Scott Hoag
Principal Cloud Solutions Architect, Opsgility
Co-host Microsoft Cloud IT Pro Podcast
www.linkedin.com/in/scottmhoag | @ciphertxt
shoag@opsgility.com | msclouditpro.com
DETECT
PROTECT
CLASSIFY
MONITOR
MICROSOFT’S
INFORMATION
PROTECTION
SOLUTIONS
WINDOWS INFORMATION PROTECTION
Separate personal vs. work data on Windows 10 devices and
prevent work data from traveling to non-work locations
OFFICE 365 ADVANCED SECURITY MANAGEMENT
Visibility into Office 365 app usage and potential
data abuse
MICROSOFT CLOUD APP SECURITY
Visibility into 15k+ cloud apps, data access & usage,
potential abuse
MESSAGE ENCRYPTION
Send encrypted emails in Office 365 to anyone –
inside or outside of the company
CONDITIONAL ACCESS
Control access to files based on policy, such as identity,
machine configuration, geo location
OFFICE APPS
Protect sensitive information while working in Excel, Word,
PowerPoint, Outlook
AZURE INFORMATION PROTECTION
Classify, label & protect files – beyond Office 365, including
on-prem & hybrid
OFFICE 365 DLP
Prevent data loss across Exchange Online, SharePoint Online,
OneDrive for Business
ISV APPLICATIONS
Enable ISV partners to consume labels, apply protection
OFFICE 365 ADVANCED DATA GOVERNANCE
Apply retention and deletion policies to sensitive and
important data in Office 365
SHAREPOINT & GROUPS
Protect files in libraries and lists
Microsoft’s information protection solutions
[Figure: shared responsibility matrix. Columns: SaaS, PaaS, IaaS, On-prem. Rows: Data governance & rights management; Client endpoints; Account & access management; Identity & directory infrastructure; Application; Network controls; Operating system; Physical network; Physical datacenter; Physical hosts. Legend: Customer, Microsoft.]
Security Updates / Patches
Software / Feature Upgrades
Server Maintenance/Troubleshooting
Server Uptime ( SLA from Microsoft)
Backup and Archive solution
Office 365
Attacks on
Operating System (OS) and OS Admins
Application attacks
Hardware/Firmware
Denial of Service
Physical Attacks
Office 365
Directly connected to internet
User services and interfaces
Administrative interfaces
Implications
Authentication Security is Critical
Multi-factor authentication
Per user (UEBA) anomaly detection across full context
(time, date, geolocation)
Integration of security intelligence
Tenant Security
Configuration is critical
Notable trends
Identity Attacks
Password Spray
Brute Force
Password Re-use
App/Data Layer attacks
Social engineering
Delegation and forwarding rule attacks
PowerShell scripts in attacks
Control plane
PowerShell for administration
Cloud + Browser Authentication Model (changes
protocols, logs, auth flows, etc.)
Consistent logs are conducive to off-the-shelf analytics
(e.g. a CASB like MCAS)
Regular release of features and changes
(configurable, but not customizable)
Implications
Always Current Features
Security must regularly review updates
Office 365 Roadmap | O365 Update Series on YouTube
Azure
Active
Directory
Windows Server
Active Directory
Azure
Public cloud
Microsoft Azure
Active Directory
Commercial
IdPs
Consumer
IdPs
Partners
Customers
Azure AD
Connect
I want to provide my employees secure
and easy access to every application
from any location and any device
I need my customers, partners, and users to
access the apps they need from everywhere
and collaborate seamlessly
I want to quickly deploy applications to
devices, do more with less and automate
Join/Move/Leave processes
[dev use case]
I want to protect access to my
resources from advanced threats
I need to comply with industry regulation
and national data protection laws
Conditional
Access
Multi-Factor
Authentication
Addition of
custom cloud
apps
Remote Access
to on-premises
apps
Privileged
Identity
Management
Dynamic Groups
Identity
Protection
Azure AD DS
Office 365 App
Launcher
Group-Based
Licensing
Access
Panel/MyApps
Azure AD
Connect
Connect Health
Provisioning-
Deprovisioning
Azure AD Join
Self-Service
capabilities
MDM-auto
enrollment /
Enterprise State
Roaming
Security
Reporting
Access Reviews
HR App
Integration
B2B
collaboration
Azure AD
B2C
SSO to SaaS
Microsoft
Authenticator -
Password-less
Access
I want to provide my employees secure
and easy access to every application
from any location and any device
I need my customers and partners
to access the apps they need from
everywhere and collaborate seamlessly
I want to quickly deploy applications to
devices, do more with less and automate
Join/Move/Leave processes
I want to write applications that work with my
corporate identities in Azure Active Directory
I want to protect access to my
resources from advanced threats
I need to comply with industry regulation
and national data protection laws
Microsoft Azure
Active Directory
Remote Access
to on-premises
apps
Azure AD
Connect
SSO to SaaS
Access
Panel/MyApps
Self-Service
capabilities
Azure AD DS
Microsoft
Authenticator -
Password-less
Access
Office 365 App
Launcher
Conditional
Access
Multi-Factor
Authentication
Azure AD
Connect
On-
premises
I want to provide my employees secure
and easy access to every application
from any location and any device
1
Identity synchronization
using Azure AD
Connect
On-
premises
Password validation requests are sent
to Windows Server Active Directory
via Pass-through authentication
Pass-through
authentication
Microsoft Azure
Active Directory
Pass-through
authentication agent
Office 365, SaaS, and LoB apps
DMZ
https://appX-contoso.msappproxy.net/
connector
connector
Microsoft Azure
Active Directory
connector
app app app app
connector
Application
Proxy
Azure or
3rd Party IaaS
On-premises
applications
Block access
Wipe device
Enforce
MFA
Conditions
MFA
Location
(IP range)
Device
state
Risk
User
group
Allow access
Multi-Factor
Authentication
Conditional
Access
Privileged
Identity
Management
Identity
Protection
Remote Access
to on-premises
apps
SSO to SaaS
Security
Reporting
I want to protect access to my
resources from advanced threats
Cloud apps
On-
premises
Conditional Access
Require MFA
Allow access
Deny access
Force
password reset
Limit access
Controls
On-premises apps
Web apps
Users
Devices
Location
Apps
Conditions
Machine
learning
Policies
Real time
Evaluation
Engine
Session
Risk
3
10TB
Effective
policy
CLOUD
APPS
CLOUD APP
SECURITY
Policy
Proxy
Conditional
Access
Azure AD
Deny access
Force
password reset
Limit access
THEN
Require MFA
Allow access
Microsoft Cloud
3rd Party SaaS Apps
On Premises Apps
Microsoft Azure
Prevent data leak
Disable print
Restrict download
Enforce MFA
Block sign-in
Allow sign-in
Access Control
Session Restrictions
OS Platform
Is Compliant / Domain joined
Is lost or stolen
Device Risk
Device
User identity
Group membership
Session Risk
User
Mobile or Cloud app
Per app policy
App
Location
IP range
Country / Region
Applications
Policy Controls
Conditional Access
Policy Conditions
Windows
Defender
Azure AD
Identity
Protection
Service
Terms of Use
Partners
Sensitive
protection
Highly regulated
Baseline
protection
Aka.ms/m365docs
Application | Employee, Inside Corp, Managed Device | Employee, Inside Corp, BYOD | Employee, Outside Corp, Managed Device | Employee, Outside Corp, BYOD | Contractor, Inside Corp | Contractor, Outside Corp
Exchange Online OWA | Just Allow | MFA | Just Allow | MFA for Medium, Block for high | MFA | MFA
Outlook Desktop App | Allow with Win10 EDP or Bitlocker | MAM with pin | Allow with Win10 EDP or Bitlocker | MAM with pin | MAM with pin | MAM with pin
SharePoint Online | Just Allow | MFA and reduced session | Just Allow | MFA and reduced session | MFA | MFA and reduced session
OneDrive for Business | Allow with Win10 EDP or Bitlocker | MAM with pin | Allow with Win10 EDP or Bitlocker | MAM with pin | MAM with pin | MAM with pin
Microsoft Azure
Active Directory
Windows Server
Active Directory
ADFS/WAP
MFA Service
Windows Server
Active Directory
10.10.23.24
https://aka.ms/CASPOEXO
SharePoint Online
5
7
1
6
Intune
Company Portal
Step 1: Enroll
device
Unified
Enrollment
2
4
3
Device object
- device id
- isManaged
- MDMStatus
8
Azure Active Directory
Containing data after it has been accessed
Managed apps
Personal apps
Managed apps Corporate
data
Personal
data
Protect corp data
Control sharing
and
downloading
IT
Monitor and
restrict activity
via mobile app via browser
Exchange Online
Stateless Protocol
Translator (Azure)
5
7
1
6
Intune
2
Policy
- Approved
Client IDs
8
9
App Store / Google
Play
Step 1: Install
Microsoft
Authenticator /
Company Portal
3
Broker App
4
Outlook for
iOS/Android
Azure Active Directory
https://aka.ms/OutlookEMSTAP
https://aka.ms/spolimitedaccessdocs
Do
- Use the Authenticator App
- Exclude 1 Admin account from the policy
- Enable Identity Protection
- Users respond much more favorably to conditional/situational MFA
- Know how to debug Modern Auth issues
- Know how to debug MFA authentications
Don't
- Underestimate the complexity of hybrid CA
- Assume users/business units will understand why
- Forget about the last 5%. But don't block on them.
https://diagnostics.outlook.com/#/?env=ExRCA
Analytics
* Requires a P1 license
External Collaboration
Controls
https://aka.ms/b2bmechanics
Office 365 Groups
Guests Allowed To
Access Groups
MS Teams
Rely on Groups
external settings
Yes
Guest Authentication
Yes
SharePoint Online
External Sharing
Allowed
Office 365 Groups
Owners Allowed to Add
Guests
MS Teams
Apps, Tabs, Bots
Files/Notes/Wiki
access granted
Access Denied
Teams owners
can add Guests
Only IT admin
can add Guests
App/Tab/Bot
access granted
Access Denied
Success
Fail
Success
Fail
Success
Fail
Authentication
Denied
No
Guest Addition
Denied
Disabled
Enforce on-demand, just-in-time
administrative access when needed
Ensure policies are met with alerts, audit
reports and access reviews
Manage admins access in Azure AD and also
in Azure RBAC
User Administrator
Discover, restrict, and monitor privileged identities
User Administrator
privileges expire after
a specified interval
Azure Specific
Controls
Unify security management and enable advanced threat protection for hybrid cloud workloads
Closing thoughts
Advanced Threat
Protection for email drives
the recommendation for E5
for all users with a mailbox.
Advanced Data
Governance capabilities are
used to automate
