1. MICROSOFT 365
Virtual MARATHON
May 27 & 28, 2020
36 hours / 2 days
What small businesses need to know about
Azure AD premium
Miguel A. Tena
Office 365 Consultant, 2toLead
@mikeware_tena
Broughtto youby:
TheGlobalMicrosoft Community
M365VirtualMarathon.com| #M365VM

2. MICROSOFT 365
Virtual MARATHON
May 27 & 28, 2020
36 hours / 2 days
Mark Your Calendars:
March 23-25, 2021
MGM Grand Resort
Las Vegas, Nevada, USA
M365Conf.com
#M365CONF
TheSharePoint Conferenceis nowTheMicrosoft 365 CollaborationConference
Broughtto youby:
TheGlobalMicrosoft Community
M365VirtualMarathon.com| #M365VM

3. Thank you to all our generous sponsors

4.  Miguel A. Tena
 Office 365 Consultant, 2toLead / Digital Workplace Crusader
 Participated in TAP for Office 12, immigrated to Canada in 2010.
 Focused on M365, Identity, and SharePoint/Teams.
 Born in Mexico City, “se habla Español”
LET ME INTRODUCE MYSELF…
Broughtto youby:
TheGlobalMicrosoft Community
M365VirtualMarathon.com| #M365VM

5.  Visit the Vendors Booth, Sessions and Watch the Videos
 Submit Your Answers to Enter the Raffle
 You need at least 5 correct answers then submit for a chance to win one of 3
(One in each Americas, APAC, EMEA)
ARE YOU READY FOR A RAFFLE?
We are giving away 3 Oculus Quest All In One!
https://bit.ly/m365raffle

6. CONSIDER DONATING TO THE FOLLOWING CHARITY RELIEF FUNDS:
UNITED WAY OR INTERNATIONAL MEDICAL CORPS
THANK YOU FOR JOINING US!
10% OF FUNDS FROM SPONSORS GO TO SUPPORT COMMUNITY RELIEF
United Way: https://give.uwkc.org/M365VM
International Medical Corps: https://bit.ly/MedicalCorpsFund

7. Broughtto youby:
TheGlobalMicrosoft Community
M365VirtualMarathon.com| #M365VM
https://www.microsoft.com/en-ca/microsoft-365/blog/2020/03/30/new-microsoft-365-
offerings-small-and-medium-sized-businesses/

9. In April 2020, nothing changed.
Broughtto youby:
TheGlobalMicrosoft Community
M365VirtualMarathon.com| #M365VM

10. Or did it…
Broughtto youby:
TheGlobalMicrosoft Community
M365VirtualMarathon.com| #M365VM

11. Or did it…
Broughtto youby:
TheGlobalMicrosoft Community
M365VirtualMarathon.com| #M365VM

12. May 27 & 28, 2020
Miguel Tena | EN
#M365VM
LET’S CHAT ABOUT…
 What is Microsoft 365 Business? Is it right for my business?
 What is Azure AD (Premium)?
 Pain points of the “new normal”
 Where can Azure AD Premium help my business?
 Key next steps
Broughtto youby:
TheGlobalMicrosoft Community
M365VirtualMarathon.com| #M365VM

13.  M365 = Productivity + Device Management + Security
 Productivity = Office 365
 Device Management = Intune
 Azure Active Directory = Security
 Business suite for < 300 seats (licenses)
What is Microsoft 365 Business? Is it right for my business?

14.  Azure AD is your cloud-based identity and access management service.
 If you have Office 365 or M365, you already have one.
 Can help you secure:
 External Resources: Azure, Office 365, 1000s of other SaaS Applications
 Internal Resources: apps in your organization
What is Azure AD?

15. Free
Office 365 Apps
Premium P1
Premium P2
Four “flavors” of Azure AD.

16.  Remote work is exploding, but the pandemic only accelerated an
existing trend of the “gig” economy.
 Global Talent Pool
 Onboarding/Offboarding
 Just enough access
 Work from anywhere
Opportunities and Pain Points of the “new normal”

17.  Safeguard corporate assets and information in a geo-dispersed
organization
 Monitoring for information, security and device management
 Auditing, compliance and security
Opportunities and Pain Points of the “new normal”

18.  Reduce your time to productivity
 Provision assets (corporate/BYOD)
 Provision access (guest/Internal)
Opportunities and Pain Points of the “new normal”

19.  Ensuring the right people have the right access to apps and information
 Standardize for creation, naming and use of groups for improving productivity
and governance.
 Support a remote workforce by simplifying tasks such as password resets,
access to company resources, etc.
Where can Azure AD Premium help my business?

