Hackfest 2023 - Back to the Future

Unconditionally Conditional - Strong Authentication in Azure AD
10-13, 16:30–17:20 (Canada/Eastern), Track #2
Language: English

Conditional Access in Microsoft Azure Active Directory, when tied with Mobile Application Management and Mobile Device Management in Microsoft Intune are the core pillars for building zero trust based access controls in Microsoft 365 and Azure published services. We will cover MDM and MAM policies, how Intune device compliance is applied to Conditional Access by Intune, when deploying authentication and most importantly a tested model for layered access, specifically as it relates to M365 in a variety of trust states.


This could be considered for Defensive or Security 101.

  • Introduction / Agenda / whomi 2 mins
  • Overview - why conditional access is important, how relates to zero trust - 3 mins
  • Microsoft Intune - start with devices - discuss various aspects of different method of joining devices and assessing device compliance using MS Intune - 15 mins
  • Device join types
  • Requirements for Hybrid Azure joined and Co-Managed
  • MDM vs MAM - differences, similarities and how they relate to one another in a layered approach.
  • MDM policies - details regarding options, successes, and pitfalls when applying device compliance policies.
  • MAM policies - details regarding options, successes, and pitfalls when applying application/container compliance policies.
  • Limitations - notable additional limitations within Intune, especially as it relates to method of onboarding devices, where compliance fits in relation to configuration profiles.
  • What else does Intune do? - reporting, patch management
    Conditional Access policies - there are a number of complications to how conditional access policies apply. Inclusion vs exclusion of items, objects, etc. Detailed discussion of the various filters and controls, how each is applied and managed - 15 mins
  • Users
  • Applications & Actions
  • Conditions
  • Sessions
  • Controls
  • Device filters
  • Limitations & Challenges - limitations discovered during large scale implementation
  • Putting it all together - 10 mins
  • Wide policies vs specific policies - affects of widely applied vs specific policies.
  • OS specific policies
  • Browser only vs App policies - settings that don't work on one or the other.
  • Interesting special cases - things that should never happen, but seem to all the time. Things you will want to block, control, or manage.
  • A blueprint from least to most trust across a grid of situations - 5 mins
  • Includes BYOD, On premise, off premise, fully managed, completely unmanaged and untrusted.
  • How this relates to healthcare settings
  • References
    Questions - 5 mins

Are you releasing a tool?

No

Don Mallory has over 30 years of experience in enterprise IT, primarily in critical infrastructure, specializing in operations, data storage, disaster recovery, and security for critical infrastructure. Professionally, Don is a Senior Security Analyst in the healthcare sector. He has been involved in various volunteer activities including C3X as a builder and mentor, co-organizer of Hak4Kidz Toronto and the Latow Photographer's Guild at the Art Gallery of Burlington, where he teaches traditional wet darkroom photography.