When you want to integrate other products into your Conditional Access
environment you can use “Custom controls” to include products from
other vendors into your Conditional Access conditions. If a custom control is
used the browser is redirected to the external service, performs any required
authentication or validation activities, and is then redirected back to Azure
Active Directory. If the user was successfully authenticated or validated, the
user continues in the Conditional Access flow. More information and some
samples can be found here: Azure AD + 3rd party MFA = Azure AD Custom Controls
– https://blogs.technet.microsoft.com/cbernier/2017/10/16/azure-ad-3rd-party-mfa-azure-ad-custom-controls/. This feature is still in preview
but very promising for 3rd party vendors who want to integrate with Conditional
each conditional access policy created, we will create an exclusion group, so
that we can deal with exceptions in our environment. These exception groups
will be setup with Access review functionality (if available) to make sure that
the membership of these groups are evaluated on a regular basis.
When designing a Conditional Access strategy for a customer we first
need to start with an inventory of the environment, in the most ideal situation
you would design and implement conditional access in a green field scenario,
but I for sure never had that luxury before so it’s better to assume that the
customer is already using cloud apps and wants to implement conditional access
as an security measure.
Microsoft explains Conditional Access in the following way. Conditional Access consists of access scenario’s called Conditional Access policies. An Conditional Access policy follows the following pattern:
“When this happens” defines the reason for triggering your policy. This reason is characterized by a group of conditions that have been satisfied. With “Then do this” you define how users can access your cloud apps.
Technically this is translated to Conditions (When this happens) and Access controls (Then do this)
Microsoft describes Conditional Access as followed: “With Conditional Access, you can implement automated access control decisions for accessing your cloud apps that are based on conditions.” and “Conditional Access policies are enforced after the first-factor authentication has been completed. Therefore, Conditional Access is not intended as a first line defense for scenarios like denial-of-service (DoS) attacks, but can utilize signals from these events (e.g. the sign-in risk level, location of the request, and so on) to determine access.”
The way I see it, the best way to explain what Conditional Access does,
is by making the comparison to a firewall. A firewall determines what traffic
can access your resources, under what circumstances and Conditional Access sort
of does the same. Conditional Access describes under what circumstances users
can access your cloud applications.
When Microsoft released the Consumer Preview of Windows 8, they also introduced the Windows Assessment and Deployment Kit, in short Windows ADK. With the release of the Windows 8 Release Preview (or release candidate) Microsoft also supplied an updated version of the ADK.
The Windows ADK contains updated tools which used to be part of both the Windows Automated Installation Kit (AIK) and the Windows OEM Preinstallation Kit (Windows OPK). Windows APK can be used for two scenarios: Windows Deployment and Windows assessment.
The Windows Deployment tools help IT Professionals with the deployment of a new version of Windows. Most of these tools are used as a basis for other Deployment tools, like the Microsoft Deployment Toolkit (MDT), the Operating System Deployment (OSD) functionality in System Center Configuration Manager (ConfigMgr) and since version 2012 also for System Center Virtual Machine Manager (SCVMM) to deploy both Operating Systems to bare metal servers and Operating Systems running on top of on of the three Hypervisors that SCVMM can manage (Microsoft Hyper-V, VMware vShpere and Citrix Xen). The products using the functionality of the Windows ADK will most probably be updated after the release of Windows 8 and Windows Server 2012 so that they can use the Windows ADK instead of the Windows AIK. ConfigMgr and SCVMM currently don’t support the use of the ADK and MDT provides support for the ADK for non production Windows deployments
Besides that the Deployment tools contain tools to test and mitigate application compatibility issues, migrate user data from an old OS to a new OS and Manage licenses across many machines from a central console.Read More