Module 06 - MW11D Intune - Enterprise Data Control

The document outlines the Enterprise Data Control module by Microsoft, focusing on compliance and conditional access features. It details various policies and tools for managing data security, including Intune Device Compliance, Microsoft Information Protection, and Azure Active Directory. The module emphasizes the importance of compliance reporting, user experience, and the integration of conditional access with cloud services for enhanced data protection.


Enterprise Data Control
Microsoft Services
Version 2306

Module Overview
• Lesson 1: Compliance
• Lesson 2: Conditional Access
Microsoft Information Protection
[Overview diagram. Three goals across the top: "Gain visibility and control on activities and data", "Grant and restrict access to data", "Protect data on-premises and in the cloud". In the centre, the data lifecycle Discover, Classify, Protect, Audit; access is granted to data based on Location, App, Risk and Device via Conditional Access. The components around it:]
• Microsoft Defender for Cloud Apps: gain deep visibility, strong controls and enhanced protection, with DLP and a real-time proxy for data stored in Microsoft and third-party cloud apps
• Intune: make sure your devices are compliant and secure, while protecting data at the application level
• Endpoint DLP: discover and protect corporate data depending on the applied AIP labels on the endpoint
• Microsoft Azure Information Protection / Azure RMS: classify, label, protect and audit data for persistent security throughout the complete data lifecycle
• Office 365 DLP: built-in data leakage protection across Office 365 for corporate emails and documents
• Office 365 Insider Risk Management: identify risky activities and management tools to take action on risk alerts
• Office 365 eDiscovery: identify electronic information for a legal request or investigation
• Azure Active Directory: ensure only authorized users are granted access to corporate data using risk-based Conditional Access
• On-premises
This workshop covers the Intune (compliance) and Azure Active Directory (Conditional Access) parts.
Lesson 1: Compliance
• Compliance Policies
• Default Configurations
• User Experience
• Compliance Reporting
Intune Device Compliance Policy I
• Define rules and settings that users and devices must meet to be compliant
  • OS Version, Encryption, Passcode, …
  • Custom Scripts
• Include actions that apply to devices that are not compliant
  • Send e-mail, Retire
  • Remote lock
• Combine with Conditional Access to block users and devices that don't meet the rules
  • Block access
  • Grant access
Intune Device Compliance Policy II
• Check for:
  - Secure Boot / BitLocker
  - Encryption
  - Windows 10/11 versions
  - Password
  - Firewall / Defender
  - Configuration Manager Compliance
  - MDE risk score
• Actions
• Include / exclude assigned groups
Intune Device Compliance Policy III
• Custom Compliance
  • Data from a PowerShell (discovery) script
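An added example (not part of the module or its lab) of what slides II and III describe: a custom compliance discovery script that collects the Secure Boot, BitLocker, firewall, Defender and OS version state, the JSON rules file Intune compares that output against, and a local dry run of that comparison. The setting names, thresholds, the MoreInfoUrl values and the Test-ComplianceRules evaluator are assumptions for illustration; Intune itself performs the comparison on the device. The cmdlets are from the standard Windows SecureBoot, BitLocker, NetSecurity and Defender modules.

```powershell
# Added example, not part of the module: Intune custom compliance discovery script,
# matching rules JSON and a local dry run. Setting names, thresholds, URLs and the
# local evaluator are assumptions; Intune evaluates the uploaded rules itself.

function Get-DeviceComplianceFacts {
    # Discovery: every probe is wrapped so a device without UEFI, BitLocker or
    # Defender does not abort the script; the fact then stays $false and the
    # corresponding rule fails (fail closed rather than "unknown = compliant").
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { }

    $bitLockerOn = $false
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        $bitLockerOn = ($vol.ProtectionStatus -eq 'On')
    } catch { }

    $firewallOn = $false
    try {
        # Domain, Private and Public profiles must all be enabled
        $off = @(Get-NetFirewallProfile -ErrorAction Stop | Where-Object { "$($_.Enabled)" -ne 'True' })
        $firewallOn = ($off.Count -eq 0)
    } catch { }

    $rtpOn = $false
    try { $rtpOn = [bool](Get-MpComputerStatus -ErrorAction Stop).RealTimeProtectionEnabled } catch { }

    $osVersion = '0.0.0'
    try { $osVersion = (Get-CimInstance Win32_OperatingSystem -ErrorAction Stop).Version } catch { }

    return [ordered]@{
        SecureBootEnabled      = $secureBoot
        SystemDriveBitLockerOn = $bitLockerOn
        FirewallAllProfilesOn  = $firewallOn
        DefenderRealTimeOn     = $rtpOn
        OSVersion              = $osVersion
    }
}

# Rules file, uploaded separately in the Intune portal. Boolean rules use IsEquals /
# NotEquals; Version rules also accept GreaterThan, GreaterEquals, LessThan, LessEquals.
$RulesJson = @'
{
  "Rules": [
    { "SettingName": "SecureBootEnabled", "Operator": "IsEquals", "DataType": "Boolean", "Operand": true,
      "MoreInfoUrl": "https://intranet.example.invalid/secureboot", "RemediationStrings": [ { "Language": "en_US",
      "Title": "Secure Boot is disabled", "Description": "Enable Secure Boot in the UEFI firmware settings." } ] },
    { "SettingName": "SystemDriveBitLockerOn", "Operator": "IsEquals", "DataType": "Boolean", "Operand": true,
      "MoreInfoUrl": "https://intranet.example.invalid/bitlocker", "RemediationStrings": [ { "Language": "en_US",
      "Title": "System drive is not encrypted", "Description": "Turn on BitLocker for the operating system drive." } ] },
    { "SettingName": "FirewallAllProfilesOn", "Operator": "IsEquals", "DataType": "Boolean", "Operand": true,
      "MoreInfoUrl": "https://intranet.example.invalid/firewall", "RemediationStrings": [ { "Language": "en_US",
      "Title": "Windows Firewall is off on a profile", "Description": "Enable the firewall for all three profiles." } ] },
    { "SettingName": "DefenderRealTimeOn", "Operator": "IsEquals", "DataType": "Boolean", "Operand": true,
      "MoreInfoUrl": "https://intranet.example.invalid/defender", "RemediationStrings": [ { "Language": "en_US",
      "Title": "Real-time protection is off", "Description": "Enable Microsoft Defender real-time protection." } ] },
    { "SettingName": "OSVersion", "Operator": "GreaterEquals", "DataType": "Version", "Operand": "10.0.19045",
      "MoreInfoUrl": "https://intranet.example.invalid/windows-update", "RemediationStrings": [ { "Language": "en_US",
      "Title": "Windows build too old (found {ActualValue})", "Description": "Install the latest feature update." } ] }
  ]
}
'@

function Test-ComplianceRules {
    # Local dry run mimicking the comparison Intune performs, so the rules file can
    # be checked on a test device before it is attached to a compliance policy.
    param([System.Collections.IDictionary]$Facts, [string]$Rules)
    foreach ($rule in (ConvertFrom-Json $Rules).Rules) {
        $actual = $Facts[$rule.SettingName]
        $pass = $false                      # missing fact = rule fails
        if ($null -ne $actual) {
            switch ($rule.DataType) {
                'Boolean' { $pass = ([bool]$actual -eq [bool]$rule.Operand) -xor ($rule.Operator -eq 'NotEquals') }
                'Version' {
                    $a = [version]$actual; $o = [version]$rule.Operand
                    $pass = switch ($rule.Operator) {
                        'IsEquals'      { $a -eq $o }
                        'NotEquals'     { $a -ne $o }
                        'GreaterThan'   { $a -gt $o }
                        'GreaterEquals' { $a -ge $o }
                        'LessThan'      { $a -lt $o }
                        'LessEquals'    { $a -le $o }
                    }
                }
                default { $pass = ("$actual" -eq "$($rule.Operand)") }
            }
        }
        [pscustomobject]@{ Setting = $rule.SettingName; Actual = $actual
                           Expected = "$($rule.Operator) $($rule.Operand)"; Pass = [bool]$pass }
    }
}

$facts = Get-DeviceComplianceFacts
$facts | ConvertTo-Json -Compress       # the single line a deployed discovery script must output
Test-ComplianceRules -Facts $facts -Rules $RulesJson | Format-Table -AutoSize
```

When this is deployed as the actual discovery script, only `Get-DeviceComplianceFacts` and the final `ConvertTo-Json -Compress` line belong in it: Intune expects the script's sole output to be that one compressed JSON object, and the dry-run table would break the parse. Keep the rules file and the evaluator in the admin workstation copy only.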
Intune Device Compliance Policy IV
• Configure default compliance behavior
• Notification Templates (e-mail notification)
• Location based (Android)
• Based on networks
Intune Device Compliance Policy V
• Device based control
• Intune forwards the compliance report to Azure AD
• Intune can manage a "grace period", delaying the non-compliant state in AAD
• The Conditional Access Policy uses the AAD information
[Screenshots: the Intune view and the AAD view of a device's compliance state; Conditional Access consumes the AAD view]
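Because Conditional Access reads the Azure AD flag, not the Intune report, a device that Intune already shows as non-compliant can still pass a "require compliant device" policy while its grace period runs. The following added example (not from the module) reconciles both views and flags exactly that case. The device records are constructed; the Microsoft Graph calls that would replace them are shown in comments, and the property names are assumed to be those the Microsoft.Graph PowerShell SDK returns.

```powershell
# Added example, not part of the module: reconcile the Intune compliance view with
# the Azure AD view that Conditional Access evaluates. Sample devices are constructed.

function Compare-ComplianceView {
    param([object[]]$IntuneDevices, [object[]]$AadDevices)
    # Azure AD deviceId is the join key; Intune exposes it as azureADDeviceId.
    $aadById = @{}
    foreach ($d in $AadDevices) { $aadById[$d.DeviceId] = $d }

    foreach ($m in $IntuneDevices) {
        $aad = $aadById[$m.AzureADDeviceId]
        $intuneSaysCompliant = ($m.ComplianceState -eq 'compliant')
        $aadCompliant = if ($null -ne $aad) { [bool]$aad.IsCompliant } else { $null }
        $trust        = if ($null -ne $aad) { $aad.TrustType } else { $null }

        $note = if ($null -eq $aad) { 'no Azure AD object: CA cannot evaluate this device' }
                elseif ($m.ComplianceState -eq 'inGracePeriod' -and $aadCompliant) {
                    # Intune already flags the device, but the AAD flag stays true until
                    # the grace period expires, so Conditional Access keeps granting.
                    "grace period until $($m.ComplianceGracePeriodExpirationDateTime): CA still grants"
                }
                elseif ($intuneSaysCompliant -ne $aadCompliant) { 'views disagree: sync device / check AAD object' }
                else { 'consistent' }

        [pscustomobject]@{
            Device       = $m.DeviceName
            IntuneState  = $m.ComplianceState
            AadCompliant = $aadCompliant
            AadTrustType = $trust
            Note         = $note
        }
    }
}

# Constructed sample data (IDs are placeholders). Live equivalent, after
# Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All','Device.Read.All':
#   $intune = Get-MgDeviceManagementManagedDevice -All -Property deviceName,azureADDeviceId,complianceState,complianceGracePeriodExpirationDateTime
#   $aad    = Get-MgDevice -All -Property deviceId,isCompliant,isManaged,trustType
$now = Get-Date
$intune = @(
    [pscustomobject]@{ DeviceName = 'LT-0001'; AzureADDeviceId = 'dev-1'; ComplianceState = 'compliant';     ComplianceGracePeriodExpirationDateTime = $null }
    [pscustomobject]@{ DeviceName = 'LT-0002'; AzureADDeviceId = 'dev-2'; ComplianceState = 'inGracePeriod'; ComplianceGracePeriodExpirationDateTime = $now.AddDays(2) }
    [pscustomobject]@{ DeviceName = 'LT-0003'; AzureADDeviceId = 'dev-3'; ComplianceState = 'noncompliant';  ComplianceGracePeriodExpirationDateTime = $now.AddDays(-1) }
    [pscustomobject]@{ DeviceName = 'LT-0004'; AzureADDeviceId = 'dev-4'; ComplianceState = 'noncompliant';  ComplianceGracePeriodExpirationDateTime = $null }
    [pscustomobject]@{ DeviceName = 'LT-0005'; AzureADDeviceId = 'dev-5'; ComplianceState = 'compliant';     ComplianceGracePeriodExpirationDateTime = $null }
)
$aad = @(
    [pscustomobject]@{ DeviceId = 'dev-1'; IsCompliant = $true;  TrustType = 'AzureAd' }
    [pscustomobject]@{ DeviceId = 'dev-2'; IsCompliant = $true;  TrustType = 'AzureAd' }    # grace period: still true
    [pscustomobject]@{ DeviceId = 'dev-3'; IsCompliant = $false; TrustType = 'ServerAd' }
    [pscustomobject]@{ DeviceId = 'dev-4'; IsCompliant = $true;  TrustType = 'Workplace' }  # stale flag: disagree
    # dev-5 deliberately has no Azure AD object
)

Compare-ComplianceView -IntuneDevices $intune -AadDevices $aad | Format-Table -AutoSize
```

The rows to act on are "grace period" (expected, but worth knowing how long it lasts) and "views disagree" (a sync or registration problem: the device may be registered but not the one Intune manages).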
Device Compliance Reporting
• Custom reporting based on status, OS, ownership and trends
Lesson 2: Conditional Access
• Overview
• Requirements
• Conditions and Controls
• Conditional Access Policy
• Device Compliance
• CA with Cloud Services (Exchange Online)
Conditional Access Overview
[Diagram. Conditions on the left feed a real-time evaluation engine: Users, Devices, Apps, Location, Risk (machine learning); the matching policies are merged into an effective policy. Controls on the right are applied to on-premises apps and web apps: Allow access, Limit access (session), Require MFA, Force password reset, Deny access. Tagline: Enable users to work from everywhere, from any device.]
Conditional Access (CA) Requirement
• Modern Authentication Support
  • Token-based & Multi Factor authentication to Office 365 services
  • Office-wide single-sign-on (SSO)
  • ADAL (Active Directory Authentication Library); ADAL itself is retired and current clients use its successor MSAL, but the requirement is unchanged: the client must authenticate with tokens, not with a username and password per request
  • Enabled by default in Microsoft 365 Apps
Cloud Services
• Available for Exchange Online, SharePoint Online, Teams, OneDrive for Business by default
• Think about
  • Disable protocols / apps which are using basic authentication, e.g., IMAP/POP3
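An added example (not from the module) of the "think about" item: inventory the mailboxes that still allow POP3/IMAP4, switch those protocols off per mailbox and refuse basic authentication tenant-wide with an Exchange Online authentication policy. The mailbox records are constructed; the live cmdlets come from the ExchangeOnlineManagement module and need Connect-ExchangeOnline first. Nothing is changed unless -Apply is given.

```powershell
# Added example, not part of the module: POP/IMAP inventory and basic-auth shutdown
# for Exchange Online. Mailbox sample is constructed; cmdlets are ExchangeOnlineManagement.

function Get-LegacyProtocolMailboxes {
    # Accepts Get-CASMailbox output or constructed objects with the same properties.
    param([object[]]$CasMailboxes)
    $CasMailboxes | Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
        Select-Object Identity, PopEnabled, ImapEnabled
}

function Disable-LegacyProtocols {
    # Per-mailbox switch-off plus a tenant-wide authentication policy. A policy made
    # with New-AuthenticationPolicy blocks basic auth for every protocol by default.
    param([object[]]$CasMailboxes, [switch]$Apply)
    $targets = @(Get-LegacyProtocolMailboxes $CasMailboxes)
    foreach ($t in $targets) {
        if ($Apply) { Set-CASMailbox -Identity $t.Identity -PopEnabled $false -ImapEnabled $false }
        else        { "WOULD RUN: Set-CASMailbox -Identity '$($t.Identity)' -PopEnabled `$false -ImapEnabled `$false" }
    }
    if ($Apply) {
        New-AuthenticationPolicy -Name 'Block Basic Auth' | Out-Null
        Set-OrganizationConfig -DefaultAuthenticationPolicy 'Block Basic Auth'
        Set-TransportConfig -SmtpClientAuthenticationDisabled $true   # SMTP AUTH off tenant-wide
    } else {
        "WOULD RUN: New-AuthenticationPolicy -Name 'Block Basic Auth'"
        "WOULD RUN: Set-OrganizationConfig -DefaultAuthenticationPolicy 'Block Basic Auth'"
        "WOULD RUN: Set-TransportConfig -SmtpClientAuthenticationDisabled `$true"
    }
    return $targets.Count
}

# Constructed sample standing in for:  $cas = Get-CASMailbox -ResultSize Unlimited
$cas = @(
    [pscustomobject]@{ Identity = 'alice@contoso.example';   PopEnabled = $false; ImapEnabled = $false }
    [pscustomobject]@{ Identity = 'bob@contoso.example';     PopEnabled = $true;  ImapEnabled = $false }
    [pscustomobject]@{ Identity = 'scanner@contoso.example'; PopEnabled = $false; ImapEnabled = $true }
)
Get-LegacyProtocolMailboxes $cas | Format-Table -AutoSize
$count = Disable-LegacyProtocols -CasMailboxes $cas      # add -Apply against a real tenant
"$count mailbox(es) still allow POP3/IMAP4"
```

Run the inventory first and talk to the owners of service mailboxes like the scanner above: those are the ones that break when basic auth goes, and they need an app that supports modern authentication (or a different ingestion path) before the policy is applied. The authentication policy can take a while to propagate to existing sessions; this matters for a quick test, not for the end result.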
CA: Signals And Decisions
• Signals
  • Applications
  • Platform
  • Risk
  • User / Group
  • IP Locations
• Decision
  • BLOCK
  • GRANT
    • Require compliant device
    • Require MFA
    • Require Domain Join (in the portal the control is named "Require Hybrid Azure AD joined device")
CA: Conditions I – Cloud Services
• Cloud applications
  • Microsoft cloud applications, e.g., Exchange Online, SharePoint, Teams
  • Azure AD connected applications
  • Pre-federated SaaS applications
  • AAD Application Proxy integrated applications
CA: Conditions II – Additional Criteria
• Risk (based on Azure Identity Protection)
• Device platform
• Named locations / networks (public IP)
CA: Conditions III – Client Apps
• Modern authentication clients
  • Browser (web-based applications that use protocols like SAML, WS-Federation, OpenID Connect); supported on Windows 10/11 are Microsoft Edge, Chrome, Firefox 91+
  • Mobile apps and desktop clients, e.g., Microsoft 365 Apps, Teams
  • …
• Legacy authentication clients
  • ActiveSync
  • POP3 / IMAP4
• Not configured defaults to "all active": the policy then applies to every client app type, legacy authentication clients included
CA: Controls
• Require compliant device
  • Requires MDM enrollment and a compliance policy (Intune Device Compliance Policy)
  • Only Azure AD known devices (joined / registered) can be marked as compliant
• Require approved client app
  • Apps that support Intune App Protection policies, like Microsoft Outlook, Word, Excel, …
• Require app protection policy
User Experience on non-compliant Device
[Screenshots: the blocked-access message in a desktop app, e.g. Outlook, and in a browser session]
Lab: Protect Exchange Online Mailbox Access with Conditional Access
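The policy pair the lab builds in the portal, as an added example that is not the lab's own instructions: two Microsoft Graph conditionalAccessPolicy objects for Exchange Online. The first grants modern-authentication access only from a compliant or Hybrid Azure AD joined device; the second blocks the legacy client types (ActiveSync, POP/IMAP and other basic-auth clients) outright. Both start in report-only mode and exclude a break-glass group. The break-glass group id is a placeholder, the application id is the well-known Office 365 Exchange Online id, and the Test-PolicySafety guard is an assumption of this example; the Graph property and enum names are the ones the conditionalAccessPolicy resource defines.

```powershell
# Added example, not the lab's own steps: Exchange Online Conditional Access policies
# as Graph conditionalAccessPolicy bodies. Group id is a placeholder; nothing is sent
# to the tenant unless the commented New-MgIdentityConditionalAccessPolicy line is used.

$ExchangeOnlineAppId = '00000002-0000-0ff1-ce00-000000000000'   # Office 365 Exchange Online
$BreakGlassGroupId   = '00000000-0000-0000-0000-000000000000'   # placeholder: your emergency-access group

function New-ExoCompliantDevicePolicy {
    param([string]$AppId, [string]$ExcludeGroupId, [string]$State = 'enabledForReportingButNotEnforced')
    @{
        displayName = 'CA - Exchange Online - require compliant or hybrid joined device'
        state       = $State
        conditions  = @{
            users          = @{ includeUsers = @('All'); excludeGroups = @($ExcludeGroupId) }
            applications   = @{ includeApplications = @($AppId) }
            clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')   # modern auth clients only
        }
        # OR: either device signal satisfies the policy. "domainJoinedDevice" is the
        # Graph name for the portal's "Require Hybrid Azure AD joined device" control.
        grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice', 'domainJoinedDevice') }
    }
}

function New-ExoBlockLegacyAuthPolicy {
    param([string]$AppId, [string]$ExcludeGroupId, [string]$State = 'enabledForReportingButNotEnforced')
    @{
        displayName = 'CA - Exchange Online - block legacy authentication'
        state       = $State
        conditions  = @{
            users          = @{ includeUsers = @('All'); excludeGroups = @($ExcludeGroupId) }
            applications   = @{ includeApplications = @($AppId) }
            clientAppTypes = @('exchangeActiveSync', 'other')   # legacy client types, nothing modern
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    }
}

function Test-PolicySafety {
    # Guard rails before creation: a break-glass exclusion, report-only first, and
    # never a block policy that also matches browser sessions by mistake.
    param([hashtable]$Policy)
    $problems = @()
    if (-not $Policy.conditions.users.excludeGroups)              { $problems += 'no break-glass exclusion' }
    if ($Policy.state -ne 'enabledForReportingButNotEnforced')    { $problems += 'not report-only' }
    if (($Policy.grantControls.builtInControls -contains 'block') -and
        ($Policy.conditions.clientAppTypes -contains 'browser'))  { $problems += 'block policy would hit browser sessions' }
    return $problems
}

$policies = @(
    (New-ExoCompliantDevicePolicy -AppId $ExchangeOnlineAppId -ExcludeGroupId $BreakGlassGroupId),
    (New-ExoBlockLegacyAuthPolicy  -AppId $ExchangeOnlineAppId -ExcludeGroupId $BreakGlassGroupId)
)
foreach ($p in $policies) {
    $issues = @(Test-PolicySafety $p)
    if ($issues.Count -gt 0) { throw "$($p.displayName): $($issues -join '; ')" }
    $p | ConvertTo-Json -Depth 5          # review the exact body that would be sent
    # Live creation, after Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Application.Read.All':
    # New-MgIdentityConditionalAccessPolicy -BodyParameter $p
}
```

Leave both policies in report-only until the sign-in logs show no unexpected "would block" results for the legacy-auth policy and no unmanaged devices you still need to tolerate for the compliant-device policy; then flip `state` to `enabled`. The user experience on a non-compliant device (previous slide) is what the first policy produces once enforced.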
Module Summary
• You got an impression of data control features, like Compliance and Conditional Access
• You learned about the prerequisites and configuration, and got an impression from the user perspective
© 2023 Microsoft Corporation. All rights reserved.
