In my previous post I explained how we can enroll Windows 10 devices into Microsoft Intune. You can access it using http://www.rebeladmin.com/2018/11/step-step-guide-enroll-windows-10-devices-microsoft-intune-using-autopilot/ . In this post I am going to demonstrate how to publish applications to windows 10 devices via Microsoft Intune (To devices which is enrolled successfully).

Tip

Before you enroll devices make sure you already have enabled MDM & MAM auto enrollment for all users/selected users. Otherwise device will not auto-enroll with Intune. 

These settings are under Azure Active Directory | Mobility (MDM & MAM) 

1. Log in to Azure Portal as Global Administrator

2. Then go to Intune | Devices | All Devices & Verify the status of enrolled devices

3. As next step, I am going to create device group. it will help us to publish applications in to target easily. To do that, go back to Intune home page and click on Groups | New Group

In on-premises Active Directory environment, we use “trusts” to establish identity infrastructure connection between businesses. Based on trust type and access permissions, users from one organization can access resources/services in other infrastructure using their own domain credentials. Azure AD B2B does the same thing for cloud resources but in much more easier way. In this demo I am going to demonstrate how easily we can allow users from other organizations to access our cloud resources using Azure AD B2B. 

In my demo environment, I do have an Azure AD user group called sg-Finance . All the users from Finance department are members of this group. I have assign several SaaS applications to them. Company Contoso recently merge with another company. Few privileged users from new company like to access some financial data belongs to Contoso. The relevant data is currently available via SaaS applications which is used by sg-Finance group members. In this demo, I am going to invite external user to be part of sg-Finance group so they can access same applications. 

1. To start, log in to Azure Portal https://portal.azure.com as Global Administrator

2. Then go to Azure Active Directory | Groups

3. Then go to sg-Finance group and then Members.

4. In here, Megan is a member of this group. I log in to http://myapps.microsoft.com as Megan to verify SaaS application access. In this demo I am using Box as sample app. 

5. Now go back to group page and click on Add members

Complex passwords are a basic requirement to protect a system from cyber-attack. Even today most of the cyber-attack could have prevented if users were using complex, un-guessable passwords. I agree this is not the best solution especially as we are moving towards password-less authentication (Azure AD already released preview for it you can find more about it via http://www.rebeladmin.com/2018/09/step-step-guide-azure-ad-password-less-authentication-public-preview/). However, attackers always try the low hanging fruits first. In on-premises AD environment we can force users to use complex passwords via group policy. however, we couldn’t ban passwords using this method. Now Azure AD support banned password lists and smart lockout for Azure AD & on-premise AD in hybrid setup. Smart lockout is using cloud intelligence to detect password spoofing attempts from attackers. In this demo I am going to demonstrate, how to enable this feature in hybrid environment to protect both sides. 

As the first step, let’s enable the password protection. 

1. Log in to Azure Portal as global admin

2. Click on Azure Active Directory

3. Then Authentication Method

4. New window is to define password protection settings. In this demo, I am keeping the default thresholds for custom smart lockout. To define ban password list, click on Yes for Enforce custom list and then type the passwords you like to ban. 

Password resets requests are very common in any helpdesk. Azure AD self-service password reset service is allowing users to reset their passwords without IT helpdesk involvement. So far this was only supported on Windows 10 Azure AD join devices. Now with few modifications we can do the same thing with Windows 7 or Windows 8.1 devices. In this demo I am going to demonstrate how we can do self-service password reset with these non-windows 10 devices. 

This process required few prerequisites. 

1) Enable SSPR in Azure AD – We need to enable SSPR service in Azure AD first. I have explain those steps in here http://www.rebeladmin.com/2017/11/step-step-guide-reset-user-password-azure-ad-joined-windows-10-device/ 

2) Up to date Patches – Make sure the latest windows updates are applied to Windows 7/ Windows 8.1 devices. 

3) Users need to register with additional verification methods – As part enabling SSPR process, we also need to define how many methods it should use for user verifications. 

If you using multiple methods, make sure user is register with those method before use SSPR service. 

4) TLS 1.2 enabled – In Windows PC you must have TLS 1.2 enabled. It should not just set to auto negotiate. This can be done by using registry entries. 

Under HKLM SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols you will be able to see TLS 1.2 (if it is not, go ahead and create a key). under that folder there will be two sub folders called client & server. I prefer to do changes under both roles. In there we need to create a key with following values.

DisabledByDefault – DWORD value 0

From early days of computing “password” is used to protect access to services or data. Passwords are breakable so people start using multi-factor authentication to add extra security to authentication process. With multifactor authentication we have to provide additional PIN or secret. However, it still not eliminates the password fact. The modern identity attacks are getting more and more sophisticated. So, we need to think about all possibilities of a breach. 

Microsoft Azure AD is now ready to provide password-less authentication experience to Azure AD connected apps using Microsoft Authenticator mobile app. with authenticator app we can replace password with fingerprint, face recognition, or PIN. This is still in public preview but it is not too soon to try it out. In this demo I am going to demonstrate how to enable password-less authentication with Azure AD.

