Enterprise Mobility and Security Blog


Howdy folks,

Today I have the cool opportunity to tell you about two new features we’ve just put into preview:

  • Conditional Access for SaaS Apps
  • Azure AD Connect Health

Both of these new features have been high on the list of requests we get from customers. Hundreds of engineer hours have gone into both and our private preview customers have given us very positive feedback about them. Hopefully you’ll find them exciting as well.

Conditional Access for SaaS Apps is a powerful policy evaluation engine built into Azure AD. It gives IT admins an easy way to create access policies that evaluate the context of a user’s login to make real-time decisions about which applications they should be allowed to access.

For example, you could create a policy that specifies that all users in your North American Sales group get seamless SSO to Salesforce.com if they are accessing this service from within your corporate network. However, if they are attempting to access it from a remote location like a Starbucks, they will have to complete a Multi-Factor Authentication challenge before being granted access.

Azure AD Connect Health is a cloud-based service and a key part of our effort to help you monitor and secure your cloud and on-premises identity infrastructure. In this first preview, Azure AD Connect Health provides customers who use ADFS with detailed monitoring, reporting and alerts for their ADFS servers.

Every day, over 20,000 organizations around the world use ADFS to federate with Azure AD and Office 365, and we’re excited to be able to offer them this new set of high-value capabilities.

To give you a detailed run-down on these new features I’ve invited two PMs from my team to write guest blog posts. Caleb Baker is a Senior Program Manager in our Identity Security and Protection team and Samuel Devasahayam is a Principal Program Manager in our Active Directory Fabric team. You’ll find their write-ups below.

I hope you’ll find these new capabilities a valuable part of your identity control plane. And as always, we’d love to hear any feedback or suggestions you have.

Best regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity and Security Services Division

Azure AD Conditional Access Preview for SaaS Apps

Greetings, I’m Caleb Baker from the Cloud Authentication and Authorization Technologies team at Microsoft.

If you’ve been following the news lately, you are painfully aware that from a security standpoint, passwords just aren’t enough anymore. This is one reason companies and SaaS app providers like Microsoft, Google and Twitter are increasingly using Multi-Factor Authentication (MFA).

So it’s no surprise that the Azure MFA service has been one of our most popular services. Azure MFA, first launched in June of 2014, makes it easy to require MFA for all applications a user accesses, which is a great option for increasing the security of your cloud applications.

But many of you have asked for the ability to be able to decide whether to require Multi-Factor Authentication (MFA) on a per-application basis.

We heard you, and today we’re announcing that we have turned on the preview of our new Conditional Access service in Azure AD Premium, which makes this (and soon many other scenarios) possible. Starting today, you can specify application-specific MFA policies for all of the federated SaaS applications that work with Azure AD, including Workday, Salesforce, Concur and Google Apps for Work.

Today’s preview release gives you additional flexibility and granularity in configuring MFA.

  • You can limit the MFA requirement to specific security-sensitive applications.
  • Policies can apply to all users, specific users or to specific security groups.
  • You can allow users coming from a trusted network (e.g., your corporate network) to skip MFA based on a list of trusted IP ranges.

Conditional access rules work with Azure AD MFA. They will also work on-premises if you have deployed ADFS 2012 R2 and set it up with an MFA adapter. Azure AD will perform the conditional access check, and then direct the MFA request to ADFS.

How to configure per-application MFA

Start by signing into the Azure management portal.

Under the Active Directory section, select your directory and then select the Applications tab.

Next, select a federated application such as Workday, Salesforce, Concur or Google Apps for Work. You can configure an application to be federated by choosing the Windows Azure AD Sign-On option when configuring SSO. The screen below shows you how to do this when configuring SSO for Salesforce.

Navigate to the Configure tab

Scroll down to the access rules section:

By default, all users will be required to perform MFA when accessing Salesforce. Alternatively, you can choose the Groups option and select one or more security groups whose members will be required to perform MFA when accessing Salesforce.

In this case the access rule will only apply to users within the specified group “Marketing Team.” All others with permission to use this application will not have to perform MFA.

You can also use groups to apply exceptions. You can require MFA for everyone and check the ‘Except’ check box to list exempt groups, which may include, for example, people who do not have cellular coverage and are thus unable to complete the MFA challenge.

Next, select which rule to apply.

  1. Require multi-factor authentication
  2. Require multi-factor authentication when not at work

You can configure the second option, which exempts users coming from a trusted network, by following the “Click here to define/edit your work network location” link.
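The decision logic the steps above configure in the portal, modelled as an added example (not Azure AD's own code): a rule scoped to all users or to listed groups, optional "Except" groups, and the two rule types, with the work network location expressed as constructed CIDR ranges. Group names and IP addresses are illustrative.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# The two rule types offered in the preview.
REQUIRE_MFA = "require_mfa"                                     # rule 1
REQUIRE_MFA_WHEN_NOT_AT_WORK = "require_mfa_when_not_at_work"   # rule 2


@dataclass(frozen=True)
class AccessRule:
    """Per-application access rule, as set on the app's Configure tab (constructed model)."""
    rule: str
    apply_to_groups: frozenset = frozenset()   # empty = rule applies to all users
    except_groups: frozenset = frozenset()     # members of these groups are exempt
    trusted_ranges: tuple = ()                 # work network location, CIDR strings


def in_trusted_network(client_ip: str, trusted_ranges) -> bool:
    """True when the sign-in comes from one of the configured trusted IP ranges."""
    addr = ip_address(client_ip)
    return any(addr in ip_network(cidr) for cidr in trusted_ranges)


def mfa_required(rule: AccessRule, user_groups, client_ip: str) -> bool:
    """Decide whether this sign-in must complete an MFA challenge."""
    groups = frozenset(user_groups)
    # Groups option: the rule only applies to members of the selected groups.
    if rule.apply_to_groups and not (groups & rule.apply_to_groups):
        return False
    # Except option: exempt groups skip MFA even when the rule targets everyone.
    if groups & rule.except_groups:
        return False
    if rule.rule == REQUIRE_MFA:
        return True
    if rule.rule == REQUIRE_MFA_WHEN_NOT_AT_WORK:
        # With no trusted ranges defined this fails closed: MFA is always required.
        return not in_trusted_network(client_ip, rule.trusted_ranges)
    raise ValueError(f"unknown rule type: {rule.rule!r}")


if __name__ == "__main__":
    # Constructed scenario from the post: Sales users get SSO on the corporate
    # network but are challenged from a remote location.
    sales = AccessRule(REQUIRE_MFA_WHEN_NOT_AT_WORK, trusted_ranges=("203.0.113.0/24",))
    print(mfa_required(sales, {"North American Sales"}, "203.0.113.7"))   # False
    print(mfa_required(sales, {"North American Sales"}, "198.51.100.9"))  # True
```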

As we continue to work on pre-integrating additional applications and supporting additional rules, we welcome your feedback or suggestions. For more information about the Conditional Access, please see the documentation.

Azure AD Connect Health Preview

Hi Everyone, Samuel Devasahayam here!

As Alex mentioned in his intro, every day tens of thousands of Microsoft customers use ADFS to provide authentication and SSO to Azure AD/Office 365. They also use ADFS to secure internal LOB applications and collaborate with other organizations.

However, this can be challenging for IT organizations in that they must run ADFS as a reliable and highly available service. After all, for many businesses, if your employees can’t log in, it’s pretty much impossible to get work done! This puts quite a bit of pressure on the IT team, especially because many times they aren’t even aware of issues until they result in loss of access to critical applications.

To help address these challenges, today we are also releasing a preview of Azure Active Directory Connect Health in the Azure Preview Portal. This feature of Azure Active Directory Premium helps you monitor and gain insight into health, performance and login activity of your on-premises Active Directory infrastructure. While this release supports Active Directory Federation Services (ADFS), we are already working to add support for sync servers in the future.

This release for ADFS has three key capabilities:

  1. Alerts based on events, configuration information, synthetic transactions and performance data. So, when something goes wrong, or is about to go wrong, we let you know.
  2. Graphs of login activity that you can pivot multiple ways for easy viewing. These “usage insights” are accessible when you enable auditing on your ADFS servers. They are based on audits generated when users log in and tokens are generated for applications.
  3. Access to key performance indicators across multiple servers, including token request counters, processor, memory, latency, and so forth.

Getting this functionality requires downloading and installing an agent on each of your ADFS servers. The Azure AD Connect Health service processes data the agents send to the cloud, displaying alerts and other views into the ADFS service. We support ADFS 2.0 on Windows Server 2008 and 2008 R2 as well as ADFS in Windows Server 2012 and 2012 R2. The agents are supported on ADFS proxy as well as Web Application Proxy servers.

Installing the agent

The first step is to install the agent on each of your ADFS and ADFS proxy/Web Application proxy servers.

  1. Log in to the Azure Preview Portal with your Azure AD global administrator account. This account must also be licensed for Azure AD Premium.
  2. Click on the Marketplace tile. Under Identity you will find the Azure AD Connect Health extension. Click on it to enable the service and gain access to Azure AD Connect Health within the portal.
  3. Click on the Quick Start tile and download the agent onto your ADFS and proxy servers.
  4. Install the agent that you just downloaded.
  5. Fire up a PowerShell window. Use the Register-ADHealthAgent cmdlet to configure and register the health agent to securely connect to the Azure AD Connect Health service. You will need admin credentials.

Using the Portal to view the health and usage of ADFS

The portal is comprised of three key views. Let’s dive into some of the details.

Alerts

The Azure AD Connect Health Alerts section shows you the list of active alerts requiring administrator attention, which are based on ADFS service events, performance counters and configuration information. These could be issues with certificates, connectivity to domain controllers or as simple as detecting that the ADFS service is not running. They can also warn of potential issues.

Selecting an alert reveals more detailed information, as well as resolution steps and links to relevant documentation. You can also view historical data on previously resolved alerts.


Usage Analytics

Usage analytics provide insight into login activity based on the security audits that each of the ADFS servers generates and sends to Azure AD Connect Health for analysis.

Currently we support two views:

  • Successful logins can be viewed by application (relying party trust), network location, authentication method or server. The application pivot is tremendously useful for understanding usage patterns of applications.
  • Unique user count shows the number of unique users accessing applications and can be viewed by application (relying party trust).

To select additional metrics, specify a time range, or change the grouping, simply right-click on the usage analytics blade and select Edit Chart.

We will add views in the near future that show the count and type of issuance failures, such as username/password failures, occurring in the system. If you need additional views, we welcome your feedback.
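The two usage views above (successful logins by pivot, unique users by application) and the planned issuance-failure view, computed over a constructed set of audit records as an added example. This is not the service's own code; the record fields, user names and relying party names are assumptions, and real ADFS audit events carry more detail than this.

```python
from collections import Counter, defaultdict

# Constructed audit records: one per login attempt, with the fields the post
# says the usage insights pivot on. Illustrative only, not real ADFS event data.
FIELDS = ("user", "relying_party", "network", "auth_method", "server", "success", "failure_reason")
_ROWS = [
    ("alice@contoso.example", "Salesforce", "Intranet", "WindowsIntegrated", "ADFS01", True, None),
    ("bob@contoso.example",   "Salesforce", "Extranet", "Forms",             "ADFS02", True, None),
    ("alice@contoso.example", "Workday",    "Intranet", "WindowsIntegrated", "ADFS01", True, None),
    ("ALICE@contoso.example", "Salesforce", "Extranet", "Forms",             "ADFS02", True, None),
    ("carol@contoso.example", "Workday",    "Extranet", "Forms",             "ADFS02", False, "BadPassword"),
    ("dave@contoso.example",  "Office 365", "Extranet", "Forms",             "ADFS02", True, None),
]
SAMPLE_AUDITS = [dict(zip(FIELDS, row)) for row in _ROWS]

# The grouping options the post lists for the successful-logins view.
PIVOTS = ("relying_party", "network", "auth_method", "server")


def successful_logins(audits, pivot):
    """Count successful logins grouped by one of the supported pivots."""
    if pivot not in PIVOTS:
        raise ValueError(f"unsupported pivot {pivot!r}; choose one of {PIVOTS}")
    return Counter(a[pivot] for a in audits if a["success"])


def unique_users_by_app(audits):
    """Number of distinct users who successfully signed in to each relying party.
    UPNs are case-insensitive, so they are normalised before counting."""
    users = defaultdict(set)
    for a in audits:
        if a["success"]:
            users[a["relying_party"]].add(a["user"].lower())
    return {app: len(names) for app, names in users.items()}


def issuance_failures_by_reason(audits):
    """Failed token issuances grouped by reason (the view the post says is coming)."""
    return Counter(a["failure_reason"] for a in audits if not a["success"])


if __name__ == "__main__":
    print(successful_logins(SAMPLE_AUDITS, "relying_party"))   # Salesforce 3, Workday 1, Office 365 1
    print(unique_users_by_app(SAMPLE_AUDITS))                  # Salesforce 2, Workday 1, Office 365 1
    print(issuance_failures_by_reason(SAMPLE_AUDITS))          # BadPassword 1
```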

Performance Data

This is a simple, aggregated view of key performance counters collected from your ADFS and proxy servers, including token requests, CPU, memory and latency. It can also help you detect potential load-balancing issues within your environment.

Using the Filter option at the top of the blade, you can view an individual server’s metrics. To change metrics, simply right-click on the monitoring chart under the monitoring blade and select Edit Chart. You can then select additional metrics and specify a time range for viewing the performance data.


What’s coming next?

We are actively working on adding the following capabilities to the service:

  • Email notification of alerts
  • Support for monitoring and reporting on sync servers
  • Failure trending and reports for the ADFS service
  • Health and reporting of Azure AD services such as SaaS applications, MFA and password reset

Your feedback is important to us and helps us prioritize and deliver value to you. Keep it coming! You can read more about this feature of Azure Active Directory Premium at the Azure Active Directory Connect Health page.