Part 1 -How Secure is your Office 365 Ecosystem?

 

1

Note : You can also view my webinar recording on this topic from the link below

So, today’s blog post is going to be focused on the Security and Compliance features in Office 365 so that you folks can understand how secure your Office 365 ecosystem is. It’s a known fact that organizations across the globe are embracing Digital transformation to meet the growing needs and deeds of today’s Cloud first and Mobile first world and Office 365 is playing a vital role in this transformation. Now, if you think about this from a business standpoint, the reason to embrace digital transformation in an organization is wide because it just doesn’t help you to be meet the needs and deeds of your customer, but it also empowers your employees to be more creative and productive. Now, speaking about this I ‘d like to recall a quote from Jeff Bezos (CEO of Amazon) where he says, The biggest threat to successful companies is “…if you won’t or can’t embrace powerful trends quickly. If you fight them, you’re probably fighting the future. Embrace them and you have a tailwind.”  I’m pretty sure this makes a lot of sense.

Alright, now speaking about the Security and Compliance features in Office 365, we all know that Office 365(formerly known as BPOS) was introduced on 2011 and it has come a long way since then. It has received many major updates as well as many new features and services alongside this journey and today it has turned out to become world’s number 1 SaaS solution and Microsoft has worked hard to keep up this place. The below mentioned image should give you an overview of the current momentum of Office 365 in today’s IT market.

2

3

Although, these numbers are great and undoubtfully Office 365 is really a great service. We as customers are always concerned about security because our data is not in our datacenters and instead it’s in Microsoft’s datacenter and there are many other parameters that concerns us. I often hear this from my friends who work as CISO’s in their respective organizations and of course many security folks whom I know in the industry have shared the same vision. So, the burning question in all our minds is …. What about security? How do I ensure that I have not been compromised? How do I make sure that my data is in my control even though Microsoft is the custodian for it? Also in addition to that, today’s security landscape is really scary .

4

5

Moreover, it’s just not that …Earlier when we all had our applications such as Exchange Server, SharePoint Server, Skype for Business server & LOB apps running in on-premises servers in our datacenters we had the concept of firewall which was acting as the security perimeter as shown in the image below.

6

Now, with Cloud we have fewer boundaries but more data and more apps which bring in more complexity as shown in the image below.

7

This of course raises a question in all our minds as decision makers about how can I enable productivity without compromising security? Because all these services which Office 365 offers are really great, but how do I trust the service? How do I ensure that my data is on safe hands?

8

Well, there are a lot of tools out there that can be purchased for this purpose but then all these tools are meant to solve a specific purpose and they can’t solve all the problems related to security in Office 365. So, it’s quite confusing for the Security folks to decide which tool to buy to ensure that their data is secure. We have a wide variety tools but then they don’t solve all the problems and in addition to that you would also end up in managing all these tools individually which requires a lot of manpower and would often lead to management overhead as well. On top of this the license for all these products could cost you a fortune.

9

So, now that I have lined up all the issues that we face in securing data on a Cloud first mobile first world in front of you folks, I’m going to explain about how to get rid of this and ensure that your data is secure by using all the Security and Compliance features in Office 365.

10.png

So, this post is mainly meant to showcase the security and compliance features in Office 365 that organizations can count on to ensure that Office 365 is really a trustworthy service and to also make them understand about how they can benefit from these features without purchasing multiple tools. These features that I’m referring to can be a life saver as you can get everything you want as depicted in the image below.

11

Note: This is going to a series of articles where I’ll be explaining each feature in detail. So initially I’ll begin with giving an overview of all the features and in a later blog post I’ll be getting into the nitty gritty of all the features. Alright, I guess I’ve set the mood now so let’s get started …

Listed below are the areas of focus for Security and Compliance in Office 365 and we have couple of offerings from Microsoft for each of these areas. These services might not really add more value if you use them individually but when it is put together and given to as a service names as EMS (i.e. Enterprise Mobility and Security) it can make wonders.

Note:  All the features that I’ll be mentioning below can either be purchased separately or can be purchased together as package called as Enterprise Mobility and Security. EMS is available to us in two flavors as mentioned below

  1. Enterprise Mobility and Security E3 (aka: EMS E3)
  2. Enterprise Mobility and Security E3 (aka: EMS E5)

Please go through the link below to understand the licensing details for EMS E3 & E5

https://www.microsoft.com/en-in/cloud-platform/enterprise-mobility-security-pricing

12

The image below should give you an overview of all the offering we have under each area.

13

Now, let’s jump in and look into these offering individually.

1.Threat Protection:

Listed below are the offerings we have under Threat Protection category

  1. Exchange Online Protection (aka: EOP)
  2. Office 365 Advanced Threat Protection (aka: ATP)
  3. Office 365 Threat Intelligence

 

  1. Exchange Online Protection (aka: EOP):

14

Microsoft Exchange Online Protection (EOP) is an email filtering solution that’s hosted on the cloud and it takes care of protection against spam and malicious malware attacks in your organization.  In addition to that it also protects your organization from messaging-policy violations. It sits in front all outlook.com and Office 365 mailboxes and scans all the emails. It can be used for both on-premises and cloud mailboxes.

Listed below are the primary ways of using EOP for message protection:

Standalone scenario: In this method Exchange Online Protection is used to provide cloud -based email filtering service for your on-premises Microsoft Exchange Server environment as well as legacy Exchange Server versions such as Exchange server 2007 or for any other on-premises SMTP email service providers.

With Microsoft Exchange Online (Office 365): By default, EOP protects Microsoft Exchange Online cloud-hosted mailboxes.

Hybrid deployment:  EOP can be configured to protect your messaging environment if you have a Hybrid environment configured where you have a mix of mailboxes in on-premises as well as online.

The below mentioned image should give you an overview of how Exchange Online Protection Mail Flow works.

15.png

The below image should give you a high-level overview about how EOP processes incoming email.

16

Explanation:

  1. An incoming email from the internet initially goes through the connection filtering, where it checks the sender’s reputation and scans the message for malware. Most of the spam is stopped at this point and deleted by EOP.
  2. Once done the message continues through policy filtering, where messages are evaluated against custom transport rules that you create or enforce from a template. For instance, you can have a rule configured in such a manner that an email gets triggered to the manager’s mailbox when a mail arrives from a specific sender. (Data loss prevention checks also occurs at this point if you have that feature enabled)
  3. After that, messages pass through content filtering, where content is checked for terminology or properties common to spam. A message determined to be spam by the content filter can be sent to a user’s Junk Email folder or to the quarantine, among other options, based on your settings.
  4. Finally, after an email is scanned thoroughly by all these protection layers, it gets delivered to the recipient.

Now, let’s look into how the mail flow works on an inbound scenario, outbound scenario and on Hybrid mode (i.e. online and on-premises together).

a) How the inbound mail flow works?

  1. EOP routes email to your on-premises environment via outbound connectors
  2. Your on-premises email system receives via one or more anonymous receive connectors
  3. You do not need to configure both inbound and outbound mail flow at the same time

b) How the outbound mail flow works?

  1. On-premises servers route email to EOP for delivery to the internet by utilizing a smart host. In Exchange, that is a send connector for the * address space. Use the same address as the MX record is for the internet as smart host value
  2. Configure an inbound connector in Exchange Online Protection to receive emails from on-premises. Configure connector to accept only from your on-premises TLS certificate or configure to receive from your IP range.
  3. EOP will scan for outbound spam and route to internet via EOP published IP ranges for email or the unpublished “high risk pool” of IP addresses for identified spam.

c) How the mail flow works in Hybrid mode?

  1. Hybrid is a likelihood when you have Exchange Online mailboxes and Exchange Server on-premises
  2. All email to an Exchange Online mailbox goes through EOP – no direct delivery even with hybrid

Therefore, configure hybrid properly to ensure internal email is treated as internal

EOP Licensing:

  1. EOP standalone – This service is designed for on-premises Exchange mailboxes.
  2. EOP in Office 365 – This service is designed for Exchange Online mailboxes in the cloud.
  3. Exchange Enterprise CAL – This service is similar to EOP standalone plan, but it also includes data loss prevention and in addition to that it also includes PowerShell remoting administration capabilities.

Also, please go through this link below to know in detail about EOP licensing.

https://products.office.com/en-us/exchange/exchange-email-security-spam-protection

2.Office 365 Advanced Threat Protection (aka: ATP):

Office 365 Advanced Threat protection protects your email, SharePoint & OneDrive for Business files and Office Online files against unknown and highly sophisticated attacks. Initially when ATP was launched it was available only for emails. But today, ATP can take care of SharePoint Online, OneDrive for Business, Microsoft Teams and also Office Online.

17.png

Listed below are the four pillars of Office 365 Advanced Threat Protection:

  1. Secure your mailboxes against advanced threats
  2. Protect against unsafe attachments
  3. Protect your environment when users click malicious links
  4. Get rich reporting and track links in messages.

 

  1. Secure your mailboxes against advanced threats:

18.png

New malware campaigns are being launched every day by attackers, and Office 365 has a solution to help protect your email, files, and online storage against them. Office 365 Advanced Threat Protection can help to protect user’s mailboxes, SharePoint and OneDrive files, online storage, and applications against new, sophisticated attacks in real time. It offers holistic protection in Microsoft Teams, Word, Excel, PowerPoint, Visio, SharePoint Online, and OneDrive for Business. By providing protection against unsafe attachments and expanding the protection capabilities against malicious links, it leverages the security features of Exchange Online Protection to provide better zero-day protection.

2. Protect against unsafe attachments:

19

With Safe Attachments, you can prevent malicious attachments from impacting your messaging environment, even if their signatures are not known. Any content that looks suspicious goes through a real-time behavioral malware analysis that uses machine learning techniques to validate the content for suspicious activities. Unsafe attachments gets thoroughly scanned in a sandboxed environment before being sent to recipients. The advantage is a malware free and cleaner inbox with better zero-day attack protection. So what basically happens behind the scenes here is , every email gets scanned in the Safe attachment sandboxed environment which is built by Microsoft and the recipient would initially just receive the email body without the attachment stating that his attachment is being scanned and would be delivered in a minute .If the Safe attachment sandboxed environment doesn’t find any malicious content the recipient will receive the attachment in next few minutes , if not the attachment would be quarantined and the Office 365 admin as well as the user would be notified . Also, for any given reason if the attachment which has malicious content in it gets delivered and later MS figures out that it has malicious files in it, even at that point of time ATP can pull back that email despite of it reaching the user’s mailbox.

3.Protect your environment when users click malicious links:

20.png

Exchange Online Protection which we discussed above provides protection against harmful links by scanning the content in the link. Safe Links expands on this by protecting your environment when an end user clicks on link which is shared to him via an email. While the content is being scanned, the URLs are rewritten to go through Office 365. The URLs are examined in real time, at the time a user clicks them. If a link is unsafe, the user is warned not to visit the site or informed that the site has been blocked as shown in the screenshot above. Reporting is available, so administrators can track which users clicked a link and when they clicked it. In this case, the URL’s gets scanned in the Safe Link virtual environment by Microsoft which is similar to the Safe attachment sandboxed environment that I explained above.

4. Get rich reporting and track links in messages:

21

Gain critical insights into who is being targeted in your organization and the category of attacks you are facing. Reporting and message trace allows us to check the messages that have been blocked due to unknown viruses or harmful malwares. In addition to that URL trace allows us to track individual malicious links in the messages that have been clicked.

The below mentioned image should give you a complete overview about the architecture of Advanced Threat Protection in Office 365.

22.png

 

Purchasing Office 365 Advanced Threat Protection:

You can add Advanced Threat Protection to the following Exchange and Office 365 subscription plans:

  1. Exchange Online Plan 1 & Exchange Online Plan 2
  2. Office 365 F1
  3. Exchange Online Protection
  4. Office 365 Business Essentials
  5. Office 365 Business Premium
  6. Office 365 Enterprise E1
  7. Office 365 Enterprise E2
  8. Office 365 Enterprise E3
  9. Office 365 Enterprise E4
  10. Office 365 Enterprise E5
  11. Office 365 Enterprise K1
  12. Office 365 Enterprise K2
  13. Office 365 Education

5.Office 365 Threat Intelligence:

23

Threat Intelligence makes use of the Microsoft Intelligent Security Graph, which analyzes billions of data points from Microsoft global data centers, Office clients, email, user authentications, signals and much more from the Windows and Azure ecosystems and other incidents that impact the Office 365 ecosystem.

So, in a nutshell what’s Office 365 Threat Intelligence? Well, Office 365 Threat Intelligence helps Office 365 administrators and  Security folks protect their organization’s Office 365 users by doing the below mentioned three things ….

  1. Making it easy to identify, monitor and understand attacks
  2. Helping to quickly address threats in Exchange Online and SharePoint Online
  3. Providing insights and knowledge to help prevent attacks against their organization

Now, if you’re wondering about what’s a Microsoft Intelligent Security Graph which I’ve explained above, let me try to explain that below.

The Microsoft Intelligent Security graph is a service built by Microsoft to collect telemetry data generated by all users using Office 365, devices that are connected to Office 365, IP addresses from which you login to Office 365 etc. and they have built an intelligent security graph. Now this basically has Machine Learning and Artificial intelligence built into it so that it studies every user’s behavior in Office 365 (meaning, from where a user logs in often, from which IP address does he/she login, from which country does he login, from which mobile device does he often connects to Office 365 etc.) and for any given reason if it finds an abnormal or anomaly activity from the normal behavior it marks that activity as malicious and takes appropriate security measures. The best part is, all this is done on its own without any human intervention. The below image should help you understand the amount of telemetry data Microsoft collects every month.

