Azure solution "things" to be required

Reham Zouroub 1 Reputation point
2020-05-24T20:37:50.617+00:00

I have a solution that either leverages the existing ADFS infrastructure or any other alternative, and I need to restrict it to the following:
1. Ensure not to increase the number of existing servers for authentication
2. Current logon hours defined in AD need to be abided by for specific roles
3. No disruption to Exchange Online / hybrid access
4. Passwords should not be synced to the cloud


2 answers

  1. Jai Verma 461 Reputation points
    2020-05-25T00:55:55.173+00:00

    You can achieve all your conditions by using either ADFS or PTA (Pass-through Authentication).

    Instead of using at least 4 (depending on your user base) ADFS and proxy servers, you can use mostly 2-3 servers with the PTA agent.


  2. Reham Zouroub 1 Reputation point
    2020-05-25T07:58:59.033+00:00

    Does your answer cover the scenario below?
    Brief:
    Contoso Airlines has been leveraging Office 365 for 3 years for 100,000 employees with 40,000 cabin crew, 10,000 front line workers and the rest information workers. They are currently leveraging primarily EXO in hybrid mode as well as SPO, OneDrive, and most recently evaluating Teams and Yammer. BYOD is a core principle as Cabin Crew and Frontline workers leverage their own devices to access corporate resources. Contoso has also started to leverage other SaaS applications that are critical to its business such as Salesforce, Oracle HRMS and a small population of users leveraging Box. Because of its multinational operations, Contoso needs to abide by various regulations such as local data residency, GDPR, etc…

    Business requirements
    They are formulating their cyber security strategy and are looking at leveraging cloud-based security products as much as possible given their existing footprint in the cloud. Below are their key requirements from a business / security perspective.

    1. Need to ensure that user’s identities are as secure as possible with minimal overhead to user’s day to day operations – for example username / password prompts should be kept to a minimum if at all.
    2. There are several internal apps that are used that require VPN, Contoso wants to do away with VPN for various reasons but still need to grant users who are mobile access to these internal apps.
    3. All content needs to be classified regardless of where it is stored (Box/Office 365/Salesforce/on-premise) to help in GDPR compliance. For example, content with EU citizen PII Data needs to be labelled accordingly whereas content with Contract Numbers needs to be encrypted and not allowed to be printed.
    4. Regular security assessment is a requirement for ongoing analysis of organization's cloud security posture based on regular activities and security settings. The goal is to better understand how well aligned the organization is with security best practices and define requirements to improve overall security posture in the light of these security assessment reports.
    5. Educating users and improving their awareness around the common cyber threats to help them understand how they should apply this knowledge in their day to day engagements is an important goal for the company. Practices, methods and ideas for establishing better user adoption and change across the company will be highly valued.
    Technical requirements:
    1. Solution should either leverage existing ADFS infrastructure or provide an alternative given the below restrictions.
    2. Current logon hours defined on their AD need to be abided by for specific roles
    3. Password should not be synced to the cloud
    4. No disruption to Exchange Online / hybrid access
    5. Should not increase number of existing servers for authentication
    6. Minimal change on existing apps and architecture
    7. MFA should not be triggered for specific known scenarios (users in corporate network, users coming from domain joined devices, etc.)
    8. Access to Oracle HRMS should be allowed only on corporate domain joined devices or BYOD managed devices
    9. Need to ensure that all BYOD devices meet a specific level of patching and Windows updates to connect to corporate resources
    10. Prevent data leakage between corporate and personal apps on mobile devices
    11. Existing unclassified content on SaaS apps should be classified/encrypted on download
    12. Existing unclassified content within on-premises file servers should be classified and encrypted according to corporate information protection policies.
    13. A unified EDR solution is needed for preventative protection, post-breach detection, investigation and response to threats, not only for Windows systems but also supporting macOS and Linux systems as well.
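Both ADFS and pass-through authentication validate the password against on-premises AD, so the "logon hours must be honoured" requirement in the question and in the scenario above is enforced by the AD `logonHours` attribute rather than by anything in the cloud. The following added example (not from this thread or from Microsoft) decodes that attribute so an auditor can confirm which roles actually carry a restriction before choosing the design; it assumes the documented layout of 21 bytes, one bit per hour of the week in UTC, Sunday first, least-significant bit first within each byte.

```python
# Audit helper for the AD logonHours attribute (constructed example).
# Layout assumed: 21 bytes = 168 bits, bit i = hour i of the week, with
# i = day*24 + hour, day 0 = Sunday, hours in UTC, LSB-first within each byte.
from datetime import datetime, timezone

HOURS_PER_WEEK = 168
DAYS = ["Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"]


def decode_logon_hours(raw):
    """Return a 168-entry list of booleans; index = day*24 + hour (UTC)."""
    if raw is None:
        # Attribute absent on the account means no logon-hours restriction.
        return [True] * HOURS_PER_WEEK
    if len(raw) != 21:
        raise ValueError(f"logonHours must be 21 bytes, got {len(raw)}")
    return [bool((raw[i // 8] >> (i % 8)) & 1) for i in range(HOURS_PER_WEEK)]


def allowed_on(raw, day, hour):
    """True if logon is permitted on AD day index (Sunday=0) at the given UTC hour."""
    return decode_logon_hours(raw)[day * 24 + hour]


def allowed_at(raw, when):
    """Same check for a timezone-aware datetime; converts to UTC first."""
    utc = when.astimezone(timezone.utc)
    day = (utc.weekday() + 1) % 7  # Python: Monday=0; AD: Sunday=0
    return allowed_on(raw, day, utc.hour)


def build_logon_hours(windows):
    """Inverse operation: windows = [(day, start_hour, end_hour_exclusive), ...] in UTC."""
    bits = bytearray(21)
    for day, start, end in windows:
        for h in range(start, end):
            i = day * 24 + h
            bits[i // 8] |= 1 << (i % 8)
    return bytes(bits)


def summarize(raw):
    """Hours permitted per weekday, a quick way to spot roles with no restriction."""
    allowed = decode_logon_hours(raw)
    return {DAYS[d]: sum(allowed[d * 24:(d + 1) * 24]) for d in range(7)}


if __name__ == "__main__":
    # Constructed sample: a crew role limited to 06:00-18:00 UTC, Monday to Friday.
    crew = build_logon_hours([(d, 6, 18) for d in range(1, 6)])
    print(summarize(crew))
    print(allowed_at(crew, datetime(2020, 5, 25, 9, tzinfo=timezone.utc)))  # Monday 09:00 UTC
```

In a real audit the `raw` bytes come from `Get-ADUser -Properties logonHours` or an LDAP read; an account whose attribute is absent gets the all-True result.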