This document outlines a digital transformation roadmap for a "Work-from-Anywhere" initiative between January 2020 and June 2022. It involves several phases: scoping requirements and securing initial budgets for 90-day pilots of BYOD and remote work policies; evaluating learnings from the pilots to scope additional pilots; developing training and communications; and full rollout on a team-by-team basis. The document then provides strategies for securing identity infrastructure, including strengthening credentials with multi-factor authentication, reducing attack surfaces through conditional access policies, automating threat response with tools like Identity Protection, utilizing cloud intelligence from Azure AD, and empowering users with self-service access management.

1. Securing your identity infrastructure

2. Digital transformation roadmap
Jan 1, 2020
Scope requirements
for Work-from-
Anywhere
transformation
initiative
Secure Budget
for V1 Pilots
90 day pilots:
BYOD, 1-day-WFH,
remote meetings
Evaluate
learnings and
scope V2 Pilots
Secure Budget
for V2 Pilots
120 day
pilots with
select teams
Develop training
and internal PR
Complete
Work-from-
Anywhere rollout
Begin
team-by-team
rollouts
Jun 1, 2022

3. Digital transformation roadmap
Jan 1, 2020 Jun 1, 2022
Apr 1, 2020
Scope requirements
for Work-from-
Anywhere
transformation
initiative
Secure Budget
for V1 Pilots
90 day pilots:
BYOD, 1-day-WFH,
remote meetings
Evaluate
learnings and
scope V2 Pilots
Secure Budget
for V2 Pilots
120 day
pilots with
select teams
Develop training
and internal PR
Begin
team-by-team
rollouts
Complete
Work-from-
Anywhere rollout
“We have seen two years’
worth of digital
transformation in two
months.“
Satya Nadella Microsoft CEO

4. Bring your own devices and IoT
Explosion of cloud apps
Expanding Perimeters
Explosion of signal
Composite apps & public restful APIs
Employees, partners, customers, bots
Old World vs. Current World

5. Zero Trust
A modern approach to security
which treats every access
attempt as if it’s originating
from an untrusted network
Never Trust, Always Verify

6. Zero Trust principles and holistic security strategy
Verify explicitly

7. Zero Trust across the esate
Visibility, Analytics,
Automation
Real-time
policy evaluation
Organization
policies
Zero Trust architecture

9. 1. Strengthen your credentials
2. Reduce your attack surface area
3. Automate threat response
4. Utilize cloud intelligence
5. Empower end users with self-service
AKA.MS/SECURITYSTEPS
Helping you
build a strong
identity
foundation

10. Start with a strong identity foundation in the
cloud

11. Azure Active Directory – the world’s largest cloud identity service

12. Secure access to all applications with single sign on
HR systems
Apps and data
Cloud apps
On-premises perimeter-based networks
Azure AD
App delivery controllers
& networks
Azure AD
App Proxy
Active Directory
single sign-on
External users

13. Winning strategy 1
Strengthen your credentials

14. 230% Increase in password spray attacks this year
Nearly 1 in 3 of all attacks on enterprises involve phishing
attacker-driven sign-ins
detected in August 2020
5.8B
high-risk enterprise sign-in
attempts flagged in August 2020
9M
compromised accounts
detected in August 2020
2M
* Chart shows impact of COVID-19 themed attacks across the world by file count (as of April 7, 2020) /
Source Microsoft Threat Intelligence

15. Verify identities with strong authentication

16. Good: Password +
(Preview)
Better: Password +
(Preview)
(Preview)
Best
Bad: Password
123456
qwerty
password
iloveyou
Password1
Deploy the most secure, usable & cost-effective methods

18. Winning
strategies for
strengthening
your credentials
• Enable MFA for all your admins (if you still haven’t)
• Deploy strong authentication for all users
• Start your passwordless journey
• Block legacy authentication

