Wednesday, 27 June 2018

What is the Microsoft 365 license package?

From Office 365 to Microsoft 365

As if licensing in the Microsoft environment were not complex enough, we now have a license package called Microsoft 365. Microsoft 365 was announced last year at the partner conference in July 2017. The first two versions (Business and Enterprise) were available from the beginning of August 2017.
"A complete, intelligent solution, including Office 365, Windows 10, and Enterprise Mobility + Security, that empowers everyone to be creative and work together, securely." With this claim Microsoft advertises the license package. But what exactly is behind it, and why is it interesting for customers?
Microsoft 365 is the logical continuation of the license package SPE (Secure Productive Enterprise). SPE includes Office 365, Windows 10, Enterprise Mobility + Security and on-prem licenses for SharePoint, Exchange and Skype for Business Server. This provides customers in a transition phase or hybrid model with an optimized license package for security and compliance, Office 365 licensing, Windows licensing and on-prem Office Server licenses. Microsoft 365 now offers this combination for customers who already work completely in the cloud with their processes and solutions.

Okay, and why should I care as a customer?

Not only because of GDPR, data protection and data security are very topical these days. Many Office 365 projects have seen the light of day with a focus on functionality, IT and architectural aspects. In the course of the project, the works council, the data protection officer or IT security usually came to the conclusion that a building block was still missing. Since everyone can now access company data from anywhere and with any end device, compliance and security aspects must also be addressed. The functions & features to implement such requirements are of course available with Microsoft services such as Intune, Cloud App Security or the Azure AD Premium features. However, it quickly becomes clear that these features are not included in a standard Office 365 E1 or F1 license.
The "WannaCry" attack is still in all our memories. This attack on Windows operating systems raised awareness of how important it is to install current Windows patches and to have an up-to-date virus scanner. To address scenarios like this, Windows Defender Advanced Threat Protection (as part of Windows 10 Enterprise) and, for example, Microsoft Advanced Threat Analytics are also included in Microsoft 365, depending on the license package.
From a business perspective, Microsoft 365 covers the following scenarios (depending on licensing details):
  • Identity and access control
  • Manage mobile devices and apps
  • Protect and encrypt data
  • Protection against cyber attacks
  • Office 365 licensing (SharePoint, Exchange, Skype for Business, Microsoft Teams, Yammer, etc.)
  • Windows 10 Licensing

From a technical point of view, the following products and functions (depending on licensing details) are part of M365:
  • Azure Active Directory (AD) Premium
  • Cloud App Security
  • Microsoft Intune
  • Azure Information Protection
  • Microsoft Advanced Threat Analytics
  • Windows Defender Advanced Threat Protection
  • Windows 10
  • Office 365 Licensing

What do I need to know to use Microsoft 365?

The license package Microsoft 365 is available in different versions. The functions listed above depend in detail on the respective license level. The following table gives an overview:

  • Microsoft 365 Enterprise is suitable for companies with approximately 300 employees or more. This version is available in E3 or E5 and includes Office 365, Windows 10 Enterprise and the EMS features.
  • Microsoft 365 Business is suitable for small and medium-sized businesses. Windows 10 Pro, Office 365 and the EMS functions are included.
  • Microsoft 365 F1 focuses on firstline workers. This version includes Windows 10 Enterprise, Office 365 F1 and EMS.
  • Microsoft 365 Education is intended for schools and universities and is available in A1, AE and A5 versions.
More details can be found on the official Microsoft 365 page, and all products that are part of Microsoft 365 can still be licensed separately.

What will change with the use of Microsoft 365?

Traditionally, even in medium-sized companies, a split into Exchange team, AD team, SharePoint team, client & server team, etc. is normal. With Office 365, all departments have to work together much more closely. If the extended functions of Microsoft 365 are now added, close coordination with the IT security department, the data protection officer and the works council must be added as well.
In addition, as part of the IT strategy, this new Microsoft 365 team within the company IT department must have knowledge of all the products involved. The Microsoft 365 team needs to know about Intune, Cloud App Security, Windows Defender etc. and their dependencies, interfaces and interaction options. Education and training are a must.

And what do I need to know as a developer?

At first glance, Microsoft 365 seems to be relevant only for the license manager and the IT administrator. That view falls a little short. Microsoft gave an outlook on the Graph API roadmap at the Build conference in May 2018. It can be deduced from this that the services involved in Microsoft 365 will also be integrated into this API in the future. Already today, the common API for online services such as Exchange, SharePoint, Office 365 Groups and Teams etc. plays an important role for developers. The Microsoft Graph API will become the central endpoint for all cloud services.

Friday, 15 June 2018

Azure Information Protection Part III – AIP Scanner

The AIP Scanner is part of the AIP Client download. After you have downloaded and installed the AIP Client, you can start the installation and configuration. But before we start the installation, let's have a look at some requirements:
  • A Windows Server 2012 R2 or 2016 Server to run the service (For test and demo you can install it on a Win10 machine)
  • A SQL Server 2012+ local or remote instance (Any version from Express or better is supported)
  • Sysadmin role needed to install scanner service
  • Service requires Log on locally right and Log on as a service right
  • AIP Scanner is an AIP Premium P2/EMS E5 feature; for more details, review this article: https://azure.microsoft.com/en-us/pricing/details/information-protection/

A really good step-by-step description of how to install and configure the AIP Scanner was written by Kevin McKinnerney and can be found here: https://blogs.technet.microsoft.com/kemckinn/2018/03/23/easy-configuration-of-the-azure-information-protection-scanner/

As you see in Kevin's step-by-step guide, the scanner runs as a service and uses app authentication to connect with the AIP service. So we do not need to authenticate to use the scanner.
The scanner has two main configurations which we need to configure using PowerShell:
  • Add-AIPScannerRepository or Set-AIPScannerRepository -> it is about the locations and the conditions for this location
  • Set-AIPScannerConfiguration -> it is about what the scanner should do during the scan

Add-AIPScannerRepository

This cmdlet adds a so-called data repository to be scanned and creates a profile of settings. For example, you can specify a default label for unlabeled files, and whether to override an existing label or not. We can specify local folders, UNC paths, and SharePoint Server URLs for SharePoint sites and libraries. The scanner can handle more than one data repository, so you can configure a mix of local folders, UNC paths and SharePoint Server URLs with different settings, all covered by one AIP Scanner installation.
To change these settings, we can use the Set-AIPScannerRepository cmdlet. To remove a data repository, use the Remove-AIPScannerRepository cmdlet.
Example:
Set-AIPScannerRepository -Path C:\Temp2 -SetDefaultLabel UsePolicyDefault -MatchPolicy On

To review the settings, we can use Get-AIPScannerRepository. As you can see in my example I have configured two repositories with different settings:


Set-AIPScannerConfiguration

Set-AIPScannerConfiguration cmdlet is used to configure settings for the AIP Scanner. These settings include:
  • Discovery mode only, or apply labels
  • File will be relabeled YES or NO
  • File attributes are changed YES or NO
  • What is logged in the reports
  • Scanner runs once or continuously
  • Justification message used when required
  • Rights Management owner for protected files

Example:
Set-AIPScannerConfiguration -Enforce On -Schedule Manual -DiscoverInformationTypes All

Set-AIPScannerScannedFileTypes


This cmdlet is used to let the scanner know which file types should be scanned.

The cmdlet sets a list of file types to scan or exclude from scanning. To scan all file types, use *. To scan only specific file types use *.<file name extension>. To exclude specific file types from being scanned use -*.<file name extension>. And to reset the list back to default use @().



If no data repository is specified the setup applies to all data repositories that do not have their own list specified.
To get more examples and details review the official documentation: https://docs.microsoft.com/en-us/powershell/module/azureinformationprotection/set-aipscannerscannedfiletypes?view=azureipps

Scenarios

The scanner can typically be used for the following scenarios. Reports are stored in this location: %localappdata%\Microsoft\MSIP\Scanner\Reports

Scan for sensitive information types
#Configure data repository:
Add-AIPScannerRepository -Path C:\Temp2

#Configure Scan: Scan for all known sensitive types
Set-AIPScannerConfiguration -Enforce Off -Schedule Manual -Type Full -DiscoverInformationTypes All

#Start Scan
Start-Service AIPScanner
Start-AIPScan -reset

Label / Protect files
#Configure data repository:
Add-AIPScannerRepository -Path C:\Temp2 -OverrideLabel On -DefaultLabelId ae7eaeb0-cfdf-4217-a895-32a6b41311d9 -MatchPolicy Off

#Configure Scan: Enforce labeling, full scan, debug-level report
Set-AIPScannerConfiguration -Enforce On -Schedule Manual -ReportLevel Debug -Type Full

#Start Scan
Start-Service AIPScanner
Start-AIPScan -reset

Scan for sensitive information types and labels and protect files that match
#Configure data repository:
Add-AIPScannerRepository -Path C:\Temp2 -OverrideLabel On -MatchPolicy On

#Configure Scan: Scan for all known sensitive types
Set-AIPScannerConfiguration -Enforce On -Schedule Manual -Type Full -DiscoverInformationTypes All

#Start Scan
Start-Service AIPScanner
Start-AIPScan -reset
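
The scenarios above and the Set-AIPScannerScannedFileTypes section, combined into a discovery-first rollout; this is an added example, not part of the original post. The repository path and file-type list are illustrative, and the -Repository and -ScannedFileTypes parameter names are taken from the cmdlet's documentation rather than from this post.

```powershell
# Added example: run the AIP Scanner in discovery mode first, enforce only
# after a report exists to review. Run elevated on the scanner host.
param(
    [string]$RepoPath  = 'C:\Temp2',   # illustrative repository
    # %localappdata% resolves per user profile; pass the report folder of the
    # account that runs the scanner service if it is not the current user.
    [string]$ReportDir = (Join-Path $env:LOCALAPPDATA 'Microsoft\MSIP\Scanner\Reports'),
    [switch]$Enforce
)
$ErrorActionPreference = 'Stop'

if (-not $Enforce) {
    # Phase 1: register the repository and limit the scan to Office documents.
    Add-AIPScannerRepository -Path $RepoPath
    Set-AIPScannerScannedFileTypes -Repository $RepoPath `
        -ScannedFileTypes '*.docx', '*.xlsx', '*.pptx'
    # -Enforce Off: report findings only, do not label or protect any file.
    Set-AIPScannerConfiguration -Enforce Off -Schedule Manual -Type Full `
        -DiscoverInformationTypes All
}
else {
    # Phase 2: refuse to enforce when no earlier report is available.
    $latest = Get-ChildItem -Path $ReportDir -File -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 1
    if (-not $latest) {
        throw "No report in $ReportDir. Run without -Enforce and review the result first."
    }
    Write-Host "Newest report: $($latest.FullName) ($($latest.LastWriteTime))"

    # Same settings as the "labels and protect files that match" scenario.
    Set-AIPScannerRepository -Path $RepoPath -OverrideLabel On -MatchPolicy On
    Set-AIPScannerConfiguration -Enforce On -Schedule Manual -Type Full `
        -DiscoverInformationTypes All
}

# Read the effective settings back before the scan starts.
Get-AIPScannerRepository
Get-AIPScannerConfiguration

Start-Service AIPScanner
Start-AIPScan -reset
```

Run it once without -Enforce, review the report, then run it again with -Enforce.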
