Enterprise Remote Access Evolution with Microsoft EMS – Notes from the field

If your company is using cloud resources or publishes their OnPrem Resources to the Internet then most of you just use Username/Password or probably Multifactor Authentication (MFA) for Authentication? To securely publish OnPrem Resources you are using Reverse Proxies in your DMZ? If you answer these questions with yes then, you must read this blog.

Some of the solutions you use are easily to configure, but mostly they need some OnPrem Systems, which therefore require regularly updates and new investments in hardware. Additionally, you must keep in mind, that it is not enough to have two reverse proxies for redundancy, you then need also a redundant load balancer and redundant internet connections. If you put all of this together then you see, that you have very hight cost and probably not always the newest technology.

Imagine, there is a solution for that. Just use the Microsoft Enterprise Mobility and Security Suite, which will not only solve the issues described above. It will give you also a lot of other benefits like a Mobile Device Management (MDM) system with Intune or Azure AD Premium, which has Self-Service capabilities built-in to reduce the workload on your support team. The best of all could be, if you already own the EMS Subscription, but didn’t know the whole potential of it. Here are few examples from the field, which could be quick wins in your company:

• Azure AD Application Proxy – The Reverse Proxy Replacement
  You can publish internal Applications to the internet by installing one or more Azure AD Application Proxy Connectors to your network. You don’t need a DMZ for that, because there are no incoming ports to open. So, it is also working without a fix public IP Address. The endpoint is hold in Azure (Prevents DDOS attacks to your Network) and the connectors are automatically updated. You don’t need any load balancers or other infrastructure; the Connector servers just need internet access. The setup can be done in minutes and you can protect all of these applications with Azure AD functions. So before buying new proxy servers, checkout this solution. Here you find a great article about this topic: MS Blog
• Azure AD Conditional Access – Advanced Access Protection
  Today, I assume, you will give access to resources based on AD Groups. If a user is in the group, then he has access. Is that enough for the future? I have customers which had security breaches with stolen credentials. Therefore, the attacker has access to all resources, where the user has permission for. With Conditional Access, you can block that, because you can include User Risk State, Device Compliance or Location to the Access Rule. I will explain the possibilities in more details in the Conditional Access Blog Post.
• Azure AD Self Service Capabilities – Give the users the flexibility to manage their resource on their own
  The users can manage group memberships on their own for groups they own or just manage their own memberships for open groups or applications. Additionally, they can use Self Service Password Reset to Reset their own Password with various verification options. Another option is to provide them access to the Bitlocker Recovery Key.
• Identity Management System
  Last week a customer told me, that he is evaluating Identity Management Systems and that they are very expensive. Then I just asked, why he is not looking at the Microsoft Identity Manager, which can do all of his planned things, like syncing employee data from SAP to Active Directory and other systems. The answer was: “This product was too expensive!” Hmm, he already owns EMS, so he can use it already with no additional cost.
• Azure Information Protection – Protect Date wherever they are, not only on the encrypted notebooks.
  AIP allows you to encrypt and limit access your document based on Labels, which can automatically be applied or manually chosen by your users. The documents can be opened with all newer Office versions. Therefore, most of the external recipients don’t need an extra piece of software, like with other solutions. So, it is end user friendlier than most of the other solutions. Read more about it in one of my earlier blog posts.
• Intune – Mobile Device Management and Mobile Application Management
  With Intune, you have great solution to manage your mobile devices or also your Windows 10 devices. If you need more options to manage Windows 10, then have a look on our extensions in the Syntaro Portal.

In this few examples, you could see how much issues Microsoft EMS can solve. It is a big toolset and will also help you in some questions regarding to the new European General Data Protection Regulation (GDPR). In regards to GDPR, you find a lot of useful information also on the Microsoft Blog. As soon I have more experience from the field to share, I will to that.

• About
• Latest Posts

Follow me

Thomas Kurth

Principal Security Consultant | MVP at baseVISION AG

I’m a consultant, trainer and architect for modern workplace and enterprise mobility projects with Microsoft Technologies in the past ten years. I love to push and design the modern workplace based on Microsoft 365 for my customers which is the only answer for the current security threats, agile world and the fast-changing business requirements of my customers. Important for me is to simplify and automate the operational processes, because there are the highest costs.

Follow me

Latest posts by Thomas Kurth (see all)

• Microsoft Sentinel ASIM Parser demystified - March 31, 2024
• Enhancing Network Security Insights with IDS/IPS of Ubiquiti Dream Machine Pro and Microsoft Sentinel - March 10, 2024
• Ubiquiti Dream Machine Pro Logs to Microsoft Sentinel - February 6, 2024