Securing Teams with Microsoft 365 Security for remote work

2. Agenda

3. Introduction
Trusted network-based security is no longer an adequate option
when organizations are looking to securely block potential threats.
With a required remote workforce, and the spread of shadow IT,
the rapid rise of cybercrime - companies must find unique ways to
effectively secure their cloud applications portfolio.
Businesses Should I
• Cloud and SaaS Sprawl
• Shadow/Stealth IT
• Rapid Obsolescence of Network-based Security Architecture
• Continued Threat of Cybercrime

4. Zero Trust
Cybersecurity is steadily becoming an arms race.
Improvements in detection, protection, and response are
met with more diverse and effective attack tactics. There is
no impermeable perimeter. It’s not a matter of if, but when,
there will be an incident — you may have already been
hacked but just don’t know it yet.
The Zero Trust framework is the pragmatic model for
today’s hostile reality that includes a mindset, operating
model, and architecture tuned to the threat.
The best way to prep and implement a new security
framework is to start with “no trust but verify” model. The
model has been promoted by Forrester as “Zero Trust”
since 2010.
"Every service request made by a user or machine is
properly authenticated, authorized, and encrypted
end-to-end."

5. Microsoft 365: A Path to Zero Trust and Secure Cloud Services
Microsoft has identified 12 key tasks to help security teams implement the most important security capabilities as quickly
as possible with remote work in mind.
1) Enable Azure multi-factor authentication
(MFA)
2) Protect against threats in Office 365
3) Configure Office 365 advanced threat
protection
4) Configure Azure advanced threat protection
5) Turn on Microsoft Advanced Threat Protection
6) Configure intune mobile app protection for
phones and tablets
7. Configure MFA and conditional access for
guests, including intune mobile app
protection
8. Enroll PCs into Device Management and
require compliant PCs
9. Optimize your network for cloud connectivity
10. Train Users
11. Get started with Microsoft cloud app security
12. Monitor for threats and take action

6. Security Capabilities
& Licensing
Utilizing our enterprise plans, Microsoft recommends
you complete the tasks listed in the following table
that apply to your service plan.
If, instead of purchasing a Microsoft 365 enterprise
plan, you are combining subscriptions, note the
following:
• Microsoft 365 E3 includes Enterprise Mobility +
Security (EMS) E3 and Azure AD P1
• Microsoft 365 E5 includes EMS E5 and Azure AD
P2
Task
All Office 365
Enterprise Plans
Microsoft 365
E3
Microsoft
365 E5
1. Enable Azure Multi-factor Authentication
(MFA)
  
2. Protect Against Threats In Office 365   
3. Configure Office 365 Advanced Threat
Protection

4. Configure Azure Advanced Threat
Protection (ATP)

5. Turn On Microsoft Advanced Threat
Protection

6. Configure Intune Mobile App Protection
For Phones And Tablets
 
7. Configure MFA And Conditional Access
For Guests, Including Intune Mobile App
Protection
 
8. Enroll Pcs Into Device Management And
Require Compliant Pcs
 
9. Optimize Your Network For Cloud
Connectivity
  
10. Train Users   
11. Get Started With Microsoft Cloud App
Security
  
12. Monitor For Threats And Take Action   

7. 1. Enable Azure Multi-Factor
Authentication (MFA)
The single best thing you can do to improve security for employees
working from home is to turn on MFA. If you don't already have
processes in place, treat this as an emergency pilot and make sure you
have support folks ready to help employees who get stuck.
Recommendations:
For organizations without Azure AD P1 or P2
• Enable Security defaults in Azure AD
• Security defaults in Azure AD include MFA for users and
administrators
For organizations with Azure AD P1 (Microsoft 365 E3)
• Require MFA for administrators
• Require MFA for all users
• Block legacy authentication
For organizations with Azure AD P2 (Microsoft 365 E5)
• Require MFA when sign-in risk is medium or high
• Block clients that don't support modern authentication
• High risk users must change password

8. 2. Protect Against Threats In
Office 365
•
•
•

9. 3. Configure Office 365
Advanced Threat Protection
(E5 Only)
•
•
•

10. 4. Configure Azure Advanced
Threat Protection (ATP)
•
•
•
•

11. 5. Turn on Microsoft Threat
Protection (E5 Only)
Now that you have Office 365 ATP and Azure ATP configured, you can
view the combined signals from these capabilities in one dashboard.
Microsoft Threat Protection (MTP) brings together alerts, incidents,
automated investigation and response, and advanced hunting across
workloads (Azure ATP, Office 365 ATP, Microsoft Defender ATP, and
Microsoft Cloud App Security) into a single pane at
security.microsoft.com.

12. 6. Configure Intune Mobile App
Protection For Phones And
Tablets (E3 And E5)
Microsoft Intune Mobile Application Management (MAM), now known as
Endpoint Manager, allows you to manage and protect your organization's
data on phones and tablets without managing these devices (BYOD).
Here's How It Works:
• Create an App Protection Policy (APP) that determines which apps on
a device are managed and what behaviors are allowed (such as
preventing data from a managed app from being copied to an
unmanaged app). Create one policy for each platform (iOS, Android).
• After creating the app protection policies, enforce these by creating a
conditional access rule in Azure AD to require approved apps and APP
data protection.
Start With Common Identity And Device
Management Policies
Use the article located here to get started. It illustrates the
recommended set of policies. It shows which tier of protections
each policy applies to and whether the policies apply to PCs or
phones and tablets, or both categories of devices.

