This tutorial is intended for IT professionals and Workspace ONE administrators of existing production environments. Familiarity with Active Directory, identity management, and directory services is assumed. Knowledge of other technologies, such as Azure AD and Postman, is also helpful. If you are new to Workspace ONE, review the Evaluation Guide: Managing Apps and Devices with Cloud-Based VMware Workspace ONE, which has step-by-step exercises implementing features like mobile single sign-on (SSO) in UEM and Workspace ONE Access.

Zero Trust during Authentication - Architecture

With Workspace ONE Access, we can integrate with Workspace ONE UEM, which manages the users' devices, and leverage that compliance status during authentication into any application federated to Workspace ONE Access using SAML or OIDC. Microsoft Office 365 is authorized through Azure AD, which can be federated to Workspace ONE Access for users synced from an external source such as an on-premises AD or another identity source. A benefit of this solution is that it does not require advanced Microsoft licenses to be enabled. The Zero Trust during Authentication video explains the flow of the components involved in creating this solution.

To recap, Azure AD is federated with Workspace ONE Access as an IDP, and whenever a user signs into a service integrated with Azure AD, the authentication passes through Workspace ONE Access and uses a certificate that includes user and device information in the form of the Device UDID. Workspace ONE Access is configured to use this certificate-based authentication method, with the certificate issued through Workspace ONE UEM. This allows Workspace ONE Access to check not only the validity of the certificate and the user it was issued for, but also the device's management and compliance state, before authenticating the user to Azure AD.

One caveat: we authenticate to Azure AD and not to the service itself, so we do not know which specific service (Teams, Exchange Online, SharePoint) we are authenticating for. Only blanket conditional access policies can be applied, with no granular policies per service.

Further, this works during initial authentication, but when authorizing the user to a specific service, Azure AD uses ID, OAuth2 Access, and Refresh tokens. The Access token is a short-lived authorization, by default valid for a random value between 60 and 90 minutes; the Refresh token is constantly renewed and has a maximum inactive time of 90 days. So, any time the Access token runs out, the Refresh token is presented to the token endpoint to receive a new Access token. No new authentication is required in this flow, so during that time no compliance check happens, and a device that has since become non-compliant would still have access to resources and services.

To mitigate this, we can revoke the Refresh token used by the application by revoking all sign-in sessions for the specific user. This forces the user to sign in again as soon as the Access token time-to-live ends, and that new sign-in passes through Workspace ONE Access and its compliance check. Because we use seamless sign-on with certificates, the reauthentication on compliant devices is transparent to the user. Azure AD also has a feature called Continuous Access Evaluation (CAE), which allows applications that support it, like Exchange Online and SharePoint, to subscribe to an event feed and revoke access near instantly after receiving the API call that revokes the user's sessions, rather than waiting for the Access token to expire.
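The token lifecycle described above (Access token renewed from the Refresh token with no compliance re-check, session revocation forcing a fresh certificate sign-in through the compliance check, and CAE-aware services dropping access on the revocation event) is easy to misjudge without seeing the timings side by side. The following toy model is an added example written for this page; it is not VMware or Microsoft code and talks to no real tenant. The `IdentityProvider`, `Service`, `Device` and `Session` classes, the user `alice`, the device `UDID-1` and the fixed 60-minute TTL used in `access_window_after_revocation` are all constructed for the illustration; time is counted in minutes from the initial sign-in.

```python
import random
from dataclasses import dataclass


@dataclass
class Device:
    udid: str          # device identifier carried in the certificate (constructed)
    compliant: bool    # UEM compliance state; can change after sign-in


@dataclass
class Session:
    udid: str
    access_expires_at: int   # minute at which the current Access token expires
    refresh_last_used: int   # drives the 90-day inactivity limit on the Refresh token
    refresh_valid: bool = True


class IdentityProvider:
    """Stand-in for Workspace ONE Access federated with Azure AD (hypothetical).

    Compliance is evaluated only in authenticate(); refresh() deliberately does
    not re-check it, which is the gap the text describes.
    """
    REFRESH_INACTIVITY_LIMIT = 90 * 24 * 60  # 90 days, in minutes

    def __init__(self, devices, access_ttl=lambda: random.randint(60, 90)):
        self.devices = devices
        self.access_ttl = access_ttl      # Access token lifetime, 60-90 min by default
        self.sessions = {}                # user -> Session
        self.cae_subscribers = []         # services listening for revocation events

    def authenticate(self, user, udid, now):
        """Certificate sign-in: the only place the device's compliance is checked."""
        device = self.devices[udid]
        if not device.compliant:
            raise PermissionError(f"{udid} is not compliant")
        session = Session(udid, now + self.access_ttl(), now)
        self.sessions[user] = session
        return session

    def refresh(self, user, now):
        """Token endpoint: trade a valid Refresh token for a new Access token."""
        session = self.sessions.get(user)
        if session is None or not session.refresh_valid:
            raise PermissionError("refresh token revoked; interactive sign-in required")
        if now - session.refresh_last_used > self.REFRESH_INACTIVITY_LIMIT:
            session.refresh_valid = False
            raise PermissionError("refresh token expired through inactivity")
        # No compliance check here: a device that drifted out of compliance is still renewed.
        session.refresh_last_used = now
        session.access_expires_at = now + self.access_ttl()
        return session

    def revoke_sign_in_sessions(self, user):
        """Admin action 'revoke all sign-in sessions': kills the Refresh token and
        notifies CAE subscribers immediately."""
        session = self.sessions.get(user)
        if session is not None:
            session.refresh_valid = False
        for service in self.cae_subscribers:
            service.on_revocation(user)


class Service:
    """A relying party such as Exchange Online; cae=True subscribes it to revocation events."""

    def __init__(self, name, idp, cae=False):
        self.name, self.idp = name, idp
        self.revoked_users = set()
        if cae:
            idp.cae_subscribers.append(self)

    def on_revocation(self, user):
        self.revoked_users.add(user)

    def request(self, user, now):
        """Return True if the request is served, False if it is rejected."""
        if user in self.revoked_users:          # CAE path: cut off before the token expires
            return False
        session = self.idp.sessions.get(user)
        if session is None:
            return False
        if now >= session.access_expires_at:    # Access token expired: try the Refresh token
            try:
                self.idp.refresh(user, now)
            except PermissionError:
                # Refresh token gone: the client must sign in again, and that path
                # goes through the certificate check, which now sees a non-compliant device.
                try:
                    self.idp.authenticate(user, session.udid, now)
                except PermissionError:
                    return False
        return True


def access_window_after_revocation(cae, access_ttl=lambda: 60):
    """Minutes a device that became non-compliant keeps access after the admin
    revokes the user's sign-in sessions. Scenario and values are constructed."""
    devices = {"UDID-1": Device("UDID-1", compliant=True)}
    idp = IdentityProvider(devices, access_ttl)
    service = Service("exchange", idp, cae=cae)
    idp.authenticate("alice", "UDID-1", now=0)
    devices["UDID-1"].compliant = False          # device drifts out of compliance right away
    assert service.request("alice", now=200)     # still served: refresh never re-checked it
    idp.revoke_sign_in_sessions("alice")         # admin revokes at t=200
    served = 0
    for t in range(200, 400):
        if not service.request("alice", t):
            break
        served += 1
    return served


if __name__ == "__main__":
    print("without CAE:", access_window_after_revocation(cae=False), "min of residual access")
    print("with CAE:   ", access_window_after_revocation(cae=True), "min of residual access")
```

With a fixed 60-minute TTL the non-CAE service keeps serving the revoked user for the full remaining Access token lifetime (60 minutes from the last refresh), while the CAE-subscribed service rejects the very next request; with the default random TTL the residual window is anywhere between 60 and 90 minutes, which is the exposure the text's mitigation is bounding.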