With the masses of information coming out of Ignite 2017 last week, I thought I'd throw together a quick summary of the key Azure AD announcements for your perusal. Some really great announcements and major enhancements in Conditional Access.
Pass Through Authentication (PTA) is now generally available - This feature has been in preview for a while and is now GA, including the S-SSO scenarios provided with PTA and Password Hash Synchronisation. More information here.
Conditional Access Enhancements - Conditional Access has taken a big step forward with the announcement of the following functionality:
- Azure Information Protection Integration (Preview) - For me this is the big one, and customers have been waiting for this! It was announced that Conditional Access now integrates with Azure Information Protection (AIP). This means you can protect documents with AIP and use conditional access policies to control access to those files. Whereas before, access to AIP-protected documents relied only on user authentication, with conditional access integration you can now factor user, device state, location and risk into the authentication process. More information here.
- Support for macOS device-based conditional access (Preview) - You can now configure conditional access policies for Intune-managed macOS devices. More information here.
- New IP-based Conditional Access conditions (Preview) - Historically, when defining IP ranges to allow/block with conditional access, your only option was to add IP ranges manually. Now you will also be able to select country/region-based IP ranges, allowing you to allow/block based on country/region. This can save quite a bit of work!
- 3rd Party MFA Providers - So we all love Azure MFA... but feedback from customers highlighted that they would like the option to use 3rd party MFA providers with Azure AD. At Ignite it was announced that Microsoft have formed partnerships with Duo, RSA and Trusona to provide MFA with Azure AD. Having had a quick look at each option, they all look very good. All integrate easily, and you can select an MFA provider that suits your needs.
- Session Control (Preview) - There has been a session control preview available for SharePoint Online for some time. Essentially it's the ability to grant access to an application but provide reduced functionality in that session, e.g. the user is logging in from an unknown location, so allow the log on but restrict the session so the user cannot download data. At Ignite it was announced that Azure AD Conditional Access will integrate with Microsoft Cloud App Security to extend this capability to many more SaaS applications. The Microsoft Cloud App Security integration is currently in private preview but will bring some seriously great control to SaaS apps secured using Azure AD. See here for details.
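To make the evaluation model behind these conditions concrete, here is an added example (my own illustration, not Microsoft code or any real Azure AD API) of a simplified policy engine that orders the decisions the way the enhancements above describe: a risk condition and a country/region-based IP condition can block, and an unmanaged device can be blocked, challenged for MFA, or granted a limited session. The country-to-IP-range table and sign-in values are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-in for a country/region named location (documentation
# ranges, not real allocations).
COUNTRY_RANGES = {
    "GB": [ip_network("198.51.100.0/24")],
    "US": [ip_network("203.0.113.0/24")],
}
RISK = {"low": 0, "medium": 1, "high": 2}


@dataclass
class SignIn:
    user: str
    ip: str
    device_compliant: bool  # Intune-managed and compliant
    risk: str               # sign-in risk: low | medium | high


@dataclass
class Policy:
    allowed_countries: set        # country/region-based IP condition
    block_risk_at_or_above: str   # risk condition that triggers a block
    unmanaged_device_grant: str   # "block", "mfa" or "limited" (session control)


def country_for(ip: str):
    """Resolve a client IP to a country code, or None if no range matches."""
    addr = ip_address(ip)
    for country, nets in COUNTRY_RANGES.items():
        if any(addr in net for net in nets):
            return country
    return None


def evaluate(policy: Policy, s: SignIn) -> str:
    """Return 'block', 'allow', 'allow+mfa' or 'allow+limited' for one sign-in."""
    if RISK[s.risk] >= RISK[policy.block_risk_at_or_above]:
        return "block"  # risk condition wins regardless of location or device
    if country_for(s.ip) not in policy.allowed_countries:
        return "block"  # unknown or disallowed country/region
    if not s.device_compliant:
        # Unmanaged device: block, require MFA, or allow a restricted session
        return {"block": "block", "mfa": "allow+mfa",
                "limited": "allow+limited"}[policy.unmanaged_device_grant]
    return "allow"
```

A compliant device from an allowed country on a low-risk sign-in gets a full session; the same user on an unmanaged device gets the reduced session described for Session Control.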
Azure AD Privileged Identity Management (PIM) - has been extended to the Azure platform to enable you to do "Just in Time" administration for Azure workloads, i.e. provide time-limited access to Azure RBAC roles to manage VMs etc.
Additional identity types for B2B - At Ignite it was announced that additional identity providers would be added to the current Azure B2B platform. This will allow additional identities (e.g. Google) to be used for B2B scenarios.
Hope that's helpful and I'll blog about some of these new capabilities soon!