News

Azure Active Directory Access Control Features Previews Released

• By Kurt Mackie
• 10/10/2017

Microsoft is highlighting three Azure Active Directory previews for controlling user access to network resources.

The previews are currently available and were described last week. When released, the new features will require having an Azure AD Premium 1 or 2 subscription plan in place, although they can be tried now using Microsoft's free 90-day Enterprise Mobility + Security E5 trial.

Azure AD Previews
The three new Azure AD features at preview include:

• Privileged Identity Management for Azure AD roles-based access control (requires Premium 2 subscription)
• An access reviews process to affirm user needs for accessing applications and groups (requires Premium 2 subscription)
• A new terms-of-use imposition process before granting access to applications (requires Premium 1 subscription)

The first feature, "Privileged Identity Management for Azure AD roles-based access control," shows up in the Azure management portal under "Azure AD PIM." With it, organizations can specify who can activate an Azure resource management role. Organizations also can seek confirmation from end users to check if they still need access to a resource or not. Expiration dates can be set on access. There's also a reporting process showing "users and groups with role assignments" in Azure. The reporting process will even show "what users did in Azure while activated."

The second feature at preview lets organizations send "access reviews" via e-mail to end users concerning their assignments to applications and groups. It's a compliance check that can be scheduled to poll end users about whether they still need access to those resources. This preview can check on access needs for Office 365 groups, "security groups and DLs" and applications.

The last feature, the "terms of use" preview, presents a document to end users before granting them access to applications. The document, in PDF format, gets uploaded to Azure AD. Organizations enforce the terms of use via conditional access policy settings. This feature also has an auditing capability that shows who consented and when.

Other Azure AD Capabilities
Last month, Microsoft summarized its overall Azure AD Ignite announcements. Here are some highlights.

The Azure AD Pass-Through Authentication feature has now reached "general availability," meaning that it's deemed ready for use in production environments. It's a single sign-on feature that validates user passwords using an organization's local Active Directory. It's designed to work for controlling access to local applications as well as Microsoft's services. Azure AD Pass-Through Authentication depends on using an agent that gets installed at the organization's premises, but it's purportedly easier to set up than using Active Directory Federation Server.

Azure AD now has conditional access support for applications, on top of conditional access support for devices. For instance, access can be granted only for "client applications that support Intune app protection policies." This announcement appears to be separate from the conditional access added to Microsoft Cloud App Security, a service that gives organizations insight into software-as-as-service applications use. The conditional access aspect for the Microsoft Cloud App Security service is currently at the private preview stage.

Microsoft has turned on a public preview of Azure AD conditional access based on specific countries or regions. It can be set to "block access from specific countries and regions based on automatic IP address checks."

Microsoft also announced that the Azure AD conditional access service can tap "two-step authentication solutions from Duo, RSA and Trusona." On the governance side, Azure AD Premium now integrates with solutions from Omada and Saviynt, in addition to Sailpoint.

On the device compliance side, Azure AD now can automatically connect Windows 10 devices to a virtual private network if the devices comply with specified policies.

Microsoft also indicated that the Azure Portal can now "manage device attributes, retrieve BitLocker keys for devices, see device authentication-related audit logs and find support resources related to devices."

Azure Information Protection
Microsoft also described some ancillary Azure Information Protection improvements.

The Office 365 Message Encryption service for e-mails, which reached general availability status in 2014, now permits e-mail sharing from within or outside an organization, Microsoft announced. This sharing capability was enabled though integration with the Azure Information Protection service. That integration has reached the general availability stage, Microsoft indicated.

The integration of Azure Information Protection with Azure AD conditional access lets organizations pose conditions for accessing files. It lets them require end users to pass multifactor authentication challenges or device compliance tests or tests based on location, for instance. This feature is currently at the public preview stage, per Microsoft's announcement.

Lastly, Microsoft is planning to release a "public preview of Azure Information Protection Scanner" sometime this month. The Scanner is designed to automatically find and protect potentially sensitive data, based on the policies that were set up by an organization.