Securing and maintaining a trustworthy Office 365 and Microsoft Azure deployment is not an easy task. In this session we'll take a look into how you can secure and control your cloud-based servers and services, data and users using Azure Active Directory, Azure Security Center, Privileged Identity Management and Advanced Security Management. In addition we’ll also take a look at how Operations Management Suite and Microsoft Advanced Threat Analytics can be used to provide better overall security for on-premises and hybrid deployments.
5. Agenda and takeaways
Security building blocks
External threats
Internal threats
Licenses
The Big Picture
How to protect Azure and Office 365
How to protect On-Premises services
Super-exciting!
13. A traditional approach to embracing the cloud
This is the common, kind-of hybrid architecture model.
Microsoft Azure
Office 365
Site-to-Site VPN
Azure AD Connect
ADFS
Proxy
On-premises
14. The heart of security: Azure Active Directory
The core of each Azure subscription
You can have multiple AAD tenants within the same Azure subscription
Users, groups, licenses, permissions, apps, app proxies, domains... all here!
Managed through Azure Portal; some tiny things are still only available in the Classic Portal
It’s important to understand the difference between AAD, AD and AAD Connect (and AAD DS)
Identities, management and security
20. Securing authentication for users with Multi-Factor Authentication
Enforces security beyond username and password
User must possess something – typically a mobile device
Strong authentication occurs over text message, pin, fingerprint, mobile app approval or voice call
Users must enroll through https://aka.ms/mfauserhowto
Available as Office 365 MFA, Azure MFA for Admins and Azure MFA
Certain non-browser apps do not support MFA -- users have to provision separate App Passwords (one or more) through the MyApps portal
This tends to be challenging for non-technical users
Multi-Factor Authentication for on-premises with Azure MFA Server
Enables easy securing of VPNs, IIS web apps & Remote Desktop
Maybe not the most logical to set up...
Supports RADIUS so fairly easy to integrate with legacy systems ;-)
Strong and secure authentication for on-premises, hybrid & the cloud
21. Baseline your security in Office 365 with Secure Score
Free service at https://securescore.office.com
After initial scoring you can select a new baseline
Provides a list of actions for things to fix, in order to achieve a new baseline
Max score is 432..452
Office 365 average is 29. I have 71!
You get to >100 just by enabling MFA for global admins
Automated scan of your Office 365 subscription settings and general security
22. A dashboard for Azure security with Security Center
A simple way to view what’s secured and what’s not in Azure
Includes behavioral analytics and incident reporting
Standard license gives advanced threat detection & intelligence
Provides an overview on security for cloud resources
23. Securing and monitoring Azure AD Connect, ADFS and on-premises AD configuration with Azure AD Connect Health
Monitors your AD FS, AD FS Proxy, AAD Domain Services and AAD Connect status
Can alert you when things break down – useful for many directory-related services, and especially for Azure AD Connect issues
Deploying is easy:
Install agents for AD FS, AAD Connect and AD DS servers
Verify configuration on AAD CH blade in Azure Portal
Somewhat sadly this feature requires AAD Premium license – all users must be licensed in the scope of AAD CH
Agent-based service to monitor your AD domain controllers and ADFS infrastructure
24. Safeguarding for users who log in from weird countries with Azure AD Identity Protection
Watchdog for user sign-ins, can associate individual logins with risk factors
Automatically flags suspicious events, such as users who perform impossible travel times (typically with VPN connectivity)
Enforces additional policies based on low/high risk factors
Enforce MFA for the duration of the login
Enforce self-service password reset (which subsequently enforces MFA)
Weekly email digest of findings and things to lose your sleep over
Monitoring for risk events, vulnerabilities and automatic policy changes
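A minimal version of the impossible-travel check described on this slide, added here as an illustration rather than code from Identity Protection; the sign-in lines, the city coordinates and the 900 km/h plausibility threshold are constructed assumptions:

```python
"""Impossible-travel check over sign-in events, modelled on the risk event
described above. Events and coordinates are constructed sample data."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumption: airliner speed; faster is "impossible"

# Constructed sign-in lines: UTC time, user, source city, latitude, longitude
SAMPLE_SIGNINS = """
2017-10-02T08:00:00Z alice@contoso.example Helsinki 60.17 24.94
2017-10-02T08:45:00Z alice@contoso.example Singapore 1.35 103.82
2017-10-02T09:00:00Z bob@contoso.example Helsinki 60.17 24.94
2017-10-02T16:00:00Z bob@contoso.example Stockholm 59.33 18.07
""".strip().splitlines()


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = (sin((lat2 - lat1) / 2) ** 2
         + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def parse_signin(line):
    ts, user, city, lat, lon = line.split()
    return {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "user": user,
            "city": city, "lat": float(lat), "lon": float(lon)}


def find_impossible_travel(lines, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, from_city, to_city, implied_kmh) for every consecutive
    pair of sign-ins by one user whose implied speed exceeds max_kmh."""
    events = sorted((parse_signin(line) for line in lines),
                    key=lambda e: (e["user"], e["time"]))
    flagged, last = [], {}
    for ev in events:
        prev = last.get(ev["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            hours = (ev["time"] - prev["time"]).total_seconds() / 3600
            # Same place twice is not travel; zero elapsed time with a real
            # distance is treated as infinite speed rather than a crash.
            if km > 0:
                speed = km / hours if hours > 0 else float("inf")
                if speed > max_kmh:  # VPN exit nodes are a common false positive
                    flagged.append((ev["user"], prev["city"], ev["city"], speed))
        last[ev["user"]] = ev
    return flagged
```

The VPN case the slide mentions is exactly where this heuristic misfires, which is why the product pairs such events with a policy (MFA or password reset) instead of blocking outright.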
25. Getting rid of static admin roles with Azure AD Privileged Identity Management (PIM)
Instead of granting permanent admin privileges, PIM allows ad-hoc & just-in-time admin roles
Users can request new privileges for a predefined duration
Scans for fixed admin roles and changes them to temporary roles
Admin roles become non-permanent
Duration can be set from 1 hour to 72 hours
Can enforce MFA during role grant
In preview: Approval workflows for new privilege requests
Central view & management for all admin roles throughout Azure and Office 365
”Just-in-time” administration privileges for users on request
26. Tracking botnet and brute force attacks
OMS provides System Center-like capabilities in the cloud
Capable of tracking hybrid deployments, including Office 365 and Azure
Gathers logs (also custom ones), configuration data, update status, availability, backup info and even Surface Hub data
Operations Management Suite (OMS) is the Swiss Army knife you need
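An added example (not OMS code) of the two failed-logon patterns this slide refers to, a single-source brute force and a many-source, botnet-style attack, run over constructed Windows logon events; the five-minute window and the thresholds are assumptions:

```python
"""Failed-logon burst detection over constructed Windows security events,
the kind of analysis the slide attributes to OMS. Sample data is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
BRUTE_FORCE_MIN_FAILURES = 5  # assumption: one source, one account, many failures
BOTNET_MIN_SOURCES = 3        # assumption: one account hit from many sources

# Constructed lines: time EventID Account IpAddress (4625 failed, 4624 success)
SAMPLE_EVENTS = """
2017-10-02T10:00:00Z 4625 svc_backup 203.0.113.5
2017-10-02T10:00:10Z 4625 svc_backup 203.0.113.5
2017-10-02T10:00:20Z 4625 svc_backup 203.0.113.5
2017-10-02T10:00:30Z 4625 svc_backup 203.0.113.5
2017-10-02T10:00:40Z 4625 svc_backup 203.0.113.5
2017-10-02T10:01:00Z 4624 svc_backup 203.0.113.5
2017-10-02T11:00:00Z 4625 admin 198.51.100.1
2017-10-02T11:00:05Z 4625 admin 198.51.100.2
2017-10-02T11:00:10Z 4625 admin 198.51.100.3
2017-10-02T12:00:00Z 4625 carol 192.0.2.9
""".strip().splitlines()


def parse(line):
    ts, event_id, account, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), int(event_id), account, ip


def detect(lines, window=WINDOW):
    """brute_force: (ip, account) pairs with a failure burst; botnet: accounts
    hit from many sources; success_after_burst: a burst followed by a 4624."""
    fails = defaultdict(list)    # (ip, account) -> failure times in window
    sources = defaultdict(list)  # account -> (time, ip) failures in window
    brute, botnet, success_after = set(), set(), set()
    for ts, event_id, account, ip in sorted(parse(line) for line in lines):
        recent = [t for t in fails[(ip, account)] if ts - t <= window]
        if event_id == 4625:
            recent.append(ts)
            fails[(ip, account)] = recent
            srcs = [(t, i) for t, i in sources[account] if ts - t <= window]
            sources[account] = srcs + [(ts, ip)]
            if len(recent) >= BRUTE_FORCE_MIN_FAILURES:
                brute.add((ip, account))
            if len({i for _, i in sources[account]}) >= BOTNET_MIN_SOURCES:
                botnet.add(account)
        elif event_id == 4624 and len(recent) >= BRUTE_FORCE_MIN_FAILURES:
            success_after.add((ip, account))  # likely compromise, not a lockout
    return {"brute_force": sorted(brute), "botnet": sorted(botnet),
            "success_after_burst": sorted(success_after)}
```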
27. Protecting from external threats with Office 365
Provides a 360° view on external threats against users
Insights and analysis based on evidence, act accordingly
Allows for custom policies and reactions
Threat Intelligence uses evidence-based knowledge on threats
28. Publishing internal services securely
Enforce authentication at Azure AD before allowing access to internal resources
Configuration is simple, and supports high availability deployments
Internal services do not require changes
Dual authentication is also supported: first on Azure AD, then on-premises against the local AD/service
Azure AD Application Proxy provides a one-way HTTPS tunnel to on-premises
31. Securing Edge network & cloud app usage with Cloud App Security (used to be Advanced Security Management)
Similar to OMS, but directly aimed for Office 365 workloads
Records all activities of users, including external users
Supports on-premises edge router log analysis
Discover activity and incidents in Office 365
32. Monitoring what admins and developers are doing with Azure resources
Query against Azure backends to see operations against services
Connect with
Log Analytics (for further analysis)
Power BI (for reports)
Application Insights (for wisdom)
Azure Monitor provides monitoring throughout tenants and resource groups
33. Finding Shadow IT within the organization with Cloud App Discovery
Works by dropping an agent on workstations
Consent can be requested; or just install silently...
Discover apps, amount of data transferred and who uses what
Based on reports, act accordingly
Discover unmanaged (and managed) cloud apps in use
34. Active Directory surveillance & analysis with Advanced Threat Analytics (ATA)
Captures all authentication traffic to and from Domain Controllers
Uses Machine Learning to identify issues and unauthorized usage
Fully automatic, install & forget!
Almost like SharePoint ;-)
Can connect with OMS to provide hybrid reporting in the cloud
Aggressive auditing and analytics for on-premises Active Directory requests
35. Compliance Manager
A new service in Office 365
Coming in November
Centralized compliance view to GDPR, ISO 27001 certifications and other frameworks
Sign up for preview: https://aka.ms/compliance-manager-preview
36. Customer Key
Announced at Ignite 2017 last week
Use customer-managed encryption keys
Includes protection if you lose your keys
Uses Azure Key Vault to hold keys – can be HSM (Hardware Security Module) backed
39. I’m lost – too many services and options
Active Directory
Advanced Threat Analytics
Firewall, proxy, VLANs etc.
Microsoft Identity Manager
On-premises Office 365
Data Loss Prevention
Threat Intelligence
Secure Score
Compliance Manager
Microsoft Azure
Connect Health
Cloud App Discovery
Network Security Group
Cloud App Security
Identity Protection
Privileged Identity Management
Azure Active Directory
Conditional Access
Operations Management Suite
Security Center
Azure MFA
Azure Information Protection
Intune
42. What about Microsoft 365?
Microsoft 365 Enterprise
Microsoft 365 Business
Office 365 Enterprise
Windows 10 Enterprise
Enterprise Mobility + Security
Intune
Office 365 for Business
Windows 10 Pro
3001
E5
E3
43. Security-related services and licenses
Advanced Threat Analytics
Active Directory
Azure MFA Server
Advanced Security Management
Threat Intelligence
Secure Score
Intune
Azure MFA for Admins
Azure AD
Azure AD Premium
Security Center
Cloud App Discovery
Privileged Identity Management
Identity Protection
Azure MFA
Connect Health
Network Security Groups
Next-Gen Firewalls
Information Protection
Operations Management Suite
No extra license needed
EMS E3/Microsoft 365 E3
EMS E5/Microsoft 365 E5
Additional licensing
44. Recommendations & recap
Follow current practices and patterns: http://bit.ly/azuresecpnp
Get the book!
http://bit.ly/azuresecbook
Get the guidance!
http://bit.ly/perimeterbook
Deploy the free services
Azure Security Center
Office 365 Secure Score
Azure MFA for Admins
OMS Security (AAD+O365)
Go for AAD Premium, either with EM+S or separately
Deploy ATA
Enable PIM and Identity Protection