration: underline">Azure AD Identity Protection</span></a>.<br /> </span></p> <p><span style="font-size: 12pt">However, since cloud-based MFA services like Azure AD have not traditionally supported <a href="https://technet.microsoft.com/en-us/library/cc995145.aspx">RADIUS authentication</a>, customers who wanted to secure on-premises clients such as VPN had no choice but to deploy MFA Servers on-premises. 
With today’s release of the NPS Extension for Azure MFA, I’m excited to announce that we have closed this gap, and added the ability to secure RADIUS clients using cloud-based MFA!<br /> </span></p> <p><span style="font-size: 12pt">The NPS extension for Azure MFA provides a simple way to add cloud-based MFA capabilities to your authentication infrastructure using your existing <a href="https://technet.microsoft.com/en-us/network/bb545879.aspx"><span style="color: blue;text-decoration: underline">NPS servers</span></a>. With the NPS extension, you’ll be able to add phone call, SMS, or phone app MFA to your existing authentication flow without having to install, configure, and maintain new servers.<br /> </span></p> <p><span style="font-size: 12pt"><strong>How does the NPS Extension for Azure MFA work?</strong><br /> </span></p> <p><span style="font-size: 12pt">With the NPS Extension for Azure MFA, which is installed as an extension to existing NPS Servers, the authentication flow includes the following components:<br /> </span></p> <ul> <li><span style="font-size: 12pt"><strong>User/VPN Client: </strong>Initiates the authentication request.<br /> </span></li> <li><span style="font-size: 12pt"><strong>NAS Server/VPN Server:</strong> Receives requests from VPN clients and converts them into RADIUS requests to NPS servers.<br /> </span></li> <li><span style="font-size: 12pt"><strong>NPS Server: </strong>Connects to Active Directory to perform the primary authentication for the RADIUS requests and, if successful, passes the request to any installed NPS extensions.<br /> </span></li> <li><span style="font-size: 12pt"><strong>NPS Extension</strong>: Triggers an MFA request to <a href="https://azure.microsoft.com/en-us/documentation/articles/multi-factor-authentication-get-started-cloud/"><span style="color: blue;text-decoration: underline">Azure cloud-based MFA</span></a> to perform the secondary authentication. 
Once it receives the response, and if the MFA challenge succeeds, it completes the authentication request by providing the NPS server with security tokens that include an MFA claim issued by Azure STS.<br /> </span></li> <li><span style="font-size: 12pt"><strong>Azure MFA</strong>: Communicates with Azure Active Directory to retrieve the user’s details and performs the secondary authentication using a verification method configured for the user.<br /> </span></li> </ul> <p><span style="font-size: 12pt">The following diagram illustrates the high-level authentication request flow:<br /> </span></p> <p style="text-align: center"><img alt="" src="https://msdnshared.blob.core.windows.net/media/2017/02/020617_0251_AzureADNews1.png" /><span style="font-size: 12pt"><br /> </span></p> <p><span style="font-size: 12pt"><strong>Getting started</strong><br /> </span></p> <p><span style="font-size: 12pt">I encourage you to download and install the NPS extension for Azure MFA from the <a href="https://aka.ms/npsmfa"><span style="color: blue;text-decoration: underline">Microsoft Download Center</span></a> and start testing this feature.<br /> </span></p> <p><span style="font-size: 12pt">The NPS Extension for Azure MFA is available to customers with <a href="https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication"><span style="color: blue;text-decoration: underline">licenses for Azure Multi-Factor authentication</span></a> (included with Azure AD Premium, EMS, or an MFA subscription). 
In addition, you will need Windows Server 2008 R2 SP1 or above with the NPS component enabled.<br /> </span></p> <p><span style="font-size: 12pt">All users who authenticate through the NPS extension must be synced to Azure Active Directory using Azure AD Connect and be registered for MFA.<br /> </span></p> <p><span style="font-size: 12pt">To install the extension, simply run the installation package and the PowerShell script it generates, which associates the extension with your tenant. Then, configure your RADIUS client to authenticate through your NPS Server.<br /> </span></p> <p><span style="font-size: 12pt"><strong>The fine print</strong><br /> </span></p> <p><span style="font-size: 12pt">This release of the NPS Extension for Azure MFA targets new deployments and does not include tools to migrate users and settings from MFA Server to the cloud.<br /> </span></p> <p><span style="font-size: 12pt">As with MFA Server, once you enable MFA for a RADIUS client using the NPS Extension, all authentications for this client will be required to perform MFA. If you want to enable MFA for some RADIUS clients but not others, you can configure two NPS servers and install the extension on only one of them. Configure the RADIUS clients that you want to use MFA with to send requests to the NPS server configured with the extension, and the other RADIUS clients to send requests to the NPS server that doesn’t have the extension.<br /> </span></p> <p><span style="font-size: 12pt"><strong>We appreciate your feedback</strong><br /> </span></p> <p><span style="font-size: 12pt">We would love to hear your feedback. If you have any suggestions for us, questions, or issues to report, please leave a comment at the bottom of this post, send a note to the <a href="mailto:npsamfas@microsoft.com"><span style="color: blue;text-decoration: underline">NPS Extension</span></a> team, or tweet with the hashtag #AzureAD.</span></p> ]]></content:encoded>
