
Less risk in updated Active Directory Federation Services

Microsoft puts more granular control in the hands of administrators, with enhanced conditional access control in Windows Server 2016.

The Azure Active Directory team at Microsoft has long been working toward the goal of using identity as the new control plane. Identity -- who you are and what you should be entitled to work on and with -- should be the lowest common denominator when it comes to access control. Identity ought to establish what is acceptable and what is unavailable, regardless of whether the resource being accessed is a company-owned device, an application in a data center, a hosted cloud app, a third-party Web service or anything else.

To this end, Microsoft has made some improvements in Windows Server 2016's Active Directory Federation Services (AD FS) and its sibling cloud service, Azure Active Directory, to fine-tune how access can be granted in certain situations. Conditional access control has been expanded, so administrators have more control; they can decide how much access and trust a user has, depending on what device they are using and where they are accessing a resource or app.

Intune provides underpinning for control 

The Microsoft Intune cloud system configuration utility is the foundation of this functionality. Intune is generally purchased as part of the Enterprise Mobility Suite (EMS) and is part of Azure AD Premium, which is included in the EMS license. Intune is now responsible for updating a repository of all devices that are either "joined to" an organization or are managed directly by the organization. Intune also tracks a device's state of compliance with policy.

Intune calls this the New Device Trust Level. The level can be one of three states: authenticated, managed or compliant. With those states, the new conditional access feature gives the administrator the ability to create complex rules, such as:

  • Allow employees that are members of the HR group access to the SharePoint Web portal for compensation strategies only if they have successfully passed multifactor authentication;
  • Only allow contractors who are using compliant devices that pass policy to access the Salesforce tenant; and
  • Allow sales personnel to connect to the on-premises quoting application remotely only if their device is workplace-joined (not domain-joined).

Identity and devices can be entwined

An administrator can set up rules that test the identity of a user, as well as what roles and groups he or she is permitted to access by virtue of that identity. The IT staff can also pair the device compliance state with that identity to ensure that the right people with secure, policy-compliant devices are accessing sensitive applications.

Some applications might only be allowed on devices that are either domain members or joined to the workplace, so IT can enforce encrypted storage. Other apps might be used only for reading and content consumption; for those, IT need only enforce identity controls.

Windows Server 2016 expands controls

As of Windows Server 2016, this conditional access control works across physical perimeters. The IT staff can establish controls for on-premises applications using Active Directory, as well as cloud services such as Office 365 or other cloud apps that can be federated and secured by Azure Active Directory, including DocuSign and Salesforce. Azure Active Directory will sync device state information to the regular deployment of AD, and the organization publishes the app through Active Directory Application Proxy, which understands these device state restrictions.

The organization just needs to install Azure AD Connect, which replaces the temperamental DirSync product. Azure AD Connect is helpful if the business is invested in a legacy on-premises deployment but is also using Microsoft Azure.

No change to app code required

One of the most important benefits is the ability to enforce multifactor authentication with on-premises and cloud apps, without any changes to the application's code being required.

By using AD FS for authentication, apps just need to be claims-aware -- most popular protocols are supported, including OAuth 2.0, OpenID Connect, SAML and WS-Federation -- and IT can let Azure Active Directory handle the complexity of multifactor authentication. This makes existing apps significantly more secure for a modest monthly bill for the EMS license and a few hours of work.
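The three rule patterns listed earlier (HR group plus MFA, compliant devices only, remote access only from workplace-joined devices) and the "no app code change" MFA enforcement described here can both be expressed as AD FS claim rules on the relying party trust. The following is an added example, not code from the article or from Microsoft's documentation; the relying party names, the group SIDs and the choice to permit any device from inside the corporate network are constructed placeholders and assumptions. The claim-type URIs are the standard AD FS ones for group SID, authentication method references, device registration and compliance state, and the inside-corporate-network marker.

```powershell
# Added example: conditional access for three on-premises relying parties via AD FS claim rules.
# Run in an elevated PowerShell session on a Windows Server 2016 AD FS server.
Import-Module ADFS

# Standard AD FS claim types for identity, MFA and device state.
$GroupSid     = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
$AuthnRefs    = 'http://schemas.microsoft.com/claims/authnmethodsreferences'
$Mfa          = 'http://schemas.microsoft.com/claims/multipleauthn'
$IsRegistered = 'http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser'
$IsCompliant  = 'http://schemas.microsoft.com/2014/09/devicecontext/claims/iscompliant'
$InsideCorp   = 'http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork'
$Permit       = 'http://schemas.microsoft.com/authorization/claims/permit'

# Placeholder SIDs; replace with the real group SIDs from your directory.
$HrGroupSid    = 'S-1-5-21-0000000000-0000000000-0000000000-1101'
$SalesGroupSid = 'S-1-5-21-0000000000-0000000000-0000000000-1102'

# Rule 1: HR members reach the compensation portal only after passing MFA.
# (a) An additional-authentication rule makes AD FS challenge HR members for a second factor,
#     which is what lets MFA be enforced without touching the application's code.
$hrMfaTrigger = @"
c:[Type == "$GroupSid", Value == "$HrGroupSid"]
 => issue(Type = "$AuthnRefs", Value = "$Mfa");
"@
# (b) The authorization rule permits only when group membership AND the MFA marker are present.
$hrAuthz = @"
@RuleName = "Permit HR after MFA"
c1:[Type == "$GroupSid", Value == "$HrGroupSid"]
 && c2:[Type == "$AuthnRefs", Value == "$Mfa"]
 => issue(Type = "$Permit", Value = "true");
"@
Set-AdfsRelyingPartyTrust -TargetName 'Compensation Portal' `
    -AdditionalAuthenticationRules $hrMfaTrigger `
    -IssuanceAuthorizationRules $hrAuthz

# Rule 2: the Salesforce trust is permitted only from devices Intune reports as policy-compliant.
# Any user without an iscompliant=true device claim gets no permit claim and is denied.
$compliantOnly = @"
@RuleName = "Permit compliant devices only"
c:[Type == "$IsCompliant", Value == "true"]
 => issue(Type = "$Permit", Value = "true");
"@
Set-AdfsRelyingPartyTrust -TargetName 'Salesforce' -IssuanceAuthorizationRules $compliantOnly

# Rule 3: sales staff may use the quoting app remotely only from a workplace-joined device.
# Assumption for this example: requests arriving from inside the corporate network are permitted
# for sales staff on any device; the insidecorporatenetwork claim is set by AD FS / Web Application Proxy.
$quotingAuthz = @"
@RuleName = "Permit sales on the intranet"
c1:[Type == "$GroupSid", Value == "$SalesGroupSid"]
 && c2:[Type == "$InsideCorp", Value == "true"]
 => issue(Type = "$Permit", Value = "true");

@RuleName = "Permit sales remotely only from registered devices"
c1:[Type == "$GroupSid", Value == "$SalesGroupSid"]
 && c2:[Type == "$InsideCorp", Value == "false"]
 && c3:[Type == "$IsRegistered", Value == "true"]
 => issue(Type = "$Permit", Value = "true");
"@
Set-AdfsRelyingPartyTrust -TargetName 'Quoting App' -IssuanceAuthorizationRules $quotingAuthz

# Verification: read the rules back and confirm each trust carries the intended policy.
Get-AdfsRelyingPartyTrust -Name 'Compensation Portal', 'Salesforce', 'Quoting App' |
    Select-Object Name, AdditionalAuthenticationRules, IssuanceAuthorizationRules
```

In Windows Server 2016, AD FS also ships access control policy templates (list them with `Get-AdfsAccessControlPolicy`, for example "Permit everyone and require MFA from unauthenticated devices") that cover the common cases above without hand-written rules; a trust that has such a policy assigned rejects direct edits to its issuance authorization rules, so pick one approach per relying party. Whichever you use, test each trust with a non-compliant or unregistered device before relying on it, because a missing device claim denies access silently rather than explaining why.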