protection for data loss
prevention.
Compare all Office 365 for Business
Plans
Risk-based conditional
access and Cloud App
Security drive the
recommendation for EMS
E5.
Included with EMS E5.
Risk-based conditional
access can be used with
B2B accounts.
Every Azure AD paid license
includes rights to 5 B2B
collaboration users (5:1
model).
Compare all Enterprise Mobility +
Security Plans
© 2017 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com.
Introduction
See topics 2-12 for more information and resources.
July 2017
Planning and implementation guidance for fast-moving
organizations that have an increased threat profile
This topic is 1 of 12 in a series
Microsoft Security Guidance
for Election Campaigns and
Nonprofit Organizations
Election campaigns around the world are run by fast-moving organizations
with intensive collaboration patterns and security risks that rise with the
potential influence a win can achieve. They face challenges from
sophisticated actors that can deploy significant resources to breach an
organization. This solution demonstrates how to build an environment with
essential cloud services. It includes prescriptive security design for protecting
identities, email, and access from mobile devices.
Office 365 enterprise capabilities
Secure email and
calendars
Office suite and
Office Online
OneDrive for
Business
SharePoint Online
Business-class email protected with Exchange Online
Protection and Office 365 Advanced Threat Protection.
The latest Office apps for your PC and Mac, including
updates to protect your environment. Create and edit
documents from a browser.
1 TB of personal cloud storage that can be accessed from
anywhere and syncs with a PC/Mac for offline access.
Easily share documents with others and control who can
see and edit each file.
Office on PCs,
tablets, and phones
Fully installed Office experience across PCs, Macs,
Windows tablets, iPad® and Android tablets, and most
mobile devices.
Communications sites to keep your organization up to
date. Team sites and document libraries protected at the
appropriate level for the sensitivity of your data and
projects.
Online meetings
Host online meetings with audio, HD video, and web
conferencing over the Internet. Join meetings with a single
touch or click from the smartphone, tablet, or PC of your
choice.
Meeting broadcast
Broadcast Skype for Business meetings on the Internet for
up to 10,000 people, who can attend in a browser on
nearly any device. Meetings include real-time polling and
sentiment tracking.
Enterprise Mobility + Security (EMS) suite
Simplified identity
management
Centrally manage single sign-on across devices and
all of your SaaS and cloud applications.
Multi-factor
authentication
Strengthen sign-in authentication with verification
options, including phone calls, text messages, or
mobile app notifications.
Conditional access
Define policies that provide contextual controls at the
user, location, device, and app levels to allow, block,
or challenge user access.
Risk-based
conditional access
Protect apps and critical data in real time using
machine learning and the Microsoft Intelligent
Security Graph to block access when risk is detected.
Advanced security
reporting
Monitor suspicious activity with reporting, auditing,
and alerts, and mitigate potential security issues using
focused recommendations.
Mobile device
management
Enroll corporate and personal devices to provision
settings, enforce compliance, and protect your
corporate data.
Mobile application
management
Publish, configure, and update mobile apps on
enrolled and unenrolled devices, and secure or
remove app-associated corporate data.
Persistent data
protection
Encrypt sensitive data and define usage rights for
persistent protection regardless of where data is
stored or shared.
Microsoft Cloud
App Security
Gain visibility, control, and protection for your cloud-based
apps. Identify threats, abnormal usage, and
other cloud security issues.
Azure PaaS analytics environment
Azure PaaS
Analytics
Recommended environment you can build using SQL
Data Warehouse and Azure Data Lake. Protect access to
this environment using the same capabilities as Office 365.
This solution includes capabilities across Office 365, Enterprise Mobility +
Security (EMS) suite, and Azure PaaS. EMS makes it possible to integrate
other cloud services and use the same identity provider, secure access
capabilities, and monitoring solutions across your entire environment.
This guidance includes only cloud services but you can also use these
recommendations with a hybrid on-premises environment.
Core cloud capabilities in this solution
[Figure: security responsibility matrix. Columns: SaaS, PaaS, IaaS, On-prem. Rows: Data governance & rights management; Client endpoints (devices); Account & access management; Identity & directory infrastructure; Application; Network controls; Operating system; Physical network; Physical datacenter; Physical hosts. Legend: Customer, Microsoft.]
By using Microsoft cloud services, you greatly reduce the attack surface you
are responsible for. This solution shows you how to configure the controls
that are provided for you to secure your data, devices, and identities.
Identity & directory infrastructure refers to integration with on-premises
directories. If you're using cloud-only accounts, this doesn't apply to you. The
guidance in this solution is designed for cloud-only environments, but can
also be used with hybrid environments with on-premises directories.
By using Microsoft cloud services, you greatly reduce the amount of work
required to keep your environment secure. Decades of engineering
experience has enabled Microsoft to develop leading-edge best practices in
the design and management of online services. Through industry-leading
security practices and unmatched experience running some of the largest
online services around the globe, Microsoft delivers enterprise cloud services
you can trust.
For more information, see Microsoft Cloud Security for Legal and Compliance
Professionals
Reduce your security responsibility
In addition to these cloud capabilities, Windows 10 includes capabilities that are
recommended for this solution. Windows 10 is not required.
Device protection and access
Azure Active Directory
Tenant domain accounts Azure B2B accounts
(without additional licensing)
Multi-factor authentication and conditional access
Mobile Application
Management (MAM)
Device enrollment and
management
Only one org can manage
a device
You can gain a lot of protection on devices, even for unmanaged BYOD
devices, by using capabilities in the EMS E5 suite.
First, understand what capabilities are available per account type. See the
illustration to the right.
This topic includes recommendations you can use as a starting point. You'll
need to make a few decisions to adjust these recommendations for your
environment.
- B2B accounts — Intune capabilities require additional licensing for B2B
users. For B2B users that have access to sensitive data, consider licensing
these with EMS E5 so you can apply Mobile Application Management
(MAM) capabilities.
- Managing devices — Choose whether to enroll devices into Intune for
management. Only one organization can be a management authority for
a device. Therefore, managing devices of B2B users might not be an option
because these devices might already be managed by their organization.
- Windows 10 — Windows 10 includes compelling security capabilities that
make this a recommendation for organizations with a high threat profile. At
a minimum, consider using Windows 10 for users who are the highest value
targets for cyber attacks.
Windows 10 security capabilities
(conditional access based on device compliance requires
device management)
Starting-point recommendation
This guidance is intended for lightweight, rapidly moving organizations.
These starting-point recommendations acknowledge that you might not have
a lot of control over the devices users bring to the environment. These
recommendations are also intended to provide a variety of options for
protecting devices, including data on the devices. Adjust this guidance for
your organization based on your threat profile.
This solution provides prescriptive guidance for protecting access to email,
files, and other resources with multi-factor authentication, conditional access
rules, and Intune management. The guidance is based on these starting-point
recommendations. You can adjust this guidance to support the decisions you
make for your environment.
Mac support for managed devices is coming soon.
Intune-managed BYOD PCs with device compliance policies to ensure the
health of these devices.
Latest versions of Office 2016, including updates.
Senior and strategic staff
IT staff
Analytics staff
Regular core staff
Field staff
Hourly paid contract staff
Consultants and vendors
Tenant domain accounts Azure B2B accounts
(without additional licensing)
Intune-managed PCs.
Windows 10 with BitLocker, Windows Defender, Windows Firewall, and
Windows Information Protection (WIP) as a minimum configuration.
If Windows 10 is not used, enroll PCs in Intune and use device compliance
policies to ensure the health of these devices.
Latest versions of Office 2016, including updates.
Conditional access rules requiring multi-factor authentication and apps that
support modern authentication.
Intune-managed phones/tablets. Phones registered with Azure AD for phone
authentication.
Approved phone/tablet apps from the app stores — apps that can be
managed by Intune Application Management.
Intune app management policies to protect business data on phones.
Phones registered with Azure AD for phone authentication.
Approved phone/tablet apps from the app stores—apps that can be
managed by Intune Application Management.
Intune application management policies to protect business data on phones.
Phones registered with Azure AD for phone authentication.
Conditional access rules requiring multi-factor authentication.
Approved phone/tablet apps from the app stores — apps that support
modern authentication.
Operations staff
aka.ms/SecureCampaign
Office 365: Manage Identities using Azure AD connect
https://aka.ms/365enterpriseident
aka.ms/365Enterprise

