SharePoint Conference 2018 - Securing Office 365 and SharePoint Online with Azure Active Directory
2 likes1,302 views
The document outlines Microsoft's information protection solutions and security capabilities, focusing on tools and practices for data governance, rights management, and secure access across various platforms. It provides guidance for organizations, particularly in election campaigns and the nonprofit sector, on securing email, mobile devices, and cloud applications through strategies like multi-factor authentication, conditional access, and mobile device management. Additionally, it emphasizes the importance of protecting sensitive information while maintaining productivity in a fast-moving environment.
![I want to provide my employees secure
and easy access to every application
from any location and any device
I need my customers, partners, and users to
access the apps they need from everywhere
and collaborate seamlessly
I want to quickly deploy applications to
devices, do more with less and automate
Join/Move/Leave processes
[dev use case]
I want to protect access to my
resources from advanced threats
I need to comply with industry regulation
and national data protection laws
Conditional
Access
Multi-Factor
Authentication
Addition of
custom cloud
apps
Remote Access
to on-premises
apps
Privileged
Identity
Management
Dynamic Groups
Identity
Protection
Azure AD DS
Office 365 App
Launcher
Group-Based
Licensing
Access
Panel/MyApps
Azure AD
Connect
Connect Health
Provisioning-
Deprovisioning
Azure AD Join
Self-Service
capabilities
MDM-auto
enrollment /
Enterprise State
Roaming
Security
Reporting
Access Reviews
HR App
Integration
B2B
collaboration
Azure AD
B2C
SSO to SaaS
Microsoft
Authenticator -
Password-less
Access](https://image.slidesharecdn.com/securingoffice365-aad-spo-180524184825/85/SharePoint-Conference-2018-Securing-Office-365-and-SharePoint-Online-with-Azure-Active-Directory-13-320.jpg)
SharePoint Conference 2018 - Securing Office 365 and SharePoint Online with Azure Active Directory
- 3. Scott Hoag Principal Cloud Solutions Architect, Opsgility Co-host Microsoft Cloud IT Pro Podcast www.linkedin.com/in/scottmhoag@ciphertxt shoag@opsgility.com msclouditpro.com
- 4. DETECT PROTECT CLASSIFYMONITOR MICROSOFT’S INFORMATION PROTECTION SOLUTIONS WINDOWS INFORMATION PROTECTION Separate personal vs. work data on Windows 10 devices and prevent work data from traveling to non-work locations OFFICE 365 ADVANCED SECURITY MANAGEMENT Visibility into Office 365 app usage and potential data abuse MICROSOFT CLOUD APP SECURITY Visibility into 15k+ cloud apps, data access & usage, potential abuse MESSAGE ENCRYPTION Send encrypted emails in Office 365 to anyone – inside or outside of the company CONDITIONAL ACCESS Control access to files based on policy, such as identity, machine configuration, geo location OFFICE APPS Protect sensitive information while working in Excel, Word, PowerPoint, Outlook AZURE INFORMATION PROTECTION Classify, label & protect files – beyond Office 365, including on-prem & hybrid OFFICE 365 DLP Prevent data loss across Exchange Online, SharePoint Online, OneDrive for Business ISV APPLICATIONS Enable ISV partners to consume labels, apply protection OFFICE 365 ADVANCED DATA GOVERNANCE Apply retention and deletion policies to sensitive and important data in Office 365 SHAREPOINT & GROUPS Protect files in libraries and lists Microsoft’s information protection solutions
- 5. Data governance & rights management Responsibility SaaS PaaS IaaS On-prem Client endpoints Account & access management Identity & directory infrastructure Application Network controls Operating system Physical network Physical datacenter CustomerMicrosoft Physical hosts
- 6. Data governance & rights management Responsibility SaaS PaaS IaaS On-prem Client endpoints Account & access management Identity & directory infrastructure Application Network controls Operating system Physical network Physical datacenter CustomerMicrosoft Physical hosts Security Updates / Patches Software / Feature Upgrades Server Maintenance/Troubleshooting Server Uptime ( SLA from Microsoft) Backup and Archive solution Office 365
- 7. Data governance & rights management Responsibility SaaS PaaS IaaS On-prem Client endpoints Account & access management Identity & directory infrastructure Application Network controls Operating system Physical network Physical datacenter CustomerMicrosoft Physical hosts Attacks on Operating System (OS) and OS Admins Application attacks Hardware/Firmware Denial of Service Physical Attacks Office 365
- 8. Data governance & rights management Responsibility SaaS PaaS IaaS On-prem Client endpoints Account & access management Identity & directory infrastructure Application Network controls Operating system Physical network Physical datacenter CustomerMicrosoft Physical hosts Directly connected to internet User services and interfaces Administrative interfaces Implications Authentication Security is Critical Multi-factor authentication Per user (UEBA) anomaly detection across full context (time, date, geolocation) Integration of security intelligence Tenant Security Configuration is critical
