Hi Folks,
As alluded to in the subject, I wanted to share some of my findings and
understandings around all things ADFS / Modern Authentication and Client Access
Policies that have cropped up in conversations / issues / designs of late.
First of all, none of this information is new as such, and much of it is
splattered across various blogs in various terminologies and scenarios. What I
have tried to do is combine this information into some sort of logical breakdown
of what we as a team will probably need to know and understand.
What we know today and what has been for a few years…
So Microsoft offer some pretty standard ADFS Control Policies and scenarios for
controlling access to Office 365 (see below). All pretty standard, and Office 365
and ADFS 2.0 and later (inc 2016) fully support these scenarios in an "Out of the
Box" configuration today! (But… we will see later.)
So, a little bit of a scene setter, as it were.
Company A (Government / Bank / Lawyers) will mostly look at all these scenarios
(as below).
1. Block all external access to Office 365 (easy, but kind of defeats the object
of O365)
2. Block external access to O365 except ActiveSync (sounds cool, so yeah, quite
common)
3. Block all external access except for web based apps (so OWA, SharePoint, yada,
yada, yada)
4. Block external access based on group membership (as it says on the tin)
So, let's say we implement option 2 (Block External Access except ActiveSync).
This works by looking at the client application information sent in the ADFS
claims request and deciding whether it is allowed or not (in this case
x-ms-client-application = Microsoft.Exchange.ActiveSync). This information is
kindly presented by Exchange Online into the request (in Basic Authentication
mode).
So, it's pretty clear the claims rule looks at the request, working out a) it's
external, as it has come via the Proxy (claims/x-ms-proxy), and b) it contains
the claims info for ActiveSync.
So all good, right? No one externally can use Outlook or OWA or SharePoint, but
they can sync email using ActiveSync… job done.
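To make the mechanism concrete, here is option 2 written as an ADFS issuance authorization rule set and applied with PowerShell. This is an added example, not a rule from the original message; it assumes the Office 365 relying party trust still has its default display name, and the claim types are the standard ADFS request-context claims the text refers to.

```powershell
# Added example (not from the original message): the "external access only for
# ActiveSync" rule as an ADFS issuance authorization rule set, applied to the
# Office 365 relying party trust. Assumption: the trust has its default name.
$rpName = "Microsoft Office 365 Identity Platform"

$rules = @'
@RuleName = "Deny external requests unless the client application is Exchange ActiveSync"
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application",
                Value == "Microsoft.Exchange.ActiveSync"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

@RuleName = "Permit everything not denied above"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# How the two conditions work:
#  - x-ms-proxy is only present when the request came in through the ADFS Proxy /
#    Web Application Proxy, i.e. from outside.
#  - x-ms-client-application is populated by Exchange Online on Basic Auth (active)
#    requests. A Modern Auth client authenticates with a passive WS-Federation
#    flow, so that claim is absent and the deny rule fires for it. That is the
#    breakage described further down in the message.
# A deny claim always wins over a permit claim, so rule order does not matter.

# Keep the current rule set so the change can be reversed quickly.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules |
    Out-File -FilePath ".\o365-issuance-authz.backup.txt"

# On ADFS 2016, a trust that has an access control policy assigned must be moved
# back to claims rules first (-AccessControlPolicyName $null) before this will apply.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $rules

# Confirm what is now applied.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```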
The but… so, introducing Modern Authentication
So this has been on the cards for a while and is in full flight. Well, sort of:
Outlook 2016 onwards has this enabled by default from a client perspective.
(Outlook 2013 needs an SP and a RegKey, but does support Modern Auth.)
So what does it bring to the table? A couple of key points that make things fizz
for us (probably a load more, but that's for another day I guess)!
1. Native support for Multi-Factor Auth (no more app passwords). So aimed at ADFS
2016 and Azure MFA out of the box support!
2. Better support for "real" seamless SSO (i.e. when used internally against ADFS
there are no more authentication prompts!!!! Yey!!!). Have seen this first hand
and it works a treat.
Note: It uses WIA (Windows Integrated Auth). ADFS Proxies don't support WIA, so it
won't be seamless externally; you will still get prompted.
Modern Authentication is "OFF" by default on Office 365
So Modern Auth sounds awesome, right!? And for a good "%" of all customers it's a
"no brainer". However, as it stands today Exchange Online has Modern
Authentication "Disabled"! But why?! It's awesome! It's also worth noting that
even if we turn on MA, legacy clients can still fall back to Basic Auth and carry
on working!! So what's the catch?!!! Until I really looked into this, I wasn't
entirely sure.
The Catch
So, as you guessed, it's around Access Policies. So Customer A (who has these
policies enabled) sees the benefits of Modern Auth and thinks yes, we need this…
So they turn it on and a world of pain now opens up on the helpdesk (quite
slowly, after ~24 hrs, because of ActiveSync cached auth tokens etc.…) and
depending on the scenario of course (so we assume most of our mobile devices use
Microsoft Office / Outlook (iOS / Outlook for Android / Windows Phone)). So
what's happened? All of a sudden only a few users are getting email on their
mobile devices. My Chief Exec of course, and his VIP friends, can't on their
fancy iPads with Office and his other funky mobile devices.
So what the F**K… what has happened? So Modern Auth has happened. As I mentioned,
MA is supported on Office 2013+. But it is also supported on Outlook for iOS and
Android!! (Cool, yeah!?)
So here's the curve ball. When using MA, it's now "browser based" and is more
agnostic about what service is using the authentication. So what has changed?
The information that was originally in the claims request from Exchange
(ActiveSync) is no longer embedded in the request. With Modern Authentication
all clients use passive flows (WS-Federation), and as we have not allowed "web
based" applications and only allowed ActiveSync, these users can no longer get
their email…!!!
Ok, so what next? Just turn it off, or look to the future?.. Well, "WE (pros)"
look to the future of course! Don't we?
So, there is no real like-for-like option, but here are some options I have
looked at that are dead easy to create with ADFS 2016, using some awesome
built-in policy templates and rules.
- Option 1 – We can base external access on only allowing "members of a certain
group". But this then allows all access (OWA, SharePoint, Outlook and ActiveSync,
unmanaged devices).
- Option 2 – Full Microsoft world: fully deploy Intune MDM and use Intune
policies, force enrollment etc.
- Option 3 – If using a 3rd party MDM, i.e. MobileIron, only allow access from
MobileIron IP Sentries, but this rule alone won't then allow access for other
devices / laptops etc. for your Execs.
- Option 4 – Exchange Mobile Device Policies (Quarantine / Approve) for each
user, very admin intensive… not really viable for more than 50 / a hundred
users/devices.
So no perfect replacement, but we can be a little clever with access policies
using and / or scenarios, so my personal favourite is, we can combine, let's
say, Option 1 and Option 3! So this will give us…
- Allow all "managed" devices
- Allow our VIPs / mobile power workers full access based on Security group…
So as an example, this would look like…
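As an added example (not the original message's own configuration), here is the Option 1 + Option 3 combination in the same issuance authorization rule form: an external request is denied only when it is neither from the MDM sentry IP range nor from a member of the VIP group, so internal traffic, managed devices and VIPs all get through. The sentry IP regex and the group SID are placeholders to replace with your own values; the claim types are the standard ADFS request-context and group SID claims.

```powershell
# Added example (not from the original message): combine Option 1 (security
# group) with Option 3 (MDM sentry IP range) in one deny rule. A request is
# blocked only when it is external AND not from the sentry range AND the user is
# not in the VIP group. Everything else is permitted, so the "and / or" reads:
# permit = internal OR sentry IP OR VIP group member.
$rpName = "Microsoft Office 365 Identity Platform"

# Placeholders: public IPs of the MobileIron Sentries (documentation range
# 203.0.113.0/24 used here) and the SID of the VIP security group. Keep the
# regexes anchored: a bare "203.0.113.1" would also match 203.0.113.10-19 and
# 203.0.113.100-199, which silently widens the allow list.
$sentryIpRegex = '^203\.0\.113\.(11|12)$'
$vipGroupRegex = '^S-1-5-21-REPLACE-WITH-YOUR-DOMAIN-SID-1234$'

# Double-quoted here-string so the two placeholders are interpolated into the rule.
$rules = @"
@RuleName = "Deny external requests that are neither from an MDM sentry nor from a VIP"
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip",
                Value =~ "$sentryIpRegex"])
 && NOT exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
                Value =~ "$vipGroupRegex"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

@RuleName = "Permit everything not denied above"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Unlike the old ActiveSync rule, nothing here depends on x-ms-client-application,
# so Modern Auth (passive WS-Federation) clients are evaluated the same way as
# Basic Auth ones: by where they come from and who the user is.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $rules

# Confirm what is now applied.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

Test the result with a VIP account from outside, a non-VIP account through a sentry, and a non-VIP account from an arbitrary external address before rolling it out; only the last should be denied.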
So there you go. In essence, that's why we now know why MA is turned off by
default and what we need to consider for companies who want to control access to
O365 when we get into the FULL MA world.
Sorry if it's a little long winded, but it's a lot shorter than trawling Google
and TechNet for days on end!!!...