 
Hitchhiker's Guide to Azure AD - SPS St Louis 2018
Hitchhiker's Guide to Azure AD - SPS St Louis 2018Hitchhiker's Guide to Azure AD - SPS St Louis 2018
Hitchhiker's Guide to Azure AD - SPS St Louis 2018Max Fritz
 
Being more secure using Microsoft 365 Business
Being more secure using Microsoft 365 BusinessBeing more secure using Microsoft 365 Business
Being more secure using Microsoft 365 BusinessRobert Crane
 
Identity Manager & AirWatch Cloud Mobile App - Infographic
Identity Manager & AirWatch Cloud Mobile App - InfographicIdentity Manager & AirWatch Cloud Mobile App - Infographic
Identity Manager & AirWatch Cloud Mobile App - InfographicVMware Academy
 
MTUG - På tide med litt oversikt og kontroll?
MTUG - På tide med litt oversikt og kontroll?MTUG - På tide med litt oversikt og kontroll?
MTUG - På tide med litt oversikt og kontroll?Olav Tvedt
 
#EVRYWhatsNext EMS Slide Deck
#EVRYWhatsNext EMS Slide Deck#EVRYWhatsNext EMS Slide Deck
#EVRYWhatsNext EMS Slide DeckOlav Tvedt
 
20181213 - wazug protecting your data with azure ad
20181213 - wazug protecting your data with azure ad20181213 - wazug protecting your data with azure ad
20181213 - wazug protecting your data with azure adArjan Cornelissen
 
Securing your Organization with Microsoft 365
Securing your Organization with Microsoft 365Securing your Organization with Microsoft 365
Securing your Organization with Microsoft 365Ravikumar Sathyamurthy
 
Thr30117 - Securely logging to Microsoft 365
Thr30117 - Securely logging to Microsoft 365Thr30117 - Securely logging to Microsoft 365
Thr30117 - Securely logging to Microsoft 365Robert Crane
 
MS Cloud Identity and Access Infographic 2015 (1)
MS Cloud Identity and Access Infographic 2015 (1)MS Cloud Identity and Access Infographic 2015 (1)
MS Cloud Identity and Access Infographic 2015 (1)Luís Serra Libório
 
Microsoft 365 Enterprise Security with E5 Overview
Microsoft 365 Enterprise Security with E5 OverviewMicrosoft 365 Enterprise Security with E5 Overview
Microsoft 365 Enterprise Security with E5 OverviewDavid J Rosenthal
 
Softchoice & Microsoft: Public Cloud Security Webinar
Softchoice & Microsoft: Public Cloud Security WebinarSoftchoice & Microsoft: Public Cloud Security Webinar
Softchoice & Microsoft: Public Cloud Security WebinarSoftchoice Corporation
 
Microsoft Intune y Gestión de Identidad Corporativa
Microsoft Intune y Gestión de Identidad Corporativa Microsoft Intune y Gestión de Identidad Corporativa
Microsoft Intune y Gestión de Identidad Corporativa Plain Concepts
 

Ähnlich wie SharePoint Conference 2018 - Securing Office 365 and SharePoint Online with Azure Active Directory (20)

