Sunday, 10 November 2019

Microsoft Ignite 2019 recap

Here you can find my Microsoft Ignite 2019 recap


  • Keynote
  • Book of News
  • SharePoint
  • Microsoft Teams
  • Microsoft Security
  • Office 365 Groups
  • Microsoft Search
  • Project Cortex
  • Microsoft Planner
  • Interesting sessions I plan to watch afterward

Monday, 14 October 2019

Azure specific Security Tooling

Azure specific Security Tooling Overview

Wednesday, 9 October 2019

Interview about Kaizala and Teams

Interview with Patrick Guimonet and me talking about Microsoft Kaizala and Teams.

More Details About Kaizala & Teams:

Saturday, 5 October 2019

Microsoft Security Stack - When to use what

When to use what – Azure Sentinel, CASB, Azure Security Center, Security & Compliance Center in Office 365, etc.

Many customers using Microsoft Cloud Services for collaboration and communication ask the “When to use what” question. Meanwhile we have several really good methods and tools to answer this question, like the Periodic Table of Office 365. In the end it is not about when to use what, it is about “what do you want to do” or “what is your business case”. And this is the same with the Microsoft Security Features & Services.

Features & Services

Microsoft Azure Sentinel is a cloud-native SIEM solution with advanced AI and security analysis capabilities.

Microsoft Cloud App Security is a multimode Cloud Access Security Broker (CASB). It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats across all your cloud services. Further information about CASB

Azure Security Center provides unified security management and advanced threat protection across hybrid cloud workloads.

Office 365 Security & Compliance Center is designed to manage security & compliance features across Office 365. Links to existing SharePoint and Exchange compliance features bring together compliance capabilities across Office 365.

Microsoft Intune is a management solution that provides mobile device, endpoint and operating system management. It aims to provide Unified Endpoint Management for corporate devices and BYOD.

Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service. It covers resources, such as Microsoft Office 365, the Azure portal, and thousands of other SaaS applications along with any cloud apps developed by your own organization.

Microsoft Information Protection helps an organization to classify and protect its documents and emails by applying labels. It helps you discover, classify, label and protect your sensitive information – wherever it lives or travels. Further information about Information Protection

Protect your enterprise from threats in the cloud and on-premises with Azure Advanced Threat Protection. ATP is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.

Microsoft Defender Advanced Threat Protection (ATP) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Microsoft Defender ATP is built into Windows 10.

Typical discussions with customers

Azure Sentinel vs. Azure Security Center

Azure Security Center focuses on Azure workloads. Azure Sentinel is used for real-time event analysis and attack detection covering your whole architecture.
Quote by Microsoft: To reduce confusion and simplify the user experience, two of the early SIEM-like features in Security Center, namely investigation flow in security alerts and custom alerts will be removed in the near future. Individual alerts remain in Security center, and there are equivalents for both security alerts and custom alerts in Azure Sentinel. Going forward, Microsoft will continue to invest in both Azure Security Center and Azure Sentinel. Azure Security Center will continue to be the unified infrastructure security management system for cloud security posture management and cloud workload protection. Azure Sentinel will continue to focus on SIEM. Source: Securing the hybrid cloud with Azure Security Center and Azure Sentinel

Azure Security Center vs. Security and Compliance Center in Office 365

The Office 365 Security & Compliance Center is designed to help you manage security & compliance features across Office 365. Links to existing SharePoint and Exchange compliance features bring together compliance capabilities across Office 365. Azure Security Center analyzes data from a variety of Microsoft and partner solutions and applies machine learning to this data for threat prevention, detection, and eventually investigation. Both services are part of the Microsoft Service Trust Platform.

Azure Sentinel vs. CASB

Azure Sentinel is a SIEM solution with advanced AI and security analysis capabilities. It integrates with third-party security platforms from vendors such as Fortinet, Symantec and Check Point, as well as Microsoft's Graph Security API. By connecting with Microsoft Cloud App Security, you will gain visibility into your cloud apps, get sophisticated analytics to identify and combat cyberthreats, and control how your data travels.

Office 365 Security Features vs. Intune

Microsoft Intune and built-in security features in Office 365 for MDM both give you the ability to manage security & compliance in your environment. You can manage security & compliance using both Intune and Office 365 in the same Office 365 tenant. If you have both options available, you can choose whether you manage security & compliance in Office 365 or the more feature-rich Intune solution for MDM and MAM scenarios.

Azure AD vs. Intune

Intune manages mobile devices and apps. It integrates closely with other EMS components like Azure Active Directory for identity and access control.

Azure Advanced Threat Protection vs. Microsoft Defender ATP

Azure Advanced Threat Protection enables you to integrate Azure ATP with Windows Defender ATP. While Azure ATP monitors the traffic on your domain controllers, Windows Defender ATP monitors your endpoints, together providing a single interface from which you can protect your environment. By integrating Windows Defender ATP into Azure ATP, you can leverage the full power of both services and secure your environment. Source & Details: Integrate Azure ATP with Windows Defender ATP


As you can see, all these features work together: for example, Microsoft Defender Advanced Threat Protection integrates with Microsoft Cloud App Security, and Azure Information Protection integrates with Cloud App Security. So trying to find the best tool / solution for your enterprise by only discussing the detailed features isn’t the best way.

How to get started

To get a solid Security & Compliance strategy based on the Microsoft Security Stack, the best way is to start with your scenarios. Dealing with the Microsoft Security Stack, a best-practice approach is to separate the topics like this:

Next step is to map the scenarios:
  • Protect at the front door
  • Protect your data anywhere
  • Detect & remediate attacks
to those 4 categories / topics:
  • Identity and access management
  • Mobile device & app management
  • Information protection
  • Threat protection

Periodic table & mapping

Microsoft offers a good overview to tweak your scenarios in this article Top 10 Actions to Secure Your Environment. Based on this the following overview offers a blueprint to get started with your security strategy:



From a planning and architecture perspective the features and services must be separated into monitoring solutions and solutions used to natively set up regulations and policies.
For example: you can use Information Protection to protect your content and e-mails, and in addition you can integrate the logs and signals coming from Information Protection into Azure Sentinel. But natively you cannot use Azure Sentinel to protect your content and e-mails.
So in the end it is all about your scenarios!

Tuesday, 24 September 2019

Microsoft Teams & Kaizala

Here you can download my Deck about Microsoft Teams & Kaizala.
Download LINK
  • Overview
  • Management & Compliance
  • Teams & Kaizala
  • Typical scenarios
  • IT & Users & Management

PS: The deck is in German. But if you are interested in this session for your conference / event or workshop, we can do it in English. Ping me… 😉

Monday, 12 August 2019

Don’t make me think about IT Security

This is what end users say about IT security. If you are an admin or data security officer, you have to think about IT security.
Microsoft provides super useful info and material about this topic. In real-world scenarios we often had to find out where to start. For this, too, Microsoft offers a walkthrough:

I put all the stuff together in a small Excel workbook and extended it with some further licensing info.
All important information for your IT security strategy is summarized in this Excel workbook. In column 1 you will find the respective scenario, column 2 gives you an overview and column 3 the details on the topic. Columns 4 and 5 contain further information and details on licensing.

DOWNLOAD Excel workbook!

Wednesday, 7 August 2019

Updates & News around Microsoft Information Protection

In the last couple of weeks Microsoft released a bunch of new features / versions for Information Protection and Unified Labeling:
  • New features & functions with Microsoft Cloud App Security and Azure Information Protection
  • Azure Information Protection unified labeling client
  • Update to Unified labeling

Cloud App Security and Azure Information Protection

Cloud App Security and its integration with Azure Information Protection is not new. If you have already migrated to Office 365 unified sensitivity labels but did not migrate your existing classification labels, you need to know: when you create new labels in the Office 365 Security and Compliance Center, Cloud App Security will only use the preexisting labels configured in the Azure Information Protection portal.

By integrating Azure Information Protection into Cloud App Security you get the ability to:
  • apply classification labels as a governance action to files that match specific policies
  • view all classified files in a central location
  • investigate according to classification level, and quantify exposure of sensitive data over your cloud applications
  • create policies to make sure classified files are being handled properly
This integration focuses on scenarios like:
  • Visibility on sensitive data in managed cloud apps
  • Compliance / Risk Enforcement
    • Apply label to documents in cloud apps repositories
    • Prevent storage of highly sensitive documents in the cloud
  • Sensitive data reporting in AIP analytics space
  • Detect anomalous access
  • Block download of sensitive document from specific locations or non-compliant device
  • Block upload of sensitive documents

You need both a Cloud App Security license and a license for Azure Information Protection. Cloud App Security then syncs the labels from Azure Information Protection; this sync runs every hour.
Scanning the files:
  • Automatic scan: all new or modified files are added to the scan queue and will be scanned, classified and protected
  • File policy to search for classification labels: these files are added to the scan queue for classification labels

After you enable Azure Information Protection on Cloud App Security, all new files that are added to Office 365 will be scanned and you can create new policies within Cloud App Security that apply classification labels automatically.
More Details: How to integrate Azure Information Protection with Cloud App Security

Azure Information Protection unified labeling client

Highlights of version
  • Support for labels that are configured for user-defined permissions for Word, Excel, PowerPoint, and File Explorer
  • Support for advanced settings with PowerShell for the Security & Compliance Center
  • New cmdlet New-AIPCustomPermissions to create an ad-hoc policy for custom permissions
  • New parameters added to Set-AIPFileClassification: -WhatIf and -DiscoveryInfoTypes, so that this cmdlet can run in discovery mode without applying labels

Download and further information: Version
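The discovery-mode scan and the ad-hoc custom permissions listed above, as an added PowerShell example (not code from the original post). It assumes the AzureInformationProtection module shipped with the unified labeling client, a placeholder share path and label GUID, and the parameters -Path, -Users, -Permissions and -CustomPermissions of the cmdlets involved.

```powershell
# Added example, not from the original post. Runs the unified labeling client's
# classification cmdlet in discovery mode, then applies ad-hoc custom permissions
# to a single file. Module name and cmdlet parameters are assumed as documented
# for the unified labeling client; paths and the label GUID are placeholders.
Import-Module AzureInformationProtection

$SharePath = '\\fileserver\finance'          # placeholder, replace with your share
$LabelId   = '00000000-0000-0000-0000-000000000000'  # placeholder label GUID

# Discovery only: -WhatIf prevents any label from being applied, and
# -DiscoveryInfoTypes All reports every built-in sensitive information type
# found in each file, so you can size a labeling policy before enforcing it.
$discovery = Set-AIPFileClassification -Path $SharePath -WhatIf -DiscoveryInfoTypes All

# Review what was detected before deciding on automatic labeling rules
$discovery | Format-Table -AutoSize

# Ad-hoc protection: build a custom permissions object (here: one reviewer
# identity, placeholder address) and apply it together with a label to one file.
$permissions = New-AIPCustomPermissions -Users 'reviewer@contoso.example' -Permissions Reviewer
Set-AIPFileLabel -Path "$SharePath\forecast.xlsx" -LabelId $LabelId -CustomPermissions $permissions
```

Run the discovery step first on a copy or a small sub-folder: it opens every file in the path, so on a large share it takes a while.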

Currently we have two management portals, which are supported by different clients:
  1. Azure Information Protection:
    • Azure Information Protection client (classic)
    • Azure Information Protection scanner
    • Microsoft Cloud App Security

  2. Unified labeling in Office 365 Security & Compliance Center:
    • Azure Information Protection unified labeling client
    • Microsoft Cloud App Security
    • Office apps for MacOS, Android and iOS
    • Information Protection SDK and applications based on it like Adobe Acrobat
    • Coming Soon:
      • SharePoint Online
      • Office Online, Outlook Mobile for iOS and Android
      • Built-in labeling in Office for Windows
      • Azure Information Protection scanner

Update to Unified labeling

Unified labeling is not activated by default, and Azure Information Protection labels can be used only by the Azure Information Protection client. To make labels available in the Office 365 Security & Compliance Center and to use the unified labeling client, you need to activate that integration:

Before you activate unified labeling, check in Office 365 that you don't have labels that have the same name or display name as your labels in Azure Information Protection. Note that Azure Information Protection labels will be automatically renamed so that migration can succeed. Once activated you cannot deactivate unified labeling for your tenant. Learn more about the migration process.

Unified labeling: Activated

Depending on how many labels you have, the update takes some time. After it is done you can manage your labels from either the Azure portal or the Office 365 Security & Compliance Center. The labels can be used by the Azure Information Protection client and by unified labeling clients.

Note: you must use the Publish option after the migration to make the labels available in the unified labeling clients. Otherwise the client shows an error like this:

Monday, 24 June 2019

Objectives, Doings and Limitations with Azure Information Protection and BYOK

  • BYOK pricing and restrictions

Azure Rights Management enables BYOK according to a model that Microsoft calls customer-managed tenant keys. This requires a customer to create an RSA 2048-bit key in their HSM and then export the key to the HSM in Microsoft's data center. This RSA key is then used to encrypt the document encryption keys used by Azure RMS. RSA 2048-bit keys correspond to a security strength of 112 bits, i.e. that of a 112-bit AES key. This means that the AES 256-bit encryption provided by Azure RMS is effectively only 112 bits strong. The US government has advised against the use of AES encryption keys below 256 bits.

Overview about the necessary steps:

  • Create an HSM-based Azure Key Vault for a specific Azure region.
  • Generate your own key according to your IT policies. This requires e.g. Thales HSM, smartcards and support software.
  • Transfer the key from an HSM in your possession to HSMs owned and managed by Microsoft as provided by Azure Key Vault for your vault. This process ensures that your key never leaves the hardware protection boundary.
  • When you transfer your key to Microsoft, it remains protected by Thales HSMs. Microsoft has worked with Thales to ensure that the key cannot be recovered from Microsoft HSMs, and certificates are provided to ensure this.
  • Configure Azure Information Protection to use the HSM-based key.
  • Azure Key Vault's real-time usage logs are available as an option. These can also be applied to BYOK to see exactly how and when the key is used with Azure Key Vault. Blob storage is required to store the logs.


The two scenarios and their implementation differ fundamentally. HYOK is a kind of Azure RMS hybrid scenario. More details:

Prerequisites, Restrictions & Limitations

Support and SLA

  • Support for billing and subscription management is provided free of charge.
  • Technical support is available through various Azure support models, from €24.456/month for Developer and €84.33/month in the Standard version.
  • SLA: Microsoft guarantees that in at least 99.9% of cases, Key Vault transaction requests will be processed within 5 seconds.

Call to Action

  • Evaluate the actual advantages and disadvantages of BYOK in the context of your requirements and specifications in detail with the data protection officer and the involved departments.
  • Calculate the costs for the implementation, the required services and hardware as well as the operating costs. Based on this, you create a cost-benefit analysis.
  • Do you have other services that are already using BYOK with Azure? Did you use your own key for other scenarios and therefore want to implement AIP BYOK as well?
  • Does HYOK meet your requirements better?

Monday, 27 May 2019

Security Features Matrix in Office 365 and Azure

UPDATED VERSION 1.1 available

The matrix gives you an overview about the security features in the Microsoft cloud stack, including info about:
  • focus area of the feature
  • an overview description plus hyperlink for further information
  • info about how to license the feature.

Download the complete Matrix: LINK

  • added Azure Sentinel PREVIEW

Further interesting and helpful links:

Friday, 15 March 2019

Focusing Cloud App Security Policies to dedicated Objects

In CAS we can focus policies on dedicated objects. For example, you have a SharePoint Online site with sensitive content and you want to be informed if a user is doing a mass download.
We can use the “Mass download by a single user” template to set up a policy:

In the filter section of the policy select “edit and preview results”:

In the shown activities list, search for the location or event on which you want to filter. In my demo I take

Selecting “Activity Objects” opens a report with all objects and their IDs. To filter on the SharePoint site collection URL we need the second one:

Now we can use this ID as a filter:

Tuesday, 29 January 2019

Coaching your users through the External Sharing Experience

If your organization is sharing documents or collaborating directly with vendors, clients, or customers, then you can use the external sharing features and guest access in Office 365 to support this. Or, if this is not the case, you may want to limit the use of external collaboration in your organization.
Note that external sharing is turned on by default for your entire Office 365 environment. Every user can invite external people to Groups, Teams and SharePoint sites and can share content using OneDrive for Business. You may want to turn it off globally until you know exactly how you want to use the feature.
Unfortunately there is no master switch to turn external sharing and inviting external users ON or OFF globally. We need to configure it per service, and there are also cross effects between the services.

Settings overview

External sharing overview

Content Level

When sharing a SharePoint site with an authenticated external user, an invitation is sent to them via email which contains a link to the site. During the login process they are asked to log in using the username and password of their Microsoft account or their work or school account. If the login is successful, the account is added to the Azure AD associated with the Office 365 subscription. The account is added with #EXT# in the user name.
An external user does not need to have a license. To discontinue sharing with an authenticated external user, remove the permissions from the site or delete the user in the Azure AD.
If you share a file or folder with an external user, this user gets an email with a link to the file or folder. The user gets a time-sensitive code via email that he can use to verify his identity. Once he has proved his identity by using the code, the user is added as an external user in the Azure AD and he can access the file using his account. When sharing a file or folder with a user that does not have a Microsoft account or work or school account, this user needs to use the code every time to access the shared content.
To discontinue sharing with an authenticated external user you can delete the sharing link that was sent to him.
To share with anonymous users, you can set several options:
  • Edit, view or upload to a folder
  • Set link to expire at a specified time
  • Block download

The (external) user will receive an E-Mail with the link to the file or folder.
Anonymous users are not added to the Azure AD. To discontinue sharing you need to delete the anonymous link.
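Since every authenticated external user ends up as a guest object with #EXT# in the Azure AD of your tenant, the directory is the place to audit what external sharing has created. This is an added example (not from the original post) using the AzureAD PowerShell module; it assumes the Get-AzureADUser filter on userType and the UserState / UserStateChangedOn properties of the returned user objects.

```powershell
# Added example, not from the original post. Lists the guest accounts that
# sharing invitations have created in Azure AD and flags invitations that were
# never accepted. Assumes the AzureAD module and a signed-in account that may
# read directory users; property names are those of the AzureAD user object.
Import-Module AzureAD
Connect-AzureAD | Out-Null

# Guests created by sharing invitations have userType Guest and a UPN of the
# form user_domain.com#EXT#@yourtenant.onmicrosoft.com
$guests = Get-AzureADUser -All $true -Filter "userType eq 'Guest'"

# Show the originating e-mail address next to the tenant-side UPN, oldest first
$guests |
    Select-Object DisplayName, Mail, UserPrincipalName, UserState, UserStateChangedOn |
    Sort-Object UserStateChangedOn |
    Format-Table -AutoSize

# Invitations that were never accepted are clean-up candidates. Deleting the
# guest object also removes the site permissions granted to it (see the post).
$pending = @($guests | Where-Object { $_.UserState -eq 'PendingAcceptance' })
Write-Host "$($pending.Count) of $($guests.Count) guests have not accepted their invitation"

# Review the list first; removal is a one-liner per object once you are sure:
# $pending | ForEach-Object { Remove-AzureADUser -ObjectId $_.ObjectId }
```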

Collaboration Level

Guest access on the collaboration level is included with all Office 365 Business Premium, Office 365 Enterprise, and Office 365 Education subscriptions. No additional licensing for the guest users is required. You can have up to 5 guests per licensed user on your tenant. For more information about licensing, see Azure Active Directory B2B collaboration licensing guidance.

Office 365 Groups

To collaborate with external users in your Office 365 Group, this feature must be activated as shown in the table above. By default, guest access is turned on in Office 365. That means that everyone in your organization can add external users to an Office 365 Group. When an external user is invited to join a group, he receives an invitation email. The external user will have access to the following Office 365 Group features:
  • Conversations: Externals do not get access to the conversation history, but they will become part of the Office 365 Group distribution list.
  • Notebook: Externals get access to OneNote
  • Calendar: No access, but they receive calendar invitations
  • SharePoint Team Site: Externals get access to the SharePoint Team Site
  • Planner: To access a plan, guests either need to use a specific plan URL or go to

Microsoft Teams

Because Microsoft Teams uses services like SharePoint Online etc., the external access configuration depends on the settings in your tenant.
Each level controls guest access as shown:
  • Azure Active Directory: External access in Microsoft Teams relies on Azure AD.
  • Microsoft Teams: Controls external access in Microsoft Teams.
  • Office 365 Groups: Controls external access in Office 365 Groups and Microsoft Teams.
  • SharePoint Online and OneDrive for Business: Controls external access in SharePoint Online and OneDrive for Business.


Office 365 inter-tenant collaboration

We have several options to collaborate between two Office 365 tenants. Based on Azure Active Directory B2B we can set up collaboration for nearly all Office 365 services. Details are described in this Microsoft article: Office 365 inter-tenant collaboration

Tenant restrictions

Tenant restrictions enable you to control access to other Office 365 tenants. They give organizations the ability to specify the list of tenants that their users are permitted to access. Details, prerequisites and limitations are described in this Microsoft article: Use Tenant Restrictions to manage access to SaaS cloud applications

Office 365 user vs. Windows Live ID

Anyone with a Microsoft work or school account or a consumer email account, such as Outlook, Gmail, or others, can participate as a guest in Office 365.

If a user has an Office 365 hosted E-Mail address, he will automatically have a work or school account created by his IT department. This account originates in an Azure AD.
If a user does not have a work or school account, he can use a LiveID. To get one the user needs to go to the Microsoft account sign-in page: in the upper right corner select “Login” and then select “No account”. He needs to fill out the form and create a password. For details see below in “Coaching your (guest) users through the External Sharing Experience”. The LiveID is hosted by Microsoft.

Coaching your (guest) users through the External Sharing Experience

Content Level

If you are inviting an external user to a SharePoint site or adding him to a SharePoint group, he will receive an invitation E-Mail:
The link in the email will point the user to a website asking him what type of account he has:
If the user enters his email but does not have a Microsoft account, he will see the following dialog:
Click “Create One!” to register a new Microsoft account:
Set a password:
Provide your details:

Microsoft will send a code to verify the email address:
If a file or folder in SharePoint or OneDrive for Business is shared with an external user and the user does not already exist in the Azure AD, he will also need to verify his E-Mail address:
When sharing a file or folder with a user that does not have a Microsoft work or school account, this user needs to use the code every time to access the shared content.

Collaboration Level

When an external user is invited to a group, he receives an E-Mail:
External members can join conversations through their inbox and receive calendar invitations.
When an external user is invited to a group, he also receives an E-Mail with the details: