IBM Security MaaS360


Conditional access for MS365 using Verify and MaaS360

  • 1.  Conditional access for MS365 using Verify and MaaS360

    Posted Wed April 06, 2022 08:09 AM

    I have a couple of questions regarding conditional access for MS365 app integration with Verify using MaaS360.

    Use case: I want to have a conditional access policy for only 500 of the 1000 users in my organization. The condition is that, to use any MS365 app, the user first has to enroll their BYOD device in MaaS360; only then can they have access to all the MS365 apps they are entitled to.

    Now, for the above use case, I was going through the documents (in the Knowledge Center) and the videos in SLA. For using MS365 apps, we first need to federate the domain of the production MS Office tenant, which is done for the overall domain and by default for all the users.

    1. If the domain is federated for all the users (which I have also tested with my test domain), then do we also have to integrate Azure AD within the Verify portal in order to authenticate the users while signing in to the MS Office portal after federation?

    2. If I put the conditional access policy on the MS apps, will this policy be applicable to all the users? If yes, then how can we give exceptions, or apply this policy only to a particular group of users?

    3. Is Verify used only for SSO, or can we apply DLP policies as well for all the MS365 apps/cloud apps?



    ------------------------------
    Ashyen Jaiswal
    Security Specialist
    Crayon Software Experts
    ------------------------------


  • 2.  RE: Conditional access for MS365 using Verify and MaaS360

    Posted Thu April 07, 2022 12:10 PM
    Hi,

    I'll try to answer your questions.

    1. This depends on your Identity Source. If the Identity Source is Azure AD (not common), then you would have to add Azure AD as an Identity Source in Verify. The easier thing to do, if you are starting from scratch, is to use Verify Cloud as your Identity Source.

    2. In Verify, on a per-app basis, you can add Groups to which an Access Policy would apply. These Groups would be imported from your Identity Source (AD, Azure AD, etc.) or from within the Verify Cloud Directory.

    3. DLP is a separate thing entirely. For MS apps, you will have to use Intune App Protection to control data flow in and out of O365 apps. See https://www.ibm.com/docs/en/maas360?topic=miapp-configuring-microsoft-intune-app-protection-integration-in-maas360-portal. Be aware that the Groups you target will again be a function of the Groups in your Identity Source. Note that App Protection policies have to be targeted at Azure AD Groups, so you will either have to use Azure AD as your Identity Source or use Azure AD Connect to replicate users and groups to Azure AD.

    There are a couple of blogs that may help:

    https://community.ibm.com/community/user/security/blogs/margaret-radford/2021/06/28/migrating-to-office-365-exchange-online-with-ibm-s

    https://community.ibm.com/community/user/security/blogs/margaret-radford/2021/09/09/migrating-from-on-premise-ad-to-azure-ad-with-ibm

    Thanks...
    ------------------------------
    Clinton Adams
    ------------------------------
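The reply's point 2 (an access policy scoped to a subset of groups, with everyone else untouched) combined with the original poster's requirement (BYOD device enrolled in MDM before any MS365 app opens) is easy to get wrong when the policy is only described in words: who is in scope, what exceptions look like, and what happens when the device posture is unknown. The following is an added, self-contained Python model of that decision logic written for this page; it is not IBM Security Verify's or MaaS360's code, and the group names ("byod-pilot", "break-glass"), app names, user records and device posture data are constructed assumptions. Verify itself is configured in its console, so this block only shows the evaluation semantics a practitioner should expect and test for.

```python
"""Illustrative conditional-access evaluator (constructed example, not Verify's own logic).

Models the thread's use case: a policy scoped to one group of users that requires
their BYOD device to be enrolled (and compliant) in MDM before any MS365 app is allowed.
Users outside the targeted groups, or in an excluded group, are not evaluated by that policy.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Iterable, Optional


class Decision(Enum):
    ALLOW = "allow"
    DENY_ENROLL = "deny: enroll device in MDM first"
    DENY_NONCOMPLIANT = "deny: device out of compliance"
    DENY_UNKNOWN_DEVICE = "deny: device state unknown"


@dataclass(frozen=True)
class Device:
    device_id: str
    enrolled: bool      # registered with the MDM (MaaS360 in the thread)
    compliant: bool     # passes the MDM's compliance rules (assumed attribute)


@dataclass(frozen=True)
class AccessPolicy:
    name: str
    target_apps: FrozenSet[str]                    # apps the policy covers
    target_groups: FrozenSet[str]                  # users in these groups are in scope
    excluded_groups: FrozenSet[str] = frozenset()  # exceptions win over targets
    require_enrolled: bool = True
    require_compliant: bool = True

    def applies_to(self, app: str, user_groups: FrozenSet[str]) -> bool:
        """A policy applies only if the app is covered and the user is targeted and not excluded."""
        if app not in self.target_apps:
            return False
        if user_groups & self.excluded_groups:
            return False
        return bool(user_groups & self.target_groups)


def evaluate(policies: Iterable[AccessPolicy], app: str,
             user_groups: FrozenSet[str], device: Optional[Device]) -> Decision:
    """Evaluate every applicable policy; the first failing requirement denies (fail-closed)."""
    for policy in policies:
        if not policy.applies_to(app, user_groups):
            continue
        if device is None:
            # No device posture available: treat as unmanaged rather than silently allowing.
            return Decision.DENY_UNKNOWN_DEVICE
        if policy.require_enrolled and not device.enrolled:
            return Decision.DENY_ENROLL
        if policy.require_compliant and not device.compliant:
            return Decision.DENY_NONCOMPLIANT
    return Decision.ALLOW


# Constructed sample data: group names, app names, users and devices are assumptions for this example.
MS365_APPS = frozenset({"Outlook", "Teams", "SharePoint", "OneDrive"})

POLICIES = [
    AccessPolicy(
        name="MS365 requires enrolled BYOD",
        target_apps=MS365_APPS,
        target_groups=frozenset({"byod-pilot"}),      # the 500 in-scope users
        excluded_groups=frozenset({"break-glass"}),   # explicit exception group
    ),
]

DIRECTORY: Dict[str, FrozenSet[str]] = {  # user -> groups
    "alice": frozenset({"byod-pilot"}),
    "bob": frozenset({"byod-pilot"}),
    "carol": frozenset({"byod-pilot", "break-glass"}),
    "dave": frozenset({"staff"}),                    # one of the other 500 users
}

DEVICES: Dict[str, Optional[Device]] = {  # user -> posture reported by MDM (None: no record)
    "alice": Device("alice-phone", enrolled=True, compliant=True),
    "bob": Device("bob-phone", enrolled=False, compliant=False),
    "carol": None,
    "dave": None,
}


def decide_all(app: str) -> Dict[str, Decision]:
    """Run the policy set for every directory user against one app."""
    return {user: evaluate(POLICIES, app, groups, DEVICES[user])
            for user, groups in DIRECTORY.items()}


if __name__ == "__main__":
    for user, decision in decide_all("Outlook").items():
        print(f"{user:6} -> {decision.value}")
```

Two behaviours are worth checking in whatever real policy you build: a user outside the targeted groups (dave) is allowed because no policy applies to them at all, which is the "only a particular group" behaviour asked about, and a targeted user whose device posture the MDM cannot report (carol without her exception, or any in-scope user with no device record) is denied rather than allowed, since an unknown device is indistinguishable from an unmanaged one.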