
Tuesday 12 November 2019

Microsoft Information Protection


Check out my earlier post on AIP (Feb 2019).

End-to-end life-cycle for encrypting files using Azure Information Protection (AIP)


Use "Unified Labeling" to create labels



Note: Encryption stops SharePoint being able to look into the content of the file.  The labels and file name are still searchable, but not the content of the file.  eDiscovery, Search and co-authoring don't work on AIP-encrypted documents.

Cloud App Security (MCAS) Screen Shot


Friday 21 June 2019

O365 and AAD using InTune

Overview:  Our company has moved away from traditional on-prem. networking and we use Azure.  We use AAD, Azure Domain Services, Intune and O365, with all laptops and PCs running Windows 10 Pro.  It is so easy and removes so much administration.

Intune: If your users have O365 or E365 licences, Intune is included; with E3 accounts you can add it on for £7.50 per month.  Intune allows me to deploy a setup that historically would have used GPOs to manage the individual machines, referred to as "Configuration".  I can verify all my users are compliant with my policies, such as running Windows 10 and being patched to a certain level.  Defender works brilliantly through Intune.  I've removed our old anti-virus/malware from end-user devices because with Intune it's better with Defender.  I ensure all our PCs and laptops have BitLocker.  Checking all the devices my users are using is done through Intune using "Compliance".

  • I can wipe any PC or device remotely.
  • With the user logins, I can see activity, and it provides a great end-to-end management solution.
  • I haven't used TeamViewer as we still use LogMeIn for remote support, but I'd personally lean to TeamViewer as it's fully integrated with Intune.
  • BYOD devices are also controllable using Intune.
Summary:  Intune is easy to use and roll out and provides good control of end user devices.

Example Policy for Windows 10 devices:

Health Service:
  • Require BitLocker: Required
  • Require Secure Boot to be enabled on the device: Disabled
Device Properties:
  • Min OS Version: 1809
System Security:
  • Require a password to unlock mobile devices: Required
  • Simple passwords: Block
  • Password Type: AlphaNumeric
  • Min password length: 8
  • Max time of inactivity before password is required: 10
  • Password expiration (days): 45
  • Number of previous passwords to prevent reuse: 12
  • Require password when device returns from idle state: Required
  • Encryption of Data storage on device: Required
  • Device Security – Firewall: Required
  • Device Security – Antivirus: Required
  • Device Security – Antispyware: Required
  • Defender – Windows Defender Antimalware: Required
  • Defender – Min version: 1.295.933.0
  • Defender – Antimalware intelligent up-to-date: Required
  • Defender – Real-time protection: Required
Windows Defender ATP:
  • Require the device to be at or under the machine risk score: Medium
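To show how a compliance policy like the one above is actually evaluated (every setting is a pass/fail check and the device is compliant only if all of them pass), here is an added Python example. It is not Intune's own code and not from the original post: the policy values are the ones listed above, but the inventory field names and the two sample devices are constructed for the example. Note the dotted Defender version, which has to be compared numerically, not as a string.

```python
"""Evaluate a device inventory record against the Windows 10 compliance policy above.
Added illustration, not Intune's evaluation code. The inventory field names and the
sample devices are constructed; the policy values are the ones from the post."""

POLICY = {
    "min_os_release": 1809,               # Min OS Version
    "min_password_length": 8,
    "max_inactivity_minutes": 10,         # unit assumed to be minutes
    "password_expiration_days": 45,
    "password_history": 12,
    "min_defender_version": "1.295.933.0",
    "max_risk_score": "medium",           # Defender ATP machine risk score
}

RISK_ORDER = {"clear": 0, "low": 1, "medium": 2, "high": 3}


def version_tuple(version: str) -> tuple:
    """'1.295.933.0' -> (1, 295, 933, 0). A plain string comparison would rank
    '1.3.0.0' above '1.295.933.0', so dotted versions must be compared numerically."""
    return tuple(int(part) for part in version.split("."))


def evaluate(device: dict) -> list:
    """Return the names of the policy settings the device fails; [] means compliant."""
    p = POLICY
    checks = [
        ("Require BitLocker", device["bitlocker"] is True),
        # Secure Boot is 'Disabled' in the policy above, so it is not evaluated here.
        ("Min OS Version", device["os_release"] >= p["min_os_release"]),
        ("Require a password to unlock mobile devices", device["password_required"]),
        ("Simple passwords", not device["simple_password_allowed"]),
        ("Password Type", device["password_type"] == "AlphaNumeric"),
        ("Min password length", device["min_password_length"] >= p["min_password_length"]),
        ("Max time of inactivity before password is required",
         device["inactivity_minutes"] <= p["max_inactivity_minutes"]),
        ("Password expiration (days)",
         device["password_expiration_days"] <= p["password_expiration_days"]),
        ("Number of previous passwords to prevent reuse",
         device["password_history"] >= p["password_history"]),
        ("Require password when device returns from idle state", device["password_on_idle"]),
        ("Encryption of Data storage on device", device["storage_encrypted"]),
        ("Device Security - Firewall", device["firewall"]),
        ("Device Security - Antivirus", device["antivirus"]),
        ("Device Security - Antispyware", device["antispyware"]),
        ("Defender - Windows Defender Antimalware", device["defender_enabled"]),
        ("Defender - Min version",
         version_tuple(device["defender_version"]) >= version_tuple(p["min_defender_version"])),
        ("Defender - Antimalware intelligent up-to-date", device["signatures_current"]),
        ("Defender - Real-time protection", device["realtime_protection"]),
        ("Require the device to be at or under the machine risk score",
         RISK_ORDER[device["risk_score"]] <= RISK_ORDER[p["max_risk_score"]]),
    ]
    return [name for name, ok in checks if not ok]


# Constructed sample inventory records (not real devices).
COMPLIANT_LAPTOP = {
    "bitlocker": True, "os_release": 1903,
    "password_required": True, "simple_password_allowed": False,
    "password_type": "AlphaNumeric", "min_password_length": 10,
    "inactivity_minutes": 5, "password_expiration_days": 45,
    "password_history": 12, "password_on_idle": True,
    "storage_encrypted": True, "firewall": True, "antivirus": True, "antispyware": True,
    "defender_enabled": True, "defender_version": "1.301.1234.0",
    "signatures_current": True, "realtime_protection": True, "risk_score": "low",
}

# Same device with three settings drifted: no BitLocker, an old Defender build whose
# version string sorts *higher* than the minimum, and a high ATP risk score.
NONCOMPLIANT_LAPTOP = {**COMPLIANT_LAPTOP, "bitlocker": False,
                       "defender_version": "1.3.0.0", "risk_score": "high"}

if __name__ == "__main__":
    print("compliant laptop failures:", evaluate(COMPLIANT_LAPTOP))
    print("drifted laptop failures:", evaluate(NONCOMPLIANT_LAPTOP))
```

The drifted device is reported as failing exactly three settings; a naive string comparison of the Defender version would have let the old build through.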

Update: 2022-June-20

"BigFix automates discovery, management, and remediation of all endpoints whether on-premises, mobile, virtual, or in the cloud" - product by HCL.  

Competitor is Microsoft Endpoint Manager (MEM).  MEM is useful for patching and monitoring Windows 10/11 devices.  You can set up policies to give the end user different notifications to install, and can force the install if the end user does not install the patch.


Wednesday 3 April 2019

PowerBI Pro for Licencing

Problem:  Requirement to provide reporting and dashboards quickly and securely at a reasonable price.

Hypothesis: There are great reporting solutions, and a couple of enterprise-leading products are Tableau and Qlik.  These can get pretty expensive to install and licence.

Proposed Resolution: PowerBI Pro (PowerBI Premium is for larger enterprise solutions) is a cloud-based solution that can connect to multiple data sources, and to on-prem sources using the Gateway.  E5 licences include the PowerBI Pro licence for creating and publishing reports.  E3 licences can get an add-on for about £7.50 per month.  This is only needed by the people creating the reports.
 
To paraphrase "You can embed the report (not dashboard) on a SharePoint web page and share it with company users. You will then only be needing one licence to publish the report. The downside of this option is there is no built-in security for the report. Anyone who has access to the web page can access the report."

Disclaimer: These are my thoughts and understanding; please check your licencing with Microsoft and a licencing professional.

Updated: Nov 2022
3 Power BI licence types:
  1. Free (per user)
  2. Pro (per user per month) $
  3. Premium (resource/capacity based)  $$$ - 2 options
Choose depending on usage pattern: Premium is great at enterprise level but out of the range for most SME businesses.  Feature and pricing comparison

Saturday 30 March 2019

Azure Security Checklist

Overview:  Constantly improving security on Azure and Office 365 is essential to a lot of companies.  Microsoft provide outstanding infrastructure and monitoring for companies, and it is also the company's responsibility to configure and secure O365 and Azure to ensure security while allowing the appropriate liberalization of services so the business can operate effectively.  This post outlines some basic items to look at to optimize the balance between security and meeting your business needs.

I generally go through the infrastructure and write up a report for management in the form of:  Finding, Recommendation and Management Comment.

Finding:  The company users log in using their Azure AD accounts and the credentials page does not have customized branding to help users know they are logging into the company's secure resources (SharePoint, email etc.).
Recommendation:  In the "Azure Portal", use the "Azure Active Directory" service > "Company Branding" to upload the company logo in banner and square format and update the colour/theme to match the firm's branding.
Management Comment: We accept the finding and wish to make the changes immediately.

Microsoft provide tooling to help identify improvements, and below are two tools you can use to help clarify the current environment so improvements can be recommended.

Network Security Groups (NSGs)
NSGs are basically the firewall on Azure.  Fantastic and simple, but they can get really complex with multiple policies.  Azure gives you great tooling for Azure networks called "Network Watcher".
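To make the rule evaluation concrete, here is an added Python example (not Azure's code, and not from the original post) that models how an NSG picks the first matching rule in priority order, with Azure's default rules sitting underneath every custom rule, and then audits a constructed rule set for the classic review finding of a management port open to the Internet. The VNet address space, the custom rules and the source addresses are assumed for the example, and the "Internet" service tag is simplified to "anything outside RFC 1918 space".

```python
"""Model how an Azure Network Security Group (NSG) decides whether inbound traffic is
allowed, and audit a rule set for risky exposure. Added example, not Azure's own
evaluation code: the address space, custom rules and source addresses are constructed,
and the service-tag handling is a simplification of Azure's real tags."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    priority: int    # 100-4096 for custom rules; the lowest number is evaluated first
    source: str      # CIDR, or a tag: "Internet", "VirtualNetwork", "AzureLoadBalancer", "*"
    dest_port: str   # "22", "1000-2000" or "*"
    protocol: str    # "Tcp", "Udp" or "*"
    access: str      # "Allow" or "Deny"


# Azure's default inbound rules sit under every custom rule and cannot be deleted.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "*", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "*", "Deny"),
]

VNET = ipaddress.ip_network("10.0.0.0/16")  # assumed VNet address space for this example
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
AZURE_LB_PROBE = ipaddress.ip_address("168.63.129.16")  # Azure's load-balancer probe source


def source_matches(rule_source: str, src_ip: str) -> bool:
    ip = ipaddress.ip_address(src_ip)
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":
        return ip in VNET
    if rule_source == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE
    if rule_source == "Internet":          # simplification: anything outside private space
        return not any(ip in net for net in RFC1918)
    return ip in ipaddress.ip_network(rule_source, strict=False)


def port_matches(rule_port: str, port: int) -> bool:
    if rule_port == "*":
        return True
    if "-" in rule_port:
        low, high = (int(p) for p in rule_port.split("-"))
        return low <= port <= high
    return int(rule_port) == port


def evaluate(rules: list, src_ip: str, port: int, protocol: str = "Tcp") -> tuple:
    """First matching rule in ascending priority order decides: returns (access, rule name)."""
    for rule in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.protocol not in ("*", protocol):
            continue
        if source_matches(rule.source, src_ip) and port_matches(rule.dest_port, port):
            return rule.access, rule.name
    return "Deny", "DenyAllInBound"   # unreachable: the default deny-all rule matches everything


MANAGEMENT_PORTS = (22, 3389, 5985, 5986)


def risky_rules(rules: list) -> list:
    """Audit check: Allow rules that expose a management port to the whole Internet."""
    return [
        r.name for r in rules
        if r.access == "Allow"
        and r.source in ("Internet", "*", "0.0.0.0/0")
        and any(port_matches(r.dest_port, p) for p in MANAGEMENT_PORTS)
    ]


# Constructed rule set: the third rule is the kind of finding a review should flag.
CUSTOM_RULES = [
    Rule("AllowHttpsFromInternet", 100, "Internet", "443", "Tcp", "Allow"),
    Rule("AllowRdpFromOffice", 200, "203.0.113.0/24", "3389", "Tcp", "Allow"),
    Rule("AllowRdpFromAnywhere", 300, "Internet", "3389", "Tcp", "Allow"),
]

if __name__ == "__main__":
    for src, port in (("198.51.100.7", 443), ("198.51.100.7", 22),
                      ("10.0.1.5", 22), ("198.51.100.7", 3389)):
        print(src, port, evaluate(CUSTOM_RULES, src, port))
    print("risky rules:", risky_rules(CUSTOM_RULES))
```

Because the office RDP rule has a lower priority number, it is the one that matches for office addresses, but any other Internet address still reaches port 3389 through the third rule; that is what the audit function is there to surface.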

Wednesday 27 February 2019

MCAS overview MSIgnite London

Work in progress from MSIgniteTour London
Microsoft Cloud App Security, a cloud access security broker (CASB), helps manage Shadow IT, detect high-risk OAuth apps, and control high-risk user sessions in real time for your Office 365 environment.

Covers:
  1. Azure AD (AAD)
  2. Threat protection
  3. Information protection 
  4. SaaS e.g. box, SPO, ODfB
Shadow IT discovery:
A log collector uses the proxy or proxy logs to find the apps people are using.
It can write back to block app usage at the proxy.  Shows people using dodgy SaaS apps.  Supports script generation for most devices.

OAuth apps, e.g. G Suite: attackers use fake apps to get access to user info.  MCAS has a risk score for the apps in use, shows all usage, and lets you correct users' access.

O365 apps:
Check all apps against score:

MCAS protects for:
  • Malicious employees
  • Malware & ransomware
  • Rogue applications
  • Compromised accounts


Investigate:
Helps investigate abnormal behaviour.  Alert and highlight concerns.  Gain insight into user activity.
Can take action such as locking the account or requiring re-login.

File security:
Protect sensitive info in the cloud; uses the MIP framework, which uses AIP.  Shows info available on the public internet; only shows SaaS services the business controls.  Can also force governance on 3rd-party SaaS such as Box.

Block download of data:
Conditional access: a user on an unmanaged device is routed through MCAS, which can calculate risk and decide how they access, e.g. an unmanaged device could be forced to MFA.  Lots of controls: boilerplate web access, block, MFA, ...

Multi-geo Phase 2 (SPO): SPO & O365 groups coming March 2019, into GA by 30 March 2019 confirmed.  DLP per satellite geo.  Hub sites can span multiple geos.  Search works across geos, i.e. all content the user has access to across geos is returned.


Today's notes:
  • Site collections (SCs) can't be moved between geo locations.
  • Satellites are only in the 14 core data regions, i.e. you can't use China but could use Hong Kong or Singapore.
  • Aimed at tenants of 2500 users or bigger, with a minimum of 5% of users moved.

Monday 3 December 2018

SharePoint Online Geo-Replication SPO/O365

Geo-replication/Multi-tenancy

In mid 2018 I outlined the state of multi-geo on O365; the easier parts of geo-replication are already well handled and the changes are discussed in the link.  This post focuses on SSO options today and the likely road-map.

O365 is moving towards multi-tenancy that will allow multinational companies to store data in compliance with country rules.  For instance, EU data may not be allowed to be stored outside the EU, but you already have your O365 tenancy based in the US.

Historically, most larger companies have chosen either the US or the EU to base their data storage in.  If you wanted data to be stored in another region you had to buy another tenant, which Microsoft strongly discouraged.

Microsoft are working towards supporting O365 in multiple geo-locations.  Basically, there are 2 parts: 1) user-specific data (email, OneDrive), where we know where a user is based and their data is encrypted and stored in that country; and 2) group/team/country-specific data (SharePoint), where the data itself may have residency rules.

This post looks at SharePoint data that is required to be stored in a specific country.

Options today:
1. On-Prem.: Have a SharePoint farm in each geo location; this requires a fair amount of thought to deal with SSO, Search, MMS, Content Types and UPA.
2. O365: Have multiple tenants (none are connected) in each location and connect your authentication up to each tenant.  The problem with option 2 is that each O365 tenant requires a separate Azure Active Directory.  This means that you will need to hook each O365 tenant up to a single MMS and Search service, and poly-fill in the SSO process.  Imagine if you have 8 regional tenants for regulatory purposes.  To achieve SSO, you will need to create a central AAD, then connect each regional AAD to the central AAD.  Azure directory sync is needed, and inviting members and guests from other companies' AADs becomes an issue.  The image below outlines a possible pattern to solve this complex problem.


Coming Q1 2019: Multi-geo tenant, which shall be the answer.  A lot of the multi-tenant work is still in preview, so it shall be interesting to see multi-geo tenancy when it goes into General Availability (GA) next year (+-Feb/March 2019).

MSIgnite tour London updates 27-Feb-19:
Brent Alinger

Sovereign geos:
US Gov
China (21Vianet)
Germany

New geos coming: South Africa, UAE and Norway O365 data regions coming soon.  See office.com/datamaps

UK: Cardiff, London and Durham are the 3 data centres in the UK.
Note: some services such as AAD, Planner, Yammer and Sway are not UK-based; they are either Europe- or US-based.

US has 8 data centres

You can get the default region moved, but it's difficult.

Phase 1: OneDrive and Exchange, delivered April 2018.
Phase 2: O365 Groups and SharePoint, private preview Oct 2018.  Good feedback so far.  Keen ferry, Cott dimension data.

Multi-geo is not for solving:
  • GDPR
  • performance enhancement - rather align with the MS Global Network
  • pinning data to a specific country

Cost:  $2 per month extra per user in satellite locations; go through your account manager to set it up.  Once approved it shows in the admin centre and is provisioned; this takes less than 30 days but can be 2 days.

Need a domain name per geo location for OneDrive and SPO e.g. https://emeia-radimaging.sharepoint.com

Preferred Data Location (PDL) - set in AAD to specify where a user's data is stored.  Not for travelling users but for long-term office assignment.  Exchange Online users are seamlessly moved.  ODfB requires a PowerShell command to move the user data.

Phase 2: SPO in March, into GA by 30 March 2019 confirmed.  DLP per satellite geo.  Hub sites can span multiple geos.

Aka.ms/multi-geo

Update: 2020-06-30.  Multi-geo is available in:
  • Australia
  • Asia Pacific
  • Canada
  • European Union
  • France
  • India
  • Japan
  • Korea
  • United Kingdom
  • United States
  • United Arab Emirates
  • South Africa
  • Switzerland

Sunday 2 December 2018

O365 AAD - Federation B2B options

Problem: Using O365 as an Extranet.  A basic analysis before starting is a minimal requirement.  The existing Extranet will make a lot of the questions fairly easy to clarify.  You can cover this in tremendous detail, but to avoid information paralysis I recommend a decision maker, preferably someone that already works on the Extranet.  A committee is cool if you have the cash, but it's so hard to guess at the future; my preference is to get the broad strokes right and amend them once we are in the weeds.  These four points can be answered with the right people in a meeting, or may take months for complex organisations, especially if there is no clear leader to make decisions.

Consideration Point:
1. Who is using the Extranet?  Clients, partners, vendors, ..., or Client Users
2. How will Client and Company users authenticate? O365 options including ADFS, another federation service e.g. Ping, Passport/Live, Google, Facebook,...
3. Self-registration or known approved Client Users?  Try to figure out what the process for on-boarding your Client User will be.
4. Client User Profile Usage?  Will the client users amend content, have the ability to share permissions or old school, they will read web published pages (read-only).  Will client users have OneDrive, use teams, only SharePoint or other O365 applications.

2) O365 authentication
The most basic option is to allow O365 to have client users (guests): as long as a user has an O365 account they can be a Client User.  You can also use any Microsoft account for a client user.
Azure has a service that allows you to connect users as guests; the user shall use their own AAD or ADFS or any federation service, including Google and Facebook, to authenticate.  Microsoft allows 5 guest accounts on AAD for every 1 member (licensed user).

4) Client Usage Profiles
O365 can share a document anonymously via a link within an email.  Obviously, this means anyone can potentially access the file.  However, as a replacement for attachments in email and wide distribution this is a great step forward, as you can control versions and retract the access at any point.  Additionally, the link settings can be customised to control who can use the link.  For example, you can set the specific people who get the link, or you could specify that only internal people get the link.  Once it is set to "Anyone", the email or link can be forwarded and literally anyone can get access.

Governance:  Manage O365 to apply the business's rules so users comply with governance.  O365 has an easy, straightforward configuration to make this happen.  When configuring sharing governance you need to ensure it is done at the O365, SharePoint Admin and Site Admin levels.  If 1 of these says no external sharing you can't share, so it is a fairly granular approach.  This allows the Extranet and Intranet to live on the same O365 tenant.

Licensing: As a general rule, there tends to be no cost for external users, as 5 Client Users for every internal O365 user is allowed for the O365 extranet scenario.  Check with Microsoft as business scenarios play out differently.

Thoughts:

  • O365 uses Azure Active Directory (B2C); there is a 1-to-1 relationship between your tenant AAD and your O365 instance.
  • External accounts can be connected as guests, e.g. another AAD tenant, Microsoft accounts (Passport), ADFS or any auth provider (SAML), Facebook, Google+, AAD B2C (a separate service from AAD).  There is also a One Time Passcode option.

Sunday 18 November 2018

Securing SharePoint O365

Microsoft outline how they treat access to your company data, how your data is kept secure, and audit and availability; read this post.  The information below notes possible settings and configuration to secure O365.

Azure AD is the key; ensure auth is 100%, e.g. MFA for some or all accounts.  Use the "Identity Secure Score" to check for possible problems.  Consider Microsoft Authenticator for MFA.

O365 settings to use:
  1. Secure Score - Overview of my tenant settings and how they should be set.  Checks my tenant against MS best practices for O365.
  2. Validate settings meet governance and are not merely defaults.
  3. Review SPO audit logs - ensure auditing is turned on (the default is off).
  4. Security and Compliance Dashboard - Good email checker/analysis.  Low value for SPO.
Cloud App Security (CAS) - service that looks for security issues on O365 tenants, improving constantly.  CAS Overview.  Add-on, or included in E5 plans.

Office 365 Advanced Threat Protection (ATP) - service to identify threats.  "ATP analyzes content that's shared and applies threat intelligence and analysis to identify sophisticated threats.", Microsoft.

To manage documents, use IRM on SPO and AIP on documents.

"Azure Active Directory Identity Protection is a feature of the Azure AD Premium P2 edition that enables you to 1) Detect potential vulnerabilities affecting your organization’s identities 2)
Configure automated responses to detected suspicious actions that are related to your organization’s identities 3) Investigate suspicious incidents and take appropriate action to resolve them".  More info.


Wednesday 6 June 2018

Geo-replication in SharePoint and SPO to the rescue

Geo-Replication on SharePoint (Not covering email or OneDrive)

Problem: Over the past 7 years, I have worked for a few clients that require some form of geo-replication of SharePoint farms.  Geo-replication is normally needed for compliance.  This post assumes you need to geo-replicate and does not cover why you need to geo-replicate.

Tip: Geo-replication can be used for performance, but given the complexity it brings I feel any performance gain is an added bonus, and it should not be undertaken for performance gains; there are easier, better, pragmatic answers to performance such as Riverbed devices, caching and CDNs, to name a few.

Initial Hypothesis:  Large organisations existing in multiple geographic regions need to abide by country regulations and often other industry standards, which brings the need for geo-replication capability.  I recently completed several high-profile projects for a big four consultancy that needed to ensure SharePoint data does not leave its jurisdiction, depending on its metadata.  Building on-prem SharePoint farms was extremely complex, and the 3 big services that needed to be centralized or copied are Search, MMS and the Content Type Hub.  There are more, like AAD, but for my situation I needed to be able to have multiple SharePoint farms in specific regions that connected to centralised services.

Thoughts: MS has OneDrive and the email piece working in local geographies.
SharePoint is coming with multi-tenancy and users will get unified search results across geographic regions.
  1. Search: each tenant holds its own index, not a central index for search - "good news for data location compliance".  Somehow MS are intermingling all the search results using federation, so they appear as one ordered result set from multiple different geo indexes.
  2. Profile Services (used to be UPS) gets core fields from the central AAD and local fields are stored at a tenancy level (good news).
  3. Taxonomy (MMS) is replicated downwards from the central MMS.
  4. Each tenant has its own content type hub (I never liked this); the CTH uses a star topology to push the CTHub from the central tenant to the regional tenants so the copies, including GUIDs, are identical.
SPO to the Geo-Rescue (coming soon, in pre-beta/private preview as of 6 June 2018):
  • SPO is implementing multiple tenants across O365 like O365 previously did for OneDrive; you can specify where sites get created, i.e. region/country.  Each region has its data centres specified and the URL of the site clearly indicates where it is hosted.
  • The search index is kept in-country and federated up to the central tenant for a seamless search experience across multiple region tenants.
  • Central taxonomy is automatically replicated to the regional tenant.  MMS uses a star topology to distribute and keeps GUIDs in sync.
  • UPA holds only key data centrally and each region holds additional properties (good for GDPR and other DPA regulations).
  • AAD shall be controlled centrally and I believe AADs have regional copies.  * Each O365 has its own AAD today; this will be the big change to facilitate SSO.
RoadMap:
OneDrive is multi-geo now.  Offered to large enterprises only; you must have a certain number of users.
Circa Q1 2019 SharePoint will offer multi-geo.

http://blog.sharepointsite.co.uk/2013/08/stretched-farms-geo-replication-and.html

Sunday 17 December 2017

Office 365 Technical Governance Thoughts


Hierarchy of Governance of IT
  • Business Governance
  • IT Governance
  • SharePoint Governance
The items to look at for a security breach apply at all 3 governance levels, and planning to deal with a security breach must cover:

  • Legal Compliance
  • Litigation & Insurance
  • Security
  • Business continuity and Disaster recovery
  • PR
There are a lot of technical pieces involved in governance of SharePoint, such as authentication, security, O365 labels, Microsoft Information Protection (O365 labels) and Azure Information Protection (AIP/AIP labels), CAS, IRM, .....  There are third-party products like SkySync, Symantec, .... and a lot of SharePoint governance is part of other products that also cover SharePoint.



Wednesday 18 May 2016

Microsoft Graph Simplified

Overview: Microsoft Graph provides an API to allow search to bring back data stored in Office 365 (email/Exchange Online, SharePoint, and others).  The centralized search provides the data source to query and adds a ranking engine on top to allow for easy access to data.

Overview of Office Graph
A more formal description: "The Office Graph is a collection of content and activity and links the relationships between people and this active content.  Any activity in the entire Office suite online is pushed into Office Graph such as e-mail including attachments, conversations, to documents in SharePoint and OneDrive.  The Office Graph maps the relationships among people and information, and acts as the foundation for Office experiences that are more relevant and personalized to each individual."

The Microsoft Graph is a single queryable API endpoint for accessing data, intelligence and insights coming from the Microsoft Cloud. 

More Info:
A great article on Graph is here.  NB!

Screenshot from my iPhone 6 using Microsoft's Delve iOS app with my own Office 365 E3 tenant.


Update Mar 2023 - Video (2 min) where MS Graph helped me find a value I needed for a DevOps pipeline

Sunday 14 February 2016

Notes on Compliance in Office365 & SharePoint

Also see: Data Protection Using SharePoint

Data Loss Prevention (DLP)
Historically used for email to identify, monitor and protect data.  This is the next step on from email policies/IT policies that were sent around and signed in the hope users would behave and only send appropriate information.   DLP ensures that sensitive information such as patents, financial information, Payment Card Industry Data Security Standard (PCI DSS) data, personally identifiable information (PII) or intellectual property (IP) is not accidentally shared with external parties.  DLP can inform users before they send email or open access to OneDrive or SharePoint document libraries that the information being shared violates company policy (as configured in the DLP template).
https://blogs.office.com/2013/10/28/office-365-compliance-controls-data-loss-prevention/
https://blogs.office.com/2014/08/27/search-sensitive-content-sharepoint-onedrive-documents/
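To show what a DLP template actually does when it inspects a message for PCI DSS data, here is an added Python example; it is not Microsoft's sensitive-information classifier and not from the original post. It takes the standard shape of such a detector: a regex proposes candidate digit runs, a Luhn checksum filters out order numbers and phone numbers, and the policy decision masks the matched values so the full number is never written to a log. The sample messages are constructed.

```python
"""A minimal DLP-style detector for payment card numbers (PCI DSS data), of the kind a DLP
template runs before an email is sent or a file is shared. Added example, not Microsoft's
classifier; the sample messages are constructed."""
import re

# 13-19 digits, optionally separated by single spaces or hyphens, not part of a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most random digit runs (order numbers, tracking numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the normalised (digits-only) card numbers found in the text."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep only the last four digits, as a DLP report or alert should."""
    return "*" * (len(pan) - 4) + pan[-4:]


def classify(message: str, max_allowed: int = 0) -> dict:
    """Policy decision the way a DLP rule expresses it: block when more than
    max_allowed card numbers are present; report only masked values."""
    pans = find_pans(message)
    return {"block": len(pans) > max_allowed,
            "count": len(pans),
            "matches": [mask(p) for p in pans]}


# Constructed sample messages. 4111 1111 1111 1111 is the well-known Visa test number;
# the order number in the second message has 16 digits but fails the Luhn check, and the
# 22-digit tracking number is too long to be a card number.
SAMPLES = [
    "Hi, please charge card 4111 1111 1111 1111, exp 12/25. Thanks",
    "Your order 1234 5678 9012 3456 has shipped; tracking 9400111899223197428490",
    "Call me on +44 20 7946 0958 about the invoice",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample))
```

Only the first message is blocked; the other two contain digit runs that a naive "16 digits" rule would have flagged, which is why real DLP classifiers pair the pattern with a checksum and a confidence level.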

Information Rights Management (IRM)
IRM-protected document libraries prevent sensitive information being copied, forwarded or printed.

eDiscovery
Find related content across SharePoint, Exchange and file shares to assist with litigation and determining info on a topic at a point in time.

Records Management
Manage a documents life-cycle, stop key docs being amended or edited.

Information management policies
Enforce compliance such as expired content, usage auditing and retention policies.

Office 365
All data is encrypted on the servers (encryption at rest) and TLS/SSL on all communications.

Other
DocAve can enhance IRM and archiving, and they have a SharePoint Monitoring and Policy Enforcement module.

Reference:
https://support.office.com/en-us/article/Use-Office-365-to-help-comply-with-legal-regulatory-and-organizational-compliance-requirements-ce773cec-2151-4d06-9a4e-2818613bd7e0