- 9. Data governance & rights management Responsibility SaaS PaaS IaaS On-prem Client endpoints Account & access management Identity & directory infrastructure Application Network controls Operating system Physical network Physical datacenter CustomerMicrosoft Physical hosts Notable trends Identity Attacks Password Spray Brute Force Password Re-use App/Data Layer attacks Social engineering Delegation and forwarding rule attacks PowerShell scripts in attacks
- 10. Data governance & rights management Responsibility SaaS PaaS IaaS On-prem Client endpoints Account & access management Identity & directory infrastructure Application Network controls Operating system Physical network Physical datacenter CustomerMicrosoft Physical hosts Control plane PowerShell for administration Cloud + Browser Authentication Model (changes protocols, logs, auth flows, etc. ) Consistent Logs are conducive to off the shelf analytics (e.g. a CASB like MCAS) Regular release of features and changes (configurable, but not customizable) Implications Always Current Features Security must regularly review updates Office 365 Roadmap | O365 Update Series on YouTube
- 12. Windows Server Active Directory Azure Public cloud Microsoft Azure Active Directory Commercial IdPs Consumer IdPs Partners Customers Azure AD Connect
- 13. I want to provide my employees secure and easy access to every application from any location and any device I need my customers, partners, and users to access the apps they need from everywhere and collaborate seamlessly I want to quickly deploy applications to devices, do more with less and automate Join/Move/Leave processes [dev use case] I want to protect access to my resources from advanced threats I need to comply with industry regulation and national data protection laws Conditional Access Multi-Factor Authentication Addition of custom cloud apps Remote Access to on-premises apps Privileged Identity Management Dynamic Groups Identity Protection Azure AD DS Office 365 App Launcher Group-Based Licensing Access Panel/MyApps Azure AD Connect Connect Health Provisioning- Deprovisioning Azure AD Join Self-Service capabilities MDM-auto enrollment / Enterprise State Roaming Security Reporting Access Reviews HR App Integration B2B collaboration Azure AD B2C SSO to SaaS Microsoft Authenticator - Password-less Access
- 14. I want to provide my employees secure and easy access to every application from any location and any device I need my customers and partners to access the apps they need from everywhere and collaborate seamlessly I want to quickly deploy applications to devices, do more with less and automate Join/Move/Leave processes I want to write applications that work with my corporate identities in Azure Active Directory I want to protect access to my resources from advanced threats I need to comply with industry regulation and national data protection laws Conditional Access Multi-Factor Authentication Addition of custom cloud apps Remote Access to on-premises apps Privileged Identity Management Dynamic Groups Identity Protection Azure AD DS Office 365 App Launcher Group-Based Licensing Access Panel/MyApps Azure AD Connect Connect Health Provisioning- Deprovisioning Azure AD Join Self-Service capabilities MDM-auto enrollment / Enterprise State Roaming Security Reporting Access Reviews HR App Integration B2B collaboration Azure AD B2C SSO to SaaS Microsoft Authenticator - Password-less Access 1 2 3 4 5 6
- 15. Microsoft Azure Active Directory Remote Access to on-premises apps Azure AD Connect SSO to SaaS Access Panel/MyApps Self-Service capabilities Azure AD DS Microsoft Authenticator - Password-less Access Office 365 App Launcher Conditional Access Multi-Factor Authentication Azure AD Connect On- premises I want to provide my employees secure and easy access to every application from any location and any device 1
- 16. Identity synchronization using Azure AD Connect On- premises Password validation requests are sent to Windows Server Active Directory via Pass-through authentication Pass-through authentication Microsoft Azure Active Directory Pass-through authentication agent Office 365, SaaS, and LoB apps
- 17. DMZ https://appX-contoso.msappproxy.net/ connectorconnector Microsoft Azure Active Directory connector app app app app connector Application Proxy Azure or 3rd Party IaaS
- 18. On-premises applicationsBlock access Wipe device Enforce MFA Conditions MFA Location (IP range) Device state Risk User group Allow access Multi-Factor Authentication Conditional Access Privileged Identity Management Identity Protection Remote Access to on-premises apps SSO to SaaS Security Reporting I want to protect access to my resources from advanced threats2 Cloud apps On- premises