Protect your data in / with the Cloud
Protect your data in / with the CloudProtect your data in / with the Cloud
Protect your data in / with the Cloud
 
Identity and Data protection with Enterprise Mobility Security in ottica GDPR
Identity and Data protection with Enterprise Mobility Security in ottica GDPRIdentity and Data protection with Enterprise Mobility Security in ottica GDPR
Identity and Data protection with Enterprise Mobility Security in ottica GDPR
 
December 2019 Microsoft 365 Need to Know Webinar
December 2019 Microsoft 365 Need to Know WebinarDecember 2019 Microsoft 365 Need to Know Webinar
December 2019 Microsoft 365 Need to Know Webinar
 
Security As A Service
Security As A ServiceSecurity As A Service
Security As A Service
 
Azure AD Presentation - @ BITPro - Ajay
Azure AD Presentation - @ BITPro - AjayAzure AD Presentation - @ BITPro - Ajay
Azure AD Presentation - @ BITPro - Ajay
 
SCU Berlín | Cloud identity for maximum productivity
 SCU Berlín | Cloud identity for maximum productivity SCU Berlín | Cloud identity for maximum productivity
SCU Berlín | Cloud identity for maximum productivity
 
I1 - Securing Office 365 and Microsoft Azure like a rockstar (or like a group...
I1 - Securing Office 365 and Microsoft Azure like a rockstar (or like a group...I1 - Securing Office 365 and Microsoft Azure like a rockstar (or like a group...
I1 - Securing Office 365 and Microsoft Azure like a rockstar (or like a group...
 
Hitchhiker's Guide to Azure AD - SPS St Louis 2018
Hitchhiker's Guide to Azure AD - SPS St Louis 2018Hitchhiker's Guide to Azure AD - SPS St Louis 2018
Hitchhiker's Guide to Azure AD - SPS St Louis 2018
 
Being more secure using Microsoft 365 Business
Being more secure using Microsoft 365 BusinessBeing more secure using Microsoft 365 Business
Being more secure using Microsoft 365 Business
 
Identity Manager & AirWatch Cloud Mobile App - Infographic
Identity Manager & AirWatch Cloud Mobile App - InfographicIdentity Manager & AirWatch Cloud Mobile App - Infographic
Identity Manager & AirWatch Cloud Mobile App - Infographic
 
MTUG - På tide med litt oversikt og kontroll?
MTUG - På tide med litt oversikt og kontroll?MTUG - På tide med litt oversikt og kontroll?
MTUG - På tide med litt oversikt og kontroll?
 
#EVRYWhatsNext EMS Slide Deck
#EVRYWhatsNext EMS Slide Deck#EVRYWhatsNext EMS Slide Deck
#EVRYWhatsNext EMS Slide Deck
 
20181213 - wazug protecting your data with azure ad
20181213 - wazug protecting your data with azure ad20181213 - wazug protecting your data with azure ad
20181213 - wazug protecting your data with azure ad
 
Securing your Organization with Microsoft 365
Securing your Organization with Microsoft 365Securing your Organization with Microsoft 365
Securing your Organization with Microsoft 365
 
Thr30117 - Securely logging to Microsoft 365
Thr30117 - Securely logging to Microsoft 365Thr30117 - Securely logging to Microsoft 365
Thr30117 - Securely logging to Microsoft 365
 
Zero trust deck 2020
Zero trust deck 2020Zero trust deck 2020
Zero trust deck 2020
 
MS Cloud Identity and Access Infographic 2015 (1)
MS Cloud Identity and Access Infographic 2015 (1)MS Cloud Identity and Access Infographic 2015 (1)
MS Cloud Identity and Access Infographic 2015 (1)
 
Microsoft 365 Enterprise Security with E5 Overview
Microsoft 365 Enterprise Security with E5 OverviewMicrosoft 365 Enterprise Security with E5 Overview
Microsoft 365 Enterprise Security with E5 Overview
 
Softchoice & Microsoft: Public Cloud Security Webinar
Softchoice & Microsoft: Public Cloud Security WebinarSoftchoice & Microsoft: Public Cloud Security Webinar
Softchoice & Microsoft: Public Cloud Security Webinar
 
Microsoft Intune y Gestión de Identidad Corporativa
Microsoft Intune y Gestión de Identidad Corporativa Microsoft Intune y Gestión de Identidad Corporativa
Microsoft Intune y Gestión de Identidad Corporativa
 

Mehr von Scott Hoag

Global Azure Bootcamp 2018 - Azure Security Center
Global Azure Bootcamp 2018 - Azure Security CenterGlobal Azure Bootcamp 2018 - Azure Security Center
Global Azure Bootcamp 2018 - Azure Security CenterScott Hoag
 
Global Azure Bootcamp 2018 - Azure Network Security
Global Azure Bootcamp 2018 - Azure Network SecurityGlobal Azure Bootcamp 2018 - Azure Network Security
Global Azure Bootcamp 2018 - Azure Network SecurityScott Hoag
 
SPIntersection 2016 - TO THE CLOUD! USING IAAS AS A HOSTING PROVIDER FOR SHAR...
SPIntersection 2016 - TO THE CLOUD! USING IAAS AS A HOSTING PROVIDER FOR SHAR...SPIntersection 2016 - TO THE CLOUD! USING IAAS AS A HOSTING PROVIDER FOR SHAR...
SPIntersection 2016 - TO THE CLOUD! USING IAAS AS A HOSTING PROVIDER FOR SHAR...Scott Hoag
 
SPIntersection 2016 - MICROSOFT CLOUD IDENTITIES IN AZURE AND OFFICE 365
SPIntersection 2016 - MICROSOFT CLOUD IDENTITIES IN AZURE AND OFFICE 365SPIntersection 2016 - MICROSOFT CLOUD IDENTITIES IN AZURE AND OFFICE 365
SPIntersection 2016 - MICROSOFT CLOUD IDENTITIES IN AZURE AND OFFICE 365Scott Hoag
 
JAXSPUG April 2016 - Staying in the Know with Office 365
JAXSPUG April 2016 - Staying in the Know with Office 365JAXSPUG April 2016 - Staying in the Know with Office 365
JAXSPUG April 2016 - Staying in the Know with Office 365Scott Hoag
 
JAXSPUG January 2016 - Microsoft Cloud Identities in Azure and Office 365
JAXSPUG January 2016 - Microsoft Cloud Identities in Azure and Office 365JAXSPUG January 2016 - Microsoft Cloud Identities in Azure and Office 365
JAXSPUG January 2016 - Microsoft Cloud Identities in Azure and Office 365Scott Hoag
 
SPSDC - To the Cloud! Using IaaS as a Hosting Provider for SharePoint
SPSDC - To the Cloud! Using IaaS as a Hosting Provider for SharePointSPSDC - To the Cloud! Using IaaS as a Hosting Provider for SharePoint
SPSDC - To the Cloud! Using IaaS as a Hosting Provider for SharePointScott Hoag
 
SPSNYC SharePoint Worst Practices
SPSNYC SharePoint Worst PracticesSPSNYC SharePoint Worst Practices
SPSNYC SharePoint Worst PracticesScott Hoag
 
March Sydney Office 365 Meetup - Office 365 and Hybrid Solutions... what work...
March Sydney Office 365 Meetup - Office 365 and Hybrid Solutions... what work...March Sydney Office 365 Meetup - Office 365 and Hybrid Solutions... what work...
March Sydney Office 365 Meetup - Office 365 and Hybrid Solutions... what work...Scott Hoag
 