<wfw:commentRss>https://blogs.technet.microsoft.com/enterprisemobility/2017/02/06/azure-ad-news-azure-mfa-cloud-based-protection-for-on-premises-vpns-is-now-in-public-preview/feed/</wfw:commentRss>
<slash:comments>16</slash:comments>
</item>
<item>
<title>Azure AD B2B: New updates make cross-business collab easy</title>
<link>https://blogs.technet.microsoft.com/enterprisemobility/2017/02/01/azure-ad-b2b-new-updates-make-cross-business-collab-easy/</link>
<comments>https://blogs.technet.microsoft.com/enterprisemobility/2017/02/01/azure-ad-b2b-new-updates-make-cross-business-collab-easy/#comments</comments>
<pubDate>Wed, 01 Feb 2017 18:35:01 +0000</pubDate>
<dc:creator><![CDATA[Alex_SimonsMS]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<category><![CDATA[B2B]]></category>
<category><![CDATA[Cloud]]></category>
<category><![CDATA[Multi-factor authentication]]></category>
<category><![CDATA[Public Cloud]]></category>
<category><![CDATA[Public Preview]]></category>
<category><![CDATA[SaaS]]></category>
<guid isPermaLink="false">https://blogs.technet.microsoft.com/enterprisemobility/?p=46736</guid>
<description><![CDATA[Howdy folks, I’ve been looking forward to writing this blog post for a while! Those of you who follow the blog know that Azure AD B2B collaboration is a set of capabilities that makes it easy for IT pros and information workers to invite people from any organization in the world to collaborate online. The <p><a class="read-more" href="https://blogs.technet.microsoft.com/enterprisemobility/2017/02/01/azure-ad-b2b-new-updates-make-cross-business-collab-easy/">Continue reading</a></p>]]></description>
<content:encoded><![CDATA[<p><span style="color: black">Howdy folks,<br /> </span></p> <p><span style="color: black">I’ve been looking forward to writing this blog post for a while!<br /> </span></p> <p><span style="color: black">Those of you who follow the blog know that Azure AD B2B collaboration is a set of capabilities that makes it easy for IT pros and information workers to invite people from any organization in the world to collaborate online. The goal of Azure AD B2B is to enable organizations of all sizes and industries – even those with complex compliance and governance requirements – to work easily and securely with collaborators around the world.<br /> </span></p> <p><span style="color: black">I’m excited to let you know that we’ve just turned on a boat load of new enhancements in our B2B public preview.<br /> </span></p> <p><span style="color: black">Millions of users and thousands of customers have been using the public preview of our B2B Collaboration capabilities since we first announced the public preview. Those customers have been incredibly generous with their time and feedback. All of the enhancements we’re announcing today are based on their suggestions and we can’t thank them enough for their partnership.<br /> </span></p> <h2>Key new features of Azure AD B2B Collaboration</h2> <p>In today’s release, you’ll find the following new features and functionality:</p> <ol> <li>UX enhancements to the B2B <a href="https://portal.azure.com/">admin experience</a>, including the ability for admins to invite B2B users to the directory or to any group or application.</li> <li>B2B self-service invitation capabilities in the <a href="https://myapps.microsoft.com/">Access Panel</a>, so information workers can invite B2B users to any self-service group or application they manage.</li> <li>Ability to invite a user with any email address to collaborate. 
Whether a user has an Office365 or on-premises Exchange email address, an outlook.com email address, or any social email address, he/she can now seamlessly access the invited organization with inline, lightweight creation of an Azure AD or Microsoft Account.</li> <li>Professional, tenant branded invitation emails.</li> <li>The option to build a customized onboarding experience using our invitation APIs.</li> <li>The ability to require and provide MFA for B2B guest accounts.</li> <li>Ability to delegate responsibility for inviting B2B guest accounts to non-administrators.</li> <li>PowerShell support for B2B.</li> <li>Auditing and reporting capabilities.<span style="font-size: 9pt"><br /> </span></li> </ol> <p style="text-align: center"><img alt="" src="https://msdnshared.blob.core.windows.net/media/2017/01/020117_0159_AzureADB2BN1.png" /></p> <p style="text-align: center"><span style="color: black"><em>Fig 1: A custom branded invitation, one of our most highly requested features<br /> </em></span></p> <p><span style="color: black">We are also releasing <a href="https://docs.microsoft.com/en-us/azure/active-directory/active-directory-b2b-what-is-azure-ad-b2b">updated, detailed documentation</a> to help you understand the capabilities really well and guide you in using them as efficiently as possible.<br /> </span></p> <p><span style="color: black">Our next milestone is to take the service to General Availability. So please send us any final feedback or suggestions you have ASAP. We will put them all to good use!<br /> </span></p> <h2>Give it a try!</h2> <p>Getting started is simple. 