1. As first step we need to enable public preview for password less authentication. To do that first install the public preview release of the Azure Active Directory V2 PowerShell Module using https://www.powershellgallery.com/packages/AzureADPreview/2.0.0.114

2. Then type Connect-AzureAD and login with global admin account. 

3. Once successfully authenticated, run New-AzureADPolicy -Type AuthenticatorAppSignInPolicy -Definition '{"AuthenticatorAppSignInPolicy":{"Enabled":true}}' -isOrganizationDefault $true -DisplayName AuthenticatorAppSignIn

4. As next step I need to enable MFA for the Azure AD user that I am going to test. To do that, log in to https://portal.azure.com as Global Administrator. 

5. Then go to Azure Active Directory | Users

In my recent blog posts, I explained few features of azure cloud app security. In this post also, I am going to explain another feature of it. if you not read my previous posts you still can access it using,

Step-by-Step guide to manage Impossible travel activity alert using Azure cloud app security – http://www.rebeladmin.com/2018/09/step-step-guide-manage-impossible-travel-activity-alert-using-azure-cloud-app-security/

Step-by-Step guide to block data download using Azure Cloud App security – http://www.rebeladmin.com/2018/09/step-step-guide-block-data-download-using-azure-cloud-app-security/

In applications, we are using different type of data. Some of these types of data are very sensitive. Credit card numbers, social security numbers, phone numbers are some examples for that. using cloud app security, we can control access to files contains sensitive data. In my demo environment I have salesforce app. it contains some files with credit card information. I do not want anyone to download these files. Let’s see how we can do it using cloud app security.

Before we start, we need to integrate salesforce with cloud app security. I have explain it in details in my previous post http://www.rebeladmin.com/2018/09/step-step-guide-block-data-download-using-azure-cloud-app-security/ so I am not going to repeat it in here 😊.

1. Once integration is done, go to https://portal.cloudappsecurity.com and login as global administrator

2. Go to Settings | Conditional Access App Control

3. Now we should be able to see salesforce under conditional access app control apps tab.

4. Click on session control to create new session control policy.

5. Then under create policy click on Session policy

Let’s assume one of user in your sales team log in to https://myapps.microsoft.com and launch salesforce app successfully from his office in UK. Few minutes later the same user made successful login from Canada. Unless user is using remote connection, it is not impossible. Still someone can’t travel that fast 😊. Azure Active Directory capable of detect this type of impossible sign-in activities. However, detection type for this kind of activities is “offline”. Which means reporting latency for these alerts are between 2 to 4 hours. 

Azure cloud app security also capable of detecting these types of activities but it is real-time as it detects activities based on sessions. It helps administrators to react faster and protect infrastructure from potential breach. In this demo, I am going to demonstrate how to fine tune built in azure cloud app security policy for Impossible travel activity and prevent breach. 

Before we start, first we need to integrate SaaS app with cloud app security. In my previous post I demonstrate how to do that. So please go ahead and read it on http://www.rebeladmin.com/2018/09/step-step-guide-block-data-download-using-azure-cloud-app-security/

In my demo I am using salesforce app. 

1. Once integration is done, log in to https://portal.cloudappsecurity.com as global administrator.

2. Then go to Settings | Conditional access app control

3. There you should be able to see your app under Conditional access app control tab. It should be in healthy connected status. 

4. Then click on Control | Policies

5. Under policies, click on impossible travel policy 

6. This is a built-in policy. as you can see it doesn’t have any actions attached to it. if CAS detect such activity, it will still be reported under CAS dashboards. 

7. In my environment, I like to get an alert if its detect such activity. To do that, click on Send alert as email option under Alerts. Then define email address in text box. 

In my last few blog posts I have talked about Azure AD conditional access policies and how we can use it to control access. In a conditional access policy, we define who have access to what applications from where. This is purely control the access to your app. Azure cloud app security allow us to extend these capabilities further into session level. using cloud app security, we can examine each session to the app in real time basis protect information further. Using cloud app security, we can create policies to,

1. Block downloads – Can define policies to block download of sensitive data. 

2. Protect on downloads – instead of blocking download, we can create policies to allow users to download encrypted document after authentication, even though they are login from unmanaged device. 

3. Monitor risky sessions – we can setup policies to monitor session of risky sign in. all the action from those sessions will be logged for further review. 

4. Block access – If needed we can completely block access to apps if it’s from unmanaged device or non-corporate network.

5. Create read-only mode – we can create policies to create read-only mode for apps (for group of users)

More about cloud app security is available at https://docs.microsoft.com/en-us/cloud-app-security/what-is-cloud-app-security

In this demo, I am going to demonstrate how to integrate an app with cloud app security and then how we can create policies to control download of sensitive data. In this demo I am going to use salesforce application with CAS and block PDF file downloads. To start,

1. Log in to Azure portal https://portal.azure.com as global administrator

2. Click on Azure Active Directory

3. Then click on Enterprise Applications 

4. Search for Salesforce under All applications and click on it. Note – If it is not existing app, you need to go and add app first and configure it for azure ad sso. 

5. Then click on Conditional access 

Azure AD application gallery contains thousands of applications already but there can be situations where organizations uses their own applications. In such scenario Azure AD allows to bring these apps to azure.  