SYDSP - Office 365 and Cloud Identity - What does it mean for me?
SYDSP  - Office 365 and Cloud Identity - What does it mean for me?SYDSP  - Office 365 and Cloud Identity - What does it mean for me?
SYDSP - Office 365 and Cloud Identity - What does it mean for me?Scott Hoag
 
SPSVB - Office 365 and Hybrid Solutions... what works for my organization?
SPSVB - Office 365 and Hybrid Solutions... what works for my organization?SPSVB - Office 365 and Hybrid Solutions... what works for my organization?
SPSVB - Office 365 and Hybrid Solutions... what works for my organization?Scott Hoag
 
SPSVB - Office 365 and Cloud Identity - What Does It Mean for Me?
SPSVB - Office 365 and Cloud Identity - What Does It Mean for Me?SPSVB - Office 365 and Cloud Identity - What Does It Mean for Me?
SPSVB - Office 365 and Cloud Identity - What Does It Mean for Me?Scott Hoag
 
SPSVB - To the Cloud! Using IaaS as a Hosting Provider for SharePoint
SPSVB - To the Cloud! Using IaaS as a Hosting Provider for SharePointSPSVB - To the Cloud! Using IaaS as a Hosting Provider for SharePoint
SPSVB - To the Cloud! Using IaaS as a Hosting Provider for SharePointScott Hoag
 
SPS Sydney - To the Cloud! Utilising Azure as a Cloud Hosting Provider for Sh...
SPS Sydney - To the Cloud! Utilising Azure as a Cloud Hosting Provider for Sh...SPS Sydney - To the Cloud! Utilising Azure as a Cloud Hosting Provider for Sh...
SPS Sydney - To the Cloud! Utilising Azure as a Cloud Hosting Provider for Sh...Scott Hoag
 
SPS Sydney - Office 365 and Cloud Identity – What does it mean for me?
SPS Sydney - Office 365 and Cloud Identity – What does it mean for me?SPS Sydney - Office 365 and Cloud Identity – What does it mean for me?
SPS Sydney - Office 365 and Cloud Identity – What does it mean for me?Scott Hoag
 
SPSCBR - Pitfalls of Migrating to SharePoint 2013
SPSCBR - Pitfalls of Migrating to SharePoint 2013SPSCBR - Pitfalls of Migrating to SharePoint 2013
SPSCBR - Pitfalls of Migrating to SharePoint 2013Scott Hoag
 
Office 365 and Cloud Identity – What Does It Mean For Me?
Office 365 and Cloud Identity – What Does It Mean For Me?Office 365 and Cloud Identity – What Does It Mean For Me?
Office 365 and Cloud Identity – What Does It Mean For Me?Scott Hoag
 
Canberra SPUG - February 2014 - Pitfalls of Migrating to SharePoint 2013
Canberra SPUG - February 2014 - Pitfalls of Migrating to SharePoint 2013Canberra SPUG - February 2014 - Pitfalls of Migrating to SharePoint 2013
Canberra SPUG - February 2014 - Pitfalls of Migrating to SharePoint 2013Scott Hoag
 
Sydney SPUG - February 2014 - Pitfalls of Migrating to SharePoint 2013
Sydney SPUG - February 2014 - Pitfalls of Migrating to SharePoint 2013 Sydney SPUG - February 2014 - Pitfalls of Migrating to SharePoint 2013
Sydney SPUG - February 2014 - Pitfalls of Migrating to SharePoint 2013 Scott Hoag
 
SPSNYC - Authentication, Authorization, and Identity – More than meets the eye…
SPSNYC - Authentication, Authorization, and Identity – More than meets the eye…SPSNYC - Authentication, Authorization, and Identity – More than meets the eye…
SPSNYC - Authentication, Authorization, and Identity – More than meets the eye…Scott Hoag
 

Mehr von Scott Hoag (20)

Global Azure Bootcamp 2018 - Azure Security Center
Global Azure Bootcamp 2018 - Azure Security CenterGlobal Azure Bootcamp 2018 - Azure Security Center
Global Azure Bootcamp 2018 - Azure Security Center
 
Global Azure Bootcamp 2018 - Azure Network Security
Global Azure Bootcamp 2018 - Azure Network SecurityGlobal Azure Bootcamp 2018 - Azure Network Security
Global Azure Bootcamp 2018 - Azure Network Security
 
SPIntersection 2016 - TO THE CLOUD! USING IAAS AS A HOSTING PROVIDER FOR SHAR...
SPIntersection 2016 - TO THE CLOUD! USING IAAS AS A HOSTING PROVIDER FOR SHAR...SPIntersection 2016 - TO THE CLOUD! USING IAAS AS A HOSTING PROVIDER FOR SHAR...
SPIntersection 2016 - TO THE CLOUD! USING IAAS AS A HOSTING PROVIDER FOR SHAR...
 
SPIntersection 2016 - MICROSOFT CLOUD IDENTITIES IN AZURE AND OFFICE 365
SPIntersection 2016 - MICROSOFT CLOUD IDENTITIES IN AZURE AND OFFICE 365SPIntersection 2016 - MICROSOFT CLOUD IDENTITIES IN AZURE AND OFFICE 365
SPIntersection 2016 - MICROSOFT CLOUD IDENTITIES IN AZURE AND OFFICE 365
 
JAXSPUG April 2016 - Staying in the Know with Office 365
JAXSPUG April 2016 - Staying in the Know with Office 365JAXSPUG April 2016 - Staying in the Know with Office 365
JAXSPUG April 2016 - Staying in the Know with Office 365
 
JAXSPUG January 2016 - Microsoft Cloud Identities in Azure and Office 365
JAXSPUG January 2016 - Microsoft Cloud Identities in Azure and Office 365JAXSPUG January 2016 - Microsoft Cloud Identities in Azure and Office 365
JAXSPUG January 2016 - Microsoft Cloud Identities in Azure and Office 365
 
SPSDC - To the Cloud! Using IaaS as a Hosting Provider for SharePoint
SPSDC - To the Cloud! Using IaaS as a Hosting Provider for SharePointSPSDC - To the Cloud! Using IaaS as a Hosting Provider for SharePoint
SPSDC - To the Cloud! Using IaaS as a Hosting Provider for SharePoint
 
SPSNYC SharePoint Worst Practices
SPSNYC SharePoint Worst PracticesSPSNYC SharePoint Worst Practices
SPSNYC SharePoint Worst Practices
 
March Sydney Office 365 Meetup - Office 365 and Hybrid Solutions... what work...
March Sydney Office 365 Meetup - Office 365 and Hybrid Solutions... what work...March Sydney Office 365 Meetup - Office 365 and Hybrid Solutions... what work...
March Sydney Office 365 Meetup - Office 365 and Hybrid Solutions... what work...
 
SYDSP - Office 365 and Cloud Identity - What does it mean for me?
SYDSP  - Office 365 and Cloud Identity - What does it mean for me?SYDSP  - Office 365 and Cloud Identity - What does it mean for me?
SYDSP - Office 365 and Cloud Identity - What does it mean for me?
 
SPSVB - Office 365 and Hybrid Solutions... what works for my organization?
SPSVB - Office 365 and Hybrid Solutions... what works for my organization?SPSVB - Office 365 and Hybrid Solutions... what works for my organization?
SPSVB - Office 365 and Hybrid Solutions... what works for my organization?
 