<a href="https://portal.azure.com/"><strong>Go to the user list in your tenant</strong></a> and add any external email address today!</p> <p style="text-align: center"><img alt="" src="https://msdnshared.blob.core.windows.net/media/2017/01/020117_0159_AzureADB2BN2.png" /><strong><br /> </strong></p> <p style="text-align: center"><em>Fig 2: Inviting a B2B Guest User in the new Azure Portal<br /> </em></p> <p>And as always, we would love to receive any feedback or suggestions you have in our <a target="_blank" href="https://techcommunity.microsoft.com/t5/Azure-Active-Directory-B2B/bd-p/AzureAD_B2b"><b>Microsoft Tech Community</b></a>!</p> <h2>Learn More</h2> <p>There’s much more detail about the new Azure AD B2B Collaboration features in our <a href="https://docs.microsoft.com/en-us/azure/active-directory/active-directory-b2b-what-is-azure-ad-b2b">updated documentation</a>. Dive in and let us know if you have any questions! <span style="color: black">And if you haven’t seen it yet, check out our <a href="https://www.youtube.com/watch?v=jtBaQHvAUsQ"><span style="color: #0078d7">Ignite Azure AD B2B collaboration talk</span></a><span style="color: #0078d7">,<span style="color: #41424e"> too.</span><br /> </span></span></p> <p>Best Regards,<br /> Alex Simons (@Twitter:<span style="color: #41424e"><a href="https://twitter.com/Alex_A_Simons"><span style="color: #0078d7"><strong>@Alex_A_Simons</strong></span></a></span>)<br /> Director of Program Management<br /> Microsoft Identity Division</p> ]]></content:encoded>
<wfw:commentRss>https://blogs.technet.microsoft.com/enterprisemobility/2017/02/01/azure-ad-b2b-new-updates-make-cross-business-collab-easy/feed/</wfw:commentRss>
<slash:comments>5</slash:comments>
</item>
<item>
<title>New enhanced access controls in Azure AD: Tenant Restrictions is now Generally Available!</title>
<link>https://blogs.technet.microsoft.com/enterprisemobility/2017/01/31/new-enhanced-access-controls-in-azure-ad-tenant-restrictions-is-now-generally-available/</link>
<comments>https://blogs.technet.microsoft.com/enterprisemobility/2017/01/31/new-enhanced-access-controls-in-azure-ad-tenant-restrictions-is-now-generally-available/#comments</comments>
<pubDate>Tue, 31 Jan 2017 18:00:15 +0000</pubDate>
<dc:creator><![CDATA[Alex_SimonsMS]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<category><![CDATA[Apps]]></category>
<category><![CDATA[Authentication]]></category>
<category><![CDATA[Cloud]]></category>
<category><![CDATA[Conditional Access]]></category>
<category><![CDATA[Hybrid]]></category>
<category><![CDATA[Hybrid Cloud]]></category>
<category><![CDATA[SaaS]]></category>
<guid isPermaLink="false">https://blogs.technet.microsoft.com/enterprisemobility/?p=46705</guid>
<description><![CDATA[Howdy folks, Today I’m happy to announce that our new Tenant Restrictions capability is Generally Available! We built Tenant Restrictions with extensive input from our customer in finance, healthcare and pharmaceutical, industries which have relatively strict information access and compliance requirements. Tenant restrictions gives customers with these kinds of requirements enhanced control over access to <p><a class="read-more" href="https://blogs.technet.microsoft.com/enterprisemobility/2017/01/31/new-enhanced-access-controls-in-azure-ad-tenant-restrictions-is-now-generally-available/">Continue reading</a></p>]]></description>
<content:encoded><![CDATA[<p>Howdy folks,</p> <p>Today I’m happy to announce that our new Tenant Restrictions capability is Generally Available! We built Tenant Restrictions with extensive input from our customers in the finance, healthcare and pharmaceutical industries, which have relatively strict information access and compliance requirements.</p> <p>Tenant Restrictions gives customers with these kinds of requirements enhanced control over access to SaaS cloud applications. Admins can now restrict employees using their corporate network to only being able to use Azure AD identities in tenants they have approved. <span style="font-family: Times New Roman;font-size: 12pt"><br /> </span></p> <p>To give you the details about this important new capability, I’ve asked Yossi Banai, a PM in our Identity Security and Protection team, to write a blog about this feature. You’ll find it below.</p> <p>I hope those of you in highly regulated industries will find this feature useful! And as always, we would love to receive any feedback or suggestions you have!<span style="font-family: Times New Roman;font-size: 12pt"><br /> </span></p> <p>Best Regards,<span style="font-family: Times New Roman;font-size: 12pt"><br /> </span></p> <p>Alex Simons (Twitter: <a target="_blank" href="https://twitter.com/alex_a_simons"><span style="color: blue;text-decoration: underline">@Alex_A_Simons</span></a>)<span style="font-family: Times New Roman;font-size: 12pt"><br /> </span></p> <p>Director of Program Management<span style="font-family: Times New Roman;font-size: 12pt"><br /> </span></p> <p>Microsoft Identity Division<span style="font-family: Times New Roman;font-size: 12pt"><br /> </span></p> <p>________<span style="font-family: Times New Roman;font-size: 12pt"><br /> </span></p> <p>Hello,<span style="font-family: Times New Roman;font-size: 12pt"><br /> </span></p> <p>I’m Yossi Banai, a Program Manager on the Azure Active Directory team. 
In today’s blog post I’ll cover Tenant Restrictions, a new feature we released today for general availability.<span style="font-family: Times New Roman;font-size: 12pt"><br /> </span></p> <h1><span style="color: #2e74b5"><span style="font-family: Calibri Light">Overview</span><br /> </span></h1> <p style="text-align: justify">Companies that want to move their employees to SaaS apps like Office 365 are sometimes worried about opening their networks to information leaks. If users can access Office 365 with their corporate identity, they can also access these same services with other identities.</p> <p style="text-align: justify">Before cloud services, network admins could simply block access to unwanted apps or websites by blocking their URL or IP address. This is no longer an option with SaaS apps, where a single endpoint (like outlook.office.com) is used by all consumers of the SaaS app.</p> <p style="text-align: justify">Our solution for this common IT challenge is Tenant Restrictions. This new feature enables organizations to control access based on the <a target="_blank" href="https://msdn.microsoft.com/en-us/library/azure/jj573650.aspx"><span style="color: #0563c1;text-decoration: underline">Azure AD tenant</span></a> the applications use for single sign-on. For example, you can use Tenant Restrictions to allow access to your organization’s Office 365 applications, while preventing access to other organizations’ instances of these same applications.<span style="font-family: Times New Roman;font-size: 12pt"><br /> </span></p> <h1><span style="font-family: Calibri Light">How it works<span style="color: #2e74b5;font-size: 16pt"><br /> </span></span></h1> <p style="text-align: justify">An on-premises proxy server is configured to intercept authentication traffic going to Azure AD. 
