
Monday, 21 September 2020

Secure your environment with Conditional Access & App Controls

With the Azure AD Conditional Access feature, rules for access to Microsoft Cloud Services and other apps registered in Azure AD can be bound to conditions.

An example is the rule: When accessing with an unmanaged device, the user is prompted to use multi-factor authentication.

With the feature "Use Conditional Access App Control", an option in the Session Controls area of Azure AD Conditional Access, advanced scenarios can be set up.

Options:

  • Prevent data exfiltration
  • Protect on download
  • Prevent upload of unlabeled files
  • Block potential malware
  • Monitor user sessions for compliance
  • Block access
  • Block custom activities

Example:

  • Automatically assign a sensitivity label when a file is downloaded.
  • Filter based on regular expressions: "Include files that match a custom expression".
  • Block the upload if malware is detected.
  • This is possible because the Cloud App Security service then acts as a proxy for accessing the application:

Setup Conditional Access App Control

The options listed above affect all registered apps under https://portal.cloudappsecurity.com/#/connected-apps?tab=proxy. By default, this list is empty:

To register an app, the wizard can be used in Cloud App Security via Investigate -> Connected Apps -> Conditional Access App Control Apps. Another and much simpler way is to use a conditional access policy as an easy start:

  • Azure AD Security -> Conditional Access

  • New Policy

  • Section „Access controls“ -> „Session“

  • Use „Use Conditional Access App Control“

  • Use „Use custom policy to set an advanced policy in Cloud App Security“

Configure the policy in the menus "Users and Groups" etc. so that it is applied the next time the app to be registered is started. This results in apps that are authenticated via Azure AD being automatically registered in Cloud App Security under „Conditional Access App Control“:

The above method works for the so-called featured apps. For it to work with the Office 365 featured apps, Office 365 must be registered under "Connected Apps" in Cloud App Security:
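The same onboarding policy, created with the Microsoft Graph PowerShell SDK instead of the portal, as an added example that is not part of the original post: the pilot group id, the policy name and the choice of "Office365" as the targeted app are assumptions.

```powershell
# Added example (not from the original post): creates the Conditional Access
# policy described above with the Microsoft Graph PowerShell SDK. Group id,
# policy name and the "Office365" target are placeholders for illustration.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

$pilotGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: object id of the pilot group

$policy = @{
    displayName = "CAS onboarding - route Office 365 browser sessions through Cloud App Security"
    state       = "enabled"
    conditions  = @{
        users          = @{ includeGroups = @($pilotGroupId) }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("browser")   # the App Control proxy handles browser sessions
    }
    sessionControls = @{
        cloudAppSecurity = @{
            isEnabled            = $true
            # "mcasConfigured" = "Use custom policy to set an advanced policy in Cloud App Security"
            cloudAppSecurityType = "mcasConfigured"
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Read the policy back and confirm the session control is set as intended
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
$check.SessionControls.CloudAppSecurity | Format-List IsEnabled, CloudAppSecurityType
```

Once a user from the pilot group signs in to an Office 365 app in the browser, the app shows up under "Conditional Access App Control" in Cloud App Security as described above.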

Once an app is registered, session policies can be created that will take effect when the app is used.

Example: If the user Oliver Hardy tries to download a document from Microsoft Teams (SharePoint) that contains the term "confidential", the download is blocked.

Further scenarios

  • Monitor / block activities based on file conditions like Classification Label, File Name, Files Size or File Extension
  • Monitor / block activities like Cut/Copy Item, Paste Item, Print Item, Send Item
  • Block downloads based on conditions
  • Apply classification label to downloads
  • Apply rules based on malware detection

Impact from the user's perspective

When opening the app, the user is notified that access is monitored by Cloud App Security. The fact that a proxy is involved can also be recognized by the URL, which now carries the suffix access-control.cas.ms:

If the user Oliver Hardy now tries to download a document he gets the following message:

Monday, 4 May 2020

Microsoft Teams -The Day After


The main aspect in the context of the current challenge with the COVID-19 situation is that ad hoc solutions are needed to keep companies operational. This includes solutions for the home office as well as for meetings with customers and partners.
Regardless of which technical solution is used, at the end of the day the common organizational governance topics come up during the technical planning.

If users can decide individually and independently to create new Teams and channels, invite external users and share content, chaos results.

Who is supposed to organize this again afterwards, and especially, who is supposed to decide which data and which guest user is still needed?

This fear often prevents Microsoft Teams from being used. But in the current situation, solutions and platforms like Microsoft Teams are needed to keep companies and business running.

The Solution

Automated solutions to resolve governance topics such as data chaos, duplicates and orphaned guest accesses are the Azure features around the topics of Identity Governance and Lifecycle Management.

Entitlement Management

Azure AD Entitlement Management is an identity management feature-set that enables organizations to manage identity and access cycles by automating access request workflows, access assignments, reviews and expiration. The following graphic shows an example of the different elements of Azure AD Entitlement Management.
Access Package 1 includes a single Group as a resource. Access is defined with a policy that allows users from a specific Azure AD group to request access.
Access Package 2 includes a Group, an Application and a SharePoint page as resources. Access is defined by two different policies. The first policy allows a group of users in the directory to request access. The second policy allows users from another / external Azure AD to request access.

When an access package is created, we can define how long the access remains active before it is deactivated again:
An individual access URL is generated for each package. Users then use this to activate the package for themselves:

Access Reviews & Groups Expiration Policies

Azure AD Access Reviews automate the regular review of group memberships, access to enterprise applications and role assignments. This ensures that only those people who need it continue to have access.
Overview:
When an Access Review is created, a user is assigned who must perform the review. This can also be done dynamically based on the Groups / Teams Owner. The reviewer then receives an e-mail that directs him to his upcoming reviews:
The example shows that the first two groups each have only one member and were probably created for test purposes only. The third group has 16 members. Clicking the Begin review button will show the details and the automatically generated recommendations:
Groups Expiration Policies are not shown in the Identity Governance section and must be accessed via Azure AD -> Groups -> Expiration:
Again, the group owner receives a mail in which he must confirm that the Group is still needed. If he does not do it, the Group is automatically deleted. If a Group is deleted, it is "soft-deleted". This means that it can be restored by an administrator for up to 30 days.
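Added example (not from the original post) using the Microsoft Graph PowerShell SDK: an expiration policy for all Microsoft 365 groups (which back every Team), a check for groups that expire within the next 30 days, and restoring a soft-deleted group within the 30-day window. Lifetime, notification mailbox and group name are assumptions.

```powershell
# Added example (not from the original post). Cmdlets are from the Microsoft
# Graph PowerShell SDK; lifetime, mailbox and group name are placeholders.
Connect-MgGraph -Scopes "Directory.ReadWrite.All", "Group.ReadWrite.All"

# 1. Expiration policy for all Microsoft 365 groups. Owners receive the renewal
#    mail; ownerless groups notify the alternate address instead.
$lifecycle = New-MgGroupLifecyclePolicy `
    -GroupLifetimeInDays 180 `
    -ManagedGroupTypes "All" `
    -AlternateNotificationEmails "groups-governance@contoso.example"   # placeholder mailbox
$lifecycle | Format-List GroupLifetimeInDays, ManagedGroupTypes

# 2. Groups that will expire within 30 days unless an owner renews them.
#    expirationDateTime is only populated once the lifecycle policy applies.
$expiringSoon = Get-MgGroup -All `
        -Filter "groupTypes/any(c:c eq 'Unified')" `
        -Property "id,displayName,expirationDateTime" |
    Where-Object { $_.ExpirationDateTime -and
                   $_.ExpirationDateTime -lt (Get-Date).AddDays(30) } |
    Select-Object DisplayName, ExpirationDateTime
$expiringSoon | Format-Table -AutoSize

# 3. Soft-deleted groups (expired or deleted by hand) stay restorable for 30 days.
$deleted = Get-MgDirectoryDeletedItemAsGroup -All |
    Select-Object Id, DisplayName, DeletedDateTime
$deleted | Format-Table -AutoSize

# Restore one of them, identified here by its (placeholder) display name
$toRestore = $deleted | Where-Object DisplayName -eq "Project Phoenix"
if ($toRestore) {
    Restore-MgDirectoryDeletedItem -DirectoryObjectId $toRestore.Id
}
```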

Further options

If all this is not sufficient to implement the necessary requirements, there are extended possibilities with the features Azure AD Conditional Access and App Management.
Conditional Access controls access to applications based on specific conditions. Conditional access policies are used to implement access control based on the specific context.
Example:
  • Microsoft Teams can only be accessed from a company device.
  • E-mail can be accessed from any device. However, if access is from outside the corporate network, multi-factor authentication is enforced.

App Management (MAM) focuses on compliance with data security policies and data protection requirements as well as actions in case of data loss.
Example:
  • Data from Microsoft Teams is not allowed to be included in the iOS or Android backup.
  • Access with a "jailbroken device" is blocked.

MAM without device registration or MAM-WE (WE=without enrollment) allows IT administrators to manage apps on devices that are not registered in Intune MDM.

Best Practice

At the end, it is not a question of what Azure features and functions are available, but rather what is to be achieved and what exactly the business case looks like. Therefore, start with your scenarios. The second step is then the mapping to the Azure features in order to implement the necessary governance aspects.

Monday, 23 March 2020

Don’t make me think about security in Microsoft Teams


Microsoft Teams is part of Office 365 and must be licensed accordingly. Due to the current situation with the COVID-19 virus, Microsoft has made the Office 365 feature Teams available free of charge for everyone until 01.2021. The details can be found in this article: https://news.microsoft.com/en-my/2020/03/17/our-commitment-to-customers-during-covid-19/
Many companies and schools around the world have now taken advantage of this offer. The topics Data Security, Data Protection and IT Security often fade into the background behind urgent business needs.

13 steps to quickly secure your Microsoft Teams environment

Security and also Compliance aspects in Microsoft Teams are configured in the Teams Admin Center. Multiple policy packages can be created for different scenarios, users and groups. A policy package combines settings that relate to typical work processes of these users and groups.

Teams Settings


1. E-mail integration - Security impact: low
E-mail integration allows mail to be sent directly to a Team channel. The content of the e-mail is displayed in the chat in the channel and is visible to all members.
2. Files - Security impact: medium
Enable or disable file sharing and cloud file storage options for the Files tab in teams.
3. Devices - Security Impact: low
Settings for devices in the meeting room.

Meetings & Messaging Policies

Meeting policies are used to control what features are available to users when they attend Teams meetings.
4. Audio & Video - Security impact: medium
The audio and video settings can be used to turn on or off specific functions used in Teams.
5. Content Sharing - Security impact: high
"Content Sharing" controls which functions are available in a Teams meeting in this context.
6. Participant & Guest - Security impact: high
The settings for participants and guests control access to Teams meetings.
7. Meeting Settings - Security impact: high
Meeting settings are used to control whether anonymous users can attend Teams meetings.

8. Live Events Policies - Security impact: high
Live event policies are used to configure, for example, whether participants can transcribe or whether live events can be recorded.
9. Messaging Policies - Security impact: high
Messaging policies are used to control which chat and channel messaging features are available to users in Teams.

Teams Apps

10. Org-wide App Settings - Security impact: high
This function controls which applications are available to users in Teams. Furthermore, it can be configured which 3rd party apps can be used.
11. App Permission Policies - Security impact: high
The App Permission Policies control which apps users can use, depending on the settings in the previous step.

Org-Wide Settings

12. External Access - Security impact: high
External access allows users to communicate with other users outside your organization. By default, users can communicate with all external domains.
13. Guest Users - Security impact: high
Teams allows users to invite external users to join Teams. When external users are added to a team, they receive an invitation that they must accept before they can access it. Microsoft has provided a checklist for Guest Users in Teams: https://docs.microsoft.com/en-us/microsoftteams/guest-access-checklist
What rights guest users have is set in the Teams Admin Center.
Some permissions are configured directly in Teams.
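The same hardening applied to the tenant-wide ("Global") policies with the MicrosoftTeams PowerShell module, as an added example that is not part of the original post. It covers the steps that have a cmdlet equivalent (1, 2, 4 to 9, 12, 13); the chosen values and the partner domain are assumptions to adapt to your own policy packages.

```powershell
# Added example (not from the original post): tightens the Global Teams
# policies for the steps above. Values and the partner domain are placeholders.
Connect-MicrosoftTeams

# Steps 1 + 2: e-mail integration into channels and third-party cloud storage in the Files tab
Set-CsTeamsClientConfiguration -Identity Global `
    -AllowEmailIntoChannel $false `
    -AllowDropBox $false -AllowBox $false -AllowGoogleDrive $false -AllowShareFile $false

# Steps 4-6: meeting policy (audio/video, content sharing, participants & guests)
Set-CsTeamsMeetingPolicy -Identity Global `
    -AllowCloudRecording $false `
    -AllowTranscription $false `
    -ScreenSharingMode "SingleApplication" `
    -AllowExternalParticipantGiveRequestControl $false `
    -AllowAnonymousUsersToStartMeeting $false `
    -AutoAdmittedUsers "EveryoneInCompany"      # everyone else waits in the lobby

# Step 7: anonymous users cannot join meetings at all
Set-CsTeamsMeetingConfiguration -Identity Global -DisableAnonymousJoin $true

# Step 8: live events - no recording, no transcription, company-only attendees
Set-CsTeamsMeetingBroadcastPolicy -Identity Global `
    -BroadcastRecordingMode "AlwaysDisabled" `
    -AllowBroadcastTranscription $false `
    -BroadcastAttendeeVisibilityMode "EveryoneInCompany"

# Step 9: messaging policy - keep the chat history intact, no Giphy content
Set-CsTeamsMessagingPolicy -Identity Global `
    -AllowUserDeleteMessage $false `
    -AllowGiphy $false

# Step 12: external access only to an explicit allow list instead of all domains
$allowList = New-CsEdgeAllowList -AllowedDomain @(
    (New-CsEdgeDomainPattern -Domain "partner.example")   # placeholder partner domain
)
Set-CsTenantFederationConfiguration `
    -AllowFederatedUsers $true `
    -AllowedDomains $allowList `
    -AllowPublicUsers $false

# Step 13: guests are allowed, but with reduced meeting capabilities
Set-CsTeamsClientConfiguration -Identity Global -AllowGuestUser $true
Set-CsTeamsGuestMeetingConfiguration -Identity Global `
    -AllowIPVideo $false `
    -ScreenSharingMode "Disabled"

# Read back the effective settings for review
Get-CsTeamsMeetingPolicy -Identity Global |
    Select-Object AllowCloudRecording, ScreenSharingMode, AutoAdmittedUsers
Get-CsTeamsMeetingConfiguration | Select-Object DisableAnonymousJoin
Get-CsTenantFederationConfiguration | Select-Object AllowFederatedUsers, AllowPublicUsers
```

Steps 3, 10 and 11 are configured in the Teams Admin Center as described above and are not part of this script.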

Advanced Features (Office 365 E3 / E5) - Information Protection and Labeling for Teams

Microsoft has consolidated the topic of classification / labeling under the name Unified Labeling, which can be found in the Office 365 Security & Compliance Center. The menu Classification -> Sensitivity Labels lets you create labels that also affect Microsoft Teams.
Encryption:
Who can access files and e-mail messages that are labeled, regardless of the user rights that person has in Teams.
Content labeling:
Add custom headers, footers, and watermarks to email messages or documents that are labeled.
Prevent data loss:
Currently, only endpoint DLP features offered by Windows Information Protection (WIP) are available. DLP settings for Office 365 applications will be available soon.
Site and Group Settings (also affecting Microsoft Teams):
Note that these settings are not applied to files, so they have no effect on downloaded copies of files.
Auto-labeling for Teams:
An auto label policy always includes the location of a file. For example, all files that are stored in a particular Team can automatically get a label. This function can be supplemented by rules that only assign the label if the defined parameters also exist, such as a specific phrase in a document.


Wednesday, 18 March 2020

Microsoft Teams and the challenges in times of COVID-19

How Microsoft Teams helps you with the challenges in times of COVID-19

  • What happens when a person signs in with credentials from an employer or a school?
  • What does the free version of Teams include?
  • Is there a limit on the number of users in the free version?
  • Can I schedule meetings in the free version?
  • How can IT administrators access Teams for Education?
Details and answers to these questions as well as further information at: https://news.microsoft.com/de-de/engagement-fuer-kunden-covid-19/
  • Set up a free Office 365 tenant for your school
  • Set up user accounts for teachers and students manually
  • Set up user accounts for teachers and students via CSV import
  • Deploy Office 365 for teachers and students

Scenarios and best practices with Microsoft Teams

How should we get started with Teams?
  • Create a chat for small talk / a virtual coffee kitchen in Teams.
  • Create one team per area, e.g. Marketing, Finance, or in a school context one per class, e.g. class 9a.
  • Create channels per topic, e.g. Marketing -> Newsletter, or in a school context e.g. class 9a -> Mathematics.
  • Invite employees / students.
  • Start discussing topics in Teams, not via e-mail.
  • Stop using WhatsApp. Download the Teams app.

What should we do to convince management of Teams?
  • Teams is a secure and GDPR-compliant solution.
  • It enables working virtually on topics and the exchange between people.
  • All data and information in Microsoft Teams are and remain your data. They are not analyzed by Microsoft or evaluated for marketing purposes.
  • When data is deleted in Microsoft Teams, it is physically deleted after the recovery period expires and is no longer retained or evaluated by Microsoft.

What if I can't get my headset or microphone to work?
  • Dial in to Teams by phone.

What if I want to communicate with an external person?
  • Invite the person as a guest. There are no additional costs.

How can collaboration be improved?
  • Exchange files via Microsoft Teams and edit files together in Microsoft Teams (co-authoring).
  • Collaborate virtually in Teams instead of sending data and information by e-mail.

How do we get all this up and running? And how can we get employees / students excited about it?
  • Name a "Teams Hero" for each team / each channel. This person is available with advice and support when questions or problems come up.
  • Create a Teams FAQ channel for questions and support.

Microsoft Teams on private devices (laptops, tablets, phones)
Microsoft Teams can be used without problems on private PCs, laptops, smartphones or tablets. Private hardware can easily be integrated into the company context or the context of schools. This allows risks such as malware, trojans, legal pitfalls etc. to be covered. With the functions of Microsoft 365, access, storage and sharing functions on private devices can be restricted. The Microsoft Teams app is available free of charge in the respective app stores for Windows, iOS and Android devices. Verification via PIN/fingerprint can easily be set up, and company data or school documents can be removed from the private devices again.

Tips and recommendations for the network configuration

Endpoints are required for connectivity to every Office 365 service and account for over 75% of the bandwidth, connections and data volume. Here you will find a list of IP subnets assigned to the most important Office 365 workloads such as Exchange Online, SharePoint Online, Skype for Business Online and Microsoft Teams. In addition, the article contains detailed information on an optimal internet connection / configuration when using Microsoft Teams and Office 365 in general: https://docs.microsoft.com/de-de/office365/enterprise/office-365-network-connectivity-principles

Friday, 21 February 2020

Move to modern experience in SharePoint and what you need to know about it

Modern experience in SharePoint

Microsoft offers a good overview about all topics in this context on this website: https://docs.microsoft.com/en-us/sharepoint/guide-to-sharepoint-modern-experience This article is structured with the following headlines: Information architecture and hub sites, Navigation, Branding, Publishing, Search, Sharing and permissions.
I already posted about some of these topics:

Other topics:
  • Navigation: The “inherited” navigation feature in classic SharePoint site is not available in the modern experience. Hub sites provide another way to achieve cross-site navigation previously available in managed navigation and site hierarchies in classic SharePoint. 
  • Publishing: In the modern experience, Communication sites replace traditional publishing sites. Communication sites are easier to build and maintain, and include new features such as a modern authoring canvas. Also multilanguage capabilities will be available soon. They allow you to. To sum up: you can quickly create beautiful and responsive pages to share news, reports, statuses, and other information in a visually compelling format - all without heavy developer investment. You can get inspired with some great examples in the SharePoint Lookbook.
  • Search: SharePoint has both a classic and a modern search experience, where Microsoft Search in SharePoint is the modern experience. Microsoft is currently in the middle of a transition from Classic Search to Microsoft Search. Because of this there are other differences, especially around customization. More details: When to use which search experience. The most visible differences are:
    • The Microsoft Search box is placed in the header bar
    • Microsoft Search is personal. The results you see are different from what other people see, even when you search for the same words
    • Search as you type: you see results before you even start typing in the search box, based on your previous activity and trending content in Office 365

Modernize your root site

A root site, e.g. https://contoso.sharepoint.com, that was set up before April 2019 was created as a classic team site. Now, a communication site is set up as the root site for new organizations. If your Office 365 tenant was created before April 2019, you can modernize your root site with one of these scenarios:
  • Replace the root site with a new site: If you already have a site that you want to use as your root site, or if you want to use a modern team site, replace (swap) the root site with it. This scenario is very useful if you plan to create a new site and let the old one live until you are ready. We can use the new SharePoint admin center to replace the root site. Select your root site (e.g. https://contoso.sharepoint.com) in the Active Sites menu of the SharePoint Online Admin Center. You then get the "Replace site" button in the menu:

Selecting this you get the following dialog:
And we can also use PowerShell to do the swap. PowerShell also lets you set the archive URL and some further parameters manually:
Invoke-SPOSiteSwap
    -SourceUrl <string>
    -TargetUrl <string>
    -ArchiveUrl <string>
    [-DisableRedirection]
    [<CommonParameters>]
  • Use the root site as it is but with a modern experience: If you want the content on your classic root site as it is but want to have the layout of a communication site, apply the communication site experience to the root site. This feature isn't available yet but is coming soon.
  • Continue using the classic team site but with modern pages library and a modern home page: If you want to continue using the classic team site, enable the modern site pages library experience and set a modern page as the home page of the root site. This gives users a modern team site experience with the left navigation.

Things to think about

Before you begin, make sure that:
  • If you have "Featured links" on the SharePoint start page, you'll need to add them again after you replace the root site.
  • You have reviewed the policies, permissions, and external sharing settings of your source site.

Limitations:
You can use the following as a new root site:
    • Communication site (SITEPAGEPUBLISHING#0)
    • Modern team site that isn't connected to an Office 365 group (STS#3); the root site can't be connected to an Office 365 group
    • Classic team site (STS#0)

When you plan a site swap, neither the root site nor the new site can be a hub site or associated with a hub. You need to unregister it as a hub site, replace the root site, and then register it as a hub site again.
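The swap as a SharePoint Online Management Shell script that first checks the limitations above (supported template, no hub involvement) and re-registers the hub afterwards, as an added example that is not part of the original post. Tenant name and site URLs are assumptions.

```powershell
# Added example (not from the original post): root site swap with the
# pre-checks listed above. Tenant name and site URLs are placeholders.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

$root    = "https://contoso.sharepoint.com"                         # current (classic) root
$newRoot = "https://contoso.sharepoint.com/sites/new-root"          # modern site that becomes the root
$archive = "https://contoso.sharepoint.com/sites/old-root-archive"  # where the old root is moved to

# 1. Only these templates may become the root site
$supported = @("SITEPAGEPUBLISHING#0", "STS#3", "STS#0")
$source = Get-SPOSite -Identity $newRoot
if ($supported -notcontains $source.Template) {
    throw "Template '$($source.Template)' of $newRoot cannot be used as the root site."
}

# 2. Neither site may be a hub site or be associated with a hub; remember what we undo
$wasHub = @{}
foreach ($url in @($root, $newRoot)) {
    $site = Get-SPOSite -Identity $url
    if ($site.IsHubSite) {
        Write-Warning "$url is a hub site; unregistering it for the swap"
        Unregister-SPOHubSite -Identity $url -Force
        $wasHub[$url] = $true
    }
    if ($site.HubSiteId -ne [guid]::Empty) {
        Write-Warning "$url is associated with hub $($site.HubSiteId); removing the association"
        Remove-SPOHubSiteAssociation -Site $url
    }
}

# 3. Swap: the new site moves to $root, the old root is archived at $archive
#    and (without -DisableRedirection) redirected to the new root
Invoke-SPOSiteSwap -SourceUrl $newRoot -TargetUrl $root -ArchiveUrl $archive

# 4. If the new site was a hub before, register it again at its new URL
if ($wasHub[$newRoot]) {
    Register-SPOHubSite -Site $root -Principals $null
}

Get-SPOSite -Identity $root | Select-Object Url, Template, IsHubSite
```

Hub associations of other sites and the "Featured links" mentioned above still have to be re-created by hand after the swap.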

Saturday, 5 October 2019

Microsoft Security Stack - When to use what


When to use what – Azure Sentinel, CASB, Azure Security Center, Security & Compliance Center in Office 365, etc.

Many customers using Microsoft Cloud Services in the context of collaboration and communication often ask the "When to use what" question. Meanwhile there are several really good methods and tools to answer this question, like the Periodic Table of Office 365. In the end it is not about when to use what, it is about "what do you want to do" or "what is your business case"? And this is the same with the Microsoft Security Features & Services.

Features & Services

Microsoft Azure Sentinel is a cloud-native SIEM solution with advanced AI and security analysis capabilities.

Microsoft Cloud App Security is a multimode Cloud Access Security Broker (CASB). It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats across all your cloud services. Further information about CASB

Azure Security Center provides unified security management and advanced threat protection across hybrid cloud workloads.

Office 365 Security & Compliance Center is designed to manage security & compliance features across Office 365. Links to existing SharePoint and Exchange compliance features bring together compliance capabilities across Office 365.

Microsoft Intune is a management solution that provides mobile device, endpoint and operating system management. It aims to provide Unified Endpoint Management for corporate devices and BYOD.

Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service. It covers resources, such as Microsoft Office 365, the Azure portal, and thousands of other SaaS applications along with any cloud apps developed by your own organization.

Microsoft Information Protection helps an organization to classify and protect its documents and emails by applying labels. It helps you discover, classify, label and protect your sensitive information – wherever it lives or travels. Further information about Information Protection

Protect your enterprise from threats in the cloud and on-premises with Azure Advanced Threat Protection. ATP is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.

Microsoft Defender Advanced Threat Protection (ATP) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Microsoft Defender ATP is built into Windows 10.


Typical discussions with customers

Azure Sentinel vs. Azure Security Center

Azure Security Center focuses on Azure workloads. Azure Sentinel is used for real-time event analysis and attack detection covering your whole architecture.
Quote by Microsoft: To reduce confusion and simplify the user experience, two of the early SIEM-like features in Security Center, namely investigation flow in security alerts and custom alerts will be removed in the near future. Individual alerts remain in Security center, and there are equivalents for both security alerts and custom alerts in Azure Sentinel. Going forward, Microsoft will continue to invest in both Azure Security Center and Azure Sentinel. Azure Security Center will continue to be the unified infrastructure security management system for cloud security posture management and cloud workload protection. Azure Sentinel will continue to focus on SIEM. Source: Securing the hybrid cloud with Azure Security Center and Azure Sentinel


Azure Security Center vs. Security and Compliance Center in Office 365

The Office 365 Security & Compliance Center is designed to help you manage security & compliance features across Office 365. Links to existing SharePoint and Exchange compliance features bring together compliance capabilities across Office 365. Azure Security Center analyzes data from a variety of Microsoft and also partner solutions and applies machine learning to this data for threat prevention, detection, and eventually investigation. Both services are part of the Microsoft Service Trust Platform.


Azure Sentinel vs. CASB

Azure Sentinel is a SIEM solution with advanced AI and security analysis capabilities. It integrates with third-party security platforms from vendors such as Fortinet, Symantec and Check Point, as well as Microsoft's Graph Security API. By connecting with Microsoft Cloud App Security, you will gain visibility into your cloud apps, get sophisticated analytics to identify and combat cyberthreats, and control how your data travels.


Office 365 Security Features vs. Intune

Microsoft Intune and built-in security features in Office 365 for MDM both give you the ability to manage security & compliance in your environment. You can manage security & compliance using both Intune and Office 365 in the same Office 365 tenant. If you have both options available, you can choose whether you manage security & compliance in Office 365 or the more feature-rich Intune solution for MDM and MAM scenarios.


Azure AD vs. Intune

Intune manages mobile devices and apps. It integrates closely with other EMS components like Azure Active Directory for identity and access control.


Azure Advanced Threat Protection vs. Microsoft Defender ATP

Azure Advanced Threat Protection enables you to integrate Azure ATP with Windows Defender ATP. While Azure ATP monitors the traffic on your domain controllers, Windows Defender ATP monitors your endpoints, together providing a single interface from which you can protect your environment. By integrating Windows Defender ATP into Azure ATP, you can leverage the full power of both services and secure your environment. Source & Details: Integrate Azure ATP with Windows Defender ATP


Roundup

As you can see, all these features work together, for example Microsoft Defender Advanced Threat Protection integration with Microsoft Cloud App Security or Azure Information Protection integration with Cloud App Security. So trying to find the best tool / solution for your enterprise by only discussing the detailed features isn't the best way.

How to get started

To get a solid Security & Compliance strategy based on the Microsoft Security Stack the best way is to start with your scenarios. Dealing with the Microsoft Security Stack a best practices approach is to separate the topics like this:

Next step is to map the scenarios:
  • Protect at the front door
  • Protect your data anywhere
  • Detect & remediate attacks
to those 4 categories / topics:
  • Identity and access management
  • Mobile device & app management
  • Information protection
  • Threat protection

Periodic table & mapping

Microsoft offers a good overview to tweak your scenarios in this article Top 10 Actions to Secure Your Environment. Based on this the following overview offers a blueprint to get started with your security strategy:

Architecture


Roundup

From a planning and architecture perspective, the features and services must be separated into monitoring solutions and solutions used to natively set up rules and policies.
For example: You can use Information Protection to protect your content and e-mails, and in addition you can feed the logs and signals coming from Information Protection into Azure Sentinel. But natively you cannot use Azure Sentinel to protect your content and e-mails.
So at the end it is all about your scenarios!