Securing Office 365 requires knowing more than your way around the Admin Center. With Office 365's heavy dependency on Azure Active Directory for authentication (and in some cases authorization) to Office 365 workloads, it is critical that you understand how users access your environment and how you can control that access.
In this session, we'll explore how you can secure your Office 365 tenant with Azure Active Directory, conditional access policies, and more.
SharePoint Conference 2018 - Securing Office 365 and SharePoint Online with Azure Active Directory
3. Scott Hoag
Principal Cloud Solutions Architect, Opsgility
Co-host, Microsoft Cloud IT Pro Podcast
www.linkedin.com/in/scottmhoag | @ciphertxt
shoag@opsgility.com | msclouditpro.com
4. Microsoft's information protection solutions (figure: a cycle of Detect, Protect, Classify and Monitor around the following products)
Windows Information Protection: separate personal vs. work data on Windows 10 devices and prevent work data from traveling to non-work locations
Office 365 Advanced Security Management: visibility into Office 365 app usage and potential data abuse
Microsoft Cloud App Security: visibility into 15k+ cloud apps, data access & usage, potential abuse
Message Encryption: send encrypted emails in Office 365 to anyone, inside or outside of the company
Conditional Access: control access to files based on policy, such as identity, machine configuration, geo location
Office Apps: protect sensitive information while working in Excel, Word, PowerPoint, Outlook
Azure Information Protection: classify, label & protect files beyond Office 365, including on-prem & hybrid
Office 365 DLP: prevent data loss across Exchange Online, SharePoint Online, OneDrive for Business
ISV Applications: enable ISV partners to consume labels, apply protection
Office 365 Advanced Data Governance: apply retention and deletion policies to sensitive and important data in Office 365
SharePoint & Groups: protect files in libraries and lists
6. Shared responsibility model (figure: rows Data governance & rights management, Client endpoints, Account & access management, Identity & directory infrastructure, Application, Network controls, Operating system, Physical network, Physical datacenter, Physical hosts; columns SaaS, PaaS, IaaS, On-prem; each cell shaded Customer or Microsoft)
Office 365: Security Updates / Patches; Software / Feature Upgrades; Server Maintenance / Troubleshooting; Server Uptime (SLA from Microsoft); Backup and Archive solution
7. Shared responsibility model (same figure as slide 6)
Office 365: attacks on the Operating System (OS) and OS admins; Application attacks; Hardware/Firmware; Denial of Service; Physical attacks
8. Shared responsibility model (same figure as slide 6)
Directly connected to the internet: User services and interfaces; Administrative interfaces
Implications: Authentication security is critical: Multi-factor authentication; Per-user (UEBA) anomaly detection across full context (time, date, geolocation); Integration of security intelligence. Tenant security configuration is critical.
9. Shared responsibility model (same figure as slide 6)
Notable trends
Identity attacks: Password Spray; Brute Force; Password Re-use
App/Data layer attacks: Social engineering; Delegation and forwarding rule attacks; PowerShell scripts in attacks
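The two identity-attack shapes named on slide 9 look different in the sign-in log, and telling them apart is the first cut at the per-user anomaly detection slide 8 calls for. The following is an added example, not code from the talk or from Microsoft: it slides a time window over each source IP's failed sign-ins and flags a spray (many accounts, one or two attempts each) separately from a brute force (one account, many attempts). The record layout, the thresholds, the IP addresses and the sample rows are all constructed here.

```python
"""Added example (not the talk's code): classify failed sign-ins into the
password-spray and brute-force shapes named on slide 9.  Record layout,
thresholds and sample data are assumptions made for this example."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records (timestamp, user, source IP, result); not real tenant logs.
# 198.51.100.7 tries eight accounts once each (spray shape), 203.0.113.9 hits one
# account seven times (brute-force shape), 192.0.2.x is ordinary traffic.
SAMPLE_SIGNINS = (
    [("2018-05-21T08:00:00", "alice@example.com", "192.0.2.10", "success"),
     ("2018-05-21T08:01:00", "bob@example.com", "192.0.2.11", "failure"),
     ("2018-05-21T08:01:30", "bob@example.com", "192.0.2.11", "success")]
    + [(f"2018-05-21T09:{i:02d}:00", f"user{i}@example.com", "198.51.100.7", "failure")
       for i in range(8)]
    + [(f"2018-05-21T10:{i:02d}:00", "alice@example.com", "203.0.113.9", "failure")
       for i in range(7)]
)


def load(rows):
    """Turn (timestamp, user, ip, result) tuples into dicts with parsed timestamps."""
    return [{"ts": datetime.fromisoformat(ts), "user": user, "ip": ip, "result": result}
            for ts, user, ip, result in rows]


def detect(records, window=timedelta(minutes=30), spray_users=5, spray_per_user=2,
           brute_failures=6):
    """Slide a time window over each source IP's failures.

    password_spray: many distinct accounts, few attempts each, from one IP.
    brute_force:    many attempts against one account from one IP.
    Returns one finding per (type, ip, user), keeping the largest window seen."""
    failures = sorted((r for r in records if r["result"] == "failure"),
                      key=lambda r: r["ts"])
    by_ip = defaultdict(list)
    for r in failures:
        by_ip[r["ip"]].append(r)
    found = {}
    for ip, events in by_ip.items():
        start = 0
        for end in range(len(events)):
            # Drop events that fell out of the window ending at events[end].
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            per_user = Counter(e["user"] for e in events[start:end + 1])
            if len(per_user) >= spray_users and max(per_user.values()) <= spray_per_user:
                key = ("password_spray", ip, None)
                if len(per_user) > found.get(key, {"users": 0})["users"]:
                    found[key] = {"type": "password_spray", "ip": ip, "user": None,
                                  "users": len(per_user),
                                  "failures": sum(per_user.values())}
            for user, n in per_user.items():
                if n >= brute_failures:
                    key = ("brute_force", ip, user)
                    if n > found.get(key, {"failures": 0})["failures"]:
                        found[key] = {"type": "brute_force", "ip": ip, "user": user,
                                      "users": 1, "failures": n}
    return sorted(found.values(), key=lambda f: (f["type"], f["ip"]))


if __name__ == "__main__":
    for finding in detect(load(SAMPLE_SIGNINS)):
        print(finding)
```

Grouping by source IP is the weak point: a spray spread across many addresses, or slowed to one attempt per account per hour, never trips the per-IP rule. A second pass that groups failures by time window alone (ignoring IP) and counts distinct accounts catches the distributed case, and the third trend on the slide, password re-use, is invisible in sign-in logs altogether, which is why the talk leans on MFA and Identity Protection rather than log review alone.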
10. Shared responsibility model (same figure as slide 6)
Control plane: PowerShell for administration; Cloud + Browser authentication model (changes protocols, logs, auth flows, etc.); Consistent logs are conducive to off-the-shelf analytics (e.g. a CASB like MCAS); Regular release of features and changes (configurable, but not customizable)
Implications: Always-current features: security must regularly review updates. See the Office 365 Roadmap and the O365 Update Series on YouTube.
13. Azure AD scenarios
I want to provide my employees secure and easy access to every application from any location and any device
I need my customers, partners, and users to access the apps they need from everywhere and collaborate seamlessly
I want to quickly deploy applications to devices, do more with less and automate Join/Move/Leave processes
[dev use case]
I want to protect access to my resources from advanced threats
I need to comply with industry regulation and national data protection laws
Azure AD capabilities shown: Conditional Access; Multi-Factor Authentication; Addition of custom cloud apps; Remote Access to on-premises apps; Privileged Identity Management; Dynamic Groups; Identity Protection; Azure AD DS; Office 365 App Launcher; Group-Based Licensing; Access Panel/MyApps; Azure AD Connect; Connect Health; Provisioning/Deprovisioning; Azure AD Join; Self-Service capabilities; MDM auto-enrollment / Enterprise State Roaming; Security Reporting; Access Reviews; HR App Integration; B2B collaboration; Azure AD B2C; SSO to SaaS; Microsoft Authenticator - Password-less Access
14. The same six scenarios, numbered 1 to 6 in this order, with the dev use case filled in (capability list as on slide 13)
Scenario 1: I want to provide my employees secure and easy access to every application from any location and any device
Scenario 2: I need my customers and partners to access the apps they need from everywhere and collaborate seamlessly
Scenario 3: I want to quickly deploy applications to devices, do more with less and automate Join/Move/Leave processes
Scenario 4: I want to write applications that work with my corporate identities in Azure Active Directory
Scenario 5: I want to protect access to my resources from advanced threats
Scenario 6: I need to comply with industry regulation and national data protection laws
15. Scenario 1 (I want to provide my employees secure and easy access to every application from any location and any device) mapped to Microsoft Azure Active Directory capabilities: Remote Access to on-premises apps; Azure AD Connect; SSO to SaaS; Access Panel/MyApps; Self-Service capabilities; Azure AD DS; Microsoft Authenticator - Password-less Access; Office 365 App Launcher; Conditional Access; Multi-Factor Authentication (figure: Azure AD Connect between On-premises and Microsoft Azure Active Directory)
16. Identity synchronization using Azure AD Connect (figure: On-premises, Pass-through authentication agent, Microsoft Azure Active Directory, Office 365, SaaS, and LoB apps). With Pass-through authentication, password validation requests are sent to Windows Server Active Directory via the pass-through authentication agent.
22. Conditional Access (figure)
Policy conditions: User: user identity, group membership, session risk. Device: OS platform, is compliant / domain joined, is lost or stolen, device risk. App: mobile or cloud app, per-app policy. Location: IP range, country / region.
Also shown: Windows Defender, Azure AD Identity Protection, Service, Terms of Use, Partners.
Policy controls: Access control: allow sign-in, block sign-in, enforce MFA. Session restrictions: restrict download, disable print, prevent data leak.
Applications: Microsoft Cloud, 3rd-party SaaS apps, on-premises apps, Microsoft Azure.
25. Conditional access policy matrix by application, user type, location and device
Application | Employee, inside corp, managed device | Employee, inside corp, BYOD | Employee, outside corp, managed device | Employee, outside corp, BYOD | Contractor, inside corp | Contractor, outside corp
Exchange Online OWA | Just allow | MFA | Just allow | MFA for medium risk, block for high | MFA | MFA
Outlook Desktop App | Allow with Win10 EDP or BitLocker | MAM with PIN | Allow with Win10 EDP or BitLocker | MAM with PIN | MAM with PIN | MAM with PIN
SharePoint Online | Just allow | MFA and reduced session | Just allow | MFA and reduced session | MFA | MFA and reduced session
OneDrive for Business | Allow with Win10 EDP or BitLocker | MAM with PIN | Allow with Win10 EDP or BitLocker | MAM with PIN | MAM with PIN | MAM with PIN
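Slide 22 splits conditional access into conditions (user, device, app, location, risk) and controls (grant and session), and slide 25 fills that model in as a matrix. The block below is an added example, not code from the talk or from Microsoft: a small evaluator that encodes the matrix as a handful of policies and evaluates a sign-in against all of them. The class names, the control vocabulary (`mfa`, `block`, `win10_edp_or_bitlocker`, `mam_with_pin`, `reduced_session`), the break-glass account name and the combination rule (every matching policy contributes its controls, a block from any policy wins, no matching policy means "just allow") are assumptions made here; the matrix's "MFA for medium, block for high" cell is read as MFA for low and medium risk. It also folds in the slide 39 advice to exclude one admin account from every policy.

```python
"""Added example (not the talk's or Microsoft's code): a toy evaluator for
conditional access decisions, modelled on the condition/control split on
slide 22 and the policy matrix on slide 25.  Names, control vocabulary and
the combination rule are assumptions made for this example."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class SignIn:
    user: str
    user_type: str        # "employee" or "contractor"
    app: str              # "owa", "outlook_desktop", "spo", "odb"
    inside_corp: bool     # location condition: request came from the corporate IP range
    managed: bool         # device condition: compliant / domain joined
    risk: str = "low"     # sign-in risk from Identity Protection: low / medium / high


ANY_RISK = frozenset({"low", "medium", "high"})
# Constructed break-glass account; slide 39: exclude one admin account from the policy.
BREAK_GLASS = frozenset({"breakglass@example.com"})


@dataclass(frozen=True)
class Policy:
    name: str
    user_types: frozenset
    apps: frozenset
    inside_corp: bool | None = None   # None means the condition is not set
    managed: bool | None = None
    risk_levels: frozenset = ANY_RISK
    grant: frozenset = frozenset()    # "mfa", "block", "win10_edp_or_bitlocker", "mam_with_pin"
    session: frozenset = frozenset()  # "reduced_session"
    excluded_users: frozenset = BREAK_GLASS

    def matches(self, s: SignIn) -> bool:
        if s.user in self.excluded_users:
            return False
        return (s.user_type in self.user_types and s.app in self.apps
                and self.inside_corp in (None, s.inside_corp)
                and self.managed in (None, s.managed)
                and s.risk in self.risk_levels)


EMP, CON = frozenset({"employee"}), frozenset({"contractor"})
BROWSER, CLIENT = frozenset({"owa", "spo"}), frozenset({"outlook_desktop", "odb"})

# One policy per rule in the slide 25 matrix; "Just allow" cells need no policy.
POLICIES = [
    Policy("Browser apps: employees on BYOD need MFA", EMP, BROWSER,
           managed=False, grant=frozenset({"mfa"})),
    Policy("Browser apps: contractors always need MFA", CON, BROWSER,
           grant=frozenset({"mfa"})),
    Policy("SPO: employees on BYOD get a reduced session", EMP, frozenset({"spo"}),
           managed=False, session=frozenset({"reduced_session"})),
    Policy("SPO: contractors outside corp get a reduced session", CON, frozenset({"spo"}),
           inside_corp=False, session=frozenset({"reduced_session"})),
    Policy("OWA: block high-risk BYOD sign-ins from outside corp", EMP, frozenset({"owa"}),
           inside_corp=False, managed=False, risk_levels=frozenset({"high"}),
           grant=frozenset({"block"})),
    Policy("Client apps: employees on managed devices need EDP or BitLocker", EMP, CLIENT,
           managed=True, grant=frozenset({"win10_edp_or_bitlocker"})),
    Policy("Client apps: employees on BYOD need MAM with PIN", EMP, CLIENT,
           managed=False, grant=frozenset({"mam_with_pin"})),
    Policy("Client apps: contractors always need MAM with PIN", CON, CLIENT,
           grant=frozenset({"mam_with_pin"})),
]


def evaluate(sign_in: SignIn, policies=POLICIES) -> dict:
    """Combine every matching policy: block wins, otherwise all controls are required."""
    matched = [p for p in policies if p.matches(sign_in)]
    grant = set().union(*(p.grant for p in matched))
    session = set().union(*(p.session for p in matched))
    return {
        "decision": "block" if "block" in grant else "allow",
        "controls": sorted(grant - {"block"}),
        "session": sorted(session),
        "policies": [p.name for p in matched],
    }


if __name__ == "__main__":
    for s in (SignIn("ann@example.com", "employee", "spo", False, False),
              SignIn("ann@example.com", "employee", "owa", False, False, "high"),
              SignIn("breakglass@example.com", "employee", "owa", False, False, "high")):
        print(s.user, s.app, evaluate(s))
```

Walking every column of the matrix through `evaluate` is a cheap regression check before a real policy change: the break-glass case shows why the exclusion matters, since the same high-risk sign-in that is blocked for an ordinary employee still gets through for the excluded account, which is exactly the lockout the slide 39 "Do" is guarding against.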
33. Containing data after it has been accessed (figure: Managed apps vs Personal apps, Corporate data vs Personal data, via mobile app and via browser). Protect corp data; control sharing and downloading; IT: monitor and restrict activity.
34. Outlook for iOS/Android authentication flow (figure with steps 1 to 9 between App Store / Google Play, Broker App, Outlook for iOS/Android, Azure Active Directory, Intune policy with approved Client IDs, Stateless Protocol Translator (Azure) and Exchange Online). Step 1: install Microsoft Authenticator / Company Portal (steps 2 to 9 appear only as numbers).
39. Do / Don't
Do: Use the Authenticator App. Exclude 1 admin account from the policy. Enable Identity Protection. Users respond much more favorably to conditional/situational MFA. Know how to debug Modern Auth issues. Know how to debug MFA authentications.
Don't: Underestimate the complexity of hybrid CA. Assume users/business units will understand why. Forget about the last 5%, but don't block on them.
https://diagnostics.outlook.com/#/?env=ExRCA
50. Guest access decision flow (figure). Decision points shown: Office 365 Groups, guests allowed to access Groups (Yes / No); SharePoint Online, external sharing allowed (Yes / Disabled); Office 365 Groups, owners allowed to add guests (Teams owners can add guests / Only IT admin can add guests); MS Teams, rely on Groups external settings; Guest authentication (Success / Fail); MS Teams, Apps, Tabs, Bots. Outcomes shown: Files/Notes/Wiki access granted; App/Tab/Bot access granted; Access Denied; Authentication Denied; Guest Addition Denied.
52. Privileged identity management: discover, restrict, and monitor privileged identities. Enforce on-demand, just-in-time administrative access when needed. Ensure policies are met with alerts, audit reports and access reviews. Manage admin access in Azure AD and also in Azure RBAC. Example: User Administrator privileges expire after a specified interval.
56. Licensing notes
Advanced Threat Protection for email drives the recommendation for E5 for all users with a mailbox. Advanced Data Governance capabilities are used to automate protection for data loss prevention. (Compare all Office 365 for Business plans.)
Risk-based conditional access and Cloud App Security drive the recommendation for EMS E5. Included with EMS E5. Risk-based conditional access can be used with B2B accounts. Every Azure AD paid license includes rights to 5 B2B collaboration users (5:1 model). (Compare all Enterprise Mobility + Security plans.)