The proxy inserts a new header called “<span style="font-family: Consolas;font-size: 10pt">Restrict-Access-To-Tenants”</span> that lists the tenants that users on the network are permitted to access. Azure AD reads the permitted tenant list from the header, and only issues security tokens if the user or resource is in a tenant on that list.</p> <p style="text-align: justify">The following diagram illustrates the high-level traffic flow. <span style="font-family: Times New Roman;font-size: 12pt"><br /> </span></p> <p style="text-align: center"><img alt="" src="https://msdnshared.blob.core.windows.net/media/2017/01/013117_1437_Newenhanced1.png" /><span style="font-family: Times New Roman;font-size: 12pt"><br /> </span></p> <h1>End-user Experience</h1> <p style="text-align: justify">If a user on the Contoso network tries to sign in to the outlook.office.com instance of an unpermitted tenant, he or she will see this message on the web page:</p> <p style="text-align: center"><img alt="" src="https://msdnshared.blob.core.windows.net/media/2017/01/013117_1437_Newenhanced2.png" /></p> <h1>Admin Experience</h1> <p>While configuration of Tenant Restrictions is done on the corporate proxy infrastructure, admins can access the Tenant Restrictions reports in the Azure Portal directly from the Overview page of Azure Active Directory, under ‘Other capabilities’.</p> <p>Using the report, the admin for the tenant specified as the “Restrict-Access-Context” can see all sign-ins blocked because of the Tenant Restrictions policy, including the identity used and the target Tenant ID:</p> <p style="text-align: center"><img alt="" src="https://msdnshared.blob.core.windows.net/media/2017/01/013117_1437_Newenhanced3.png" /></p> <h1>Learn more</h1> <p>When you’re ready to get started, see <a href="https://docs.microsoft.com/azure/active-directory/active-directory-tenant-restrictions">Use Tenant Restrictions to manage access to SaaS cloud applications</a> for more information.</p> <h1>We 
appreciate your feedback</h1> <p style="text-align: justify">As always, we want to hear your feedback about this new feature. If you have any feedback, questions, or issues to report, please leave a comment at the bottom of this post or tweet with the hashtag #AzureAD.</p> <p>Best regards,</p> <p>Yossi</p> ]]></content:encoded>
<wfw:commentRss>https://blogs.technet.microsoft.com/enterprisemobility/2017/01/31/new-enhanced-access-controls-in-azure-ad-tenant-restrictions-is-now-generally-available/feed/</wfw:commentRss>
<slash:comments>3</slash:comments>
</item>
<item>
<title>#AzureAD Mailbag: MFA Q&A, Round 7!</title>
<link>https://blogs.technet.microsoft.com/enterprisemobility/2017/01/27/azuread-mailbag-mfa-qa-round-7/</link>
<pubDate>Fri, 27 Jan 2017 19:16:51 +0000</pubDate>
<dc:creator><![CDATA[Mark Morowczynski [MSFT]]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<category><![CDATA[Azure MFA]]></category>
<category><![CDATA[Mailbag]]></category>
<guid isPermaLink="false">https://blogs.technet.microsoft.com/enterprisemobility/?p=45855</guid>
<description><![CDATA[Hey yall, Mark Morowczynski here with the second part of our two part MFA mailbag. To read part 1 click here. Also for those that haven’t been reading these mailbags since the beginning you can read all the previous 21 posts using the ‘mailbag‘ tag. We are trying to make these Friday posts a regular <p><a class="read-more" href="https://blogs.technet.microsoft.com/enterprisemobility/2017/01/27/azuread-mailbag-mfa-qa-round-7/">Continue reading</a></p>]]></description>
<content:encoded><![CDATA[<p>Hey y'all, Mark Morowczynski here with the second part of our two-part MFA mailbag. To read part 1 click <a href="https://blogs.technet.microsoft.com/enterprisemobility/2017/01/06/azuread-mailbag-mfa-qa-round-6/">here</a>. Also, for those that haven’t been reading these mailbags since the beginning, you can read all the previous 21 posts using the ‘<a href="https://blogs.technet.microsoft.com/enterprisemobility/tag/mailbag/">mailbag</a>‘ tag. We are trying to make these Friday posts a regular thing and next week will cover App Proxy. If there are topics you’d like to see us discuss, even some that might require a much deeper dive, let us know. Now on to the questions.</p> <p><strong></strong></p> <p><strong>Question 6:</strong></p> <p>If you publish the on-prem <a href="https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-portal">MFA User Portal</a>/<a href="https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice">MFA Server Mobile App Web Service</a> with Azure AD Application Proxy, does this require a public cert? Can a private cert be used?</p> <p><strong>Answer 6:</strong></p> <p>Technically, you can use a self-signed cert for the MFA User Portal if you are willing to have users ignore the cert warnings/errors, but that isn’t recommended for an optimal end user experience. The MFA Server Mobile App Web Service, on the other hand, does in fact require a public certificate. 
Otherwise, the Microsoft Authenticator App will not be able to connect to the web service successfully, preventing a successful activation.</p> <p> </p> <p><strong>Question 7:</strong></p> <p>Is there any equivalent feature in the Azure MFA Server for “<a href="https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-whats-next#remember-multi-factor-authentication-for-devices-users-trust">Allow users to remember multi-factor authentication on devices they trust</a>” that is available in Azure MFA?</p> <p><strong>Answer 7:</strong></p> <p>No, except when using IIS Authentication to secure IIS-based websites. In that case, a cookie can be set to only require MFA every X minutes, but it isn’t something the end user opts into by checking a box. The cookie is set on whichever browser the user signs in from. When using RADIUS or LDAP, MFA is performed with every verification request. That’s typically desired because the verifications are generally for remote access. When securing ADFS, ADFS has full control over when MFA is required and when it isn’t.</p> <p> </p> <p><strong>Question 8:</strong></p> <p>Can we use both Azure MFA Server to secure on-premises applications and Azure MFA for Office 365? How do/can they both work together?</p> <p><strong>Answer 8:</strong></p> <p>You can use Azure MFA Server to secure both on-premises applications and cloud applications that federate to ADFS, including O365 and other apps that federate to Azure AD. It is best not to use both Azure MFA Server and Azure MFA for the same set of users, though, because they would have to register and manage MFA enrollment data in both places. It makes sense to utilize Azure MFA for your cloud-based users and Azure MFA Server for your federated sync’ed users.</p> <p>If you use both, it is best to control it with groups so that certain groups use on-prem MFA and everyone else uses cloud-based MFA. 
