What small businesses need to know about Azure AD premium


Description

In this session I reflect on what Azure AD brings to the table for small businesses and introduce the key services in each tier of the identity platform that improve your security posture, streamline onboarding/offboarding and enhance productivity through governance.

Transcript

  1. MICROSOFT 365 Virtual MARATHON, May 27 & 28, 2020, 36 hours / 2 days. What small businesses need to know about Azure AD premium. Miguel A. Tena, Office 365 Consultant, 2toLead, @mikeware_tena. Brought to you by: The Global Microsoft Community, M365VirtualMarathon.com | #M365VM
  2. Mark your calendars: March 23-25, 2021, MGM Grand Resort, Las Vegas, Nevada, USA. M365Conf.com, #M365CONF. The SharePoint Conference is now The Microsoft 365 Collaboration Conference.
  3. Thank you to all our generous sponsors
  4. Let me introduce myself…
     • Miguel A. Tena
     • Office 365 Consultant, 2toLead / Digital Workplace Crusader
     • Participated in TAP for Office 12, immigrated to Canada in 2010.
     • Focused on M365, Identity, and SharePoint/Teams.
     • Born in Mexico City, “se habla Español”
  5. Are you ready for a raffle? We are giving away 3 Oculus Quest All In One!
     • Visit the vendor booths and sessions and watch the videos
     • Submit your answers to enter the raffle
     • You need at least 5 correct answers, then submit for a chance to win one of 3 (one in each of Americas, APAC, EMEA)
     • https://bit.ly/m365raffle
  6. Thank you for joining us! 10% of funds from sponsors go to support community relief. Consider donating to the following charity relief funds: United Way (https://give.uwkc.org/M365VM) or International Medical Corps (https://bit.ly/MedicalCorpsFund)
  7. https://www.microsoft.com/en-ca/microsoft-365/blog/2020/03/30/new-microsoft-365-offerings-small-and-medium-sized-businesses/
  8. In April 2020, nothing changed.
  9. Or did it…
  11. Let’s chat about… (May 27 & 28, 2020, Miguel Tena | EN, #M365VM)
     • What is Microsoft 365 Business? Is it right for my business?
     • What is Azure AD (Premium)?
     • Pain points of the “new normal”
     • Where can Azure AD Premium help my business?
     • Key next steps
  12. What is Microsoft 365 Business? Is it right for my business?
     • M365 = Productivity + Device Management + Security
     • Productivity = Office 365
     • Device Management = Intune
     • Azure Active Directory = Security
     • Business suite for < 300 seats (licenses)
  13. What is Azure AD?
     • Azure AD is your cloud-based identity and access management service.
     • If you have Office 365 or M365, you already have one.
     • It can help you secure:
       - External resources: Azure, Office 365, thousands of other SaaS applications
       - Internal resources: apps in your organization
  14. Four “flavors” of Azure AD: Free, Office 365 Apps, Premium P1, Premium P2.
  15. Opportunities and pain points of the “new normal”
     • Remote work is exploding, but the pandemic only accelerated an existing trend: the “gig” economy.
     • Global talent pool
     • Onboarding/offboarding
     • Just enough access
     • Work from anywhere
  16. Opportunities and pain points of the “new normal”
     • Safeguard corporate assets and information in a geo-dispersed organization
     • Monitoring for information, security and device management
     • Auditing, compliance and security
  17. Opportunities and pain points of the “new normal”
     • Reduce your time to productivity
     • Provision assets (corporate/BYOD)
     • Provision access (guest/internal)
  18. Where can Azure AD Premium help my business?
     • Ensuring the right people have the right access to apps and information
     • Standardize the creation, naming and use of groups to improve productivity and governance.
     • Support a remote workforce by simplifying tasks such as password resets, access to company resources, etc.
  19. Core services in Azure AD
     • Single sign-on (SSO)
     • User (and group) management
     • Device registration
     • Cloud authentication
     • Azure AD Connect sync
     • Self-service password change for cloud accounts
     • Password protection (global banned password list)
     • Azure AD Join for desktop SSO
     • Multi-factor authentication
     • Basic reporting
     • Azure AD B2B
  21. Azure AD registered vs joined devices
     • Azure AD Registered: ownership user/org; org sign-in to device required: no; applies to BYOD and mobile (Win 10, iOS, Android, macOS); SSO to cloud-only resources; device management via MDM (Intune)
     • Azure AD Joined: ownership org; org sign-in to device required: yes; applies to Windows 10 devices; SSO to cloud + on-premises resources; device management via MDM, co-managed with Intune + Endpoint Configuration Manager
     • Hybrid Azure AD Joined: ownership org; org sign-in to device required: yes; applies to Win 7-10 and Windows Server 2008 R2 - 2019; SSO to cloud + on-premises resources; device management via GPO, SCCM and/or Intune
  23. Azure AD Connect
     • AD Connect Sync: synchronize identities (users/groups) from your on-premises Active Directory
     • Sign-in methods:
       - Password hash sync (authentication happens in the cloud against the synced hash)
       - Pass-through authentication (authentication happens on-premises through an agent)
       - Federated authentication (AD FS)
     • AD Connect Health: monitor federation service health
  24. What auth method to use?
  27. I & AM for Office 365 apps - Azure AD
     • Branding (login/logout)
     • Self-service password reset for cloud accounts
     • Backed by SLA
     • Device write-back (two-way)
  29. Apply your brand to your sign-in experience
     • Provide a personalized experience
     • A hint for avoiding being “phished”
     • Culture starts at the door. In remote work environments, the sign-in page is the doormat.
  34. Azure AD Premium (P1 - now included!!!)
     • Password protection (custom banned password list)
     • Password protection for Windows Server Active Directory (global & custom banned password lists)
     • Self-service password reset/change/unlock with on-premises write-back
     • Group access management
     • Microsoft Cloud App Discovery
     • Azure AD Join: MDM auto-enrolment & local admin policy customization
     • Azure AD Join: self-service BitLocker recovery, Enterprise State Roaming
     • Advanced security and usage reports
  35. Azure AD Premium – Password Protection
     • Password protection (custom banned password list)
     • Password protection for Windows Server Active Directory (global & custom banned password lists)
  36. Azure AD Premium – Self-Service Password Management
     • Users reset their expired or non-expired password without admin or helpdesk support.
     • Write-back allows management of on-premises passwords and lockouts through the cloud.
     • Activity reports for SSPR registration and password resets
  38. Azure AD Premium - Group access management
     • Provide access to:
       - Cloud apps
       - On-premises apps (requires Application Proxy)
       - Resources: role assignments in Azure, Office 365, other SaaS apps, etc.
     • Groups synced from on-premises are managed there.
     • Distribution lists and mail-enabled groups are managed in the Exchange admin center or the M365 admin portal.
  39. Azure AD Premium – Types of rights assignment
     • Direct assignment
     • Group assignment
     • Rule-based assignment (aka dynamic groups)
     • External authority: on-premises AD or other SaaS apps manage group membership
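As an added example that is not part of the deck, this is what the rule-based assignment above looks like when written out with the AzureAD PowerShell module: a dynamic security group whose membership is computed from a user attribute, so onboarding and offboarding follow the HR-maintained attribute instead of a hand-edited member list. The department value, group name and the sample user UPN are constructed placeholders; the module and cmdlets are the AzureAD module's own.

```powershell
# Added example, not from the deck: create a rule-based (dynamic) security group
# with the AzureAD PowerShell module. Requires Azure AD P1; sign in first.
Connect-AzureAD

# Constructed values: adjust the department and names to your tenant.
$department  = 'Sales'
$displayName = "SG-Dynamic-$department"

# Membership rule: only enabled users whose department attribute matches.
# Azure AD recalculates membership itself; nobody edits the member list by hand,
# so a leaver whose account is disabled drops out of the group automatically.
$rule = "(user.department -eq `"$department`") -and (user.accountEnabled -eq true)"

$group = New-AzureADMSGroup `
    -DisplayName $displayName `
    -Description "Dynamic group for $department; membership driven by user.department" `
    -MailEnabled $false `
    -MailNickname ($displayName -replace '[^A-Za-z0-9]', '') `
    -SecurityEnabled $true `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule $rule `
    -MembershipRuleProcessingState 'On'

# Validate the rule against a known user before the group is used for app or role
# assignment: once membership processing has run, the user should be listed.
$user = Get-AzureADUser -ObjectId 'jane.doe@contoso.example'   # constructed sample user
Get-AzureADGroupMember -ObjectId $group.Id |
    Where-Object { $_.ObjectId -eq $user.ObjectId }
```

Membership processing is asynchronous, so the final check may return nothing for a few minutes after creation; the group's MembershipRuleProcessingState must read On for the rule to be evaluated at all.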
  40. Azure AD Premium – Application Proxy
     • Enable remote users to access (with SSO) on-premises (internal network) resources from a remote client.
     • Instead of a VPN, it uses a proxy service in Azure and a connector on-premises.
     • Can be used with:
       - Web applications that use Integrated Windows Authentication, form-based or header-based access
       - Web APIs
       - Applications hosted behind a Remote Desktop Gateway
       - Rich client apps using ADAL
  42. Azure AD Premium – Cloud App Discovery
     • Monitor and assess usage of the cloud applications your workforce uses.
     • Detect shadow IT, risky usage and suspicious activities.
     • Apply governance for sanctioned/unsanctioned apps.
     • It analyzes traffic logs and can report on over 16k known apps.
     • Integration with major proxies/firewalls (Zscaler, Juniper, etc.) and Microsoft Defender ATP
     • Can enforce access to applications using Conditional Access policies
  44. Azure AD Premium – Azure AD Join
     • MDM auto-enrolment & local admin policy customization
       - Enforce enrolment in your MDM (Intune) to manage devices and set up policies
       - Configure local admins so Help Desk and IT personnel can access devices
     • Self-service BitLocker recovery: users can retrieve their BitLocker key without requiring help desk/IT support
     • Enterprise State Roaming: ability to take settings (apps/themes/etc.) across devices
  46. Advanced security and usage reports
     All types of Azure AD licenses provide some level of reporting. Premium licenses allow for additional details and/or control.
     • Security reports
       - Users flagged for risk: user accounts that might be compromised
       - Risky sign-ins: sign-in attempts by someone other than the owner of the account
  47. Advanced security and usage reports
     • Activity reports
       - Audit logs: history of every task performed in your tenant
       - Sign-ins: correlate tasks with who executed them
  48. Azure AD Premium - Advanced group access management
     • Dynamic groups
     • Group creation permission delegation
     • Group naming policy
     • Group expiration
     • Usage guidelines
     • Default classification
  50. Group creation permission delegation
     • Allow users in the organization to create and manage groups.
     • This is usually on for everyone by default.
     • To prevent group sprawl, it can be restricted to a few members.
     • Users allowed to create groups require Premium licenses.
  52. Group naming policy
     • Prefix-suffix naming policies
       - Fixed: group_[GroupName]
       - User attributes, e.g. O365G [Department] [GroupName]
       - Supported attributes: [Department], [Company], [Office], [StateOrProvince], [CountryOrRegion], [Title]
     • Blocked words: a list of phrases to be blocked in group names and aliases, e.g. CEO, projectX.
  53. Group expiration
     • Groups can be set to expire after a certain period of inactivity.
     • Active groups are automatically renewed based on activity in:
       - SharePoint (view, edit, move, share or upload)
       - Outlook (join, read/write a group message from the group space, like a message in OWA)
       - Teams (visit a Teams channel)
     • Owners of groups near expiration receive email notifications 30/15/1 day(s) prior to expiry and can renew the group just by clicking in the email.
  55. Usage guidelines
     • Provide guidelines for using groups at group creation.
     • Can be defined for guests and internal users.
     • The link is shown in any area where groups can be created.
  57. Default group classification
     • Define your information classification for groups, for example: Top Secret, Confidential, Operational, Public
     • Set a default classification for new groups
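The governance controls from slides 50 (creation delegation), 52 (naming policy), 53 (expiration), 55 (usage guidelines) and 57 (classification) are all settings on the same object, the Group.Unified directory-settings template, plus one group lifecycle policy. The script below is an added example, not from the deck, that applies them with the AzureADPreview module. The creators' group ID, guidelines URL, notification mailbox, naming prefix and 180-day lifetime are constructed placeholders; the classification values and blocked words are the deck's own.

```powershell
# Added example, not from the deck: configure Microsoft 365 group governance
# (creation delegation, naming policy, usage guidelines, classification) through the
# Group.Unified directory-settings template, then add an expiration policy.
# Requires the AzureADPreview module and Azure AD P1; sign in first.
Connect-AzureAD

# Constructed placeholders: replace with your tenant's values.
$creatorsGroupId     = '00000000-0000-0000-0000-000000000000'   # security group allowed to create groups
$usageGuidelinesUrl  = 'https://intranet.contoso.example/group-guidelines'
$notificationMailbox = 'it-governance@contoso.example'

# A tenant holds at most one Group.Unified setting: reuse it if present, else
# create one from the template.
$setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
$isNew = $false
if (-not $setting) {
    $template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq 'Group.Unified' }
    $setting  = $template.CreateDirectorySetting()
    $isNew    = $true
}

# Slide 50: turn off group creation for everyone except members of one group.
$setting['EnableGroupCreation']         = 'False'
$setting['GroupCreationAllowedGroupId'] = $creatorsGroupId

# Slide 52: prefix/suffix naming policy using a user attribute, plus blocked words.
$setting['PrefixSuffixNamingRequirement'] = 'O365G-[Department]-[GroupName]'
$setting['CustomBlockedWordsList']        = 'CEO,projectX'

# Slide 55: usage-guidelines link shown wherever a group can be created.
$setting['UsageGuidelinesUrl']      = $usageGuidelinesUrl
$setting['GuestUsageGuidelinesUrl'] = $usageGuidelinesUrl

# Slide 57: classification list and the default applied to new groups.
$setting['ClassificationList']    = 'Top Secret,Confidential,Operational,Public'
$setting['DefaultClassification'] = 'Operational'

if ($isNew) {
    New-AzureADDirectorySetting -DirectorySetting $setting
} else {
    Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting
}

# Slide 53: expire every Microsoft 365 group after 180 days without activity;
# the mailbox receives renewal notices for groups that have no owner.
New-AzureADMSGroupLifecyclePolicy `
    -GroupLifetimeInDays 180 `
    -ManagedGroupTypes 'All' `
    -AlternateNotificationEmails $notificationMailbox

# Verify what actually landed in the tenant.
(Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }).Values
Get-AzureADMSGroupLifecyclePolicy
```

These settings govern Microsoft 365 groups (hence the Group.Unified template), which is also why the deck notes that group creators need Premium licenses. A tenant can have only one lifecycle policy; if Get-AzureADMSGroupLifecyclePolicy already returns one, change it with Set-AzureADMSGroupLifecyclePolicy -Id instead of creating a second.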
  58. Azure AD Premium - Conditional Access
     • Conditional Access based on group, location and device status
     • Azure Information Protection integration
     • SharePoint limited access
     • Terms of Use (set up terms of use for specific access)
     • Multi-factor authentication with Conditional Access
     • Third-party identity governance partner integration
  60. Azure AD Premium - Conditional Access
  62. Azure Information Protection
     • Classify and secure information based on labels.
     • Enforce rules on actions such as forwarding, printing, etc.
     • Integrates with Conditional Access to ensure content with a specific label is accessed only under specific conditions.
  64. SharePoint limited access
     • Using Conditional Access, you can set up rules that prevent access to SharePoint sites and OneDrive for users in certain groups, or under certain conditions.
     • Access can be limited globally or on a per-site basis.
     • Advanced scenarios cover types of actions such as restricting editing, browse-only viewing of files, limiting file previews, etc.
  66. Terms of use
     • Present legal disclaimers or terms of use for legal or compliance purposes.
     • Track who has accepted/declined the terms of use.
     • Associate by group or Conditional Access policy.
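As an added example that is not part of the deck, here is a Conditional Access policy of the kind slide 58 describes (group + location + device status, with MFA as the grant control), built with the Microsoft Graph PowerShell SDK. It is created in report-only mode first so that the sign-in logs show the impact before anyone is prompted or blocked, and it excludes emergency-access accounts so a misconfigured policy cannot lock administrators out. The group and account object IDs and the policy name are constructed placeholders; the cmdlets and the policy schema are Microsoft Graph's own.

```powershell
# Added example, not from the deck: require MFA (or a compliant device) for one group
# when signing in from outside trusted named locations. Uses the Microsoft Graph
# PowerShell SDK (module Microsoft.Graph.Identity.SignIns). Requires Azure AD P1.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Constructed placeholders: replace with your object IDs.
$targetGroupId      = '11111111-1111-1111-1111-111111111111'    # e.g. a dynamic "remote staff" group
$breakGlassAccounts = @('22222222-2222-2222-2222-222222222222')  # emergency-access accounts, always excluded

$policy = @{
    displayName = 'CA-Require-MFA-Untrusted-Location'
    # Report-only: the sign-in log records what the policy would have done,
    # without enforcing it while the scope and conditions are validated.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeGroups = @($targetGroupId)
            excludeUsers  = $breakGlassAccounts
        }
        applications = @{ includeApplications = @('All') }
        # "All" locations minus every trusted named location = untrusted networks only.
        locations = @{
            includeLocations = @('All')
            excludeLocations = @('AllTrusted')
        }
    }
    grantControls = @{
        # OR: a managed, compliant device satisfies the policy; BYOD must do MFA.
        operator        = 'OR'
        builtInControls = @('mfa', 'compliantDevice')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Review the stored policy; switch State to 'enabled' once the report-only
# results in the sign-in logs look right.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State 'enabled'
```

The device-status half of the policy only has an effect if devices are enrolled in Intune and a compliance policy exists; otherwise every sign-in from an untrusted location falls back to the MFA control.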
  68. Azure AD Premium (P2 – need to buy)
     • Identity Protection
       - Vulnerabilities and risky account detection
       - Risk event investigation
       - Risk-based Conditional Access policies
     • Identity Governance
       - Privileged Identity Management (PIM)
       - Access reviews
       - Entitlement management
  70. Key next steps
     • Ensure you have M365 Business.
     • Leverage key resources to get started: Microsoft Tech Community, Microsoft Docs, partners
     • Have a plan; there is no need to light everything up on day one.
     • Consider change management/adoption
  71. Thank you for joining us! Do you have any questions? Let’s connect! @mikeware_tena

Editor's Notes

  • AKA Free tier
  • Bulk add using CSV
  • Device write-back (device objects two-way synchronization between on-premises directories and Azure)
  • Banned-password examples. Global list: pass@word1. Custom list: CompanyName123, Product@Company!
  • Setting up Cloud Discovery: https://docs.microsoft.com/en-us/cloud-app-security/set-up-cloud-discovery
    https://docs.microsoft.com/en-us/cloud-app-security/editions-cloud-app-security-o365#office-365-cloud-app-security
  • Enterprise State Roaming: https://docs.microsoft.com/en-us/azure/active-directory/devices/enterprise-state-roaming-enable
  • What Azure AD license do you need to access a security report?
    All editions of Azure AD provide you with the users flagged for risk and risky sign-ins reports. However, the level of report granularity varies between the editions:
    In the Azure Active Directory Free and Basic editions, you get a list of users flagged for risk and risky sign-ins.
    The Azure Active Directory Premium 1 edition extends this model by also enabling you to examine some of the underlying risk detections for each report.
    The Azure Active Directory Premium 2 edition provides the most detailed information about the underlying risk detections and also enables you to configure security policies that automatically respond to configured risk levels.
  • Limiting SharePoint/OneDrive access: https://docs.microsoft.com/en-us/sharepoint/control-access-from-unmanaged-devices?redirectSourcePath=%252fen-us%252farticle%252fControl-access-from-unmanaged-devices-5ae550c4-bd20-4257-847b-5c20fb053622#block-or-limit-access-to-a-specific-sharepoint-site-or-onedrive
  • Securing remote work with Microsoft 365: https://techcommunity.microsoft.com/t5/small-and-medium-business-blog/practical-guide-to-securing-remote-work-using-microsoft-365/ba-p/1354772
    https://techcommunity.microsoft.com/t5/small-and-medium-business-blog/using-microsoft-365-business-premium-to-secure-your-remote/ba-p/1298623
  • Description

    In this session I reflect on what Azure AD brings to the table for small businesses an do an introduction of key services in each tier of the identity platform to improve your security posture, improve onboarding/offboarding and enhance productivity through governance.

    Transcript

    1. 1. MICROSOFT 365 Virtual MARATHON May 27 & 28, 2020 36 hours / 2 days What small businesses need to know about Azure AD premium Miguel A. Tena Office 365 Consultant, 2toLead @mikeware_tena Broughtto youby: TheGlobalMicrosoft Community M365VirtualMarathon.com| #M365VM
    2. 2. MICROSOFT 365 Virtual MARATHON May 27 & 28, 2020 36 hours / 2 days Mark Your Calendars: March 23-25, 2021 MGM Grand Resort Las Vegas, Nevada, USA M365Conf.com #M365CONF TheSharePoint Conferenceis nowTheMicrosoft 365 CollaborationConference Broughtto youby: TheGlobalMicrosoft Community M365VirtualMarathon.com| #M365VM
    3. 3. Thank you to all our generous sponsors
    4. 4.  Miguel A. Tena  Office 365 Consultant, 2toLead / Digital Workplace Crusader  Participated in TAP for Office 12, immigrated to Canada in 2010.  Focused on M365, Identity, and SharePoint/Teams.  Born in Mexico City, “se habla Español” LET ME INTRODUCE MYSELF… Broughtto youby: TheGlobalMicrosoft Community M365VirtualMarathon.com| #M365VM
    5. 5.  Visit the Vendors Booth, Sessions and Watch the Videos  Submit Your Answers to Enter the Raffle  You need at least 5 correct answers then submit for a chance to win one of 3 (One in each Americas, APAC, EMEA) ARE YOU READY FOR A RAFFLE? We are giving away 3 Oculus Quest All In One! https://bit.ly/m365raffle
    6. 6. CONSIDER DONATING TO THE FOLLOWING CHARITY RELIEF FUNDS: UNITED WAY OR INTERNATIONAL MEDICAL CORPS THANK YOU FOR JOINING US! 10% OF FUNDS FROM SPONSORS GO TO SUPPORT COMMUNITY RELIEF United Way: https://give.uwkc.org/M365VM International Medical Corps: https://bit.ly/MedicalCorpsFund
    7. 7. Broughtto youby: TheGlobalMicrosoft Community M365VirtualMarathon.com| #M365VM https://www.microsoft.com/en-ca/microsoft-365/blog/2020/03/30/new-microsoft-365- offerings-small-and-medium-sized-businesses/
    8. 8. In April 2020, nothing changed. Broughtto youby: TheGlobalMicrosoft Community M365VirtualMarathon.com| #M365VM
    9. 9. Or did it… Broughtto youby: TheGlobalMicrosoft Community M365VirtualMarathon.com| #M365VM
    10. 10. Or did it… Broughtto youby: TheGlobalMicrosoft Community M365VirtualMarathon.com| #M365VM
    11. 11. May 27 & 28, 2020 Miguel Tena | EN #M365VM LET’S CHAT ABOUT…  What is Microsoft 365 Business? Is it right for my business?  What is Azure AD (Premium)?  Pain points of the “new normal”  Where can Azure AD Premium help my business?  Key next steps Broughtto youby: TheGlobalMicrosoft Community M365VirtualMarathon.com| #M365VM
    12. 12.  M365 = Productivity + Device Management + Security  Productivity = Office 365  Device Management = Intune  Azure Active Directory = Security  Business suite for < 300 seats (licenses) What is Microsoft 365 Business? Is it right for my business?
    13. 13.  Azure AD is your cloud-based identity and access management service.  If you have Office 365 or M365, you already have one.  Can help you secure:  External Resources: Azure, Office 365, 1000s of other SaaS Applications  Internal Resources: apps in your organization What is Azure AD?
    14. 14. Free Office 365 Apps Premium P1 Premium P2 Four “flavors” of Azure AD.
    15. 15.  Remote work is exploding, but the pandemic only accelerated an existing trend of the “gig” economy.  Global Talent Pool  Onboarding/Offboarding  Just enough access  Work from anywhere Opportunities and Pain Points of the “new normal”
    16. 16.  Safeguard corporate assets and information in a geo-dispersed organization  Monitoring for information, security and device management  Auditing, compliance and security Opportunities and Pain Points of the “new normal”
    17. 17.  Reduce your time to productivity  Provision assets (corporate/BYOD)  Provision access (guest/Internal) Opportunities and Pain Points of the “new normal”
    18. 18.  Ensuring the right people have the right access to apps and information  Standardize for creation, naming and use of groups for improving productivity and governance.  Support a remote workforce by simplifying tasks such as password resets, access to company resources, etc. Where can Azure AD Premium help my business?
    19. 19.  Single Sign on (SSO)  User (and group) management  Device Registration  Cloud Authentication  Azure AD Connect Sync  Self Service Password change for cloud accounts  Password Protection (Global banned password)  Azure AD Join for desktop SSO  Multi Factor Authentication  Basic reporting  Azure AD B2B Core Services in Azure AD
    20. 20.  Single Sign on (SSO)  User (and group) management  Device Registration  Cloud Authentication  Azure AD Connect Sync  Self Service Password change for cloud accounts  Password Protection (Global banned password)  Azure AD Join for desktop SSO  Multi Factor Authentication  Basic reporting  Azure AD B2B Core Services in Azure AD
    21. 21. AZURE AD REGISTERED VS JOINED DEVICES Join Model Ownership Org sign in to device required? Applies to: SSO Device Management Azure AD Registered User/Org No BYOD, Mobile Win 10, iOS, Android, MacOS Cloud Only Resources MDM (Intune) Azure AD Joined Org Yes Windows 10 Devices Cloud + On-Premises Resources MDM, Co-managed with Intune + Endpoint Config Manager Hybrid Azure AD Joined Org Yes Win 7-10, Win Server 2008 R2 - 2019 Cloud + On-Premises Resources GPO, SCCM and/or Intune
    22. 22.  Single Sign on (SSO)  User (and group) management  Device Registration  Cloud Authentication  Azure AD Connect Sync  Self Service Password change for cloud accounts  Password Protection (Global banned password)  Azure AD Join for desktop SSO  Multi Factor Authentication  Basic reporting  Azure AD B2B Core Services in Azure AD
    23. 23.  AD Connect Sync  Synchronize identities (users/groups) from your on-premises Active Directory  Sign-in methods:  Password Hash sync (auth on cloud using sync)  Passthrough Auth (auth happens on-prem using agent)  Federated auth (ADFS)  AD Connect Health  Monitor Federation service health Azure AD Connect
    24. 24. What auth method to use?
    25. 25.  Single Sign on (SSO)  User (and group) management  Device Registration  Cloud Authentication  Azure AD Connect Sync  Self Service Password change for cloud accounts  Password Protection (Global banned password)  Azure AD Join for desktop SSO  Multi Factor Authentication  Basic reporting  Azure AD B2B Core Services in Azure AD
    26. 26. Free Office 365 Apps Premium P1 Premium P2 Four “flavors” of Azure AD.
    27. 27.  Branding (login/logout)  Self Service Password reset for cloud accounts  Backed by SLA  Device write-back I & AM for Office 365 apps - Azure AD
    28. 28.  Branding (login/logout)  Self Service Password reset for cloud accounts  Backed by SLA  Device write-back I & AM for Office 365 apps - Azure AD
    29. 29.  Provide a personalized experience  Hint for avoiding being “phished”  Culture starts at the door. In remote work environments, sign-in page is the doormat. Apply your brand to your sign-in experience
    30. 30.  Branding (login/logout)  Self-service password reset for cloud accounts  Backed by SLA  Device write-back I & AM for Office 365 apps - Azure AD
    31. 31.  Branding (login/logout)  Self Service Password reset for cloud accounts  Backed by SLA  Device write-back I & AM for Office 365 apps - Azure AD
    32. 32.  Branding (login/logout)  Self Service Password reset for cloud accounts  Backed by SLA  Device write-back (two-way) I & AM for Office 365 apps - Azure AD
    33. 33. Free Office 365 Apps Premium P1 Premium P2 Four “flavors” of Azure AD.
    34. 34.  Password protection (custom banned password)  Password protection for Windows Server Active Directory (global & custom banned password)  Self-service password reset/change/unlock with on- premises write-back  Group access management  Microsoft Cloud App Discovery  Azure AD Join: MDM auto-enrolment & local admin policy customization  Azure AD Join: self-service bitlocker recovery, enterprise state roaming  Advanced security and usage reports Azure AD Premium (P1 - Now Included!!!)
    35. 35.  Password protection (custom banned password)  Password protection for Windows Server Active Directory (global & custom banned password) Azure AD Premium – Password Protection
    36. Azure AD Premium – Self Service Password Management
        • Users reset their expired or non-expired password without admin or helpdesk support.
        • Writeback allows management of on-premises passwords and account lockout through the cloud.
        • Activity reports for:
            • SSPR registration
            • Password resets
    38. Azure AD Premium - Group access management
        • Provide access to:
            • Cloud apps
            • On-premises apps (requires Application Proxy)
            • Resources: role assignments in Azure, Office 365, other SaaS apps, etc.
        • Groups synced from on-premises are managed there.
        • Distribution lists and mail-enabled groups are managed in the Exchange admin center or the M365 admin portal.
    39. Azure AD Premium – Types of Rights Assignment
        • Direct assignment
        • Group assignment
        • Rule-based assignment (aka dynamic groups)
        • External authority: on-premises AD or other SaaS apps manage group membership
    40. Azure AD Premium – Application Proxy
        • Enable remote users to access on-premises (internal network) resources with SSO from a remote client.
        • Instead of a VPN, it uses a proxy service in Azure and a connector on premises.
        • Can be used with:
            • Web applications that use Integrated Windows Authentication, form-based or header-based access
            • Web APIs
            • Applications hosted behind a Remote Desktop Gateway
            • Rich client apps using ADAL
    42. Azure AD Premium – Cloud App Discovery
        • Monitor and assess usage of the cloud applications your workforce uses.
        • Detect shadow IT, risky usage and suspicious activities.
        • Apply governance for sanctioned/unsanctioned apps.
        • It analyzes traffic logs and can report on over 16k known apps.
        • Integration with major proxies/firewalls (Zscaler, Juniper, etc.) and Microsoft Defender ATP
        • Can enforce access to applications using Conditional Access policies
    44. Azure AD Premium – Azure AD Join
        • MDM auto-enrolment & local admin policy customization
            • Enforce enrolment into your MDM (Intune) to manage devices and set up policies
            • Configure local admins so Help Desk and IT personnel can access devices
        • Self-service BitLocker recovery
            • Users can retrieve their BitLocker key without requiring help desk/IT support
        • Enterprise State Roaming
            • Ability to take settings (apps/themes/etc.) across devices
    46. Advanced security and usage reports
        • Security reports
            • Users flagged for risk: user accounts that might be compromised
            • Risky sign-ins: sign-in attempts by someone other than the owner of the account
        All types of Azure AD licenses provide some level of reporting. Premium licenses allow for additional details and/or control.
    47. Advanced security and usage reports
        • Activity reports
            • Audit logs: history of every task performed in your tenant
            • Sign-ins: correlate tasks with who has executed them
    48. Azure AD Premium - Advanced Group access management
        • Dynamic groups
        • Group creation permission delegation
        • Group naming policy
        • Group expiration
        • Usage guidelines
        • Default classification
    50. Group creation permission delegation
        • Allow users in the organization to create and manage groups.
        • This is usually on for everyone by default.
        • To prevent group sprawl, it can be restricted to a few members.
        • Users allowed to create groups require Premium licenses.
    52. Group Naming Policy
        • Prefix-suffix naming policies
            • Fixed, e.g. group_[GroupName]
            • User attributes, e.g. O365G [Department] [GroupName]
            • Supported attributes: [Department], [Company], [Office], [StateOrProvince], [CountryOrRegion], [Title]
        • Blocked words
            • List of phrases to be blocked in group names and aliases
            • E.g. CEO, projectX
    53. Group Expiration
        • Groups can be set to expire after a certain period of inactivity.
        • Active groups are automatically renewed based on activities in:
            • SharePoint (view, edit, move, share or upload)
            • Outlook (join, read/write a group message from the group space, like a message in OWA)
            • Teams (visit a Teams channel)
        • Owners of groups near expiration receive email notifications 30/15/1 days prior to expiry and can renew the group by just clicking in the email.
    55. Usage Guidelines
        • Provide guidelines for using groups at group creation.
        • Can be defined for guests and internal users.
        • The link is shown in any area where groups can be created.
    57. Default Group Classification
        • Define your information classification for groups, for example:
            • Top Secret
            • Confidential
            • Operational
            • Public
        • Set a default classification for new groups
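    The governance settings from slides 50 through 57 (creation delegation, naming policy, expiration, usage guidelines, classification) plus one rule-based group from slide 39, scripted with the AzureADPreview module. This is an added example, not the presenter's code; it assumes Connect-AzureAD has already been run as a Global Administrator, and every URL, name and the $groupCreatorsId value is a placeholder to replace. The AzureAD modules have since been superseded by Microsoft Graph PowerShell, so check the setting names against current documentation before use.

```powershell
# Added example: Microsoft 365 Groups governance with AzureADPreview (not from the slides).
# Placeholder: object id of the security group whose members may create groups (slide 50).
$groupCreatorsId = "00000000-0000-0000-0000-000000000000"

# Group.Unified is the tenant-wide settings template for Microsoft 365 Groups.
# It is created once from the template; afterwards the existing setting is edited.
$setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
if (-not $setting) {
    $template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq "Group.Unified" }
    New-AzureADDirectorySetting -DirectorySetting $template.CreateDirectorySetting() | Out-Null
    $setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
}

# Slide 50: restrict group creation to one group (its members need Premium licenses)
$setting["EnableGroupCreation"] = "False"
$setting["GroupCreationAllowedGroupId"] = $groupCreatorsId

# Slide 52: prefix with the creator's Department attribute; block sensitive words
$setting["PrefixSuffixNamingRequirement"] = "O365G_[Department]_[GroupName]"
$setting["CustomBlockedWordsList"] = "CEO,projectX"

# Slide 55: usage guideline links for members and for guests (placeholder URLs)
$setting["UsageGuidelinesUrl"] = "https://intranet.example.com/group-guidelines"
$setting["GuestUsageGuidelinesUrl"] = "https://intranet.example.com/guest-group-guidelines"

# Slide 57: classification list and the default applied to new groups
$setting["ClassificationList"] = "Top Secret,Confidential,Operational,Public"
$setting["DefaultClassification"] = "Operational"

Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting

# Slide 53: 180-day lifetime for all groups; ownerless groups notify this mailbox (placeholder)
New-AzureADMSGroupLifecyclePolicy -GroupLifetimeInDays 180 -ManagedGroupTypes "All" `
    -AlternateNotificationEmails "it-helpdesk@example.com"

# Slide 39: rule-based (dynamic) membership driven by the user's department attribute
New-AzureADMSGroup -DisplayName "Sales (dynamic)" -MailNickname "sales-dynamic" `
    -MailEnabled $false -SecurityEnabled $true -GroupTypes "DynamicMembership" `
    -MembershipRule '(user.department -eq "Sales")' -MembershipRuleProcessingState "On"
```

    Run it against a test tenant first: the naming policy and blocked-word list apply to every new group from the moment the setting is saved.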
    58. Azure AD Premium - Conditional Access
        • Conditional Access based on group, location and device status
        • Azure Information Protection integration
        • SharePoint limited access
        • Terms of Use (set up terms of use for specific access)
        • Multi-factor authentication with Conditional Access
        • Third-party identity governance partner integration
    60. Azure AD Premium - Conditional Access (diagram)
    62. Azure Information Protection
        • Classify and secure information based on labels.
        • Enforce rules such as restrictions on forwarding, printing, etc.
        • Integrates with Conditional Access to ensure content with a specific label is accessed only under specific conditions.
    64. SharePoint limited access
        • Using Conditional Access, you can set up rules that prevent access to SharePoint sites and OneDrive for users in certain groups, or under certain conditions.
        • Access can be limited globally or on a per-site basis.
        • Advanced scenarios cover types of actions, such as restricting editing, browse-only viewing of files, limiting file previews, etc.
    66. Terms of use
        • Present legal disclaimers or terms of use for legal or compliance reasons.
        • Track who has accepted/declined the terms of use.
        • Associate by group or by Conditional Access policy.
    68. Azure AD Premium (P2 – need to buy)
        • Identity Protection
            • Vulnerability and risky account detection
            • Risk event investigation
            • Risk-based Conditional Access policies
        • Identity Governance
            • Privileged Identity Management (PIM)
            • Access reviews
            • Entitlement management
    70. Key next steps
        • Ensure you have M365 Business.
        • Leverage key resources to get started:
            • Microsoft Tech Community
            • Microsoft Docs
            • Partners
        • Have a plan; there is no need to light everything up on day one.
        • Consider change management/adoption.
    71. MICROSOFT 365 Virtual MARATHON, May 27 & 28, 2020, 36 hours / 2 days. THANK YOU FOR JOINING US! DO YOU HAVE ANY QUESTIONS? Let’s Connect! @mikeware_tena. Brought to you by: The Global Microsoft Community, M365VirtualMarathon.com | #M365VM

    Editor's Notes

  • AKA Free tier
  • Bulk add using CSV
  • Device write-back (device objects two-way synchronization between on-premises directories and Azure)
  • Banned password examples. Global list: pass@word1. Custom list: CompanyName123, Product@Company!
  • Setting up Cloud Discovery: https://docs.microsoft.com/en-us/cloud-app-security/set-up-cloud-discovery
    https://docs.microsoft.com/en-us/cloud-app-security/editions-cloud-app-security-o365#office-365-cloud-app-security
  • https://docs.microsoft.com/en-us/azure/active-directory/devices/enterprise-state-roaming-enable
  • What Azure AD license do you need to access a security report?
    All editions of Azure AD provide you with users flagged for risk and risky sign-ins reports. However, the level of report granularity varies between the editions:
    In the Azure Active Directory Free and Basic editions, you get a list of users flagged for risk and risky sign-ins.
    The Azure Active Directory Premium 1 edition extends this model by also enabling you to examine some of the underlying risk detections that have been detected for each report.
    The Azure Active Directory Premium 2 edition provides you with the most detailed information about the underlying risk detections and it also enables you to configure security policies that automatically respond to configured risk levels.
  • https://docs.microsoft.com/en-us/sharepoint/control-access-from-unmanaged-devices?redirectSourcePath=%252fen-us%252farticle%252fControl-access-from-unmanaged-devices-5ae550c4-bd20-4257-847b-5c20fb053622#block-or-limit-access-to-a-specific-sharepoint-site-or-onedrive
  • https://techcommunity.microsoft.com/t5/small-and-medium-business-blog/practical-guide-to-securing-remote-work-using-microsoft-365/ba-p/1354772
    https://techcommunity.microsoft.com/t5/small-and-medium-business-blog/using-microsoft-365-business-premium-to-secure-your-remote/ba-p/1298623