SPSVB - Office 365 and Cloud Identity - What Does It Mean for Me?
SPSVB - Office 365 and Cloud Identity - What Does It Mean for Me?SPSVB - Office 365 and Cloud Identity - What Does It Mean for Me?
SPSVB - Office 365 and Cloud Identity - What Does It Mean for Me?
 
SPSVB - To the Cloud! Using IaaS as a Hosting Provider for SharePoint
SPSVB - To the Cloud! Using IaaS as a Hosting Provider for SharePointSPSVB - To the Cloud! Using IaaS as a Hosting Provider for SharePoint
SPSVB - To the Cloud! Using IaaS as a Hosting Provider for SharePoint
 
SPS Sydney - To the Cloud! Utilising Azure as a Cloud Hosting Provider for Sh...
SPS Sydney - To the Cloud! Utilising Azure as a Cloud Hosting Provider for Sh...SPS Sydney - To the Cloud! Utilising Azure as a Cloud Hosting Provider for Sh...
SPS Sydney - To the Cloud! Utilising Azure as a Cloud Hosting Provider for Sh...
 
SPS Sydney - Office 365 and Cloud Identity – What does it mean for me?
SPS Sydney - Office 365 and Cloud Identity – What does it mean for me?SPS Sydney - Office 365 and Cloud Identity – What does it mean for me?
SPS Sydney - Office 365 and Cloud Identity – What does it mean for me?
 
SPSCBR - Pitfalls of Migrating to SharePoint 2013
SPSCBR - Pitfalls of Migrating to SharePoint 2013SPSCBR - Pitfalls of Migrating to SharePoint 2013
SPSCBR - Pitfalls of Migrating to SharePoint 2013
 
Office 365 and Cloud Identity – What Does It Mean For Me?
Office 365 and Cloud Identity – What Does It Mean For Me?Office 365 and Cloud Identity – What Does It Mean For Me?
Office 365 and Cloud Identity – What Does It Mean For Me?
 
Canberra SPUG - February 2014 - Pitfalls of Migrating to SharePoint 2013
Canberra SPUG - February 2014 - Pitfalls of Migrating to SharePoint 2013Canberra SPUG - February 2014 - Pitfalls of Migrating to SharePoint 2013
Canberra SPUG - February 2014 - Pitfalls of Migrating to SharePoint 2013
 
Sydney SPUG - February 2014 - Pitfalls of Migrating to SharePoint 2013
Sydney SPUG - February 2014 - Pitfalls of Migrating to SharePoint 2013 Sydney SPUG - February 2014 - Pitfalls of Migrating to SharePoint 2013
Sydney SPUG - February 2014 - Pitfalls of Migrating to SharePoint 2013
 
SPSNYC - Authentication, Authorization, and Identity – More than meets the eye…
SPSNYC - Authentication, Authorization, and Identity – More than meets the eye…SPSNYC - Authentication, Authorization, and Identity – More than meets the eye…
SPSNYC - Authentication, Authorization, and Identity – More than meets the eye…
 

Kürzlich hochgeladen

The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 

Kürzlich hochgeladen (20)

The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 

SharePoint Conference 2018 - Securing Office 365 and SharePoint Online with Azure Active Directory