You’ll need to ensure that the SupportsMfa setting in the tenant DomainFederationSettings is set to False in this case. When AAD sends the user to ADFS for primary auth, ADFS will force users that are members of designated groups to perform MFA on-premises. So, ADFS will return the AuthMethodsReferences claim indicating that MFA was performed for those users, but not for the other users that aren’t members of those groups. Then Azure AD can perform cloud-based MFA for all of the other users. This design will apply to all auth flows on the relying party trust (e.g. all applications that use Azure AD as the IdP).</p> <p> </p> <p><strong>Question 9:</strong></p> <p>Is there a way for us to migrate users [from our Azure MFA Server] to Azure MFA so there is no action required from the user’s perspective?</p> <p><strong>Answer 9:</strong></p> <p>We don’t have a way to migrate users today from Azure MFA Server to cloud-based Azure MFA. We have heard this feedback previously and it is something that we are discussing.</p> <p> </p> <p><strong>Question 10:</strong></p> <p>We currently use TMG to proxy the ADFS front end to determine whether the user is coming from external. If they are external, the user is directed to Azure MFA Server to perform MFA. Any issues with this strategy? We’d like to deprecate TMG over time, but not lose functionality.</p> <p><strong>Answer 10:</strong></p> <p>No issues with that approach. ADFS should be returning the InsideCorporateNetwork claim to Azure AD when users are inside the network, and thus not going through TMG or WAP. The InsideCorporateNetwork claim can also be sent to Azure AD to determine whether you are on or off the network as well.</p> <p> </p> <p><strong>Question 11:</strong></p> <p>Can you/How do you secure on-prem OWA with MFA?</p> <p><strong>Answer 11:</strong></p> <p>To secure on-prem OWA (not rich clients), you have the following options:</p> <ol> <li>Publish OWA using Azure AD App Proxy. 
This allows the customer to either use cloud-based Azure MFA (<a href="https://azure.microsoft.com/en-us/documentation/articles/multi-factor-authentication-get-started-cloud/">https://azure.microsoft.com/en-us/documentation/articles/multi-factor-authentication-get-started-cloud/</a>) or to use Azure MFA Server with ADFS (<a href="https://azure.microsoft.com/en-us/documentation/articles/multi-factor-authentication-get-started-adfs-w2k12/">https://azure.microsoft.com/en-us/documentation/articles/multi-factor-authentication-get-started-adfs-w2k12/</a>).</li> <li>Configure OWA for claims-based auth to ADFS. Use MFA Server to secure ADFS. This requires Exchange 2013 or higher.</li> </ol> <p>If using a reverse proxy such as F5 in front of OWA that can pre-authenticate via RADIUS or LDAP, you can point the RADIUS or LDAP authentication to MFA Server.</p> <p> </p> <p>Thanks for reading. Check back next week for more mailbag goodness.</p> <p>For any questions you can reach us at<br /> <a>AskAzureADBlog@microsoft.com</a>, the <a href="https://social.msdn.microsoft.com/Forums/azure/en-US/home?forum=WindowsAzureAD">Microsoft Forums</a> and on Twitter <a href="https://twitter.com/AzureAD">@AzureAD</a>, <a href="https://twitter.com/markmorow">@MarkMorow</a> and <a href="https://twitter.com/Alex_A_Simons">@Alex_A_Simons</a></p> <p> </p> <p>Chad Hasbrook, Mark Morowczynski, Shawn Bishop, Todd Gugler</p> ]]></content:encoded>
</item>
<item>
<title>Identity Admins rejoice: Azure Active Directory meets Power BI!</title>
<link>https://blogs.technet.microsoft.com/enterprisemobility/2017/01/20/admins-rejoice-azure-active-directory-meets-power-bi/</link>
<comments>https://blogs.technet.microsoft.com/enterprisemobility/2017/01/20/admins-rejoice-azure-active-directory-meets-power-bi/#comments</comments>
<pubDate>Fri, 20 Jan 2017 16:00:42 +0000</pubDate>
<dc:creator><![CDATA[Alex_SimonsMS]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<category><![CDATA[Apps]]></category>
<category><![CDATA[Authentication]]></category>
<category><![CDATA[Cloud]]></category>
<category><![CDATA[SaaS]]></category>
<guid isPermaLink="false">https://blogs.technet.microsoft.com/enterprisemobility/?p=46086</guid>
<description><![CDATA[Howdy folks, We’ve heard from many of our largest customers that it’s critically important to them to have easy access to information that helps them understand how their employees and partners are using Azure Active Directory. That understanding allows them to plan their IT infrastructure, to increase usage and maximize the business value they get <p><a class="read-more" href="https://blogs.technet.microsoft.com/enterprisemobility/2017/01/20/admins-rejoice-azure-active-directory-meets-power-bi/">Continue reading</a></p>]]></description>
<content:encoded><![CDATA[<p><span style="font-size: 10pt">Howdy folks,<br /> </span></p> <p><span style="font-size: 10pt">We’ve heard from many of our largest customers that it’s critically important to them to have easy access to information that helps them understand how their employees and partners are using Azure Active Directory. That understanding allows them to plan their IT infrastructure, to increase usage and maximize the business value they get from Azure AD.<br /> </span></p> <p><span style="font-size: 10pt">The <a href="https://portal.azure.com/">usage and activity reports</a> in the Azure admin portal are a great starting point for accessing and digesting usage trends. But many of you have told us you want the ability to gather richer insights into what’s going on with the various capabilities you rely on in Azure Active Directory. So, today I am excited to announce the new Power BI Content Pack for Azure Active Directory!<br /> </span></p> <p><span style="font-size: 10pt">With this integration of Azure Active Directory APIs with Power BI, you can easily download pre-built content packs and dig deeper into all the activities within your Azure Active Directory, and all this data is enhanced by the rich visualization experience Power BI offers. And you can create your own dashboard and share it easily with anyone in your organization.<br /> </span></p> <p><img class="aligncenter" alt="" src="https://msdnshared.blob.core.windows.net/media/2017/01/011917_0047_Adminsrejoi1.png" /></p> <h3><span style="color: #404040;font-family: Segoe UI;font-size: 18pt">Richer Usage, App Trends and Audit insights<br /> </span></h3> <p><span style="font-size: 10pt">The Azure AD Power BI content pack has three main reports you can use to create your dashboard view. The default dashboard view shows the specific metrics around usage of your Azure AD features. 
