Secure your environment by Conditional Access & App Controls

With the Azure AD Conditional Access feature, rules for access to Microsoft Cloud Services and other apps registered in Azure AD can be bound to conditions.

An example is the rule: When accessing with an unmanaged device, the user is prompted to use multi-factor authentication.

With the feature "Use Conditional Access App Control" as an option in the Session Controls area within Azure AD Conditional Access, advanced scenarios can be setup.

Options:

• Prevent data exfiltration
• Protect on download
• Prevent upload of unlabeled files
• Block potential malware
• Monitor user sessions for compliance
• Block access
• Block custom activities

Example:

• Automatically assign a sensitivity label when a file is downloaded.
• Filter based on regular expressions: “Include Files that match a custom expression”
• Block Upload if Maleware is detected.
• This is can be done because the Cloud App Security service then acts as a proxy for accessing the application:

Setup Conditional Access App Control

The options listed above affect all resisted apps under https://portal.cloudappsecurity.com/#/connected-apps?tab=proxy.  By default, this list is empty:

To register an app, the wizard can be used in Cloud App Security via Investigate -> Connected Apps -> Conditional Access App Control Apps. Another and much simpler way is to use a conditional access policy as an easy start:

• Azure AD Security -> Conditional Access

• New Policy

• Section „Access controls“ -> „Session“

• Use „Use Conditional Access App Control“

• Use „Use custom policy to set an advanced policy in Cloud App Security“

Configure the policy in the menus "Users and Groups" etc. that it will be applied the next time the app to be registered is started. This then results in apps that are authenticated via Azure AD being automatically registered in Cloud App Security under „Conditional Access App Control“:

The above method works for the so called featured apps. In order to make this option work for the Office 365 Featured Apps, Office 365 must be registered under "Connected Apps" in Cloud App Security:

Once an app is registered, session policies can be created that will take effect when the app is used.

Example: If the user Oliver Hardy tries to download a document from Microsoft Teams (SharePoint) that contains the term "confidential", the download is blocked.

Further scenarios

• Monitor / block activities based on file conditions like Classification Label, File Name, Files Size or File Extension
• Monitor / block activities like Cut/Copy Item, Paste Item, Print Item, Send Item
• Block downloads based on conditions
• Apply classification label to downloads
• Apply rules based on Maleware detection

Impact from the user's perspective

When opening the app, the user is notified that access is monitored by Cloud App Security. The fact that a proxy is involved can also be recognized by the URL. This now has the addition access-control.cas.ms:

If the user Oliver Hardy now tries to download a document he gets the following message:

Microsoft Cloud Services, GDPR and all the rest

The topic GDPR is still very important. Meanwhile there are also further laws like the law for the protection of company secrets in Germany (Gesetzt zum Schutz von Geschäftsgeheimnissen).

Microsoft offers customers and partners support for topics related to specifications, audits or, as in the case of the GDPR, to laws.

In fact, it can be a challenge to find your way around all the websites and portals that Microsoft provides.

Here is a current overview:

• Compliance Manager:
• Classic: The focus here is more on the legal perspective.
• New: Much more comprehensive and brings the topic of compliance score into play. The topics in the new version of the Compliance Manager can also be found in the Microsoft 365 Compliance Portal.
• Microsoft 365 GDPR Action plan: Top priorities for your first 30 days, 90 days, and beyond
• Accountability Readiness Checklist for Microsoft 365: Similar focus as the Compliance Manager Classic but provided as a website.
• Microsoft Compliance Score: Like the new Compliance Manager Portal. The focus is on compliance in general. Of course, the topic GDPR is also included here.

The Compliance Manager Classic and the Accountability Readiness Checklist focus more on the legal perspective of the topic while the new Compliance Manager Portal and the Microsoft Compliance Score use IT topics as a starting point.

Examples:

Compliance Manager Classic:

Microsoft Compliance Score:

It is not important whether the legal requirements or the IT security scenarios are started. Both perspectives, IT security and the legal aspects, show many parallels when it comes to the implementation.

Microsoft Teams -The Day After

The main aspect in the context of the current challenge with the COVID-19 situation is that ad hoc solutions are needed to keep companies operational. This includes solutions for homeoffice as well as for meetings with customers and partners.

Regardless of which technical solution is used, at the end of the day the common organizational governance topics come up during the technical planning.

If users can decide individually and independently to create new Teams and channels, invite external users and share content, chaos results.

Who is supposed to organize this again afterwards, and especially, who is supposed to decide which data and which guestuser is still needed?

The fear of this often prevents that Microsoft Teams is used. But in the current situation, solutions and platforms like Microsoft Teams are needed to keep companies and business running.

The Solution

Automated solutions to resolve governance topics such as data chaos, duplicates and orphaned guest accesses are the Azure features around the topics of Identity Governance and Lifecycle Management.

Entitlement Management

Azure AD Entitlement Management is an identity management feature-set that enables organizations to manage identity and access cycles by automating access request workflows, access assignments, reviews and expiration. The following graphic shows an example of the different elements of Azure AD Entitlement Management.

Access Package 1 includes a single Group as a resource. Access is defined with a policy that allows users from a specific Azure AD group to request access.

