
What small businesses need to know about Azure AD premium


In this session I reflect on what Azure AD brings to the table for small businesses and do an introduction to key services in each tier of the identity platform to improve your security posture, improve onboarding/offboarding and enhance productivity through governance.



  1. Microsoft 365 Virtual Marathon, May 27 & 28, 2020, 36 hours / 2 days. What small businesses need to know about Azure AD premium. Miguel A. Tena, Office 365 Consultant, 2toLead, @mikeware_tena. Brought to you by: The Global Microsoft Community, M365VirtualMarathon.com | #M365VM
  2. Mark your calendars: March 23-25, 2021, MGM Grand Resort, Las Vegas, Nevada, USA. M365Conf.com #M365CONF. The SharePoint Conference is now The Microsoft 365 Collaboration Conference.
  3. Thank you to all our generous sponsors
  4. Let me introduce myself…
      - Miguel A. Tena, Office 365 Consultant, 2toLead / Digital Workplace Crusader
      - Participated in TAP for Office 12, immigrated to Canada in 2010.
      - Focused on M365, Identity, and SharePoint/Teams.
      - Born in Mexico City, “se habla Español”
  5. Are you ready for a raffle? We are giving away 3 Oculus Quest All In One! https://bit.ly/m365raffle
      - Visit the vendor booths and sessions and watch the videos
      - Submit your answers to enter the raffle
      - You need at least 5 correct answers, then submit for a chance to win one of 3 (one in each of Americas, APAC, EMEA)
  6. Thank you for joining us! 10% of funds from sponsors go to support community relief. Consider donating to the following charity relief funds: United Way (https://give.uwkc.org/M365VM) or International Medical Corps (https://bit.ly/MedicalCorpsFund)
  7. https://www.microsoft.com/en-ca/microsoft-365/blog/2020/03/30/new-microsoft-365-offerings-small-and-medium-sized-businesses/
  8. In April 2020, nothing changed.
  9. Or did it…
  11. Let’s chat about…
      - What is Microsoft 365 Business? Is it right for my business?
      - What is Azure AD (Premium)?
      - Pain points of the “new normal”
      - Where can Azure AD Premium help my business?
      - Key next steps
  12. What is Microsoft 365 Business? Is it right for my business?
      - M365 = Productivity + Device Management + Security
      - Productivity = Office 365
      - Device Management = Intune
      - Azure Active Directory = Security
      - Business suite for < 300 seats (licenses)
  13. What is Azure AD?
      - Azure AD is your cloud-based identity and access management service.
      - If you have Office 365 or M365, you already have one.
      - Can help you secure:
          - External resources: Azure, Office 365, 1000s of other SaaS applications
          - Internal resources: apps in your organization
  14. Four “flavors” of Azure AD: Free, Office 365 Apps, Premium P1, Premium P2.
  15. Opportunities and pain points of the “new normal”
      - Remote work is exploding, but the pandemic only accelerated an existing trend of the “gig” economy.
      - Global talent pool
      - Onboarding/offboarding
      - Just enough access
      - Work from anywhere
  16. Opportunities and pain points of the “new normal”
      - Safeguard corporate assets and information in a geo-dispersed organization
      - Monitoring for information, security and device management
      - Auditing, compliance and security
  17. Opportunities and pain points of the “new normal”
      - Reduce your time to productivity
      - Provision assets (corporate/BYOD)
      - Provision access (guest/internal)
  18. Where can Azure AD Premium help my business?
      - Ensuring the right people have the right access to apps and information
      - Standardize the creation, naming and use of groups to improve productivity and governance.
      - Support a remote workforce by simplifying tasks such as password resets, access to company resources, etc.
  19. Core Services in Azure AD
      - Single Sign-on (SSO)
      - User (and group) management
      - Device registration
      - Cloud authentication
      - Azure AD Connect sync
      - Self-service password change for cloud accounts
      - Password Protection (global banned password list)
      - Azure AD Join for desktop SSO
      - Multi-factor authentication
      - Basic reporting
      - Azure AD B2B
  21. Azure AD registered vs joined devices
      - Azure AD Registered: ownership User/Org; org sign-in to device required: No; applies to BYOD and mobile (Win 10, iOS, Android, macOS); SSO to cloud-only resources; device management via MDM (Intune)
      - Azure AD Joined: ownership Org; org sign-in to device required: Yes; applies to Windows 10 devices; SSO to cloud + on-premises resources; device management via MDM, co-managed with Intune + Endpoint Configuration Manager
      - Hybrid Azure AD Joined: ownership Org; org sign-in to device required: Yes; applies to Win 7-10 and Windows Server 2008 R2 - 2019; SSO to cloud + on-premises resources; device management via GPO, SCCM and/or Intune
  23. Azure AD Connect
      - AD Connect Sync
          - Synchronize identities (users/groups) from your on-premises Active Directory
          - Sign-in methods:
              - Password hash sync (authentication happens in the cloud using the synced hash)
              - Pass-through authentication (authentication happens on-prem using an agent)
              - Federated authentication (ADFS)
      - AD Connect Health
          - Monitor federation service health
  24. What auth method to use?
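Added example, not the speaker's or Azure AD Connect's own code, showing what password hash sync actually ships to the cloud: the on-premises NT hash is never uploaded as-is but re-hashed with a per-user salt, and the cloud repeats that derivation at sign-in. The parameters follow Microsoft's public description of the process and are assumptions here; the NT hash values are constructed.

```python
import hashlib
import hmac
import os

# Assumed parameters (from Microsoft's public description of password hash
# sync, not from the talk): the 16-byte NT hash is expanded to 64 bytes via its
# hex string in UTF-16LE, a 10-byte per-user salt is added, and PBKDF2 with
# HMAC-SHA256 runs 1000 iterations to produce a 32-byte value.
PHS_ITERATIONS = 1000
PHS_SALT_LEN = 10
PHS_DKLEN = 32

def expand_nt_hash(nt_hash: bytes) -> bytes:
    """Expand the 16-byte on-premises NT hash to the 64-byte PBKDF2 input."""
    if len(nt_hash) != 16:
        raise ValueError("an NT hash is exactly 16 bytes")
    # Hex case is an assumption; it only matters that both sides agree.
    return nt_hash.hex().upper().encode("utf-16-le")

def phs_rehash(nt_hash: bytes, salt: bytes) -> bytes:
    """Compute the value that the connector sends to Azure AD for one user."""
    if len(salt) != PHS_SALT_LEN:
        raise ValueError("salt must be %d bytes" % PHS_SALT_LEN)
    return hashlib.pbkdf2_hmac("sha256", expand_nt_hash(nt_hash), salt,
                               PHS_ITERATIONS, dklen=PHS_DKLEN)

def sync_record(nt_hash: bytes) -> dict:
    """What leaves the on-premises network: a fresh salt plus the re-hash.
    Neither the password nor the NT hash itself is uploaded."""
    salt = os.urandom(PHS_SALT_LEN)
    return {"salt": salt, "hash": phs_rehash(nt_hash, salt)}

def cloud_verify(record: dict, candidate_nt_hash: bytes) -> bool:
    """Cloud-side check at sign-in: Azure AD derives the NT hash from the typed
    password, re-hashes it with the stored salt and compares in constant time."""
    expected = phs_rehash(candidate_nt_hash, record["salt"])
    return hmac.compare_digest(expected, record["hash"])

# Constructed NT hash values standing in for MD4(UTF-16LE(password)).
CONSTRUCTED_NT_HASH = bytes(range(16))
CONSTRUCTED_OTHER_NT_HASH = bytes(range(16, 32))

if __name__ == "__main__":
    rec = sync_record(CONSTRUCTED_NT_HASH)
    print("uploaded hash:", rec["hash"].hex(), "salt:", rec["salt"].hex())
    print("right password:", cloud_verify(rec, CONSTRUCTED_NT_HASH))
    print("wrong password:", cloud_verify(rec, CONSTRUCTED_OTHER_NT_HASH))
```

The practical point for the "which auth method" decision: with password hash sync, cloud sign-in keeps working during an on-premises outage because the cloud holds this derived value, which is something pass-through authentication and federation cannot offer.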
  27. I & AM for Office 365 apps - Azure AD
      - Branding (login/logout)
      - Self-service password reset for cloud accounts
      - Backed by SLA
      - Device write-back (two-way)
  29. Apply your brand to your sign-in experience
      - Provide a personalized experience
      - A hint for avoiding being “phished”
      - Culture starts at the door. In remote work environments, the sign-in page is the doormat.
  34. Azure AD Premium (P1 - now included!!!)
      - Password protection (custom banned password list)
      - Password protection for Windows Server Active Directory (global & custom banned password lists)
      - Self-service password reset/change/unlock with on-premises write-back
      - Group access management
      - Microsoft Cloud App Discovery
      - Azure AD Join: MDM auto-enrolment & local admin policy customization
      - Azure AD Join: self-service BitLocker recovery, Enterprise State Roaming
      - Advanced security and usage reports
  35. Azure AD Premium – Password Protection
      - Password protection (custom banned password list)
      - Password protection for Windows Server Active Directory (global & custom banned password lists)
  36. Azure AD Premium – Self-Service Password Management
      - Users reset their expired or non-expired password without admin or help desk support.
      - Write-back allows management of on-premises passwords and lockouts through the cloud.
      - Activity reports for:
          - SSPR registration
          - Password resets
  38. Azure AD Premium - Group access management
      - Provide access to:
          - Cloud apps
          - On-premises apps (requires Application Proxy)
          - Resources: role assignments in Azure, Office 365, other SaaS apps, etc.
      - Groups synced from on-prem are managed there.
      - Distribution lists and mail-enabled groups are managed in the Exchange admin center or the M365 admin portal.
  39. Azure AD Premium – Types of rights assignment
      - Direct assignment
      - Group assignment
      - Rule-based assignment (aka dynamic groups)
      - External authority: on-premises AD or other SaaS apps manage group membership
  40. Azure AD Premium – Application Proxy
      - Enable remote users to access (with SSO) on-premises (internal network) resources from a remote client.
      - Instead of a VPN, uses a proxy service in Azure and a connector on premises.
      - Can be used with:
          - Web applications that use Integrated Windows Authentication, form-based or header-based access
          - Web APIs
          - Applications hosted behind a Remote Desktop Gateway
          - Rich client apps using ADAL.
  42. Azure AD Premium – Cloud App Discovery
      - Monitor and assess usage of the cloud applications your workforce uses.
      - Detect shadow IT, risky usage and suspicious activities.
      - Apply governance for sanctioned/unsanctioned apps.
      - It analyzes traffic logs and can report on over 16k known apps.
      - Integration with major proxies/firewalls (Zscaler, Juniper, etc.) and Microsoft Defender ATP
      - Can enforce access to applications using Conditional Access policies
  44. Azure AD Premium – Azure AD Join
      - MDM auto-enrolment & local admin policy customization
          - Enforce enrolment in your MDM (Intune) to manage devices and set up policies
          - Configure local admins so Help Desk and IT personnel can access devices
      - Self-service BitLocker recovery
          - Users can retrieve their BitLocker key without requiring help desk/IT support
      - Enterprise State Roaming
          - Ability to take settings (apps/themes/etc.) across devices
  46. Advanced security and usage reports. All types of Azure AD licenses provide some level of reporting. Premium licenses allow for additional details and/or control.
      - Security reports
          - Users flagged for risk: user accounts that might be compromised
          - Risky sign-ins: sign-in attempts by others than the owner of the account
  47. Advanced security and usage reports
      - Activity reports
          - Audit logs: history of every task performed in your tenant.
          - Sign-ins: correlate tasks with who has executed them
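Added example, not from the talk or from Azure AD, of the kind of logic behind a "risky sign-ins" report: two constructed rules run over constructed sign-in events that carry a simplified subset of the fields a sign-in log entry exposes. The thresholds are assumptions chosen for the sample, not Identity Protection's.

```python
from datetime import datetime, timedelta

# Constructed sign-in events carrying a simplified subset of the fields an
# Azure AD sign-in log entry exposes (user, time, IP, country, outcome).
SIGNINS = [
    {"user": "alice@contoso.example", "time": "2020-05-27T08:02:00Z",
     "ip": "203.0.113.10", "country": "CA", "success": True},
    {"user": "alice@contoso.example", "time": "2020-05-27T08:40:00Z",
     "ip": "198.51.100.7", "country": "BR", "success": True},
    {"user": "bob@contoso.example", "time": "2020-05-27T09:00:00Z",
     "ip": "203.0.113.11", "country": "CA", "success": False},
    {"user": "bob@contoso.example", "time": "2020-05-27T09:00:30Z",
     "ip": "203.0.113.11", "country": "CA", "success": False},
    {"user": "bob@contoso.example", "time": "2020-05-27T09:01:00Z",
     "ip": "203.0.113.11", "country": "CA", "success": True},
    {"user": "carol@contoso.example", "time": "2020-05-27T10:00:00Z",
     "ip": "203.0.113.12", "country": "CA", "success": True},
    {"user": "carol@contoso.example", "time": "2020-05-28T10:00:00Z",
     "ip": "203.0.113.12", "country": "CA", "success": True},
]

def _when(event: dict) -> datetime:
    return datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%SZ")

def find_risky_signins(events, travel_window=timedelta(hours=2),
                       fail_threshold=2, fail_window=timedelta(minutes=5)):
    """Flag sign-ins that look like someone other than the account owner.
    Rule 1, atypical travel: two successful sign-ins by one user from different
    countries closer together than travel_window.
    Rule 2, guessing: fail_threshold or more failures within fail_window right
    before a success. Thresholds are constructed, not Identity Protection's.
    """
    by_user = {}
    for event in sorted(events, key=_when):
        by_user.setdefault(event["user"], []).append(event)
    findings = []
    for user, user_events in by_user.items():
        last_ok, failures = None, []
        for event in user_events:
            now = _when(event)
            if not event["success"]:
                failures.append(now)
                continue
            if (last_ok and event["country"] != last_ok["country"]
                    and now - _when(last_ok) <= travel_window):
                findings.append({"user": user, "risk": "atypical travel",
                                 "detail": f"{last_ok['country']} then {event['country']}"
                                           f" within {now - _when(last_ok)}"})
            burst = [t for t in failures if now - t <= fail_window]
            if len(burst) >= fail_threshold:
                findings.append({"user": user, "risk": "failures before success",
                                 "detail": f"{len(burst)} failures from {event['ip']}"})
            last_ok, failures = event, []
    return findings
```

Running `find_risky_signins(SIGNINS)` flags alice (Canada then Brazil 38 minutes apart) and bob (two failures right before a success) while carol, who signs in from one country a day apart, is not reported.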
  48. Azure AD Premium - Advanced group access management
      - Dynamic groups
      - Group creation permission delegation
      - Group naming policy
      - Group expiration
      - Usage guidelines
      - Default classification
  50. Group creation permission delegation
      - Allow users in the organization to create and manage groups.
      - This is usually on for everyone by default.
      - To prevent group sprawl, it can be restricted to a few members.
      - Users allowed to create groups require Premium licenses.
  52. Group naming policy
      - Prefix-suffix naming policies
          - Fixed: e.g. group_[GroupName]
          - User attributes: e.g. O365G [Department] [GroupName]
          - Supported: [Department], [Company], [Office], [StateOrProvince], [CountryOrRegion], [Title].
      - Blocked words
          - List of phrases to be blocked in group names and aliases, e.g. CEO, projectX.
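Added example, not the talk's or Azure AD's own code, of how a naming policy like the one on the slide is applied to a requested group name: attribute tokens are rendered from the creating user, and blocked words reject the request. The policy, users and the matching rules (case-insensitive substring match on the user-entered part, empty attributes dropped) are assumptions.

```python
import re

# Constructed naming policy in the shape the slide describes: a prefix and
# suffix built from the creating user's attributes, plus blocked words.
# Matching behaviour is an assumption (blocked words compared case-insensitively
# as substrings of the user-entered part; empty attributes are simply dropped).
SUPPORTED_ATTRIBUTES = {"Department", "Company", "Office",
                        "StateOrProvince", "CountryOrRegion", "Title"}
NAMING_POLICY = {
    "prefix": "O365G [Department] ",
    "suffix": " [CountryOrRegion]",
    "blocked_words": ["CEO", "projectX", "payroll"],
}

def render_affix(template: str, creator: dict) -> str:
    """Replace [Attribute] tokens with the creating user's attribute values."""
    def substitute(match):
        attr = match.group(1)
        if attr not in SUPPORTED_ATTRIBUTES:
            raise ValueError(f"[{attr}] is not a supported naming attribute")
        return creator.get(attr) or ""
    return re.sub(r"\[(\w+)\]", substitute, template)

def check_blocked_words(requested_name: str, policy: dict) -> list:
    """Return the blocked words present in the user-entered name, if any."""
    lowered = requested_name.lower()
    return [word for word in policy["blocked_words"] if word.lower() in lowered]

def apply_naming_policy(requested_name: str, creator: dict,
                        policy: dict = NAMING_POLICY) -> str:
    """Reject blocked words, then wrap the requested name in prefix/suffix."""
    hits = check_blocked_words(requested_name, policy)
    if hits:
        raise ValueError("group name contains blocked word(s): " + ", ".join(hits))
    name = (render_affix(policy["prefix"], creator) + requested_name
            + render_affix(policy["suffix"], creator))
    return " ".join(name.split())   # tidy spaces left by empty attributes

# Constructed creating users.
ALICE = {"Department": "Sales", "CountryOrRegion": "CA"}
BOB = {"Department": "Finance"}   # no CountryOrRegion set

if __name__ == "__main__":
    print(apply_naming_policy("Q3 Planning", ALICE))   # O365G Sales Q3 Planning CA
    print(apply_naming_policy("Budget 2021", BOB))     # O365G Finance Budget 2021
    try:
        apply_naming_policy("Meet the CEO", ALICE)
    except ValueError as err:
        print("rejected:", err)
```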
  53. Group expiration
      - Groups can be set to expire after a certain period of inactivity.
      - Active groups are automatically renewed based on activities in:
          - SharePoint (view, edit, move, share or upload)
          - Outlook (join, read/write a group message from the group space, like a message in OWA)
          - Teams (visit a Teams channel)
      - Owners of groups near expiration receive email notifications 30/15/1 days prior to expiry and can renew the group by just clicking in the email.
  55. Usage guidelines
      - Provide guidelines for using groups on group creation.
      - Can be defined for guests and internal users.
      - The link is shown in any area where groups can be created.
  57. Default group classification
      - Define your information classification for groups, for example: Top Secret, Confidential, Operational, Public
      - Set a default classification for new groups
  58. Azure AD Premium - Conditional Access
      - Conditional Access based on group, location and device status
      - Azure Information Protection integration
      - SharePoint limited access
      - Terms of Use (set up terms of use for specific access)
      - Multi-factor authentication with Conditional Access
      - Third-party identity governance partner integration
  60. Azure AD Premium - Conditional Access
  62. Azure Information Protection
      - Classify and secure information based on labels.
      - Enforce certain rules such as forwarding, printing, etc.
      - Integrates with Conditional Access to ensure content with a specific label is accessed only under specific conditions.
  64. SharePoint limited access
      - Using Conditional Access, you can set up rules that prevent access to SharePoint sites and OneDrive for users in certain groups or under certain conditions.
      - Access can be limited globally or on a per-site basis.
      - Advanced scenarios for types of actions such as restricting editing, browse-only view of files, limiting file previews, etc.
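Added example, not the talk's or Azure AD's own code, of how the Conditional Access controls on slides 58 and 64 combine for one sign-in: policies keyed on group, location and device status are evaluated together, any block wins, grant controls such as MFA accumulate, and a session control (SharePoint limited access) is layered on top. The named location, policies and sign-in contexts are constructed; the combination rules are a simplification of the product's behaviour.

```python
import ipaddress

# Constructed tenant configuration (not from the talk): one trusted named
# location and three policies covering the controls the slides list.
TRUSTED_LOCATIONS = {"HQ office": ["203.0.113.0/24"]}
POLICIES = [
    {"name": "Require MFA outside trusted locations",
     "conditions": {"location": "untrusted"}, "grant": ["require_mfa"]},
    {"name": "Finance only from managed devices",
     "conditions": {"groups": ["Finance"]}, "grant": ["require_managed_device"]},
    {"name": "SharePoint browse-only on unmanaged devices",
     "conditions": {"apps": ["SharePoint"], "device": "unmanaged"},
     "session": ["limited_access"]},
]

def is_trusted_location(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net)
               for nets in TRUSTED_LOCATIONS.values() for net in nets)

def is_managed(device: dict) -> bool:
    # Intune-compliant or hybrid Azure AD joined counts as managed.
    return bool(device.get("compliant") or device.get("hybrid_joined"))

def policy_applies(policy: dict, ctx: dict) -> bool:
    cond = policy["conditions"]
    if cond.get("groups") and not set(cond["groups"]) & set(ctx["groups"]):
        return False
    if cond.get("apps") and ctx["app"] not in cond["apps"]:
        return False
    if cond.get("location") == "untrusted" and is_trusted_location(ctx["ip"]):
        return False
    if cond.get("device") == "unmanaged" and is_managed(ctx["device"]):
        return False
    return True

def evaluate(ctx: dict, policies=POLICIES) -> dict:
    """Combine every matching policy: a block wins, grant controls accumulate,
    and session controls are layered on top of whatever is granted."""
    grants, sessions, matched = set(), set(), []
    for policy in policies:
        if policy_applies(policy, ctx):
            matched.append(policy["name"])
            grants.update(policy.get("grant", []))
            sessions.update(policy.get("session", []))
    if "block" in grants or ("require_managed_device" in grants
                             and not is_managed(ctx["device"])):
        decision = "block"   # an unmanaged device cannot satisfy the control
    elif "require_mfa" in grants:
        decision = "require_mfa"
    else:
        decision = "allow"
    return {"decision": decision, "session": sorted(sessions), "policies": matched}

# Constructed sign-in contexts: compliant device in the office, a remote
# unmanaged laptop, and a Finance user on the same kind of unmanaged laptop.
IN_OFFICE = {"groups": ["Sales"], "ip": "203.0.113.5",
             "device": {"compliant": True}, "app": "SharePoint"}
REMOTE_BYOD = {"groups": ["Sales"], "ip": "198.51.100.7", "device": {}, "app": "SharePoint"}
FINANCE_BYOD = {"groups": ["Finance"], "ip": "198.51.100.8", "device": {}, "app": "SharePoint"}
```

`evaluate(IN_OFFICE)` allows with no session control, `evaluate(REMOTE_BYOD)` requires MFA and returns the `limited_access` session control, and `evaluate(FINANCE_BYOD)` blocks because the managed-device requirement cannot be met.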
  66. Terms of use
      - Present legal disclaimers or terms of use for legal or compliance purposes.
      - Track who has accepted/declined the terms of use
      - Associate by group or Conditional Access policy
  68. Azure AD Premium (P2 – need to buy)
      - Identity Protection
          - Vulnerabilities and risky account detection
          - Risk event investigation
          - Risk-based Conditional Access policies
      - Identity Governance
          - Privileged Identity Management (PIM)
          - Access reviews
          - Entitlement management
  70. Key next steps
      - Ensure you have M365 Business.
      - Leverage key resources to get started: Microsoft Tech Community, Microsoft Docs, partners
      - Have a plan; no need to light everything up on day one.
      - Consider change management/adoption
  71. Thank you for joining us! Do you have any questions? Let’s connect! @mikeware_tena