19. Winning strategy 2
Reduce your attack surface

20. Protect identities with Conditional Access and
multifactor authentication
Require MFA
Allow access
Application
User and location Device
Real-time risk
Limit access
Password reset
Monitor access
Signals Verify every access attempt Access apps and data

21. # admins with highest levels of privileges over time
Risks with Privileged Access
Number
of
permissions
Time
Admin #1
Admin #2
Admin #3

22. Secure and compliant by default, governed by the principle of Zero Standing
Access, with Just-in-Time & Just-Enough-Access
What you want - Least Privileged Access
Number
of
permissions
Time
Admin #1
Admin #2
Admin #3
Password Admin 1 hr Security Admin 2 hrs Global Admin .5hr
Admin #1
Password Admin 1 hr
Admin #3
Global Admin .5 hr

23. Access
reviewed &
revised
Job changes
Ongoing auditing
& reporting
Access rights
provisioned
Requests
additional
access
User onboarded
Azure AD entitlement management

24. Winning
strategies for
reducing your
attack surface
• Enable timebound just-in-time (JIT) access via
Privileged Identity Management if you haven’t
• Block invalid authentication points via Conditional
Access
• Perform lifecycle management via Entitlement
Management
• Periodically recertify privileged users via Access
Reviews
• Require admins to elevate permissions when needed
for sensitive apps

25. Winning strategy 3
Automate threat response

26. Identity Protection intelligently detects and responds to compromise
Continuously improving to prevent attack
Automatedremediation
Policy enforcement
Improved machine
learning
MoreMicrosoft ecosystem
innovation
Extended threat
intelligence
Risk assessment
Investigation
Real time session risk
Microsoft Graph API and Security Graph,
Logic apps
MCAS, Azure ATP

27. Azure AD · Identity Protection · Risk types
Users with leaked
credentials
Sign-ins from anonymous
IP addresses
Impossible travel to
atypical locations
Sign-ins from
infected devices
Sign-ins from IP addresses
with suspicious activity
Sign-ins from
unfamiliar locations
New risk alerts are added as new threats emerge
?

28. Winning
strategies for
automating
threat response
• Require MFA or block risky sign-ins via Conditional
Access
• Enforce secured password change or block risky users
via Conditional Access

29. Winning strategy 4
Utilize cloud intelligence

30. Actionable insights in Azure AD
Identity Protection
Privileged Identity
Management
Workbook analytics:
 CA insights
 Legacy authentication
workbook
 Access package
activity

31. Azure Sentinel
integration

32. Winning
strategies for
utilizing cloud
intelligence
• Watch for alerts emails - Privileged Identity
Management activation and Identity Protection
• Check your identity secure score
• Monitor your Azure AD audit and sign-in logs
• Strengthen your Conditional Access policies and
Privileged Identity Management via insight reporting
• Create dashboards with Azure AD workbooks

33. Winning strategy 5
Empower end users with self-service

34. Improve productivity with self-service tools
Single sign-on (SSO)
Self-serve password reset
Application launching portal

35. My sign-ins · Users can report unusual sign-ins
Looks unfamiliar?
This wasn’t me
Security
info

36. Provide oversight for which
users have access to what
resources
Prompts users to ensure
their access is limited to the
resources they need
Applies to employees
and guest users

37. Winning
strategies for
end user self-
service
• Empower users with self-service password reset and
group / application access
• Maintain access compliance with Azure AD access
reviews
• Create access packages via Entitlement Management
• Train users how to self-report risky sign-ins and verify
their Security contact information

38. 5 winning strategies
Enable self-help for more predictable
and complete end user security
Increase your awareness with
auditing and monitor security alerts
Automate threat response
Reduce your attack surface
Strengthen your credentials
Blocking legacy authentication
reduces compromise by 67%.
Implementing risk policies
reduces compromise by 96%
Attackers escape detection inside a victim’s
network for a median of 101 days. (Source: FireEye)
60% of enterprises experienced social
engineering attacks in 2016. (Source: Agari)
MFA reduces compromise by 99.99%

39. Thank you