What’s New in Office 365 Security | Vasil Michev | 22 June 2017 10:45 – 11:30
Follow us:
#O365ENGAGE17
About me
Vasil Michev
vasil@michev.info
https://www.linkedin.com/in/michev/
www.michev.info/blog
MS Cloud strategist @ QUADROtech
Office Servers and Services MVP
Security: Keys to success
• Governance & Security Policy
• Administrative Privilege Management
• Identity Systems and Identity Management
• Threat Awareness
• Data Protection
Microsoft’s role
• Microsoft’s responsibility is to:
• Keep the platform up and running
• Keep the platform secure
• Keep the platform compliant
• Respect data privacy
• Data residency and sovereignty
• German cloud (intro), with France and South Africa regions to follow
• Transparent operations
• Customer controls
Transparency via the Trust Center
The core tenets of our approach to earning and
maintaining your trust are:
Built-in security
• Service-level security through defense-in-depth
• Customer controls within the service
• Security hardening and operational best practices
Privacy by design
• Your data is not used for advertising
• You have extensive privacy controls
• You can take your data with you when you want
Continuous compliance
• Proactive processes to meet your compliance needs
• Customer controls for organizational compliance
• Independently verified to meet evolving standards
Transparent operations
• You know where your data resides and who has access
• Visibility into availability and changes to the service
• Financially backed guarantee of 99.9% uptime
With Office 365, it’s your data. You own it. You control it.
And it is yours to take with you if you decide to leave the
service.
Office 365 Trust Center
Cloud Service Trust Portal
Compliance reports across all Microsoft Cloud services
Security reports and FAQ documents
Cloud Service assurance portal
New in Exchange Online
• Modern authentication support for ExO PowerShell!
• Tricky to automate, more in the MA session
• Modern authentication support for the HCW
• eDiscovery moved to SCC
• Search-Mailbox still available
• Events from email (and how to disable them)
• Connectors and actionable messages:
• Disable org-wide: Set-OrganizationConfig -ConnectorsEnabled:$false
• Disable per-group: Set-UnifiedGroup group@contoso.com -ConnectorsEnabled:$false
• Disable per mailbox: not possible
• Disable actionable messages: Set-OrganizationConfig -ConnectorsActionableMessagesEnabled:$false
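The cmdlets above are one-liners; what a practitioner usually wants is the audit-then-disable-then-verify sequence around them. The block below is an added example, not from the deck. It assumes an open Exchange Online remote PowerShell session with Organization Management rights, and that Get-UnifiedGroup exposes the ConnectorsEnabled property that Set-UnifiedGroup sets.

```powershell
# Added example: audit and disable connectors / actionable messages in Exchange Online.
# Assumes an existing Exchange Online PowerShell session (Organization Management).

# 1. Record the current state before changing anything.
$org = Get-OrganizationConfig
$org | Select-Object ConnectorsEnabled, ConnectorsActionableMessagesEnabled

# 2. Org-wide kill switch: no Office 365 Group can receive connector cards.
Set-OrganizationConfig -ConnectorsEnabled:$false

# 3. Alternative: keep the org-wide switch on and opt out individual groups.
#    Enumerate every group; -ResultSize Unlimited matters above 1000 groups.
$groupsWithConnectors = Get-UnifiedGroup -ResultSize Unlimited |
    Where-Object { $_.ConnectorsEnabled -eq $true }

foreach ($g in $groupsWithConnectors) {
    Write-Host "Disabling connectors on $($g.PrimarySmtpAddress)"
    Set-UnifiedGroup -Identity $g.Identity -ConnectorsEnabled:$false
}

# 4. Actionable messages are a separate switch and stay on unless disabled explicitly.
Set-OrganizationConfig -ConnectorsActionableMessagesEnabled:$false

# 5. Verify: both org flags should read False, and the group count should be 0.
Get-OrganizationConfig | Select-Object ConnectorsEnabled, ConnectorsActionableMessagesEnabled
(Get-UnifiedGroup -ResultSize Unlimited | Where-Object { $_.ConnectorsEnabled }).Count
```

Per-mailbox disabling is not possible, as the slide says; the per-group loop is the finest granularity available.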
New in Exchange Online - CBA
• Azure AD doesn’t natively support CBA
• Federation enables CBA as primary or secondary factor
• ADAL enables “non-browser” applications to support it
• EAS-based bypass now supported (Dec 2016)
• No need for Modern Auth or federation!
• EAS server terminates the TLS channel
• EAS server sends the certificate to Azure AD
• Azure AD verifies cert chain, CRL, UPN, and issues token
• Configure Azure AD trusted certificate authority
• Upload certificate chain
• Configure CRL URLs (externally accessible!)
• Provision certificates with UPN or the RFC822 Name value to identify the user
• Revocation is tricky/manual
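The three configuration steps above (trust the CA, publish the CRL, put the UPN in the certificate) are done against Azure AD with the AzureAD PowerShell module. The block below is an added example, not from the deck. It assumes the AzureAD module is installed, the account holds Global Administrator, the CA file path and the CRL URL are placeholders for your own PKI, and a sample user certificate is available to inspect.

```powershell
# Added example: register an issuing CA for Azure AD certificate-based authentication
# and check the two things that commonly break it (public CRL, UPN in the cert).
# Assumes the AzureAD module; paths, CA name and URLs are placeholders.
Connect-AzureAD

$certPath = 'C:\PKI\ContosoIssuingCA.cer'
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)

$ca = New-Object -TypeName Microsoft.Open.AzureAD.Model.CertificateAuthorityInformation
$ca.AuthorityType       = 'IntermediateAuthority'   # 'RootAuthority' for the root CA
$ca.TrustedCertificate  = $cert.GetRawCertData()
# Azure AD downloads the CRL itself, so this URL must answer from the public
# internet over plain HTTP; an intranet-only CRL makes every logon fail.
$ca.CrlDistributionPoint = 'http://crl.contoso.com/ContosoIssuingCA.crl'

New-AzureADTrustedCertificateAuthority -CertificateAuthorityInformation $ca

# Verify what Azure AD now trusts, and that the CRL endpoint is reachable from outside.
Get-AzureADTrustedCertificateAuthority | Format-List AuthorityType, CrlDistributionPoint
Invoke-WebRequest -Uri $ca.CrlDistributionPoint -Method Head -UseBasicParsing

# A user certificate must carry the UPN (or RFC822 name) Azure AD matches on.
$userCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2('C:\PKI\alice.cer')
$upn = $userCert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::UpnName, $false)
if (-not $upn) { Write-Warning 'No UPN in the SAN; Azure AD cannot map this certificate to a user' }
$upn
```

Revocation follows from the CRL setting: Azure AD only learns a certificate is revoked when the published CRL says so, so revoking a user in practice means updating and republishing the CRL and waiting for Azure AD to fetch it, which is the manual step the slide refers to.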
New in Exchange Online
• DG conversion/migration
• O365 Groups and Teams compliance improvements
• Outlook mobile move to Azure infrastructure
• No more AWS, all data stored in the mailbox
• No more cached passwords, or any data
• Azure component translates Outlook API <-> Rest API
• Auto-expanding archives
• “Archive” folder
• Set-CASMailboxPlan
• Modern attachment handling improvements
New in EOP/ATP
• Safe Links in Office 365 ProPlus DEMO
• Office 2016 Pro Plus client 16.0.7967 and above required
• Safe Links Policy Enhancements
• Org-wide policies vs. custom policies
• Per-tenant Block List
• Increased URL character limit
• Wildcard capability for domains and handles
• URL trace (mail works, Office does not)
• Removal of Safe Links rewrite for Outlook Client(s)
• Malware policy changes
• Quarantine/user notifications
• Common attachment type filtering
• Quarantine breakdown
• View headers or message body
New in EOP/ATP
• Threat intelligence
• Threat protection status with advanced analytics
• Threat explorer
• Incidents
• Spoof intelligence and Spoof Mail report
• Dynamic delivery and URL detonation
• DBEB support for MEPF
• Settings moved to SCC
• New reports in the SCC
• Dashboard, schedule, export
Resources:
Threat explorer demo: https://www.youtube.com/watch?v=krFAjIkD66M
Steve’s sessions:
https://office365engage.com/sessions/options-staying-compliant-exchange-online/
https://office365engage.com/sessions/using-exchange-online-classify-secure-mail/
Brian’s sessions:
https://office365engage.com/sessions/protecting-advanced-threats-email/
https://office365engage.com/sessions/protecting-users-email-spoofing-phishing/
New in SharePoint Online/ODFB
• SPO/ODFB new admin centers DEMO
• Sharing improvements:
• New Share dialog
• Default link type
• Permission level for guest links
• Per-Security group sharing restrictions
• DLP policy tips within the Share dialog
• Conditional access policies for Sites and Apps
• SPO PowerShell MFA support (PnP PowerShell too)
• Revoke session
• IRM improvements coming
• Customer controlled encryption keys for SharePoint Online (gone now…)
New in Skype for Business Online
• Create/modify policies
• PowerShell only
• Limited set of parameters
• Fresh: external policies
• SfBO PowerShell MFA support
• Reports being deprecated Oct 1st: Get-CsActiveUserReport, Get-CsClientDeviceReport, Get-CsConferenceReport, Get-CsP2PSessionReport, Get-CsAVConferenceTimeReport, Get-CsP2PAVTimeReport
• Replaced with Get-CsUserSession
• Also available in the new SfBO portal Reports section
• And in UI form via: https://adminportal.services.skypeforbusiness.com/
• Self-service portal (PIN and caller-ID): https://mysettings.lync.com/pstncalling
• Relaxed port requirements (50000-59999)
New in the O365 Admin portal
• New reporting API
• Old webservices and PowerShell cmdlets deprecated
• Links to other admin portals (PowerApps, Flow, CAS)
• New service controls: Teams, Docs.com, StaffHub, ToDo
• Centralized add-in deployment
• Guest user management in the portal
• Setup wizards
https://portal.office.com/adminportal/home#/FindWizards
Mastering Office 365 Data Governance
Office 365 Compliance Data Lifecycle (diagram): Ingestion of data outside Office 365 -> In-Place data creation, retention and archiving -> In-Place eDiscovery -> Auditing -> Export
New in Data governance and compliance
• Unified DLP management
• Simplified policy creation
• Policy deployment delay (1h SLA)
• Delay in processing new content (SPO indexing)
• DLP events in the Audit log
• Policy tips in Office, SPO, ODFB
• Email notifications and Reports
• Custom sensitive types
• Coming soon:
• DLP Policy Recommendations
• DLP on by default
• Real-time policy tips in SPO/ODFB Sharing dialog
• DLP availability in China/Germany clouds
New in Data governance and compliance
• Unified eDiscovery
• Content searches and eDiscovery cases
• Search for externally shared content DEMO
• Search specific folder only DEMO
• Search permissions filters DEMO
• Compliance boundaries
• Search all case content
• No “copy to Discovery mailbox” functionality
• Exporting results
• Max concurrency: 8x processor cores – 512
• PST size: max 10GB
• RMS decrypt (email only)
• Export mail to single folder
• OCR in advanced eDiscovery
New in O365 – SCC
• Recently added in the SCC
• Search for users/user summary
• Alert policies (see Alan’s session for demos)
• Classify, label, retain
• New Audit events
• Supervisory review V2 DEMO
• Supervisory report
• Accessing supervisory mailboxes in Outlook
• Still no ADAL support for PowerShell
• Coming soon:
• Manual disposition
• Events based retention
New in ASM and CAS
• User Groups and Accounts
• External Users group
• Productivity app discovery
• App permissions
• SIEM connector
• Potential ransomware activity template
• CAS PowerShell module*
• AIP integration (filter by label, apply RMS as action)*
• File actions (+admin quarantine)*
with data anonymization*
Coming soon:
Role Based Access Control
Teams event support*
SfBO event support
PowerBI event support
Yammer event support
More Azure AD events
EU datacenter expansion
Reset AAD password/revoke tokens as action
App Permission Alerts
Roadmap and Release notes
New in Azure AD
• Azure AD blade in the ARM portal
• User restrictions
• Azure AD PowerShell module
• Office 365 Group settings
• Administrative units
• Tenant restrictions
Report available here
• Reporting role announced
• Security questions as SSPR method
• Pass-through authentication and SSO (Brian’s session)
• AD FS is still a viable choice
Modern authentication
• Set of standards-based, open-source APIs
• OAuth 2.0 (authorization) + OpenID Connect (authentication)
• Support for 3rd party (STSes + directories + 2FAs + …)
• Enables tenant restrictions, Conditional access, PTA, …
• Access/refresh token model
• Client side uses ADAL (with MSAL now in preview)
• MSOIDCRL => ADAL (OAuth based auth stack)
• Unified experience across apps and devices
• Proper support for 2FA
• Support for user consent (with admin control!)
• No more basic auth in Outlook, no more app passwords!
• Office apps share the token
Azure AD + Modern authentication
• Configurable token lifetimes
• Access token: 10 mins to 1 day
• Refresh token: 10 mins to 90 days*
• Revoke refresh tokens
• Token is invalidated by
• Conditional access
• Password changes, pwdLastSet attribute
• Account disabled or deleted (for federated)
• Downgrade of device state (Compliant => Managed => Registered)
• Modern authentication support for PowerShell
• Azure AD Privileged Identity Management
• Approval workflows DEMO
• Azure AD Identity Protection
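The token lifetime ranges and the refresh-token revocation above map onto two AzureAD module cmdlets. The block below is an added example, not from the deck. It assumes the AzureAD module with Global Administrator rights; the policy name and the user are placeholders, and the lifetimes chosen sit inside the ranges the slide quotes.

```powershell
# Added example: tenant-default token lifetime policy plus per-user refresh token revocation.
# Assumes the AzureAD module; policy name and user are placeholders.
Connect-AzureAD

# Access token: 10 minutes to 1 day. Refresh token: inactivity and absolute age are
# separate caps (10 minutes to 90 days); "until-revoked" removes the absolute cap.
$definition = @'
{
  "TokenLifetimePolicy": {
    "Version": 1,
    "AccessTokenLifetime": "02:00:00",
    "MaxInactiveTime": "14.00:00:00",
    "MaxAgeMultiFactor": "30.00:00:00",
    "MaxAgeSingleFactor": "until-revoked"
  }
}
'@

New-AzureADPolicy -Definition @($definition) `
    -DisplayName 'OrgDefaultTokenLifetime' `
    -IsOrganizationDefault $true `
    -Type 'TokenLifetimePolicy'

# Confirm which policy the tenant now applies by default.
Get-AzureADPolicy | Where-Object { $_.IsOrganizationDefault } |
    Select-Object DisplayName, Type, Definition

# Incident response: cut off a user's sessions. This invalidates every refresh
# token issued to the user before now. Access tokens already in hand remain valid
# until they expire (at most AccessTokenLifetime), which is why a short access
# token lifetime is the other half of this control.
$user = Get-AzureADUser -ObjectId 'alice@contoso.com'
Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId
```

The revocation covers only tokens issued by Azure AD; an app holding a still-valid access token keeps working until that token expires, and conditional access or a device-state downgrade re-evaluates on the next refresh, not instantly.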
Conditional access
• Claims rules for EvoSTS
• Conditions include:
• User, Device, App, Location claims
• “Premium” risk claims
• Actions include:
• Block
• Allow with MFA
• Apply session restrictions
• SaaS apps also supported
• Requires modern authentication
• Block legacy auth and disable app passwords!
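Conditional access only sees clients that speak modern authentication, so the last bullet is the one that actually closes the gap. On the Exchange Online side the control available for this is a client access rule. The block below is an added example, not from the deck. It assumes an Exchange Online PowerShell session, uses 203.0.113.0/24 and 198.51.100.7 as placeholder addresses, and creates the rule disabled so it can be simulated before it bites.

```powershell
# Added example: deny basic authentication to Exchange Online from outside a corporate
# egress range, testing the rule before enabling it. Addresses are placeholders.

# 1. Simulate before changing anything. Test-ClientAccessRule evaluates the current
#    rule set for a hypothetical connection without touching the tenant.
Test-ClientAccessRule -AuthenticationType BasicAuthentication -Protocol OutlookAnywhere `
    -RemoteAddress 198.51.100.7 -RemotePort 443 -User alice@contoso.com

# 2. Create the rule disabled. Basic auth from the excepted range is still allowed,
#    which keeps a (non-modern-auth) admin PowerShell session from the office working.
New-ClientAccessRule -Name 'Deny basic auth from outside corp' `
    -Action DenyAccess `
    -AnyOfAuthenticationTypes BasicAuthentication `
    -ExceptAnyOfClientIPAddressesOrRanges 203.0.113.0/24 `
    -Priority 1 `
    -Enabled $false

# 3. Enable once you have confirmed the simulation returns DenyAccess for an
#    external address and AllowAccess for an address inside the excepted range.
Set-ClientAccessRule -Identity 'Deny basic auth from outside corp' -Enabled $true

# 4. Verify the resulting rule set.
Get-ClientAccessRule | Format-Table Name, Priority, Enabled, Action, AnyOfAuthenticationTypes
```

Two caveats: a DenyAccess rule that matches your own session locks you out, so connect from the excepted range or use a modern-auth session when you enable it; and this rule covers Exchange Online only. App passwords are a separate switch in the Azure MFA service settings, and SharePoint Online and Skype for Business Online need their own legacy-auth controls.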
Conditional access Demos
New in AD FS 2016
• SHA256 support for the Office 365 RPT
• Simplified conditional access (Claims rules => Access control policies)
• New/improved options for Passwordless login
• Azure MFA as primary
• CBA as primary
• Device auth as primary
• Windows Hello as primary (Hybrid only)
• Configurable token lifetime based on device or KMSI
• Better handling of token revocation (Password changes/account disabled
or deleted/downgrade of device state)
• Support for OAuth 2.0 (including the on-behalf-of flow), OpenID Connect and generic LDAP v3 directories
Azure Information Protection
• Classify, Label, Protect
• GA’d Oct 4th
• Azure RM portal blade GA’d just recently
• Not related to the labels in the SCC, yet
• BRK2127, BRK2128 and BRK3095
• Scoped policies
• Scoped protection templates
• Collaborate with other tenants
• Auto-apply
• Coming soon:
• SPO/ODFB IRM improvements
• New email encryption model
Azure Information Protection
• AIP client and Office add-in
• Replaces the RMS Sharing tool
• Still some rough edges
• Azure RMS usage logs
• Document tracking Portal DEMO
• Real-time statistics
• Real-time email notifications
• Admin mode
• Revoke access
• RMS protection cmdlets
• MFA support across all RMS clients
Office 365 Secure score
• Started as PowerShell module end of 2015
• Public Preview August 2016 (announcement)
• 77 controls audited initially
• Reached GA February 2017 (announcement)
• Accessed via https://securescore.office.com/
• Recommendations, resources and workflows
• Not integrated within the O365/SCC portal
• Secure Score API
• Coming soon
• Ability to tag a control as met by a 3rd party solution
• Ability to ignore a control
https://office365engage.com/sessions/black-belting-office-365-security-secure-score/
Other audit tools
• Self-service tools
• Advanced Privacy Options for Administrators
• Office 365 Customer Security Considerations User Guide
• Office 365 Customer Security Considerations Workbook
• Service Assurance portal
• Independent parties audit
• Breakdown to individual controls
• FAQs and Whitepapers
• Risk Management Reports
• Enterprise mobility assessment
General Data Protection Regulation
• Users gain control over their personal data
• Right to be forgotten
• Right to data portability
• Right to restrict or object to processing of personal data
• Right to be informed of data breaches
• Companies must
• Identify and secure personal data
• Meet new transparency requirements
• Detect and report personal data breaches
• Train privacy personnel and employees
• Due in less than a year (May 25, 2018)
• Whitepaper: https://aka.ms/emsgdprwhitepaper
General Data Protection Regulation
• Azure Information Protection
• Data classification, labeling and protection. In-place!
• Monitor usage and revoke access
• SCC will follow the same model?
• Security and Compliance built-in within the O365 workloads
• eDiscovery, retention, DLP, supervision, etc
• Azure AD Premium
• MFA, Conditional access, auditing and alerts
• Privileged Identity Management
• Intune
• Device and app management
• ASM, CAS and ATA
• Gain visibility of data and protect against breaches
Whitepapers: “How Microsoft EMS can support you in your journey to EU GDPR compliance” and “Protecting Office 365 Data in a Modern World”
Questions? | Thank You!
Vasil Michev
vasil@michev.info
We’d like to know what you think!
Please fill out the evaluation form you
received at the registration desk for this
session
Session recordings and materials:
Materials will be available on
Office365Engage.com soon