- 20. Require MFA Allow access Deny access Force password reset****** Limit access Controls On-premises apps Web apps Users Devices Location Apps Conditions Machine learning Policies Real time Evaluation Engine Session Risk 3 10TB Effective policy
- 21. CLOUD APPS CLOUD APP SECURITY Policy Proxy Conditional Access Azure AD ****** Deny access Force password reset Limit access THEN Require MFA Allow access
- 22. Microsoft Cloud 3rd Party SaaS Apps On Premises Apps Microsoft Azure Prevent data leak Disable print Restrict download Enforce MFA Block sign-in Allow sign-in Access Control Session Restrictions OS Platform Is Compliant / Domain joined Is lost or stolen Device Risk Device User identity Group membership Session Risk User Mobile or Cloud app Per app policy App Location IP range Country / Region ApplicationsPolicy Controls Conditional Access Policy Conditions Windows Defender Azure AD Identity Protection Service Terms of Use Partners
- 25. Application Employee Contractor Inside Corp Outside Corp Inside Corp Outside CorpManaged Device BYOD Managed Device BYOD Exchange Online OWA Just Allow MFA Just Allow MFA for Medium, Block for high MFA MFA Outlook Desktop App Allow with Win10 EDP or Bitlocker MAM with pin Allow with Win10 EDP or Bitlocker MAM with pin MAM with pin MAM with pin SharePoint Online Just Allow MFA and reduced session Just Allow MFA and reduced session MFA MFA and reduced session OneDrive for Business Allow with Win10 EDP or Bitlocker MAM with pin Allow with Win10 EDP or Bitlocker MAM with pint MAM with pin MAM with pin
- 26. Microsoft Azure Active Directory Windows Server Active Directory ADFS/WAP MFA Service Windows Server Active Directory 10.10.23.24
- 32. SharePoint Online 5 7 1 6 Intune Company Portal Step 1: Enroll device Unified Enrollment 2 4 3 Device object - device id - isManaged - MDMStatus 8 Azure Active Directory
- 33. Containing data after it has been accessed Managed apps Personal appsPersonal apps Managed apps Corporate data Personal data Protect corp data Control sharing and downloading ITMonitor and restrict activity via mobile app via browser
- 34. Exchange Online Stateless Protocol Translator (Azure) 5 7 1 6 Intune 2 Policy - Approved Client IDs 8 9 App Store / Google Play Step 1: Install Microsoft Authenticator / Company Portal 3 Broker App 4 Outlook for iOS/Android Azure Active Directory
- 39. Do Don’t Use the Authenticator App Exclude 1 Admin account from the policy Enable Identity Protection Users respond much more favorably to conditional/situational MFA Know how to debug Modern Auth issues Know how to debug MFA authentications Underestimate the complexity of hybrid CA Assume users/business units will understand why Forget to about the last 5%. But don’t block on them. https://diagnostics.outlook.com/#/?env=ExRCA
- 40. Analytics
- 42. * Requires a P1 license
- 50. Office 365 Groups Guests Allowed To Access Groups MS Teams Rely on Groups external settings Yes Guest AuthenticationYes SharePoint Online External Sharing Allowed Office 365 Groups Owners Allowed to Add Guests MS Teams Apps, Tabs Bots Files/Notes/Wike access granted Access Denied Teams owners can add Guests Only IT admin can add Guests App/Tab/Bot access granted Access Denied Success Fail Success Fail Success Fail Authentication Denied No Guest Addition Denied Disabled
- 52. Enforce on-demand, just-in-time administrative access when needed Ensure policies are met with alerts, audit reports and access reviews Manage admins access in Azure AD and also in Azure RBAC User Administrator Discover, restrict, and monitor privileged identities UserAdministrator privileges expire after a specified interval
- 54. Unify security management and enable advanced threat protection for hybrid cloud workloads
- 55. Closing thoughts
- 56. Advanced Threat Protection for email drives the recommendation for E5 for all users with a mailbox. Advanced Data Governance capabilities are used to automate protection for data loss prevention. Compare all Office 365 for Business Plans Risk-based conditional access and Cloud App Security drive the recommendation for EMS E5. Included with EMS E5. Risk-based conditional access can be used with B2B accounts. Every Azure AD paid license includes rights to 5 B2B collaboration users (5:1 model). Compare all Enterprise Mobility + Security Plans
- 58. Scott Hoag Principal Cloud Solutions Architect, Opsgility Co-host Microsoft Cloud IT Pro Podcast www.linkedin.com/in/scottmhoag@ciphertxt shoag@opsgility.com msclouditpro.com