You can get detailed access by clicking into the metrics.<br /> </span></p> <p><span style="font-size: 10pt">Here are the key reports you get with this content pack:<br /> </span></p> <ul> <li><span style="font-size: 10pt"><strong>App Usage and Trend report: </strong>Provides insight into the apps used in your organization, including which ones are being used the most and when. Use this report to see how an app you recently rolled out in your organization is being used or find out which apps are popular. By doing this, you can improve usage if you see the app is not being used.<br /> </span></li> <li><span style="font-size: 10pt"><strong>Sign-ins by location and users: </strong>Provides insight into all the sign-ins performed using Azure Identity and into the identity of the users. With this report, you can look at individual sign-ins to find information such as where a user signed in from, which user has signed in the most, and whether the sign-in was successful. And you can drill into details by clicking on a specific date or location.<strong><br /> </strong></span></li> </ul> <h3><span style="color: #404040;font-family: Segoe UI;font-size: 18pt">Let us know what you think!<br /> </span></h3> <p>It’s important to note that you need to have <a href="https://azure.microsoft.com/en-us/pricing/details/active-directory/">Azure AD Premium</a> to access this content pack. 
You can learn more about <a href="https://powerbi.microsoft.com/en-us/blog/azure-active-directory-meets-power-bi/preview/"><span style="font-family: Segoe UI"><strong>how to install and get started with the Azure AD</strong></span></a> content pack by checking out the Azure AD content pack documentation.<span style="color: #333333;font-family: Segoe UI;font-size: 10pt"><br /> </span></p> <p><a></a>Give these new features a try and let the <a href="mailto:aadreportinghelp@microsoft.com?subject=Azure%20AD%20Activity%20Logs%20Power%20BI%20Content%20Pack%20Feedback">AAD Reporting team</a> know what you think! We read every piece of feedback to make sure the Azure AD administration experience is top-notch, so let us know what works for you and what doesn’t. I look forward to hearing from you!</p> <p>Best regards,</p> <p>Alex Simons (Twitter: <a href="http://www.twitter.com/alex_a_simons">@Alex_A_Simons</a>)</p> <p>Director of Program Management</p> <p>Microsoft Identity Division</p> ]]></content:encoded>
<wfw:commentRss>https://blogs.technet.microsoft.com/enterprisemobility/2017/01/20/admins-rejoice-azure-active-directory-meets-power-bi/feed/</wfw:commentRss>
<slash:comments>4</slash:comments>
</item>
<item>
<title>#AzureAD Mailbag: MFA Q&A, Round 6!</title>
<link>https://blogs.technet.microsoft.com/enterprisemobility/2017/01/06/azuread-mailbag-mfa-qa-round-6/</link>
<pubDate>Fri, 06 Jan 2017 18:04:08 +0000</pubDate>
<dc:creator><![CDATA[Mark Morowczynski [MSFT]]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<category><![CDATA[Azure MFA]]></category>
<category><![CDATA[Mailbag]]></category>
<guid isPermaLink="false">https://blogs.technet.microsoft.com/enterprisemobility/?p=45606</guid>
<description><![CDATA[All right, it’s time for some more mandatory fun! Chad here again kicking off 2017 and ready with another MFA mailbag. In the last couple months, I’ve been having a lot of conversations with customers around Azure MFA Server licenses requirements, billing, and split configurations. In this mailbag, I’ve taken some of these “What if.” <p><a class="read-more" href="https://blogs.technet.microsoft.com/enterprisemobility/2017/01/06/azuread-mailbag-mfa-qa-round-6/">Continue reading</a></p>]]></description>
<content:encoded><![CDATA[<p>All right, it’s time for some more mandatory fun!</p> <p>Chad here again kicking off 2017 and ready with another MFA mailbag. In the last couple of months, I’ve been having a lot of conversations with customers around Azure MFA Server license requirements, billing, and split configurations. In this mailbag, I’ve taken some of these “What if.” and “How does this work?” questions that you implementers can get stuck on and will hopefully provide the answers you need to get started on your deployment. Also, our team has really grown lately and some of these faces are going to join in on our blogging efforts. Check back on Fridays for a new post.</p> <p> </p> <p><strong>Question 1:</strong></p> <p>I know when I use the text message option of Azure MFA, I get a 6 digit code texted to me. How long is that code good for? Can I change the length of the code and the length of time the code is valid?</p> <p> </p> <p><strong>Answer 1:</strong></p> <p>When using Azure MFA Server, the default timeout is 5 minutes. There is no UX to configure it. It can be configured via a registry key setting.</p> <p>When using (cloud-based) Azure MFA, the timeout is 3 minutes; this is not configurable. The length of the code (6 digits) is not configurable.</p> <p> </p> <p><strong>Question 2:</strong></p> <p>Does the downloadable <a href="https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-sdk">MFA SDK</a> used for Azure MFA Server support texting and calling to international numbers? Is there any additional cost associated with doing so?</p> <p> </p> <p><strong>Answer 2:</strong></p> <p>Yes, the downloadable SDK supports both texting and phone calls to international numbers. 
