Intune App Protection Policies

Your employees use mobile devices for both personal and work tasks. While making sure your employees can be productive, you also want to prevent data loss, both intentional and unintentional. In addition, you want to be able to protect company data accessed from devices even when those devices are not managed by you.

You can use Intune app protection policies to help protect your company’s data. Because Intune app protection policies can be used independently of any mobile device management (MDM) solution, you can use them to protect your company’s data with or without enrolling devices in a device management solution. By implementing app-level policies, you can restrict access to company resources and keep data within the purview of your IT department.

Replace ADFS with Pass-through Authentication

The majority of organizations using Azure AD sync their on-prem accounts using AAD Connect. For authentication, password hash sync has long been the recommended approach. It is secure, since only a hash of the password hash is synced to the cloud, and it gives you all the advantages of Azure AD, such as Identity Protection.

However, historically many organizations have chosen ADFS. The arguments were often: we don’t want passwords in the cloud, we want SSO, and we want to do smart things with conditional access and password policies.

The downside of ADFS is the complexity of the solution and the amount of infrastructure it requires. Despite being free from a license perspective, the operational cost of ADFS is relatively high.

With Conditional Access and Password Protection in Azure AD, some of the arguments for ADFS are no longer valid. And with the introduction of Pass-through Authentication (PTA), it is also no longer necessary to sync password hashes to the cloud: the user’s password is validated against your on-prem Active Directory, while the authentication and token service runs in the cloud. It also offers Seamless SSO.

Moving from ADFS to PTA is usually a big cost saver, so let’s see in today’s video how PTA is set up and used:


Azure AD B2B Collaboration

Azure Active Directory (Azure AD) business-to-business (B2B) collaboration capabilities enable any organization using Azure AD to work safely and securely with users from any other organization, small or large. Those organizations can be with or without Azure AD, and don’t even need to have an IT department.

In this video, we’re going to invite an external user to Contoso Bank using Azure AD B2B Collaboration.

I’m also going to show you how to add such an invited, external user to the Global Address List of your organization.

Azure AD Password Protection (preview)

Recently Azure AD Password Protection has become available in Public Preview. This new feature consists of several components, intended to eliminate bad passwords in your organization.

The main feature is the Global Banned Password list. On this dynamic list, Microsoft has gathered vulnerable passwords that are deemed too common. The list is not public, but you can imagine that passwords like Welcome01 and Password123 are on it.

New in the Public Preview is the possibility to add custom passwords that you want to ban for your own organization. This enables you to ban the company name, brand names and the like as passwords in your organization.

Password Protection is also available for hybrid scenarios, extending this Azure AD capability to your on-prem Active Directory.

In this video, you will find out how to configure Password Protection and you will see the user experience. I’m also showing you how to install and configure Password Protection for your on-prem AD.

Find out more in this blog post by Alex Simons and of course on Microsoft Docs.

Control Cloud Apps with Microsoft CAS

Moving to the cloud increases flexibility for employees and reduces IT cost, but it also introduces new challenges and complexities for keeping your organization secure. To be able to get the full benefit of cloud applications, an IT team must find the right balance of supporting access while maintaining control, to protect critical data.

This video shows how you can combine Azure AD, Microsoft Cloud App Security and Azure Information Protection to protect your sensitive data. I’m showing how you can enrich a SaaS application like Box with the capabilities of the Microsoft cloud platform, in order to make sure that sensitive files copied to Box are automatically classified and protected (encrypted).

Azure Information Protection Scanner

Azure Information Protection is a great solution to classify, label and protect all files you create. But what to do with the files you already have on your on-premises file share or SharePoint environment?

The AIP Scanner offers you the possibility to scan those files and match the file contents with your AIP policies. AIP Scanner can run in reporting mode or in enforce mode – the latter being used to actually apply labels and protection to those files.

In this video, you will see how to install, configure and use the AIP Scanner.

Implement the scanner in your environment? Check this Doc on how to deploy.

Azure AD for non-Microsoft applications

I often hear the misconception that Azure AD is only meant for use with Microsoft products like Office 365 or Azure. And of course Azure AD works great with the Microsoft portfolio, but it is also very easy to use Azure AD to give your users seamless access to non-Microsoft applications.

There are already thousands of applications pre-configured for you, making it really easy to add them for your users. One of those applications is Salesforce, which I am going to add to Azure AD in today’s video using SAML SSO.

Also want to integrate Salesforce with Azure AD? You can find the tutorial here!

How to use Azure AD Application Proxy

A lot of organizations have moved to Office 365 and started using Azure AD. However, many of these organizations still have on-premises applications which are tied to the on-premises Active Directory. An often overlooked option is the Azure AD Application Proxy. In this video I explain how you can use the Azure AD Application Proxy to easily make your on-prem application available in Azure AD and start using advanced capabilities like SSO and MFA, without changing a line of application code. And in most cases, even firewall changes are unnecessary.

Also want to give secure remote access to your on-premises apps? Learn more:

Intune: set compliance by location of the device

Intune now offers the possibility to set the compliance of an Android device based on the IP address of the device. If the device moves outside the configured IP range, it can no longer access corporate resources.

Have a look at my video that shows how to create such a compliance policy and what it will look like for the end user.

More information and all other updates can be found here:

Using Azure AD B2C

Today I’m showing you the B2C capabilities of Azure Active Directory. Azure AD B2C is a great solution to give your customers a very easy way to sign up and sign in to your applications, using the social IDs they’re already using, such as Google or Facebook.

B2C offers support for all platforms and open standards, like OpenID Connect and SAML, and can be fully branded for your organization.

As Azure AD B2C is a cloud service, it can easily scale to hundreds of millions of users.