  • 3. Scott Hoag Principal Cloud Solutions Architect, Opsgility Co-host Microsoft Cloud IT Pro Podcast www.linkedin.com/in/scottmhoag @ciphertxt shoag@opsgility.com msclouditpro.com
  • 4. DETECT PROTECT CLASSIFY MONITOR MICROSOFT’S INFORMATION PROTECTION SOLUTIONS WINDOWS INFORMATION PROTECTION Separate personal vs. work data on Windows 10 devices and prevent work data from traveling to non-work locations OFFICE 365 ADVANCED SECURITY MANAGEMENT Visibility into Office 365 app usage and potential data abuse MICROSOFT CLOUD APP SECURITY Visibility into 15k+ cloud apps, data access & usage, potential abuse MESSAGE ENCRYPTION Send encrypted emails in Office 365 to anyone – inside or outside of the company CONDITIONAL ACCESS Control access to files based on policy, such as identity, machine configuration, geo location OFFICE APPS Protect sensitive information while working in Excel, Word, PowerPoint, Outlook AZURE INFORMATION PROTECTION Classify, label & protect files – beyond Office 365, including on-prem & hybrid OFFICE 365 DLP Prevent data loss across Exchange Online, SharePoint Online, OneDrive for Business ISV APPLICATIONS Enable ISV partners to consume labels, apply protection OFFICE 365 ADVANCED DATA GOVERNANCE Apply retention and deletion policies to sensitive and important data in Office 365 SHAREPOINT & GROUPS Protect files in libraries and lists Microsoft’s information protection solutions
  • 5. Data governance & rights management Responsibility SaaS PaaS IaaS On-prem Client endpoints Account & access management Identity & directory infrastructure Application Network controls Operating system Physical network Physical datacenter CustomerMicrosoft Physical hosts
  • 6. Data governance & rights management Responsibility SaaS PaaS IaaS On-prem Client endpoints Account & access management Identity & directory infrastructure Application Network controls Operating system Physical network Physical datacenter CustomerMicrosoft Physical hosts Security Updates / Patches Software / Feature Upgrades Server Maintenance/Troubleshooting Server Uptime ( SLA from Microsoft) Backup and Archive solution Office 365
  • 7. Data governance & rights management Responsibility SaaS PaaS IaaS On-prem Client endpoints Account & access management Identity & directory infrastructure Application Network controls Operating system Physical network Physical datacenter CustomerMicrosoft Physical hosts Attacks on Operating System (OS) and OS Admins Application attacks Hardware/Firmware Denial of Service Physical Attacks Office 365
  • 8. Data governance & rights management Responsibility SaaS PaaS IaaS On-prem Client endpoints Account & access management Identity & directory infrastructure Application Network controls Operating system Physical network Physical datacenter CustomerMicrosoft Physical hosts Directly connected to internet User services and interfaces Administrative interfaces Implications Authentication Security is Critical Multi-factor authentication Per user (UEBA) anomaly detection across full context (time, date, geolocation) Integration of security intelligence Tenant Security Configuration is critical
  • 9. Data governance & rights management Responsibility SaaS PaaS IaaS On-prem Client endpoints Account & access management Identity & directory infrastructure Application Network controls Operating system Physical network Physical datacenter CustomerMicrosoft Physical hosts Notable trends Identity Attacks Password Spray Brute Force Password Re-use App/Data Layer attacks Social engineering Delegation and forwarding rule attacks PowerShell scripts in attacks
  • 10. Control plane; PowerShell for administration; Cloud + Browser Authentication Model (changes protocols, logs, auth flows, etc.); Consistent Logs are conducive to off the shelf analytics (e.g. a CASB like MCAS); Regular release of features and changes (configurable, but not customizable). Implications: Always Current Features; Security must regularly review updates. Office 365 Roadmap | O365 Update Series on YouTube
  • 12. Windows Server Active Directory Azure Public cloud Microsoft Azure Active Directory Commercial IdPs Consumer IdPs Partners Customers Azure AD Connect
  • 13. I want to provide my employees secure and easy access to every application from any location and any device. I need my customers, partners, and users to access the apps they need from everywhere and collaborate seamlessly. I want to quickly deploy applications to devices, do more with less and automate Join/Move/Leave processes. [dev use case] I want to protect access to my resources from advanced threats. I need to comply with industry regulation and national data protection laws. Conditional Access; Multi-Factor Authentication; Addition of custom cloud apps; Remote Access to on-premises apps; Privileged Identity Management; Dynamic Groups; Identity Protection; Azure AD DS; Office 365 App Launcher; Group-Based Licensing; Access Panel/MyApps; Azure AD Connect; Connect Health; Provisioning-Deprovisioning; Azure AD Join; Self-Service capabilities; MDM-auto enrollment / Enterprise State Roaming; Security Reporting; Access Reviews; HR App Integration; B2B collaboration; Azure AD B2C; SSO to SaaS; Microsoft Authenticator - Password-less Access
  • 14. I want to provide my employees secure and easy access to every application from any location and any device. I need my customers and partners to access the apps they need from everywhere and collaborate seamlessly. I want to quickly deploy applications to devices, do more with less and automate Join/Move/Leave processes. I want to write applications that work with my corporate identities in Azure Active Directory. I want to protect access to my resources from advanced threats. I need to comply with industry regulation and national data protection laws. Conditional Access; Multi-Factor Authentication; Addition of custom cloud apps; Remote Access to on-premises apps; Privileged Identity Management; Dynamic Groups; Identity Protection; Azure AD DS; Office 365 App Launcher; Group-Based Licensing; Access Panel/MyApps; Azure AD Connect; Connect Health; Provisioning-Deprovisioning; Azure AD Join; Self-Service capabilities; MDM-auto enrollment / Enterprise State Roaming; Security Reporting; Access Reviews; HR App Integration; B2B collaboration; Azure AD B2C; SSO to SaaS; Microsoft Authenticator - Password-less Access. 1 2 3 4 5 6
  • 15. Microsoft Azure Active Directory Remote Access to on-premises apps Azure AD Connect SSO to SaaS Access Panel/MyApps Self-Service capabilities Azure AD DS Microsoft Authenticator - Password-less Access Office 365 App Launcher Conditional Access Multi-Factor Authentication Azure AD Connect On-premises I want to provide my employees secure and easy access to every application from any location and any device 1
  • 16. Identity synchronization using Azure AD Connect On-premises Password validation requests are sent to Windows Server Active Directory via Pass-through authentication Pass-through authentication Microsoft Azure Active Directory Pass-through authentication agent Office 365, SaaS, and LoB apps
  • 18. On-premises applications Block access Wipe device Enforce MFA Conditions MFA Location (IP range) Device state Risk User group Allow access Multi-Factor Authentication Conditional Access Privileged Identity Management Identity Protection Remote Access to on-premises apps SSO to SaaS Security Reporting I want to protect access to my resources from advanced threats 2 Cloud apps On-premises
  • 20. Require MFA Allow access Deny access Force password reset Limit access Controls On-premises apps Web apps Users Devices Location Apps Conditions Machine learning Policies Real time Evaluation Engine Session Risk 3 10TB Effective policy
  • 21. CLOUD APPS CLOUD APP SECURITY Policy Proxy Conditional Access Azure AD Deny access Force password reset Limit access THEN Require MFA Allow access
  • 22. Microsoft Cloud 3rd Party SaaS Apps On Premises Apps Microsoft Azure Prevent data leak Disable print Restrict download Enforce MFA Block sign-in Allow sign-in Access Control Session Restrictions OS Platform Is Compliant / Domain joined Is lost or stolen Device Risk Device User identity Group membership Session Risk User Mobile or Cloud app Per app policy App Location IP range Country / Region Applications Policy Controls Conditional Access Policy Conditions Windows Defender Azure AD Identity Protection Service Terms of Use Partners
  • 25. Application Employee Contractor Inside Corp Outside Corp Inside Corp Outside Corp Managed Device BYOD Managed Device BYOD Exchange Online OWA Just Allow MFA Just Allow MFA for Medium, Block for high MFA MFA Outlook Desktop App Allow with Win10 EDP or Bitlocker MAM with pin Allow with Win10 EDP or Bitlocker MAM with pin MAM with pin MAM with pin SharePoint Online Just Allow MFA and reduced session Just Allow MFA and reduced session MFA MFA and reduced session OneDrive for Business Allow with Win10 EDP or Bitlocker MAM with pin Allow with Win10 EDP or Bitlocker MAM with pin MAM with pin MAM with pin
  • 26. Microsoft Azure Active Directory Windows Server Active Directory ADFS/WAP MFA Service Windows Server Active Directory 10.10.23.24
  • 32. SharePoint Online 5 7 1 6 Intune Company Portal Step 1: Enroll device Unified Enrollment 2 4 3 Device object - device id - isManaged - MDMStatus 8 Azure Active Directory
  • 33. Containing data after it has been accessed Managed apps Personal apps Personal apps Managed apps Corporate data Personal data Protect corp data Control sharing and downloading IT Monitor and restrict activity via mobile app via browser
  • 34. Exchange Online Stateless Protocol Translator (Azure) 5 7 1 6 Intune 2 Policy - Approved Client IDs 8 9 App Store / Google Play Step 1: Install Microsoft Authenticator / Company Portal 3 Broker App 4 Outlook for iOS/Android Azure Active Directory
  • 39. Do: Use the Authenticator App; Exclude 1 Admin account from the policy; Enable Identity Protection; Users respond much more favorably to conditional/situational MFA; Know how to debug Modern Auth issues; Know how to debug MFA authentications. Don't: Underestimate the complexity of hybrid CA; Assume users/business units will understand why; Forget about the last 5%. But don't block on them. https://diagnostics.outlook.com/#/?env=ExRCA
  • 42. * Requires a P1 license
  • 50. Office 365 Groups Guests Allowed To Access Groups MS Teams Rely on Groups external settings Yes Guest Authentication Yes SharePoint Online External Sharing Allowed Office 365 Groups Owners Allowed to Add Guests MS Teams Apps, Tabs Bots Files/Notes/Wiki access granted Access Denied Teams owners can add Guests Only IT admin can add Guests App/Tab/Bot access granted Access Denied Success Fail Success Fail Success Fail Authentication Denied No Guest Addition Denied Disabled