- 59. © 2017 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com. Introduction See topics 2-12 for more information and resources. July 2017 Planning and implementation guidance for fast-moving organizations that have an increased threat profile This topic is 1 of 12 in a series Microsoft Security Guidance for Election Campaigns and Nonprofit Organizations Election campaigns around the world are run by fast-moving organizations with intensive collaboration patterns and security risks that rise with the potential influence a win can achieve. They face challenges from sophisticated actors that can deploy significant resources to breach an organization. This solution demonstrates how to build an environment with essential cloud services. It includes prescriptive security design for protecting identities, email, and access from mobile devices. Office 365 enterprise capabilities Secure email and calendars Office suite and Office Online OneDrive for Business SharePoint Online Business-class email protected with Exchange Online Protection and Office 365 Advanced Threat Protection. The latest Office apps for your PC and Mac, including updates to protect your environment. Create and edit documents from a browser. 1 TB of personal cloud storage that can be accessed from anywhere and syncs with a PC/Mac for offline access. Easily share documents with others and control who can see and edit each file. Office on PCs, tablets, and phones Fully installed Office experience across PCs, Macs, Windows tablets, iPad® and Android tablets, and most mobile devices. Communications sites to keep your organization up to date. Team sites and document libraries protected at the appropriate level for the sensitivity of your data and projects. Online meetings Host online meetings with audio, HD video, and web conferencing over the Internet. Join meetings with a single touch or click from the smartphone, tablet, or PC of your choice. Meeting broadcast Broadcast Skype for Business meetings on the Internet for up to 10,000 people, who can attend in a browser on nearly any device. Meetings include real-time polling and sentiment tracking. Enterprise Mobility + Security (EMS) suite Simplified identity management Centrally manage single sign-on across devices and all of your SaaS and cloud applications. Multi-factor authentication Strengthen sign-in authentication with verification options, including phone calls, text messages, or mobile app notifications. Conditional access Define policies that provide contextual controls at the user, location, device, and app levels to allow, block, or challenge user access. Risk-based conditional access Protect apps and critical data in real time using machine learning and the Microsoft Intelligent Security Graph to block access when risk is detected. Advanced security reporting Monitor suspicious activity with reporting, auditing, and alerts, and mitigate potential security issues using focused recommendations. Mobile device management Enroll corporate and personal devices to provision settings, enforce compliance, and protect your corporate data. Mobile application management Publish, configure, and update mobile apps on enrolled and unenrolled devices, and secure or remove app-associated corporate data. Persistent data protection Encrypt sensitive data and define usage rights for persistent protection regardless of where data is stored or shared. Microsoft Cloud App Security Gain visibility, control, and protection for your cloud- based apps Identify threats, abnormal usage, and other cloud security issues. Azure PaaS analytics environment Azure PaaS Analytics Recommended environment you can build using SQL Data Warehouse and Azure Data Lake. Protect access to this environment using the same capabilities as Office 365. This solution includes capabilities across Office 365, Enterprise Mobility + Security (EMS) suite, and Azure PaaS. EMS makes it possible to integrate other cloud services and use the same identity provider, secure access capabilities, and monitoring solutions across your entire environment. This guidance includes only cloud services but you can also use these recommendations with a hybrid on-premises environment. Core cloud capabilities in this solution Data governance & rights management Security responsibility SaaS PaaS IaaS On-prem Client endpoints (devices) Account & access management Identity & directory infrastructure Application Network controls Operating system Physical network Physical datacenter CustomerMicrosoft Physical hosts By using Microsoft cloud services, you greatly reduce the attack surface you are responsible for. This solution shows you how to configure the controls that are provided for you to secure your data, devices, and identities. Identity & directory infrastructure refers to integration with on-premises directories. If you re using cloud-only accounts, this doesn t apply to you. The guidance in this solution is designed for cloud-only environments, but can also be used with hybrid environments with on-premises directories. By using Microsoft cloud services, you greatly reduce the amount of work required to keep your environment secure. Decades of engineering experience has enabled Microsoft to develop leading-edge best practices in the design and management of online services. Through industry-leading security practices and unmatched experience running some of the largest online services around the globe, Microsoft delivers enterprise cloud services you can trust. For more information, see Microsoft Cloud Security for Legal and Compliance Professionals Reduce your security responsibility In addition to these cloud capabilities, Windows 10 includes capabilities that are recommended for this solution. Windows 10 is not required. 