
Enterprise Mobility + Security


Howdy folks!

What an amazing week! It’s the third day of Ignite and it’s been awesome getting to meet so many of you in person, especially when we have so much news to share!

Leading up to the conference, the team worked hard to turn on important new Azure AD capabilities and I’m excited to share a quick recap of everything we announced.

The next wave of conditional access starts now

In June we announced the general availability of the new conditional access admin experience in the Azure portal. This powerful new experience makes it easy to manage policies that bring together services across EMS, including Azure Active Directory and Microsoft Intune. Conditional access also takes advantage of the Microsoft Intelligent Security Graph, which scans billions of signals to determine user risk levels.

Now, we’re bringing to life a new wave of scenarios that expand our conditional access capabilities, including integration across EMS’ Azure Information Protection and Microsoft Cloud App Security services. We’ve grouped the new features into three broad categories:

  • Devices and apps
  • Session control and information protection
  • New conditions and custom controls

Below are highlights from each feature category we’ve previewed at Ignite.

Devices and apps

We recently announced device-based conditional access support for macOS, and now we’re introducing new application-based conditional access capabilities. With this new level of control you can restrict access to services so that only client applications that support Intune app protection policies can use them. And you can combine app-based conditional access policies with device-based policies to protect data for both personal and corporate devices.

Additionally, our conditional access policies now allow you to protect VPN connectivity on your Windows 10 devices. So, any users with Windows 10 devices can connect automatically to your VPN only if they’re compliant with device policies.

One more exciting feature we’re introducing is the ability to manage device identities in the Azure portal. With this new feature, you can manage device attributes, retrieve BitLocker keys for devices, see device authentication-related audit logs, and find support resources related to devices, all in the Azure portal.

Session control and information protection

The EMS team has also been making some incredible headway improving session control and data protection.

Session controls allow you to limit access to resources. We’ve had support for SharePoint restricted mode, one of our session control technologies, in public preview. Today, I’m happy to let you know that we’re expanding our session controls in Azure AD Conditional Access to integrate with Microsoft Cloud App Security.

Microsoft Cloud App Security performs real-time monitoring and helps IT gain control over both authorized and unauthorized cloud application usage. This capability is currently in private preview. It will be available in public preview soon and will give you the ability to limit and control the actions your users take in SaaS applications using conditional access policy. For example, you will be able to let users access SaaS apps from an unfamiliar location or unmanaged device, but prevent them from downloading sensitive documents.

And our new conditional access integration with Azure Information Protection (currently in public preview) allows you to apply access policies to protected files. Now, you can set a policy that prompts a user to complete an MFA challenge before accessing a protected document. You can even have the policy serve up an MFA challenge when users are off the corporate network or are flagged as an elevated risk by Identity Protection.

New Conditions & Custom Controls

We’ve just turned on a public preview of country/region-defined IP range conditions. These new conditions make it easy to block access from specific countries and regions based on automatic IP address checks.

We’ve also unveiled custom Terms of Use (ToU) as a control in conditional access. With ToU, you can require a user to consent to your organization’s terms of use before they get access to an application. The terms can be any document relevant to your organization’s business or legal policies. When you combine ToU with access reviews, you can collaborate across companies confidently, knowing the right level of information protection is in place.

Finally, we’ve integrated two-step authentication solutions from Duo, RSA, and Trusona. So, if you’re using one of these providers to support two-step authentication, you can easily use them within the Azure AD conditional access engine.
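To make the building blocks above concrete, here is an added example (not code from this post or from the Azure AD team) that expresses the features described in this section as conditional access policies using the Microsoft Graph conditional access objects and the Microsoft.Graph PowerShell SDK, which postdate this post; at the time these were configured in the Azure portal. It assumes the `Connect-MgGraph`, `New-MgIdentityConditionalAccessNamedLocation` and `New-MgIdentityConditionalAccessPolicy` cmdlets are installed, and the group id, Terms of Use id and country code are placeholders you would replace with your own values.

```powershell
# Added example: three conditional access policies built from the controls
# described above. All ids and the country code are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All"

$breakGlassGroupId = "00000000-0000-0000-0000-000000000001"   # placeholder: excluded from every policy
$termsOfUseId      = "00000000-0000-0000-0000-000000000002"   # placeholder: an existing ToU agreement

# 1. Country/region-defined named location. The IP-to-country lookup is done by the service,
#    so only the region codes are stated here.
$namedLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Regions with no business presence"
    countriesAndRegions               = @("XX")   # placeholder ISO 3166-1 alpha-2 code(s)
    includeUnknownCountriesAndRegions = $false    # keep unresolvable addresses out of the block list
}

# 2. Block sign-ins that originate from that location.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Block access from unsupported regions"
    state         = "enabledForReportingButNotEnforced"   # report-only first; set "enabled" after reviewing sign-in logs
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        locations      = @{ includeLocations = @($namedLocation.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# 3. Device-based plus app-based control: mobile and desktop clients must come from a
#    compliant (Intune-managed) device OR from an approved client app that honours
#    Intune app protection policies. "OR" means satisfying either control is enough.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Require compliant device or approved client app"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("mobileAppsAndDesktopClients")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice","approvedApplication") }
}

# 4. Browser sessions off the corporate network: require MFA AND acceptance of the
#    Terms of Use, then hand the session to Cloud App Security so that downloads can be
#    blocked without refusing the sign-in altogether.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName     = "Off-network browser access: MFA, ToU, download control"
    state           = "enabledForReportingButNotEnforced"
    conditions      = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("browser")
        locations      = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
    }
    grantControls   = @{
        operator        = "AND"
        builtInControls = @("mfa")
        termsOfUse      = @($termsOfUseId)
    }
    sessionControls = @{
        cloudAppSecurity = @{ isEnabled = $true; cloudAppSecurityType = "blockDownloads" }
    }
}
```

Every policy is created in report-only mode and excludes an emergency-access group, because a conditional access mistake that locks out every administrator is the failure mode practitioners most often regret; review the sign-in logs for the report-only evaluations before switching `state` to `enabled`. Conditions within one policy are ANDed, so the "risky sign-in" case from the Identity Protection integration above would be a separate policy keyed on `signInRiskLevels` rather than an extra condition on policy 4.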

Continuing to enable customers’ journey to the cloud

We’ve heard stories from numerous customers that prove how important it is that their users’ passwords stay firmly within internal boundaries. So, we developed pass-through authentication! This authentication method allows you to use Azure AD for single sign-on without compromising any of your security requirements.

Today, I’m happy to tell you pass-through authentication is now generally available!

Pass-through authentication is one of the Azure AD sign-in options (along with password hash sync and federation). It’s most appropriate for organizations that can’t or don’t want to permit users’ passwords, even in hashed form, to leave their internal boundaries. Pass-through authentication allows users to sign into both on-premises and cloud applications using the same passwords, and works by securely validating users’ passwords directly against on-premises Active Directory using a lightweight on-premises agent.

To ensure a smooth user experience, we’re also extending seamless single sign-on to pass-through authentication and password hash sync. Hybrid customers will only need to sign into their device once. They will not be prompted again for another login, regardless of which authentication method they use, to access Azure AD-integrated applications on their AD-joined devices within their corporate network.

For more details on this great functionality watch our Microsoft Mechanics show, and visit the pass-through authentication and seamless single sign-on documentation pages.

Casting a light on shadow IT

More than 80 percent of employees admit to using non-approved SaaS applications for work, and discovering which apps they’re using is the first step to managing shadow IT. To that end, we’re upgrading the Cloud App Discovery tool to an enhanced experience powered by Microsoft Cloud App Security.

With this upgrade, IT admins can now discover more than 15,000 apps without needing on-premises agents to do so. They can also receive detailed ongoing risk analysis and alerts for new apps in use, get inbound and outbound traffic information, and uncover the top users of discovered apps – all important pieces in gaining a greater understanding of cloud app usage across an organization.

More Governance and Compliance options for Azure AD customers

In addition to Sailpoint, we’re expanding our partnerships in advanced governance with the integration of Omada and Saviynt, two leaders in identity governance. Now you can seamlessly integrate their solutions with Azure Active Directory Premium, which gives you rich governance capabilities like access requests, policy-based workflows and approvals, enhanced auditing and reporting, and fine-grained lifecycle provisioning. If you’re looking for a great governance solution for Azure AD, you can’t go wrong with any of these partner solutions.

Azure Active Directory is also adding more granular control functionality so enterprises can determine ‘who has access to what’ across their hybrid deployments and cloud services. These new features, currently in public preview, enable customers to:

  • ask group owners or group members to attest to their need for continued group membership, by starting an access review of that group.
  • ask users with access to an enterprise application, or others in the organization, to recertify their need for continued application access.

We’ve made the Azure AD access review experience more user-friendly by just showing access highlights, including whether the user being reviewed has signed into the application recently.

Azure AD Privileged Identity Management (PIM) is also being extended to manage Azure subscriptions and resources, further governing who can manage resources in Azure. The new Azure AD PIM preview includes ‘just in time’ and time-limited membership of Azure RBAC roles alongside its existing controls of Azure AD and Microsoft Online Services roles.

Wrapping Up

There’s so much to share, and in the weeks to come we’ll be posting more detailed blog posts that get into the meat of many of these new features. Please continue to watch us online or visit us throughout the rest of Ignite, and keep an eye on this blog for more information. We want to hear from you and look forward to connecting!

Best regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division