I couldn’t be more excited than I am about today’s blog post. I’ve been looking forward to it for weeks now because I’m so proud of the work here and the huge benefits it will deliver to customers. It’s the culmination of nearly 18 months of work across Microsoft and is a great illustration of our vision:
“Identity is the new control plane”
With these new capabilities, Windows 10 and the Enterprise Mobility Suite (Azure AD Premium, Intune and Azure RMS) are modernizing enterprise mobility:
- We’re eliminating the hassles of MDM enrollment. When a user joins their Windows 10 device to Azure AD, it will be automatically enrolled for MDM (based on corporate policy).
- We’re giving customers an end-to-end solution for securing their enterprise resources using policy-based access control based on:
  - Application sensitivity
  - Device health and compliance state
  - User profile/attributes/group membership
  - Authentication strength
  - Access location
- We’re giving users access to both their cloud apps and their on-premises apps, all controlled by the same set of policies and protections.
- We’re doing it all using the power of the cloud! No new servers to buy or network gear to install! No VPN to support! You can have the entire solution up and running in a few hours.
To walk you through the details of how this all works, I’ve asked Mahesh Unnikrishnan from the AD PM team to do a guest blog which you’ll find below.
This is one of the coolest things I’ve had the privilege to work on here at Microsoft and I’m really glad we can finally share the details with you! Hopefully you’ll be just as excited about it as we are.
And of course as always, we would love to get any feedback or suggestions you have!
Alex Simons (Twitter: @Alex_A_Simons)
Director of Program Management
Microsoft Identity and Security Services Division
Hi there! I’m Mahesh Unnikrishnan, the PM responsible for integrating mobile device management (MDM) solutions such as Microsoft Intune with Azure AD. Alex’s previous blog post introduced cool new capabilities in Windows 10 powered by Azure AD. With Windows 10, we’re excited to enable automatic MDM enrollment of both corporate owned devices as well as personally owned BYO devices, powered by Azure AD.
As more organizations adopt a ‘bring-your-own-device’ (BYOD) friendly approach, their IT departments are faced with the challenge of ensuring corporate data stays secure on mobile devices. Devices pose ongoing risks to the corporate data accessed from them: they are frequently lost or stolen, jail-broken, loaded with risky apps, and configured insecurely (for example: no PIN/passcode, device encryption disabled, etc.). MDM solutions help mitigate these risks by ensuring compliance with corporate security policies. To deliver a secure experience for applications across these devices, we’ve partnered closely with Microsoft Intune and Office 365. If you follow the blog, you’ve probably read about some of the work we’ve done here:
Enterprise Mobility Suite (EMS): A suite of cloud services that protect corporate data on devices, within apps and in transit. This includes Azure AD Premium (for identity/access management), Azure Rights Management (for information protection and rights management) and Microsoft Intune (for MDM and mobile application management). Brad Anderson’s blog post introducing EMS is a great source for more information.
Built-in mobile device management for Office 365: MDM capabilities powered by Microsoft Intune and Azure AD are built in to Office 365. These help manage corporate Office 365 data securely across a wide range of devices.
These are pretty exciting innovations and they’ve been greeted by strong customer demand. For example, in just over 1 year, 13000 customers have purchased the Enterprise Mobility Suite.
But with Windows 10, we’re really putting things into overdrive! With Windows 10 and the Enterprise Mobility Suite, IT administrators can:
- Create policy that requires automatic Intune MDM enrollment for corporate owned devices that are joined to Azure AD.
- Require automatic Intune enrollment when an Azure AD account is added to a personally owned BYO device.
- Create access policies in Azure AD Premium that use our cloud-based conditional access engine to check a device’s health and compliance state, as reported by the Intune service, before granting access to a corporate resource.
Note: We are working with third-party MDM ISVs to support automated MDM enrollment and policy-based access checks. I’ll share more on that front later this year.
This powerful combination of capabilities, all based in the cloud, illustrates what Alex means when he talks about “Identity is the new control plane”. Without a dollar of new on-premises infrastructure, you can quickly deploy an end-to-end solution for managing users, devices and critical applications like Office 365 in accordance with your corporate policy. And no other vendor offers this kind of complete, modern & entirely cloud based enterprise mobility solution.
Automatic Intune enrollment on corporate owned devices
If you accept these terms, your device is joined to Azure AD and subsequently automatically enrolled for management with Microsoft Intune. You do not need to locate the appropriate app in the Windows Store or perform any manual steps to enroll your device! If you decline to have your corporate owned device managed, you will not be able to join the device to Azure AD.
Automatic Intune enrollment on personally owned devices
If you accept these terms, your Azure AD account is added to your device and subsequently enrolled for management with Microsoft Intune. This seamless experience saves you the trouble of having to enroll your device separately for management or perform other manual steps to do so.
If you decline to have your personally owned device managed, your Azure AD account will still be added to your device. You may continue to enjoy single sign-on to some corporate resources or applications. However, you will be denied access to sensitive corporate resources or applications that your IT administrator has configured to allow access only from policy compliant devices.
Azure AD and Microsoft Intune – working together to keep corporate data secure
Your organization’s IT administrator configures device management policies in Microsoft Intune. For instance, your IT administrator may require that devices have a PIN or passcode enabled on them, have encryption turned on and are regularly updated. Additionally they may choose to implement more sophisticated policies such as jailbreak detection etc. These policies are configured in the Intune console and are used by Microsoft Intune to evaluate whether a device complies with corporate policy.
Your organization’s IT administrator configures conditional access control policies in Azure AD. For instance, your IT administrator may require that in order to access a cloud app used by your organization, users’ devices need to be managed by Intune and compliant with the device management policy configured on Intune. These conditional access control policies are configured in the Azure AD portal and are used by Azure AD to determine whether to allow a user to access an application secured by it.
Microsoft Intune periodically evaluates whether your device is compliant with the required device management policies configured by your IT administrator. This compliance information is then reported to Azure AD. If your device falls out of compliance at a later stage (say the PIN/passcode was disabled on it), Microsoft Intune notifies Azure AD of the device being out of compliance.
There are a couple of other scenarios in which Microsoft Intune notifies Azure AD:
- Your device was lost/stolen and you reported that using the Intune self-service portal or app.
- Your device was offline for a long period and Microsoft Intune was unable to determine whether the device continues to comply with policy.
Now, let’s say you’re trying to access the cloud application secured by Azure AD. Your organization’s IT administrator has configured a conditional access control policy for this application that requires policy compliant devices.
If your device complies with required device management policy and has been reported by Microsoft Intune as compliant, Azure AD will allow access to the cloud application. If your device falls out of compliance (say you disabled a PIN/passcode or turned off device encryption), Microsoft Intune reports the device as non-compliant and Azure AD will block access to the cloud application.
Additionally, when your device is found to be non-compliant with policy, Azure AD provides a link that helps you remediate the situation and regain access. This link launches the Intune app on your device, which can then tell you exactly why your device is out of compliance and how to remediate the situation. We believe this self-service remediation helps end-users remain productive without having to wait for IT administrators to help remediate access denied issues.
Conditional access control
The integration we’re building between Intune and Azure AD enables IT administrators to rely on the device compliance state reported by Intune in order to determine whether to grant access to applications. This is powered by our conditional access engine, which Alex has blogged about previously.
A sample conditional access control policy your IT administrator would be able to configure is illustrated below:
“Allow users in our finance department to access the Finweb portal only if they have performed multi-factor authentication and are using a policy compliant device.”
Notice how this policy expresses requirements using a combination of conditions, in order to grant access to an application. These conditions include the identity of the user, the strength of their authentication as well as whether their device is considered policy compliant. Such policies can be configured in Azure AD on a per-application basis. Azure AD conditional access control enables your IT administrators to apply stricter access control policies for sensitive applications.
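To make the decision flow concrete, here is an added example (not code from the original post, and not a Microsoft API) that models the conditional access evaluation described in the "working together" section and the sample Finweb policy above. The policy fields, the seven-day offline threshold, the device reports and the user requests are all constructed assumptions; the point is to show that every condition (group membership, authentication strength, device compliance) is evaluated, and that a lost/stolen report or a long-offline device denies access just as an out-of-policy device does, with a reason the remediation link could show the user.

```python
"""Toy model of a conditional access decision that consumes MDM compliance state.
Added illustration only: names, fields and thresholds are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Set, Tuple


@dataclass
class DeviceReport:
    """What the MDM service (Intune in the post) last reported about a device."""
    device_id: str
    compliant: bool               # met the configured device policy at last check-in
    last_checkin: datetime        # used to detect devices that have been offline too long
    lost_or_stolen: bool = False  # user reported it through the self-service portal/app


@dataclass
class AccessRequest:
    user: str
    groups: Set[str]
    mfa_performed: bool
    device: Optional[DeviceReport]  # None when the device is unknown / unmanaged


@dataclass
class AccessPolicy:
    app: str
    required_group: Optional[str] = None
    require_mfa: bool = False
    require_compliant_device: bool = False


# Constructed threshold: a device silent longer than this has unknown compliance.
MAX_OFFLINE = timedelta(days=7)


def device_is_compliant(report: Optional[DeviceReport], now: datetime) -> Tuple[bool, str]:
    """Return (compliant, reason). Unmanaged, lost/stolen, long-offline and
    out-of-policy devices are all treated as non-compliant."""
    if report is None:
        return False, "device not managed"
    if report.lost_or_stolen:
        return False, "device reported lost or stolen"
    if now - report.last_checkin > MAX_OFFLINE:
        return False, "device offline too long; compliance unknown"
    if not report.compliant:
        return False, "device out of compliance with MDM policy"
    return True, "device compliant"


def evaluate(policy: AccessPolicy, request: AccessRequest, now: datetime) -> Tuple[bool, str]:
    """Check every condition of the policy; the first failing one denies with a reason."""
    if policy.required_group and policy.required_group not in request.groups:
        return False, f"user not in group {policy.required_group}"
    if policy.require_mfa and not request.mfa_performed:
        return False, "multi-factor authentication required"
    if policy.require_compliant_device:
        ok, reason = device_is_compliant(request.device, now)
        if not ok:
            return False, reason
    return True, "access granted"


# Constructed sample data: one evaluation time, four device reports, two policies.
NOW = datetime(2015, 6, 1, 12, 0)
GOOD = DeviceReport("dev-1", True, NOW - timedelta(hours=1))
NO_PIN = DeviceReport("dev-2", False, NOW - timedelta(hours=1))
STALE = DeviceReport("dev-3", True, NOW - timedelta(days=30))
STOLEN = DeviceReport("dev-4", True, NOW - timedelta(hours=1), lost_or_stolen=True)

# The sample policy from the post: finance group, MFA, and a compliant device.
FINWEB = AccessPolicy("Finweb", required_group="finance",
                      require_mfa=True, require_compliant_device=True)
# A low-sensitivity app with no device requirement: SSO still works from an
# unmanaged personal device, as the post describes for users who decline management.
WIKI = AccessPolicy("Wiki")


def demo() -> dict:
    """Run the sample requests and return app -> (allowed, reason)."""
    return {
        "finance-good": evaluate(FINWEB, AccessRequest("alice", {"finance"}, True, GOOD), NOW),
        "finance-no-pin": evaluate(FINWEB, AccessRequest("alice", {"finance"}, True, NO_PIN), NOW),
        "finance-no-mfa": evaluate(FINWEB, AccessRequest("alice", {"finance"}, False, GOOD), NOW),
        "finance-stale": evaluate(FINWEB, AccessRequest("alice", {"finance"}, True, STALE), NOW),
        "finance-stolen": evaluate(FINWEB, AccessRequest("alice", {"finance"}, True, STOLEN), NOW),
        "sales-user": evaluate(FINWEB, AccessRequest("bob", {"sales"}, True, GOOD), NOW),
        "unmanaged-finweb": evaluate(FINWEB, AccessRequest("alice", {"finance"}, True, None), NOW),
        "unmanaged-wiki": evaluate(WIKI, AccessRequest("alice", {"finance"}, False, None), NOW),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:18} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

The deny reasons are deliberately specific because the post's remediation link depends on the user learning exactly which condition failed; a real engine would also re-evaluate on every Intune compliance update rather than only at sign-in.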
Conditional access control for cloud applications
Your IT administrator can configure conditional access control policies for cloud applications such as Office 365 and the other 2500-odd SaaS applications secured by Azure AD. If your IT administrator requires policy compliant devices to enable access to these cloud applications, Azure AD will leverage the compliance information reported by Intune in order to determine whether to allow access.
Conditional access control for on-premises applications
For on-premises applications there are two options to enable conditional access control based on a device’s compliance state. For on-premises applications that are published through the Azure AD Application Proxy, you can configure conditional access control policies similar to how you’d do so for cloud applications. For more details, refer to Alex’s blog post from earlier this year.
Additionally, Azure AD Connect (which should GA in the next week or two) will soon sync device compliance information from Azure AD to your on-premises AD (requires Windows Server 2016). ADFS on Windows Server 2016 supports conditional access control based on a device’s compliance state. Your IT administrator can configure conditional access control policies in ADFS that use the device’s compliance state as reported by Intune to secure on-premises applications.
Conditional access control is an Azure AD Premium feature that’s also available with EMS. If you don’t have an Azure AD Premium subscription you can get a trial here.
Questions and Feedback
Automatic MDM enrollment with Azure AD and Intune will soon be available through the Windows 10 Technical Preview. Please give these features a try and send us your questions and feedback. Keep watching this space to learn more about the cool features we’re building in Windows 10 and Azure AD as we continue this blog series.
As always we look forward to and welcome your feedback.
Senior Program Manager
Microsoft Identity and Security Services Division