However, users may incur charges for receiving or replying to international calls and texts, depending on the terms of their cellular plan and carrier.</p> <p> </p> <p><strong>Question 3:</strong></p> <p>Can you explain how billing works for Azure MFA Server?</p> <p> </p> <p><strong>Answer 3:</strong></p> <p>There are several options for billing:</p> <ol> <li>Per-User Consumption: Create a per-user MFA Provider in an Azure subscription. MFA Server reports the number of users marked as Enabled to our cloud service. The cloud service reports the number of users to the Commerce system to bill the Azure subscription for the number of users enabled.</li> <li>Per-Authentication Consumption: Create a per-authentication MFA Provider in an Azure subscription. The cloud service reports the number of verification requests that have occurred each day to the Commerce system to bill the Azure subscription.</li> <li>License: Purchase standalone MFA, Azure AD Premium and/or EMS licenses. MFA Server reports the number of users marked as Enabled to the cloud service. The customer needs enough licenses to cover the number of users enabled. While we encourage licenses to be assigned to AAD users, the MFA system only looks at the total count of users enabled for MFA.</li> </ol> <p>You can mix options 1 and 3 by creating a per-user MFA Provider in an Azure subscription that is linked to the Azure AD tenant that holds your MFA, AAD Premium and/or EMS licenses. The Azure subscription will only be billed for the number of users enabled for MFA that exceeds the number of licenses owned. 
For more information, please visit our <a href="https://azure.microsoft.com/en-us/pricing/details/multi-factor-authentication/">Multi-Factor Authentication Pricing documentation</a>.</p> <p> </p> <p><strong>Question 4:</strong></p> <p>I want to understand whether there are charges for failed authentications. Also, can I use a hybrid model, with some users set up to pay per user per month and others set up to pay per authentication?</p> <p><strong>Answer 4:</strong></p> <p>The only way to do a hybrid, where some users are per-user and others are per-authentication, would be to have two separate MFA Providers that are used with two different environments or user groups. Another option would be to use Azure MFA (cloud) together with an MFA Provider that is configured for per-authentication billing. Azure MFA today only works for cloud-based resources and when using AD FS 2016. For per-authentication billing, we bill for each authentication attempt, including failed attempts.</p> <p> </p> <p><strong>Question 5:</strong></p> <p>Can my organization switch between per-user and per-authentication consumption billing models at any time?</p> <p><strong>Answer 5:</strong></p> <p>If you are using an Azure MFA Provider that is linked to your Azure AD tenant, you can safely delete the current provider and recreate it with the other usage model, as long as you link the new one to that same Azure AD tenant. There are only issues with deleting and recreating MFA Providers that aren’t linked to an Azure AD tenant.</p> <p> </p> <p>And that finishes up your Azure MFA FAQs for the week! 
We hope you took away something new or had an “aha” moment. Keep the feedback coming to the GTP Team.</p> <p> </p> <p>For any questions you can reach us at <a href="mailto:AskAzureADBlog@microsoft.com">AskAzureADBlog@microsoft.com</a>, on the <a href="https://social.msdn.microsoft.com/Forums/azure/en-US/home?forum=WindowsAzureAD">Microsoft Forums</a> and on Twitter at <a href="https://twitter.com/AzureAD">@AzureAD</a>, <a href="https://twitter.com/markmorow">@MarkMorow</a> and <a href="https://twitter.com/Alex_A_Simons">@Alex_A_Simons</a>.</p> <p> </p> <p>Chad Hasbrook, Mark Morowczynski, Shawn Bishop, Todd Gugler</p> ]]></content:encoded>
</item>
<item>
<title>Breaking down EMS Conditional Access: Part 2</title>
<link>https://blogs.technet.microsoft.com/enterprisemobility/2017/01/05/breaking-down-ems-conditional-access-part-2/</link>
<pubDate>Thu, 05 Jan 2017 16:00:25 +0000</pubDate>
<dc:creator><![CDATA[Enterprise Mobility Team]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<guid isPermaLink="false">https://blogs.technet.microsoft.com/enterprisemobility/?p=45505</guid>
<description><![CDATA[This post is the second in a three-part series detailing Conditional Access from Microsoft Enterprise Mobility + Security. Today, the typical employee connects an average of four devices to their corporate network. Usually they’re connecting from their own mobile device or PC, but that’s not always the case. Maybe they use their daughter’s iPad in <p><a class="read-more" href="https://blogs.technet.microsoft.com/enterprisemobility/2017/01/05/breaking-down-ems-conditional-access-part-2/">Continue reading</a></p>]]></description>
<content:encoded><![CDATA[<p><i>This post is the second in a three-part series detailing </i><a href="https://www.microsoft.com/en-us/cloud-platform/conditional-access"><i>Conditional Access</i></a><i> from Microsoft Enterprise Mobility + Security.</i></p> <p>Today, the typical employee connects an average of four devices to their corporate network. Usually they’re connecting from their own mobile device or PC, but that’s not always the case. Maybe they use their daughter’s iPad in a pinch, or log on from a friend’s house, or use a hotel kiosk to connect. You might be OK with allowing access in some cases, but in other circumstances you may want to provide access only to certain employees, only to specific data, or only from known and compliant devices.</p> <p>Device-based conditional access from Microsoft Enterprise Mobility + Security (EMS) helps you make sure that only compliant mobile devices and PCs, those that meet the standards you’ve set, have access to corporate data.</p> <h2>Device Compliance</h2> <p>Device compliance policies help you protect company data by making sure the devices used to access your data or sensitive apps comply with your specific requirements or standards. Administrators can set these policies to enforce device compliance requirements before users attempt to access company resources. These can include settings for device enrollment, domain join, passwords and encryption, as well as for the OS platform running on the device.</p> <p>You can use <a href="https://docs.microsoft.com/en-us/intune/deploy-use/introduction-to-device-compliance-policies-in-microsoft-intune">compliance policy settings</a> in Microsoft Intune to create a set of rules for evaluating the compliance of employee devices. 