1 2 3 4 5 6 7 8 9 10 11 12 © 2017 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com.July 2017 Microsoft Security Guidance for Election Campaigns and Nonprofit Organizations Device protection and access Azure Active Directory Tenant domain accounts Azure B2B accounts (without additional licensing) Multi-factor authentication and conditional access Mobile Application Management (MAM) Device enrollment and management Only one org can manage a device You can gain a lot of protection on devices, even for unmanaged BYOD devices, by using capabilities in the EMS E5 suite. First, understand what capabilities are available per account type. See the illustration to the right. This topic includes recommendations you can use as a starting point. You ll need to make a few decisions to adjust these recommendations for your environment. B2B accounts — Intune capabilities require additional licensing for B2B users. For B2B users that have access to sensitive data, consider licensing these with EMS E5 so you can apply Mobile Application Management (MAM) capabilities. Managing devices — Choose whether to enroll devices into Intune for management. Only one organization can be a management authority for a device. Therefore, managing devices of B2B users might not be an option because these devices might already be managed by their organization. Windows 10 — Windows 10 includes compelling security capabilities that make this a recommendation for organizations with a high threat profile. At a minimum, consider using Windows 10 for users who are the highest value targets for cyber attacks. Windows 10 security capabilities (conditional access based on device compliance requires device management) Starting-point recommendation This guidance is intended for lightweight, rapidly moving organizations. These starting-point recommendations acknowledge that you might not have a lot of control over the devices users bring to the environment. These recommendations are also intended to provide a variety of options for protecting devices, including data on the devices. Adjust this guidance for your organization based on your threat profile. This solution provides prescriptive guidance for protecting access to email, files, and other resources with multi-factor authentication, conditional access rules, and Intune management. The guidance is based on these starting-point recommendations. You can adjust this guidance to support the decisions you make for your environment. Mac support for managed devices is coming soon. Intune-managed BYOD PCs with device compliance policies to ensure the health of these devices. Latest versions of Office 2016, including updates. Senior and strategic staff IT staff Analytics staff Regular core staff Field staff Hourly paid contract staff Consultants and vendors Tenant domain accounts Azure B2B accounts (without additional licensing) Intune-managed PCs. Windows 10 with BitLocker, Windows Defender, Windows Firewall, and Windows Information Protection (WIP) as a minimum configuration. If Windows 10 is not used, enroll PCs in Intune and use device compliance policies to ensure the health of these devices. Latest versions of Office 2016, including updates. Conditional access rules requiring multi-factor authentication and apps that support modern authentication. Intune-managed phones/tablets. Phones registered with Azure AD for phone authentication. Approved phone/tablet apps from the app stores — apps that can be managed by Intune Application Management. Intune app management policies to protect business data on phones. Phones registered with Azure AD for phone authentication. Approved phone/tablet apps from the app stores—apps that can be managed by Intune Application Management. Intune application management policies to protect business data on phones. Phones registered with Azure AD for phone authentication. Conditional access rules requiring multi-factor authentication. Approved phone/tablet apps from the app stores — apps that support modern authentication. Operations staff This topic is 1 of 12 in a series 1 2 3 4 5 6 7 8 9 10 11 12 Planning and implementation guidance for fast-moving organizations that have an increased threat profile aka.ms/SecureCampaign
- 60. Office 365: Manage Identities using Azure AD connect https://aka.ms/365enterpriseident aka.ms/365Enterprise