Abstract: In a cloud computing environment, a cross-tenant access security measure monitors conditional access policies for changes or additions that hamper or threaten an authorized access from an assistant tenant user to a focus tenant. Some cross-tenant access security tracks role assignments to detect rogue roles, or detect hampering role changes. In some cases, focus tenant events and assistant tenant events are correlated in an audit. In some cases, the authorized access is a zero standing time bound access. In some cases, the authorized access is constrained to an IP address range, or constrained to login from a managed device, or both. In some cases, assets are excluded from managed response remediation actions. In some, managed response is modulated by product-specific Role Based Access Control. In some, repeated logins are avoided, to permit faster managed responses.

Abstract: In a cloud computing environment, a cross-tenant access security measure includes monitoring conditional access policies for changes or additions that hamper or threaten to hamper an authorized access from an assistant tenant user to a focus tenant. In some cases, cross-tenant access security includes tracking a role assignment list to detect rogue roles, or to detect hampering role changes such as role deletions, or both. In some cases, focus tenant events and assistant tenant events are correlated in an audit. In some cases, the authorized access is a zero standing time bound access. In some cases, the authorized access is constrained to an IP address range, or constrained to login from a managed device, or both. In short, security measures are described that mitigate accidental or surreptitious role or policy changes that would shut down or hinder authorized cross-tenant access.

Abstract: Providing access to one or more resources to a user device. A method includes at a user device, registering with an identity service to obtain an identity credential. The method further includes at the user device, registering with a policy management service by presenting the identity credential. The method further includes at the user device, providing an indication of current state of the user device to the policy management service. The policy management service can then indicate to the identity service the compliance level of the user device. The method further includes the user device receiving a token from the identity service based on the policy management level of the user device as compared to a policy set.

Abstract: Providing access to one or more resources to a user device. A method includes at a user device, registering with an identity service to obtain an identity credential. The method further includes at the user device, registering with a policy management service by presenting the identity credential. The method further includes at the user device, providing an indication of current state of the user device to the policy management service. The policy management service can then indicate to the identity service the compliance level of the user device. The method further includes the user device receiving a token from the identity service based on the policy management level of the user device as compared to a policy set.