20.  Single Sign on (SSO)
 User (and group) management
 Device Registration
 Cloud Authentication
 Azure AD Connect Sync
 Self Service Password change for cloud
accounts
 Password Protection (Global banned
password)
 Azure AD Join for desktop SSO
 Multi Factor Authentication
 Basic reporting
 Azure AD B2B
Core Services in Azure AD

21.  Single Sign on (SSO)
 User (and group) management
 Device Registration
 Cloud Authentication
 Azure AD Connect Sync
 Self Service Password change for cloud
accounts
 Password Protection (Global banned
password)
 Azure AD Join for desktop SSO
 Multi Factor Authentication
 Basic reporting
 Azure AD B2B
Core Services in Azure AD

22. AZURE AD REGISTERED VS JOINED DEVICES
Join Model Ownership
Org sign in
to device
required?
Applies to: SSO Device Management
Azure AD
Registered User/Org No
BYOD, Mobile
Win 10, iOS,
Android, MacOS
Cloud Only Resources MDM (Intune)
Azure AD Joined Org Yes
Windows 10
Devices
Cloud + On-Premises
Resources
MDM, Co-managed with
Intune + Endpoint Config
Manager
Hybrid Azure AD
Joined Org Yes
Win 7-10, Win
Server 2008 R2 -
2019
Cloud + On-Premises
Resources
GPO, SCCM and/or Intune

23.  Single Sign on (SSO)
 User (and group) management
 Device Registration
 Cloud Authentication
 Azure AD Connect Sync
 Self Service Password change for
cloud accounts
 Password Protection (Global banned
password)
 Azure AD Join for desktop SSO
 Multi Factor Authentication
 Basic reporting
 Azure AD B2B
Core Services in Azure AD

24.  AD Connect Sync
 Synchronize identities (users/groups) from your
on-premises Active Directory
 Sign-in methods:
 Password Hash sync (auth on cloud using
sync)
 Passthrough Auth (auth happens on-prem
using agent)
 Federated auth (ADFS)
 AD Connect Health
 Monitor Federation service health
Azure AD Connect

25. What auth method to use?

26.  Single Sign on (SSO)
 User (and group) management
 Device Registration
 Cloud Authentication
 Azure AD Connect Sync
 Self Service Password change for
cloud accounts
 Password Protection (Global banned
password)
 Azure AD Join for desktop SSO
 Multi Factor Authentication
 Basic reporting
 Azure AD B2B
Core Services in Azure AD

27. Free
Office 365 Apps
Premium P1
Premium P2
Four “flavors” of Azure AD.

28.  Branding (login/logout)
 Self Service Password reset for cloud accounts
 Backed by SLA
 Device write-back
I & AM for Office 365 apps - Azure AD

29.  Branding (login/logout)
 Self Service Password reset for cloud accounts
 Backed by SLA
 Device write-back
I & AM for Office 365 apps - Azure AD

30.  Provide a personalized experience
 Hint for avoiding being “phished”
 Culture starts at the door. In remote work
environments, sign-in page is the doormat.
Apply your brand to your sign-in experience

31.  Branding (login/logout)
 Self-service password reset for cloud accounts
 Backed by SLA
 Device write-back
I & AM for Office 365 apps - Azure AD

32.  Branding (login/logout)
 Self Service Password reset for cloud accounts
 Backed by SLA
 Device write-back
I & AM for Office 365 apps - Azure AD

33.  Branding (login/logout)
 Self Service Password reset for cloud accounts
 Backed by SLA
 Device write-back (two-way)
I & AM for Office 365 apps - Azure AD

34. Free
Office 365 Apps
Premium P1
Premium P2
Four “flavors” of Azure AD.

35.  Password protection (custom banned password)
 Password protection for Windows Server Active
Directory (global & custom banned password)
 Self-service password reset/change/unlock with on-
premises write-back
 Group access management
 Microsoft Cloud App Discovery
 Azure AD Join: MDM auto-enrolment & local admin
policy customization
 Azure AD Join: self-service bitlocker recovery,
enterprise state roaming
 Advanced security and usage reports
Azure AD Premium (P1 - Now Included!!!)

36.  Password protection (custom banned password)
 Password protection for Windows Server Active
Directory (global & custom banned password)
Azure AD Premium – Password Protection

37. • Users reset their expired or non-expired password without admin or helpdesk for support.
• Writeback allows management of on-premises passwords and lockout though the cloud.
• Activity reports for
• SSPR Registration
• Password Resets
Azure AD Premium – Self Service Password Management

38.  Password protection (custom banned password)
 Password protection for Windows Server Active
Directory (global & custom banned password)
 Group access management
 Microsoft Cloud App Discovery
 Azure AD Join: MDM auto-enrolment & local admin
policy customization
 Azure AD Join: self-service bitlocker recovery,
enterprise state roaming
 Advanced security and usage reports
Azure AD Premium (P1 - Now Included!!!)

