News

Azure Information Protection and Azure AD Conditional Access Released

• By Kurt Mackie
• October 06, 2016

Two of Microsoft's Azure Active Directory products hit their "general availability" milestones this week.

Per Microsoft's nomenclature, general availability (GA) means that the product is deemed ready for use in production environments. Confusingly, however, Microsoft sometimes announces GA milestones for just parts of its products, especially for services.

This week, Microsoft indicated that its Conditional Access service and its Information Protection service for Azure AD were generally available, with caveats.

Azure AD Conditional Access
The first Microsoft GA announcement is that Conditional Access polices now can be set when using Azure AD to manage mobile devices, including those running Android, iOS and Windows (10, 8.1 and 7 versions) operating systems.

Microsoft had previously announced that Azure AD Conditional Access was at the GA stage in late July. However, apparently the company was trying to communicate back then that just the use of multifactor authentication and location-based policies were at the GA stage for Azure AD.

So, possibly not all Conditional Access parts are at the GA stage this week. It's hard to tell from Microsoft's fragmented announcements.

The only specific caveat in this week's announcement was that some pending work needs to be done to enable Conditional Access via the Azure management portal and Office 365 portal:

We still have some work to do to add Microsoft services such as the Azure management portal and the Office365 portal to Conditional Access. That work is already underway and shouldn't take too long to complete.

Of course, such a caveat seems to imply that IT pros can't actually set Conditional Access policies using those management tools, which renders Microsoft's GA announcement kind of moot.

Using the Azure AD Conditional Access service requires having an Azure AD Premium subscription in place. In addition, the devices need to be registered with the Azure AD service for the Conditional Access scheme to work. Domain-joined Windows devices are more easily registered, while Android and iOS devices appear to need the assistance of a mobile device management solution to register with Azure AD (Microsoft suggests using its Microsoft Intune product). Conditional Access rules can be set for groups, devices or various application types.

Azure Information Protection
Microsoft also announced this week that its Azure Information Protection service has hit the GA milestone. Azure Information Protection combines the Microsoft Azure Rights Management content-sharing protection service with technology acquired from Secure Islands that's used to classify document files. Microsoft had described forming this new service back in June.

In addition, the Azure Information Protection client for Office and Windows is generally available. However, clients for other platforms don't appear to have all of Azure Information Protection's capabilities yet, per Microsoft's announcement:

We currently provide for the consumption of protected content on all platforms. In the near future we will also provide additional support for classification and labeling across other platforms including Mac, iOS, Android, and Web.

Microsoft is now releasing new Azure Information Protection mobile applications for Android and iOS devices. These new mobile apps will replace the older RMS Sharing apps that were available in the Apple and Google Play Stores. An in-place update will happen automatically with the existing RMS Sharing apps, so no actions are needed to get the new mobile apps.

One Azure Information Protection component that hasn't reached GA status yet is the Hold Your Own Key (HYOK) encryption key protection scheme. Under HYOK, the organization has possession of the encryption key. Currently, HYOK is at the preview stage.

Microsoft also has a Bring Your Own Key (BYOK) scheme for Azure Information Protection. With BYOK, the encryption key is stored in Microsoft's datacenters using its Azure Key Vault hardware security module.

Microsoft Authenticator
On a related note, Microsoft has shipped an updated Microsoft Authenticator app for iOS devices, and it will now push approvals for those end users that had used Microsoft accounts. However, these users will have to add the account again if they previously had used one-time passcodes with the old Microsoft Authenticator app, Microsoft noted, in an announcement this week.

Microsoft Authenticator apps, which users download from applications stores (such as Google Play, Apple Store, etc.), simplify the Azure AD authentication process for end users. Microsoft had previously indicated that it would release new Microsoft Authenticator apps "in all mobile apps stores" by Aug. 15. However, the company indicated in this week's announcement that it is still working on a Microsoft Authenticator app for Windows Phone users.