In my previous blog post “Step-by-Step guide to Azure AD Password-based single-sign on”, I explained Azure AD password-based single-sign on and how we can use it. If you not read it yet, you can access it  using http://www.rebeladmin.com/2018/09/step-step-guide-azure-ad-password-based-single-sign/ . In this blog post, I am going to demonstrate how we can bring our own app to Azure AD and use Password-based single-sign on with it. 

In my demo environment I have cloud app called Woodgrove Expense Manager and I can access it using https://woodgroveexpensemanager.azurewebsites.net I need my sales and marketing team to use it. Also, I need them to share one login. However, I do not want end user to know these credentials. 

As first part of this demo, I need to integrate my app with Azure AD. To do that,

1. Log in to https://portal.azure.com as global admin.

2. Click on Azure Active Directory on the left-hand panel.

3. Then click on Enterprise applications 

4. In new window, click on + New application 

5. In application panel, click on Non-gallery application 

6. Then in new wizard, type name for app and click on Add

7. In new app window, click on Single sign-on 

8. Then select password-based single sign-on as SSO mode. Under sign-on URL define the application URL. in my demo it is https://woodgroveexpensemanager.azurewebsites.net . at last click on Save to apply the changes. 

9. Once settings are saved, click on Configure Woodgrove Expense Manager Password Single Sign-on Settings

10. In new window, select Manually detect sign-in fields and then capture sign in fields.

11. This will load up new tab with application page. Type the sign in details and then click on sign-in.

12. Then in app window it asks if we want to save captured login details. Click on Ok to capture data. 

13. After that, it will go back to sign-on page, in this page click on Ok, I was able to sign-in to the app successfully and then Ok to save the config.

14. Once configuration is saved, click on user & groups.

15. Then click on Add user

16. From the list of user & groups, I have selected group for my sales & marketing team. Once selection is done, click on Assign credentials.

17. In new window Set Assign credentials to be shared among all group members to Yes and type credentials for the https://woodgroveexpensemanager.azurewebsites.net . To complete the process, click on Ok & then Assign

18. This completes the configuration part. Next step is to test it. for that I am log in to https://myapps.microsoft.com as a user from sales & marketing group. Then click on Woodgrove Expense Manager

19. As expected, without any other additional logins, it log me in to the Woodgrove Expense Manager. cool ha? 

This marks the end of this blog post. Hope now you have better understanding how to bring your own app to Azure AD and use password-based single sign-on with it. If you have any further questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Single-sign on provides seamless sing on experience to multiple systems using one identity platform. Azure AD supports three types of single-sign configuration methods for applications. 

Federated single sign-on – This is the most commonly used SSO type. when it is in use, applications redirect users to Azure AD for authentication. This method can use with any application that use SAML 2.0, WS-Federation, or OpenID Connect authentication protocols.  

Password-based single sign-on – In this method, Azure AD manages credentials for the application and replay when required. In this method end user do not need to know the credentials to access the application. 

Linked single sign-on – This allows to link existing single-sign on configuration for an application with Azure AD. This also allows to link applications with Azure or Office 365 portals. 

In this post I am going to explain what is password-based single sign-on and how we can use it with third part SaaS application. 

Azure AD Password-based single sign-on works with any third-party SaaS app which have HTML based sign in page. In this method, application credential will be saved in directory and when required Azure AD will retrieve credentials and pass it to application sign in page on behalf of user. There are two types of credential management methods.

Administrator managed – In this method administrator will create & manage credentials for the application. Credentials will be securely saved in directory and administrator can assign it to user or groups as required. When user access the application, credentials will be retrieved from directory and pass it to application sign in process automatically. So, end user does not require to know the credentials for the app. 

User managed – In this method, administrator assign application to users or groups. When user logins for first time they can enter their own username and password to the application. Then these credentials will be saved securely in directory and use for future logins. In this scenario end user have full control over their own credentials. 

Now it is time to configure Password-based single sign-on for SaaS app and see how it works. in my demo I am going to use twitter app for this. Before we start, we need to create demo account in twitter using https://twitter.com/signup

1. To configure Password-based single sign-on for twitter, log in to https://portal.azure.com as global administrator

2. Then go to Azure Active Directory 

3. In new window, click on Enterprise applications 

4. Then select all applications under application type and search for twitter app. Once app is return under search results, click on it. if you do not have twitter app under the results, click on New Applications to add the app from gallery. 

5. In new windows, click on Single sign-on under Manage. Then from the mode drop down select Password-based single sign-on and click on Save.

6. Click on Overview and then total users to select groups. In my demo I am going to assign it to sales & marketing group. once group is selected, click on Update Credentials. 

7. Then in next window, type the credentials for the app and click on Save. 

8. Once it is done, I logged in to the https://myapps.microsoft.com as member of selected group and click on to launch twitter. 

9. Then it asks me to install the extension. 

10. Once it is done, I relaunch twitter app and it log me in direct.

This marks the end of this blog post. Hope now you have better understanding what is password-based single sign-on and how to use it. If you have any further questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.