39.  Provide access to:
 Cloud Apps
 On-premises apps (requires App Proxy)
 Resources: role assignments in Azure,
Office 365, other SaaS apps, etc.
 Groups synced from on-prem are managed
there.
 Distribution lists and email enabled groups are
managed in Exchange admin center or M365
Admin portal.
Azure AD Premium - Group access management

40.  Direct assignment
 Group assignment
 Rule-based assignment
 (aka Dynamic groups)
 External authority
 On-premises AD or other SaaS apps
manage group membership
Azure AD Premium – Types of Rights Assignment

41.  Enable remote users to (SSO) access on-premises
(internal network) resources from a remote client.
 Instead of VPN, uses a Proxy Service in Azure and a
connector on premises.
 Can be used with:
 Web Applications that use Integrated
Windows Auth, form based or header-based
access
 Web APIs
 Applications hosted behind a Remote
Desktop Gateway
 Rich client apps using ADAL.
Azure AD Premium – Application Proxy

42.  Password protection (custom banned password)
 Password protection for Windows Server Active
Directory (global & custom banned password)
 Group access management
 Microsoft Cloud App Discovery
 Azure AD Join: MDM auto-enrolment & local admin
policy customization
 Azure AD Join: self-service bitlocker recovery,
enterprise state roaming
 Advanced security and usage reports
Azure AD Premium (P1 - Now Included!!!)

43.  Monitor and assess usage of Cloud Applications
your workforce uses.
 Detect shadow IT, risky usage and suspicious
activities.
 Apply governance for sanctioned/unsanctioned
apps.
 It analyzes traffic logs and can report on over
16k known apps.
 Integration with major proxy/firewall (Zcaler,
Juniper, etc.) and Microsoft Defender ATP
 Can enforce access to applications using
Conditional Access Policies
Azure AD Premium – Cloud App Discovery

44.  Password protection (custom banned password)
 Password protection for Windows Server Active
Directory (global & custom banned password)
 Group access management
 Microsoft Cloud App Discovery
 Azure AD Join: MDM auto-enrolment & local admin
policy customization
 Azure AD Join: self-service bitlocker recovery,
enterprise state roaming
 Advanced security and usage reports
Azure AD Premium (P1 - Now Included!!!)

45.  MDM auto-enrolment & local admin policy
customization
 Enforce enrolment to your MDM (Intune) to manage device and
set up policies
 Configure local admins to support Help Desk and IT personnel
to access devices
 Self-service bitlocker recovery
 Users can retrieve their bitlocker key without requiring help
desk/IT Support
 Enterprise state roaming
 Ability to take settings (apps/themes/etc.) across devices
Azure AD Premium – Azure AD Join

46.  Password protection (custom banned password)
 Password protection for Windows Server Active
Directory (global & custom banned password)
 Group access management
 Microsoft Cloud App Discovery
 Azure AD Join: MDM auto-enrolment & local admin
policy customization
 Azure AD Join: self-service bitlocker recovery,
enterprise state roaming
 Advanced security and usage reports
Azure AD Premium (P1 - Now Included!!!)

47.  Security Reports
 Users flagged for risk
 user accounts that might be compromised
 Risky sign-ins
 Sign-in attempts by others than the owner of
account
Advanced security and usage reports
All types of Azure AD licenses provide some level of reporting. Premium licenses allow for additional details
and/or control.

48.  Activity Reports
 Audit logs
 History of every task performed in your
tenant.
 Sign-ins
 Correlate tasks with who has executed them
Advanced security and usage reports

49.  Dynamic groups
 Group creation permission delegation
 Group naming policy
 Group expiration
 Usage guidelines
 Default classification
Azure AD Premium - Advanced Group access management

50.  Dynamic groups
 Group creation permission delegation
 Group naming policy
 Group expiration
 Usage guidelines
 Default classification
Azure AD Premium - Advanced Group access management

51.  Allow users in the organization to create and manage groups.
 This is usually on for everyone by default.
 To prevent group sprawl, can be restricted to a few members.
 Users allowed to create groups require Premium licenses.
Group creation permission delegation

52.  Dynamic groups
 Group creation permission delegation
 Group naming policy
 Group expiration
 Usage guidelines
 Default classification
Azure AD Premium - Advanced Group access management