Access Package 2 includes a Group, an Application and a SharePoint page as resources. Access is defined by two different policies. The first policy allows a group of users in the directory to request access. The second policy allows users from another / external Azure AD to request access.

When an access package is created, we can defines how long the access remains active before it is deactivated again:

An individual access URL is generated for each package. Users then use this to activate the package for themselves:

Access Reviews & Groups Expiration Policies

Azure AD Access Reviews automate the regular review of group memberships, access to enterprise applications and role assignments. This ensures that only those people who need it continue to have access.

Overview:

When an Access Review is created, a user is assigned who must perform the review. This can also be done dynamically based on the Groups / Teams Owner. The reviewer then receives an e-mail that directs him to his upcoming reviews:

The example shows that the first two groups each have only one member and were probably created for test purposes only. The third group has 16 members. Clicking the Begin review button will show the details and the automatically generated recommendations:

Groups Expiration Policies are not shown in the Identity Governance section and must be accessed via Azure AD -> Groups -> Expiration:

Again, the group owner receives a mail in which he must confirm that the Group is still needed. If he does not do it, the Group is automatically deleted. If a Group is deleted, it is "soft-deleted". This means that it can be restored by an administrator for up to 30 days.

Further options

If all this is not sufficient to implement necessary requirements, there are extended possibilities with the features Azure AD Conditional Access and the feature App Management.

Conditional Access controls access to applications based on specific conditions. Conditional access policies are used to implement access control based on the specific context.

Example:

• Microsoft teams can only be accessed from a company device.
• E-Mail can be accessed from any device. However, if access is from outside the corporate network, multi-factor authentication is enforced.

App Management (MAM) focuses on compliance with data security policies and data protection requirements as well as actions in case of data loss.

Example:

• Data from Microsoft Teams is not allowed to be included in the iOS or Android backup.
• Access with a "jailbroken device" is blocked.

MAM without device registration or MAM-WE (WE=without enrollment) allows IT administrators to manage apps on devices that are not registered in Intune MDM.

Best Practis

At the end, it is not a question of what Azure features and functions are available, but rather what is to be achieved and what exactly the business case looks like. Therefore, start with your scenarios. The second step is then the mapping to the Azure features in order to implement the necessary governance aspects.

Microsoft Teams - technology is one thing, but...

Meanwhile, it is well known that the solution Microsoft Teams for remote and home office is very suitable. In the context of COVID-19, Microsoft has made teams available free of charge until February 2021. How you can use this offer is described in this article: Welcome to Microsoft Teams free.

This means that we now have the prerequisite that we already know from other case studies and from other industries, namely: "People are creative and help themselves". The example of a toy store was in the press in the last weeks - the shop is currently closed; however, customers can phone the owner and order toys. The owner then places the order with the butcher across the street because the butcher is still open.

The depositing of the goods at the butcher across the street and the option to pay by bank transfer is only one aspect of the whole thing. Toys can also be ordered at Amazon and are delivered to your home by the postman. The key point is the individual advice to the customer on the phone before the purchase. And it's the same with online meetings. Whether or not a Teams meeting is successful or not is not dependent on the fact that a free version of the product is now available. Preparation is the key.

Successful online meetings with Microsoft Teams

(Some features not available in the free version)

Before the meeting: Successful meetings require preparation. This is more important in an online meeting because we usually lack feedback channels such as body language etc. or have only limited access to them. Here are a few useful tips:

• What do you want to achieve in the meeting and what does your customer / partner get out of it?
• If necessary, prepare alternative options.
• As you prepare for the meeting, ask yourself: Is what I am offering relevant to my partner / customer? And if not, why not?! And if so, how do I have to communicate it so that my counterpart understands it?
• Provide information about the attendees, their roles and responsibilities etc. for all participants.
• Share the agenda and context before people get together. This allows participants to chat and share content before the meeting. This information can then be brought directly into the meeting.

After the meeting: After the meeting, all meeting content is retained for 30 days so that participants can review the meeting, continue the discussion and move forward with their work. You can return to the meeting to use the chat, meeting notes, digital whiteboard, and shared files. Nothing gets lost.

Summary

The technique is one thing. Your preparation for a meeting is the other that makes the difference in the success of an online meeting. This includes knowing the features of Microsoft Teams from the attendee perspective. Of course, the topic Security & Compliance also has an administrative perspective. The following Microsoft article summarizes these aspects: Security and Compliance in Microsoft Teams

3 more topics in the context of Microsoft Teams

In the current situation almost no day goes by without new possibilities and options to deal with the challenges around COVID-19.

Here 3 more topics in the context of Microsoft Teams:

• Microsoft Teams Interactive Demo for end users and users who have not worked with teams until now: http://teamsdemo.office.com/. In this interactive demo, you’ll get a guided tour of Teams to understand the app and learn about key features.

• Remote collaboration with Microsoft teams: https://docs.microsoft.com/de-de/microsoftteams/support-remote-work-with-teams
• How to quickly optimize Office 365 traffic for remote staff & reduce the load on your infrastructure: https://techcommunity.microsoft.com/t5/office-365-blog/how-to-quickly-optimize-office-365-traffic-for-remote-staff-amp/ba-p/1214571