  • 52. Enforce on-demand, just-in-time administrative access when needed. Ensure policies are met with alerts, audit reports and access reviews. Manage admin access in Azure AD and also in Azure RBAC. User Administrator. Discover, restrict, and monitor privileged identities. User Administrator privileges expire after a specified interval.
  • 54. Unify security management and enable advanced threat protection for hybrid cloud workloads
  • 56. Advanced Threat Protection for email drives the recommendation for E5 for all users with a mailbox. Advanced Data Governance capabilities are used to automate protection for data loss prevention. Compare all Office 365 for Business Plans. Risk-based conditional access and Cloud App Security drive the recommendation for EMS E5. Included with EMS E5. Risk-based conditional access can be used with B2B accounts. Every Azure AD paid license includes rights to 5 B2B collaboration users (5:1 model). Compare all Enterprise Mobility + Security Plans.
  • 58. Scott Hoag, Principal Cloud Solutions Architect, Opsgility; Co-host, Microsoft Cloud IT Pro Podcast; www.linkedin.com/in/scottmhoag; @ciphertxt; shoag@opsgility.com; msclouditpro.com
  • 59. Microsoft Security Guidance for Election Campaigns and Nonprofit Organizations. Planning and implementation guidance for fast-moving organizations that have an increased threat profile. July 2017. © 2017 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com.
Introduction. This topic is 1 of 12 in a series. See topics 2-12 for more information and resources.
Election campaigns around the world are run by fast-moving organizations with intensive collaboration patterns and security risks that rise with the potential influence a win can achieve. They face challenges from sophisticated actors that can deploy significant resources to breach an organization. This solution demonstrates how to build an environment with essential cloud services. It includes prescriptive security design for protecting identities, email, and access from mobile devices.
Office 365 enterprise capabilities: Secure email and calendars; Office suite and Office Online; OneDrive for Business; SharePoint Online. Business-class email protected with Exchange Online Protection and Office 365 Advanced Threat Protection. The latest Office apps for your PC and Mac, including updates to protect your environment. Create and edit documents from a browser. 1 TB of personal cloud storage that can be accessed from anywhere and syncs with a PC/Mac for offline access. Easily share documents with others and control who can see and edit each file. Office on PCs, tablets, and phones: Fully installed Office experience across PCs, Macs, Windows tablets, iPad® and Android tablets, and most mobile devices. Communications sites to keep your organization up to date. Team sites and document libraries protected at the appropriate level for the sensitivity of your data and projects. Online meetings: Host online meetings with audio, HD video, and web conferencing over the Internet.
Join meetings with a single touch or click from the smartphone, tablet, or PC of your choice. Meeting broadcast: Broadcast Skype for Business meetings on the Internet for up to 10,000 people, who can attend in a browser on nearly any device. Meetings include real-time polling and sentiment tracking.
Enterprise Mobility + Security (EMS) suite. Simplified identity management: Centrally manage single sign-on across devices and all of your SaaS and cloud applications. Multi-factor authentication: Strengthen sign-in authentication with verification options, including phone calls, text messages, or mobile app notifications. Conditional access: Define policies that provide contextual controls at the user, location, device, and app levels to allow, block, or challenge user access. Risk-based conditional access: Protect apps and critical data in real time using machine learning and the Microsoft Intelligent Security Graph to block access when risk is detected. Advanced security reporting: Monitor suspicious activity with reporting, auditing, and alerts, and mitigate potential security issues using focused recommendations. Mobile device management: Enroll corporate and personal devices to provision settings, enforce compliance, and protect your corporate data. Mobile application management: Publish, configure, and update mobile apps on enrolled and unenrolled devices, and secure or remove app-associated corporate data. Persistent data protection: Encrypt sensitive data and define usage rights for persistent protection regardless of where data is stored or shared. Microsoft Cloud App Security: Gain visibility, control, and protection for your cloud-based apps. Identify threats, abnormal usage, and other cloud security issues.
Azure PaaS analytics environment. Azure PaaS Analytics: Recommended environment you can build using SQL Data Warehouse and Azure Data Lake. Protect access to this environment using the same capabilities as Office 365.
This solution includes capabilities across Office 365, Enterprise Mobility + Security (EMS) suite, and Azure PaaS. EMS makes it possible to integrate other cloud services and use the same identity provider, secure access capabilities, and monitoring solutions across your entire environment. This guidance includes only cloud services but you can also use these recommendations with a hybrid on-premises environment. Core cloud capabilities in this solution.
Security responsibility (SaaS, PaaS, IaaS, On-prem): Data governance & rights management; Client endpoints (devices); Account & access management; Identity & directory infrastructure; Application; Network controls; Operating system; Physical hosts; Physical network; Physical datacenter. Legend: Customer, Microsoft.
By using Microsoft cloud services, you greatly reduce the attack surface you are responsible for. This solution shows you how to configure the controls that are provided for you to secure your data, devices, and identities. Identity & directory infrastructure refers to integration with on-premises directories. If you're using cloud-only accounts, this doesn't apply to you. The guidance in this solution is designed for cloud-only environments, but can also be used with hybrid environments with on-premises directories. By using Microsoft cloud services, you greatly reduce the amount of work required to keep your environment secure. Decades of engineering experience has enabled Microsoft to develop leading-edge best practices in the design and management of online services. Through industry-leading security practices and unmatched experience running some of the largest online services around the globe, Microsoft delivers enterprise cloud services you can trust. For more information, see Microsoft Cloud Security for Legal and Compliance Professionals. Reduce your security responsibility. In addition to these cloud capabilities, Windows 10 includes capabilities that are recommended for this solution. Windows 10 is not required.
Device protection and access. Azure Active Directory; Tenant domain accounts; Azure B2B accounts (without additional licensing); Multi-factor authentication and conditional access; Mobile Application Management (MAM); Device enrollment and management; Only one org can manage a device.
You can gain a lot of protection on devices, even for unmanaged BYOD devices, by using capabilities in the EMS E5 suite. First, understand what capabilities are available per account type. See the illustration to the right. This topic includes recommendations you can use as a starting point. You'll need to make a few decisions to adjust these recommendations for your environment.
    • B2B accounts — Intune capabilities require additional licensing for B2B users. For B2B users that have access to sensitive data, consider licensing these with EMS E5 so you can apply Mobile Application Management (MAM) capabilities.
    • Managing devices — Choose whether to enroll devices into Intune for management. Only one organization can be a management authority for a device. Therefore, managing devices of B2B users might not be an option because these devices might already be managed by their organization.
    • Windows 10 — Windows 10 includes compelling security capabilities that make this a recommendation for organizations with a high threat profile. At a minimum, consider using Windows 10 for users who are the highest value targets for cyber attacks.
Windows 10 security capabilities (conditional access based on device compliance requires device management). Starting-point recommendation. This guidance is intended for lightweight, rapidly moving organizations.
These starting-point recommendations acknowledge that you might not have a lot of control over the devices users bring to the environment. These recommendations are also intended to provide a variety of options for protecting devices, including data on the devices. Adjust this guidance for your organization based on your threat profile. This solution provides prescriptive guidance for protecting access to email, files, and other resources with multi-factor authentication, conditional access rules, and Intune management. The guidance is based on these starting-point recommendations. You can adjust this guidance to support the decisions you make for your environment. Mac support for managed devices is coming soon.
Intune-managed BYOD PCs with device compliance policies to ensure the health of these devices. Latest versions of Office 2016, including updates.
Senior and strategic staff; IT staff; Analytics staff; Regular core staff; Field staff; Hourly paid contract staff; Consultants and vendors. Tenant domain accounts; Azure B2B accounts (without additional licensing).
Intune-managed PCs. Windows 10 with BitLocker, Windows Defender, Windows Firewall, and Windows Information Protection (WIP) as a minimum configuration. If Windows 10 is not used, enroll PCs in Intune and use device compliance policies to ensure the health of these devices. Latest versions of Office 2016, including updates. Conditional access rules requiring multi-factor authentication and apps that support modern authentication.
Intune-managed phones/tablets. Phones registered with Azure AD for phone authentication. Approved phone/tablet apps from the app stores — apps that can be managed by Intune Application Management. Intune app management policies to protect business data on phones.
Phones registered with Azure AD for phone authentication. Approved phone/tablet apps from the app stores — apps that can be managed by Intune Application Management.
Intune application management policies to protect business data on phones.
Phones registered with Azure AD for phone authentication. Conditional access rules requiring multi-factor authentication. Approved phone/tablet apps from the app stores — apps that support modern authentication.
Operations staff. aka.ms/SecureCampaign
  • 60. Office 365: Manage Identities using Azure AD connect https://aka.ms/365enterpriseident aka.ms/365Enterprise

Editor's notes

  1. 4
  2. Build 2012
  3. Microsoft Ignite