13. 7. Configure MFA &
Conditional Access for Guests,
Including Intune App
Protection (E3 And E5)
Next, ensure you can continue to collaborate and work with guests. If you're
using the Microsoft 365 E3 plan and implemented MFA for all users, you're
set.
If you're using the Microsoft 365 E5 plan and you're taking advantage of
Azure Identity Protection for risk-based MFA, you need to make a couple of
adjustments (because Azure AD Identity protection doesn't extend to guests):
• Create a new conditional access rule to always require MFA for guests
and external users.
• Update the risk-based MFA conditional access rule to exclude guests and
external users.
Use guidance from Updating the common policies to allow and protect guest
and external access to understand how guest access works with Azure AD
and to update the affected policies.
The Intune mobile app protection policies you created, together with the
conditional access rule to require approved apps and APP protection, apply
to guests accounts and will help protect your organization data.

14. 8. Enroll PCs Into Device Management
& Require Compliant PCs (E3 And E5)
There are several methods to enroll your workforce's devices. Each
method depends on the device's ownership (personal or corporate), device
type (iOS, Windows, Android), and management requirements (resets,
affinity, locking).
After enrolling devices, use the guidance in Common identity and device
access policies to create these policies:
• Define device-compliance policies - The
recommended settings for Windows 10 include requiring antivirus
protection. If you have Microsoft 365 E5, use Microsoft Defender
Advanced Threat Protection to monitor the health of employee devices.
Be sure compliance policies for other operating systems include
antivirus protection and end-point protection software.
• Require compliant PCs - This is the conditional access rule in Azure
AD that enforces the device compliance policies.
Only one organization can manage a device, so be sure to exclude guest
accounts from the conditional access rule in Azure AD. If you don't exclude
guest and external users from policies that require device compliance,
these policies will block these users. For more information, see updating
the Common Policies” to allow and protect guest and external access

15. 9. Optimize Your Network For
Cloud Connectivity
If you are rapidly enabling the bulk of employees to work from home, this
sudden switch of connectivity patterns can have a significant impact on
corporate network infrastructure, here is why:
• Many networks were scaled and designed before cloud services were
adopted.
• In many cases, networks were not designed to be used remotely by all users
simultaneously.
• Central internet bandwidth and network security stack are strained under
additional user load from additional “hairpin” network usage.
This results in poor performance and productivity, and a poor user experience.
Some protections are provided by the cloud apps your users are accessing. If
you've implemented cloud security controls for M365 services and data you
have controls in place and may be ready to route remote users' traffic directly to
O365. If you still require a VPN link for access to other apps, you can improve
performance and user experience by implementing split tunneling.
Most organizations are running lots of business-critical apps on-premises, many
of which may not be accessible from outside the corporate network. Azure AD
Application Proxy is a ligh
go here.

16. 10. Train Users
When users don't know about threat protection features at work in your
organization, they can get frustrated by protection features that are perceived
as slowing them down or preventing them from getting their work done. In
addition, if they know ahead of time what to watch for with respect to
suspicious email messages or URLs, they'll be far less likely to open
questionable artifacts. Training users can save your users and security
operations team a lot of time and frustration.
Microsoft 365 Resources:
Concept Resources
Microsoft 365
Learning Pathways Site These resources can help you
put together training for end users in your organization
Microsoft 365
Security
Learning module: Secure your organization with built-in,
intelligent security from Microsoft 365 This module
enables you to describe how Microsoft 365 security
features work together and to articulate the benefits of
these security features.
Multi-factor
Authentication
Two-step verification: What is the additional verification
page? This article helps end users understand what
multi-factor authentication is and why it's being used at
your organization.

17. 11. Get Started With Microsoft
Cloud App Security
(E5 Uses Full MCAS)
Microsoft Cloud App Security provides rich visibility, control over
data travel, and sophisticated analytics to identify and combat
cyberthreats across all your cloud services.
Once you get started with Cloud App Security, anomaly detection
policies are automatically enabled, but Cloud App Security has an
initial learning period of 7 days during which not all anomaly
detection alerts are raised.
Get Started With Cloud App Security Now:
• QuickStart: Get started with Cloud App Security
• Get instantaneous behavioral analytics and anomaly
detection
• Learn more about Microsoft Cloud App Security
• Review new features and capabilities
• See basic setup instructions

18. 12. Monitor For Threats & Take
Action
Microsoft 365 includes several ways to monitor status and take
appropriate actions.
Your best starting point is the Microsoft 365 Security Center, where you
can view your organization's Microsoft Secure Score, and any alerts or
entities that require your attention.
Get Started:
• Get Started With The Microsoft 365 Security Center
• Monitor And View Reports
• See The Security Portals In Microsoft 365

19. Q&A
.
Mark Dobberstein
Practice Architect, Modern Workplace
Microsoft National Business Unit
Email: Mark.Dobberstein@Perficient.com
Connect: LinkedIn.com/in/mark-
dobberstein-6103a1/