When devices don’t meet the conditions set in the policies, the end user is guided through the process of enrolling the device and fixing the issue that prevents the device from being compliant.</p> <p><a href="https://docs.microsoft.com/en-us/intune/deploy-use/restrict-access-to-email-and-o365-services-with-microsoft-intune">Conditional access policies</a> are a set of rules that can restrict or allow access to a specific service based on whether the user meets the requirements you define. When you use a conditional access policy in combination with a device compliance policy, only users with compliant devices (in addition to meeting any other rules you’ve set) will be allowed to access the service. Since both policies are applied at the user level, any device from which the user tries to access services will be checked for compliance.</p> <p><a href="https://msdnshared.blob.core.windows.net/media/2017/01/Conditional-Access-Policy-Scenario.png"><img width="790" height="463" title="Conditional Access Policy Scenario" class="aligncenter" style="float: none;padding-top: 0px;padding-left: 0px;margin-left: auto;padding-right: 0px;margin-right: auto;border: 0px" alt="Conditional Access Policy Scenario" src="https://msdnshared.blob.core.windows.net/media/2017/01/Conditional-Access-Policy-Scenario_thumb.png" border="0" /></a></p> <p align="center"><em>In this scenario, IT has applied a policy that blocks unmanaged devices from accessing and opening files stored on OneDrive for Business. Devices need to be enrolled first, before the location can be accessed.</em></p> <h2>EMS + Lookout, providing additional mobile endpoint security</h2> <p><a href="https://www.lookout.com/about/partners/microsoft">Lookout’s deep integration with EMS</a> gives you real-time visibility into mobile device risks, including advanced mobile threats and app data leakage, which can inform your conditional access policies. 
Lookout provides visibility across all three mobile risk vectors: app-based risks (such as malware), network-based risks (such as man-in-the-middle attacks), and OS-based risks (such as malicious OS compromise).</p> <p>The integration between Lookout and EMS makes it easy to apply this threat intelligence to your conditional access policies. If a device is found to be non-compliant due to a mobile risk identified by Lookout, access is blocked and the user is prompted to resolve the issue with one-step guidance from Lookout before they can regain access. <em>Note that Lookout licenses must be purchased separately from EMS.</em></p> <p><a href="https://msdnshared.blob.core.windows.net/media/2017/01/EMS-Intune-Lookout.png"><img width="850" height="351" title="EMS Intune Lookout" class="aligncenter" style="float: none;padding-top: 0px;padding-left: 0px;margin-left: auto;padding-right: 0px;margin-right: auto;border: 0px" alt="EMS Intune Lookout" src="https://msdnshared.blob.core.windows.net/media/2017/01/EMS-Intune-Lookout_thumb.png" border="0" /></a></p> <h2>Device-based conditional access to on-premises resources</h2> <p>EMS conditional access capabilities help you to secure access to both your cloud and on-premises resources. Our customers often manage broad and complex networks, so with that in mind, we’ve built partnerships with popular network access providers such as Cisco ISE, Aruba ClearPass, and Citrix NetScaler. Now you can extend your Intune conditional access capabilities to work with these networks.</p> <p>Partner network providers can implement checks for Intune-managed and compliant devices as a requirement before allowing user access through either your wireless or virtual private network. 
When you <a href="https://docs.microsoft.com/en-us/intune/deploy-use/restrict-access-to-networks">extend device compliance policies to network providers</a>, you can ensure that only managed and compliant devices will be able to connect to your on-premises corporate network.</p> <p>EMS offers you some great access simplifications: you can still enable <a href="https://docs.microsoft.com/en-us/enterprise-mobility-security/solutions/protect-on-premises-data-with-intune">secure access to on-premises</a> applications without VPNs, DMZs, or on-premises reverse proxies by leveraging the Azure Active Directory Application Proxy. Best of all, all of this can be done without installing or maintaining additional on-premises infrastructure or opening your company firewall to route traffic through it. Conditional access capabilities will work for this scenario as well.</p> <h2>Additional Resources</h2> <ul> <li><a href="https://blogs.technet.microsoft.com/enterprisemobility/2016/10/31/breaking-down-ems-conditional-access-part-1/">Breaking down EMS Conditional Access: Part 1</a></li> <li><a href="https://microsoftintune.uservoice.com/?WT.mc_id=Blog_Intune_Announce_PCIT">Submit feedback and suggestions to the Intune engineering team</a></li> <li><a href="https://docs.microsoft.com/en-us/enterprise-mobility-security/solutions/protect-office365-data-with-intune">Read more about device-based conditional access on the Intune docs site</a></li> <li><a href="https://blogs.technet.microsoft.com/enterprisemobility/feed/?product=microsoft-intune">Subscribe to the Intune blog RSS feed</a></li> <li>Follow us on <a href="https://twitter.com/MSFTMobility">Twitter</a></li> </ul> ]]></content:encoded>
</item>
</channel>
</rss>