2025-04-01 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/03 Report
In a mobile-first, cloud-first world, Azure Active Directory (Azure AD) enables single sign-on to devices, applications, and services from anywhere. With the rise of practices such as bring-your-own-device (BYOD), IT professionals face two opposing goals:
1. Enable end users to work efficiently anytime, anywhere
2. Keep enterprise assets protected at all times
Users access corporate assets through devices. To protect those assets, IT administrators need control over the devices, which ensures that users reach resources only from devices that meet security and compliance standards.
Device management is also the basis of device-based conditional access, which ensures that only managed devices can access resources in the environment.
A comparison of Azure AD and Windows Server AD is available here:
https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-comparison
So once a device is joined to the Azure AD domain that comes with Office 365, you gain conditional access to applications and a variety of other useful functions.
Let's take a look at how to join a device to the Azure AD domain.
First log in to the Office 365 Admin Center, then click the Azure AD admin center and select Devices.
Select All devices, then on the right choose which users may join devices to the Azure AD domain. If you select All, every user in the organization can join devices to Azure AD; here I use my own account for the demonstration. The option below requires MFA to join a device to Azure AD (you can also choose Yes, in which case the Office 365 user identity is re-authenticated when joining the Azure AD domain).
Select Add members, and remember to click OK in the lower left corner after adding.
After clicking OK, remember to click Save at the top of the policy.
Then, when I turn on my old laptop and open any Office application, the following message pops up; of course I allow the organization to manage my device.
After I enter my email account and password, Office is set up again.
Continue by clicking Accept and Launch.
At this point the system properties still show my computer in workgroup mode.
When I go back to Azure AD and check All devices, I can see that my laptop has been registered with Azure AD (in fact, a device is registered with Azure AD as soon as the Office 365 client is installed on it and signed in and activated), as shown in the following figure.
Then, on my notebook, open System properties, choose Connect to work or school, and enter the Office 365 account.
Since we did not actually buy Azure AD and only use the Azure AD bundled with Office 365, there is no MDM URL (the MDM settings in Azure AD are all greyed out, which is frustrating). Here we manually click to join the Azure AD domain.
Then enter the user name and password again
Then the user will be prompted to confirm whether to join the organization.
After you click join, you can log in using the account and password you have entered.
The notebook finally joins the Azure AD domain of the company's Office 365.
At this time, open the system properties again, and you can see that the laptop has joined the company organization.
At this time, my notebook is still logged in using a local account. Next, let's switch to log in using a domain account (Office365 account) to see the effect.
The pictures below were all taken with a mobile phone and may not be very clear.
Enter the password for your Office 365 account; you will be prompted below to log in with a work or school account.
My DisplayName has been retrieved.
Because the notebook has a fingerprint reader, it prompts to set up fingerprint unlock, which can be set up or skipped here.
Next comes the Azure AD organization's policy, which requires Windows Hello to be set up.
Start setting up accounts
Select the method of account verification
Select a phone call (the default phone number here comes from the user's Azure AD authentication contact information; see my earlier blog post on enabling SSPR (self-service password reset) in Office 365, which describes how to configure this information).
Then the Microsoft system calls my mobile phone number.
If I answer the call, the verification completes. If I hang up, it cannot get through. During the account switching process the whole system has no network, which directly causes all subsequent verifications to fail.
Then you will be prompted that the policy section can be skipped, but remember to set up Windows Hello later.
Next, after logging in to the system, I will set up Windows hello.
Start setup
Continue to set up PIN
Perform additional verification on the current account
Choose the SMS method
The mobile phone receives a text message.
Fill in the verification code
Set the PIN code after completing all the above account verification
Setup complete
Then log in to the Azure AD admin center: the user's device is now displayed with the Azure AD Joined status, which is the real way to join a device to the Azure AD domain.
Next, you can enable some advanced features, such as turning on BitLocker on a computer that has joined Azure AD.
Isn't it convenient that the recovery key is stored in Azure AD?
In the Azure AD admin center you can check that devices joined to Azure AD have stored their BitLocker recovery keys.
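The two checks above (the Azure AD Joined status versus the earlier Azure AD registered state, and the BitLocker recovery key stored in Azure AD) can also be done from the laptop itself. The script below is an added example, not code from the original post; it assumes an elevated PowerShell session on the joined Windows 10 laptop, uses the built-in dsregcmd tool and the BitLocker module, and the function names are mine.

```powershell
# Added example, not from the original post: verify the join state the article's
# screenshots show, then escrow the BitLocker recovery password to Azure AD.
# Assumes an elevated PowerShell session on the Azure AD-joined Windows 10 laptop.

function Get-DeviceJoinState {
    # dsregcmd /status is Windows' built-in Azure AD join diagnostic; its output is
    # "Key : Value" lines, which we fold into a hashtable.
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(\w+)\s*:\s*(.+?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    [pscustomobject]@{
        AzureAdJoined   = $state['AzureAdJoined']   -eq 'YES'  # the "Azure AD Joined" state
        WorkplaceJoined = $state['WorkplaceJoined'] -eq 'YES'  # merely "Azure AD registered" (Office sign-in only)
        DomainJoined    = $state['DomainJoined']    -eq 'YES'  # classic on-premises AD
        WindowsHelloSet = $state['NgcSet']          -eq 'YES'  # Windows Hello PIN configured
        TenantName      = $state['TenantName']
    }
}

function Backup-RecoveryKeyToAzureAd {
    param([string]$MountPoint = 'C:')
    $volume = Get-BitLockerVolume -MountPoint $MountPoint
    if ($volume.ProtectionStatus -ne 'On') {
        throw "BitLocker protection is off on $MountPoint; turn it on before escrowing a key."
    }
    # Only numerical recovery passwords can be escrowed; TPM protectors stay on the device.
    $recovery = @($volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($recovery.Count -eq 0) {
        # No recovery password yet: add one so there is something to escrow.
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $recovery = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
                      Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }
    foreach ($kp in $recovery) {
        # Cmdlet of the BitLocker module; the key then appears under the device in Azure AD.
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId
    }
    $recovery.KeyProtectorId   # the IDs to look for on the device's page in the admin center
}

$join = Get-DeviceJoinState
$join | Format-List
if ($join.AzureAdJoined) {
    Backup-RecoveryKeyToAzureAd -MountPoint 'C:'
} else {
    Write-Warning "Device is not Azure AD joined (registered only: $($join.WorkplaceJoined)); key escrow skipped."
}
```

A device that only shows WorkplaceJoined is in the registered state the article reaches after the first Office sign-in, not the joined state shown in the final screenshot.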
As stated at the beginning of the article, the main purpose of adding devices to Azure AD is to control where users can access what by configuring conditional access policies. If a device is not added to Azure AD, user access to services across Azure (not just Office 365's SaaS services) cannot be restricted well.
In a mobile-first, cloud-first world, users can access organizational resources from anywhere using a variety of devices and applications. Focusing only on who has access to resources is therefore no longer sufficient. To balance security and efficiency, how a resource is accessed must also be a factor in access control decisions. This requirement is handled by Azure Active Directory (Azure AD) conditional access, a feature of Azure AD that automates access control decisions for cloud applications based on conditions.
Conditional access policies are enforced after first-factor authentication is completed. Conditional access is therefore not the first line of defense against scenarios such as denial of service (DoS) attacks, but it can use signals from these events (for example, sign-in risk level or requested location) to determine access.
The following figure explains this well. You can also refer to Microsoft's official description of conditional access:
https://docs.microsoft.com/zh-cn/azure/active-directory/conditional-access/overview
But!!! Conditional access policies require an Azure AD Premium license, and our company's Azure AD is only the very basic edition bundled with Office 365 (we did not buy Azure AD separately), so I do not have this license. So I naively clicked on the free trial and activated it.
However, nothing at all showed up when I tried to assign the license.
At 9:00 p.m. on 2019-1-9, I joined a device to Azure AD and tried to create and verify a conditional access policy with a test account.
So meaningful testing is almost impossible! But I found another interesting feature:
The documents I edited on the Azure AD-joined notebook were saved directly on the desktop, a very routine action, but when I open Word on the new PC (logged in to Office with the same Office 365 account) I find that all my documents from the other computer can be opened here.
Opening one of them, the contents are exactly what I edited on that device.
I have to admire it! Microsoft is really something! Information truly follows the account!
Finally, a question for you: if my account has MFA enabled in Office 365, will logging in to the computer require multi-factor authentication?
When I get the opportunity later, I will test condition-based access for devices joined to Azure AD and issue various policies.