Hackfest 2023 - Back to the Future

Unconditionally Conditional - Strong Authentication in Azure AD
2023-10-13, 16:30–17:20, Track #2
Language: English

Conditional Access in Microsoft Azure Active Directory, when tied to Mobile Application Management (MAM) and Mobile Device Management (MDM) in Microsoft Intune, forms the core pillars for building zero-trust-based access controls for Microsoft 365 and Azure-published services. We will cover MDM and MAM policies, how Intune device compliance feeds into Conditional Access when deploying authentication, and, most importantly, a tested model for layered access, specifically as it relates to M365 across a variety of trust states.


This could be considered for Defensive or Security 101.

  • Introduction / Agenda / whoami - 2 mins
  • Overview - why conditional access is important and how it relates to zero trust - 3 mins
  • Microsoft Intune - start with devices - the different methods of joining devices and assessing device compliance using MS Intune - 15 mins
      • Device join types
      • Requirements for Hybrid Azure AD joined and co-managed devices
      • MDM vs MAM - differences, similarities and how they relate to one another in a layered approach
      • MDM policies - options, successes and pitfalls when applying device compliance policies
      • MAM policies - options, successes and pitfalls when applying application/container compliance policies
      • Limitations - notable additional limitations within Intune, especially as they relate to the method of onboarding devices and where compliance fits in relation to configuration profiles
      • What else does Intune do? - reporting, patch management
  • Conditional Access policies - there are a number of complications in how conditional access policies apply: inclusion vs exclusion of items, objects, etc. Detailed discussion of the various filters and controls, and how each is applied and managed - 15 mins
      • Users
      • Applications & actions
      • Conditions
      • Sessions
      • Controls
      • Device filters
      • Limitations & challenges - limitations discovered during a large-scale implementation
  • Putting it all together - 10 mins
      • Wide policies vs specific policies - effects of widely applied vs specific policies
      • OS-specific policies
      • Browser-only vs app policies - settings that don't work on one or the other
      • Interesting special cases - things that should never happen, but seem to all the time; things you will want to block, control or manage
  • A blueprint from least to most trust across a grid of situations - 5 mins
      • Includes BYOD, on premise, off premise, fully managed, completely unmanaged and untrusted
      • How this relates to healthcare settings
  • References
  • Questions - 5 mins
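The outline's Conditional Access section turns on a few evaluation rules that are easy to get wrong in a large tenant: an exclusion always beats an inclusion, every enabled policy whose assignments match a sign-in is applied at once, a single block wins over any grant, and a device filter in include mode needs a rule hit while exclude mode needs a miss. The model below is an added illustration for this page, not code from the talk or from Microsoft. The dictionary field names follow the Microsoft Graph conditionalAccessPolicy resource as far as I know it, the semantics are a deliberate subset of the real engine (single-clause device filters, no sessions or named locations), and the three policies, users, groups and sign-ins are constructed samples.

```python
import re
from dataclasses import dataclass
from typing import Optional

ALL = "All"  # Graph uses the literal "All" in includeUsers/includeApplications/includePlatforms

@dataclass
class SignIn:
    """One sign-in attempt. trust_type mirrors device.trustType in CA device filters:
    "AzureAD" (joined), "ServerAD" (hybrid joined), "Workplace" (registered), None (unregistered)."""
    user: str
    groups: frozenset
    app: str
    platform: str             # "windows", "iOS", "android", "macOS"
    client_app: str           # "browser" or "mobileAppsAndDesktopClients"
    is_compliant: bool        # Intune compliance state as reported to the directory
    trust_type: Optional[str]
    mfa_done: bool

def _in_scope(include, exclude, values):
    """Exclusions always win; otherwise 'All' or any named match brings the sign-in into scope."""
    values = set(values)
    if values & set(exclude):
        return False
    return ALL in include or bool(values & set(include))

_RULE = re.compile(r'device\.(\w+)\s+-(eq|ne)\s+"([^"]*)"')

def rule_matches(rule, s):
    """Single-clause device filter such as device.trustType -ne "ServerAD" (assumed subset of the
    real filter language, which also has -contains, -startsWith and boolean combinations)."""
    m = _RULE.fullmatch(rule.strip())
    if not m:
        raise ValueError(f"unsupported rule: {rule!r}")
    prop, op, value = m.groups()
    actual = {"trustType": s.trust_type, "isCompliant": s.is_compliant}[prop]
    return (str(actual) == value) == (op == "eq")

def policy_applies(policy, s):
    """True when every assignment condition of an enabled policy matches the sign-in."""
    if policy.get("state") != "enabled":
        return False
    c = policy["conditions"]
    u, a = c["users"], c["applications"]
    if not _in_scope(u.get("includeUsers", []) + u.get("includeGroups", []),
                     u.get("excludeUsers", []) + u.get("excludeGroups", []),
                     {s.user, *s.groups}):
        return False
    if not _in_scope(a.get("includeApplications", []), a.get("excludeApplications", []), {s.app}):
        return False
    p = c.get("platforms")
    if p and not _in_scope(p.get("includePlatforms", []), p.get("excludePlatforms", []), {s.platform}):
        return False
    types = c.get("clientAppTypes", ["all"])
    if "all" not in types and s.client_app not in types:
        return False
    f = (c.get("devices") or {}).get("deviceFilter")
    if f and (f["mode"] == "include") != rule_matches(f["rule"], s):
        return False  # include mode needs a rule hit, exclude mode needs a miss
    return True

def grant_satisfied(grant, s):
    """Block wins outright; otherwise AND needs every listed control, OR needs at least one."""
    controls = grant["builtInControls"]
    if "block" in controls:
        return False
    met = {"mfa": s.mfa_done, "compliantDevice": s.is_compliant,
           "domainJoinedDevice": s.trust_type == "ServerAD"}
    results = [met[ctl] for ctl in controls]
    return all(results) if grant.get("operator", "AND") == "AND" else any(results)

def evaluate(policies, s):
    """Return (allowed, names of the policies that applied); all applied policies must be satisfied."""
    applied = [p for p in policies if policy_applies(p, s)]
    return all(grant_satisfied(p["grantControls"], s) for p in applied), [p["displayName"] for p in applied]

# Constructed sample policy set; names, apps and groups are illustrative, not from any tenant.
POLICIES = [
    {"displayName": "CA001 MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": [ALL], "excludeGroups": ["break-glass"]},
                    "applications": {"includeApplications": [ALL]}, "clientAppTypes": ["all"]},
     "grantControls": {"operator": "AND", "builtInControls": ["mfa"]}},
    {"displayName": "CA002 Compliant device for Exchange mobile apps", "state": "enabled",
     "conditions": {"users": {"includeUsers": [ALL]},
                    "applications": {"includeApplications": ["Office 365 Exchange Online"]},
                    "platforms": {"includePlatforms": ["iOS", "android"]},
                    "clientAppTypes": ["mobileAppsAndDesktopClients"]},
     "grantControls": {"operator": "AND", "builtInControls": ["compliantDevice"]}},
    {"displayName": "CA003 Block Azure Management from non-hybrid devices", "state": "enabled",
     "conditions": {"users": {"includeUsers": [ALL], "excludeGroups": ["break-glass"]},
                    "applications": {"includeApplications": ["Microsoft Azure Management"]},
                    "devices": {"deviceFilter": {"mode": "include",
                                                 "rule": 'device.trustType -ne "ServerAD"'}}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]

if __name__ == "__main__":
    mail = "Office 365 Exchange Online"
    for s in (SignIn("alice", frozenset({"staff"}), mail, "iOS", "mobileAppsAndDesktopClients", True, "Workplace", True),
              SignIn("alice", frozenset({"staff"}), mail, "iOS", "mobileAppsAndDesktopClients", False, "Workplace", True),
              SignIn("bob", frozenset({"staff"}), "Microsoft Azure Management", "windows", "browser", True, "Workplace", True)):
        print(s.user, s.app, s.platform, evaluate(POLICIES, s))
```

Two of the outline's "special cases" fall straight out of the model: a user placed in the break-glass exclusion group is untouched by every policy that carves that group out, so that group's membership needs its own monitoring, and a device-filter policy written with `-ne` in include mode catches unregistered devices (trustType None) as well as registered ones, which is usually the intent but is worth confirming in the sign-in logs before turning the policy from report-only to enabled.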

Are you releasing a tool?

No

Don Mallory has over 30 years of experience in enterprise IT, primarily in critical infrastructure, specializing in operations, data storage, disaster recovery, and security for critical infrastructure. Professionally, Don is a Senior Security Analyst in the healthcare sector. He has been involved in various volunteer activities including C3X as a builder and mentor, co-organizer of Hak4Kidz Toronto and the Latow Photographer's Guild at the Art Gallery of Burlington, where he teaches traditional wet darkroom photography.