Montag, 4. Mai 2020

Microsoft Teams -The Day After


The main aspect in the context of the current challenge with the COVID-19 situation is that ad hoc solutions are needed to keep companies operational. This includes solutions for homeoffice as well as for meetings with customers and partners.
Regardless of which technical solution is used, at the end of the day the common organizational governance topics come up during the technical planning.

If users can decide individually and independently to create new Teams and channels, invite external users and share content, chaos results.

Who is supposed to organize this again afterwards, and especially, who is supposed to decide which data and which guestuser is still needed?

The fear of this often prevents that Microsoft Teams is used. But in the current situation, solutions and platforms like Microsoft Teams are needed to keep companies and business running.

The Solution

Automated solutions to resolve governance topics such as data chaos, duplicates and orphaned guest accesses are the Azure features around the topics of Identity Governance and Lifecycle Management.

Entitlement Management

Azure AD Entitlement Management is an identity management feature-set that enables organizations to manage identity and access cycles by automating access request workflows, access assignments, reviews and expiration. The following graphic shows an example of the different elements of Azure AD Entitlement Management.
Access Package 1 includes a single Group as a resource. Access is defined with a policy that allows users from a specific Azure AD group to request access.
Access Package 2 includes a Group, an Application and a SharePoint page as resources. Access is defined by two different policies. The first policy allows a group of users in the directory to request access. The second policy allows users from another / external Azure AD to request access.

When an access package is created, we can defines how long the access remains active before it is deactivated again:
An individual access URL is generated for each package. Users then use this to activate the package for themselves:

Access Reviews & Groups Expiration Policies

Azure AD Access Reviews automate the regular review of group memberships, access to enterprise applications and role assignments. This ensures that only those people who need it continue to have access.
Overview:
When an Access Review is created, a user is assigned who must perform the review. This can also be done dynamically based on the Groups / Teams Owner. The reviewer then receives an e-mail that directs him to his upcoming reviews:
The example shows that the first two groups each have only one member and were probably created for test purposes only. The third group has 16 members. Clicking the Begin review button will show the details and the automatically generated recommendations:
Groups Expiration Policies are not shown in the Identity Governance section and must be accessed via Azure AD -> Groups -> Expiration:
Again, the group owner receives a mail in which he must confirm that the Group is still needed. If he does not do it, the Group is automatically deleted. If a Group is deleted, it is "soft-deleted". This means that it can be restored by an administrator for up to 30 days.

Further options

If all this is not sufficient to implement necessary requirements, there are extended possibilities with the features Azure AD Conditional Access and the feature App Management.
Conditional Access controls access to applications based on specific conditions. Conditional access policies are used to implement access control based on the specific context.
Example:
  • Microsoft teams can only be accessed from a company device.
  • E-Mail can be accessed from any device. However, if access is from outside the corporate network, multi-factor authentication is enforced.

App Management (MAM) focuses on compliance with data security policies and data protection requirements as well as actions in case of data loss.
Example:
  • Data from Microsoft Teams is not allowed to be included in the iOS or Android backup.
  • Access with a "jailbroken device" is blocked.

MAM without device registration or MAM-WE (WE=without enrollment) allows IT administrators to manage apps on devices that are not registered in Intune MDM.

Best Practis

At the end, it is not a question of what Azure features and functions are available, but rather what is to be achieved and what exactly the business case looks like. Therefore, start with your scenarios. The second step is then the mapping to the Azure features in order to implement the necessary governance aspects.