53.  Prefix-suffix naming policies
 Fixed
 group_[GroupName]
 User attributes
 I.E. O365G [Department] [GroupName]
 Supported: [Department], [Company], [Office],
[StateOrProvince], [CountryOrRegion], [Title].
 Blocked words
 List of phrases to be blocked in group names and
aliases
 I.E: CEO, projectX.
Group Naming Policy

54.  Groups can be set to expire after a certain period of
inactivity
 Active groups are automatically renews based on
activities in:
 SharePoint (view, edit, move, share or upload)
 Outlook (Join, read/write group message from group
space, Like message in OWA)
 Teams: Visit a Teams Channel
 Owners of groups near expiration receive email
notifications 30/15/1 day prior to expiry and can renew
group by just clicking on the email.
Group Expiration

55.  Dynamic groups
 Group creation permission delegation
 Group naming policy
 Group expiration
 Usage guidelines
 Default classification
Azure AD Premium - Advanced Group access management

56.  Provide guidelines for using groups on group creation.
 Can be defined for Guests and internal users.
 Link is shown on any area where groups can be created.
Usage Guidelines

57.  Dynamic groups
 Group creation permission delegation
 Group naming policy
 Group expiration
 Usage guidelines
 Default classification
Azure AD Premium - Advanced Group access management

58.  Define your Information classification for groups
 For example:
 Top Secret
 Confidential
 Operational
 Public
 Set a Default Classification for new groups
Default Group Classification

59.  Conditional Access based on group, location and device status
 Azure Information Protection integration
 SharePoint limited access
 Terms of Use (set up terms of use for specific access)
 Multi-factor authentication with conditional access
 Third-party identity governance partners integration
Azure AD Premium - Conditional Access

60.  Conditional Access based on group, location and device status
 Azure Information Protection integration
 SharePoint limited access
 Terms of Use (set up terms of use for specific access)
 Multi-factor authentication with conditional access
 Third-party identity governance partners integration
Azure AD Premium - Conditional Access

61. Azure AD Premium - Conditional Access

62.  Conditional Access based on group, location and device status
 Azure Information Protection integration
 SharePoint limited access
 Terms of Use (set up terms of use for specific access)
 Multi-factor authentication with conditional access
 Third-party identity governance partners integration
Azure AD Premium - Conditional Access

63.  Classify and secure information based on labels.
 Enforce certain rules such as forwarding,
printing, etc.
 Integrates with Conditional Access to ensure
content of a specific label is accessed based on
specific conditions.
Azure Information Protection

64.  Conditional Access based on group, location and device status
 Azure Information Protection integration
 SharePoint limited access
 Terms of Use (set up terms of use for specific access)
 Multi-factor authentication with conditional access
 Third-party identity governance partners integration
Azure AD Premium - Conditional Access

65.  Using Conditional Access, you can set up rules that
prevent access to SharePoint sites and OneDrive from
users in certain groups, or conditions.
 The access can be limited globally, or per-site basis.
 Advanced scenarios for types of actions such as
restricting editing, browse only view of files, limit file
previews, etc.
SharePoint limited access

66.  Conditional Access based on group, location and device status
 Azure Information Protection integration
 SharePoint limited access
 Terms of Use (set up terms of use for specific access)
 Multi-factor authentication with conditional access
 Third-party identity governance partners integration
Azure AD Premium - Conditional Access

67.  Present legal disclaimers or terms of use for legal
or compliance.
 Track who has accepted/declined Terms of use
 Associate by group or conditional access policy
Terms of use

68. Free
Office 365 Apps
Premium P1
Premium P2
Four “flavors” of Azure AD.

69.  Identity protection
 Vulnerabilities and risky accounts detection
 Risk events investigation
 Risk-based Conditional Access policies
 Identity Governance
 Privileged Identity Management (PIM)
 Access reviews
 Entitlement management
Azure AD Premium (P2 – need to buy)

70. Free
Office 365 Apps
Premium P1
Premium P2
Four “flavors” of Azure AD.

71.  Ensure you have M365 Business.
 Leverage key resources to get started:
 Microsoft Tech Community
 Microsoft Docs
 Partners
 Have a plan, no need to light everything up on day one.
 Consider change management/adoption
Key next steps

72. MICROSOFT 365
Virtual MARATHON
May 27 & 28, 2020
36 hours / 2 days
THANK YOU FOR JOINING US!
DO YOU HAVE ANY QUESTIONS?
Let’s Connect!
@mikeware_tena
Broughtto youby:
TheGlobalMicrosoft Community
M365VirtualMarathon.com| #M365VM

73. ICON STORE SLIDE #1

74. ICON STORE SLIDE #2