24

25.png

Although, this is jaw dropping and sounds bit crazy, there’s a method to this madness. Now, let me try to explain that, the attacks that you see today in a cloud first mobile first world are very sophisticated and you need to respond to that in minutes and not in hours or days and if your failing to do so the amount damage caused could be really unbearable as attackers out there are getting smarter day by day. So, I’m glad that Microsoft has built the Microsoft Intelligent Security graph for their Cloud services which helps us to be protected. Now based on the signal it gets from a user’s activity the below mentioned actions would be prompted for the user as shown in the image below. Microsoft says that they analyze 10 TB of data every day and this is expected to increase eventually.

26So, based on the conditions given to it such as (privileged user, unmanaged device etc.) it will grant access to the user. This is called as Conditional Access in Office 365 and I’ll discuss about this in later blog post.

If you’re interested in knowing more about Microsoft Intelligent Security graph, I’d urge you all to go through the below mentioned two links.

https://blogs.technet.microsoft.com/iftekhar/2018/02/25/artificial-intelligence-and-machine-learning-for-nextgen-threat-protection/

http://cloud-platform-assets.azurewebsites.net/intelligent-security-graph/

https://www.youtube.com/watch?v=-Q_G3yF9ZL4

So, what else do we have under Threat Intelligence? Well, we have three important components as a part of Threat intelligence which I want you folks to pay attention to.

  1. Threat dashboard:

You can use the Threat dashboard (this is also referred to as the Security dashboard) to quickly see what threats have been addressed, and this can also be used as a visual way to report to business decision makers how Office 365 services are securing your business.

27

To access this dashboard, navigate to Security & Compliance Center in the Office 365 admin center –>go to Threat management –>Dashboard.

Threat Explorer:

Threat explorer helps you to analyze threats, see the volume of attacks periodically, and analyze data by threat families, attacker infrastructure, and much more. The Threat explorer is the starting place for any security analyst’s investigation workflow.

28

To access this report, navigate to Security & Compliance Center in the Office 365 admin center –>  go to Threat management–> Explorer.

Incidents:

You can use the Incidents list section to see a list of current security incidents. These Incidents can be used to track threats such as suspicious email messages and to conduct detailed investigation on those emails and drive them to remediation.

29.png

To access the list of current incidents for your organization, navigate to Security & Compliance Center in the Office 365 admin center –> go to Threat management –>Review –> Incidents.

Purchasing Office 365 Threat Intelligence:

Office 365 Threat Intelligence is available by default in Office 365 E5 and if you’re using a different plan such as Office 365 Enterprise E3 or Office 365 Enterprise E1, then you can add Office 365 Threat Intelligence as an addon to your existing plan

Alright folks, that’s all I have for Part 1 and I’ll see you folks on Part 2 …. Good luck in keeping your Office 365 ecosystem secure by utilizing all the features that I’ve described above!!!

 

Advertisements

User guide to enroll your iOS Device with Microsoft Intune and to configure your Outlook mobile app

31.png

If your company or school uses Microsoft Intune for Mobile Device Management and Mobile application management, you can enroll your iOS device to get access to company email, files, and other resources. When you enroll your devices, your IT department can manage the resources, keep them secure, and give you the freedom to use your preferred device to get your work done.

The steps mentioned below should be followed by all users who hold an Apple device to enroll their iPhone/iPad with Microsoft Intune so that your device can be managed by Microsoft Intune.

Note:

  • Please make sure that your device has a good Wi-Fi connectivity or a good 3G/4G connection before doing the below mentioned steps.
  • Please ensure that your iOS version is not less than 8.0

Detailed steps:

  1. Open the App Store and search for Microsoft Intune company portal app as shown in the image below.

1

  1. Download and install the Microsoft Intune Company Portal app. Once done you should be able to see it in your Apple device home screen as shown in the image below.

2.jpg

3. Open the Intune company portal app and sign in with your Office 365 UPN address as shown in the image below.

3

  1. Enter your Office 365 UPN password as well as shown in the image below.

4

5. Once done you would be redirected to the Company Access setup page as shown in the image below.

5

6. Click on Begin on the top right corner of the screen and this will start preparing your portal as shown in the image below.

6

7. You would be taken to a screen which describes why you need to enroll your device , you can go through the guidelines if required and click on continue as shown in the image below.

7

8.The next screen will tell you what can be viewed by your IT Admin once the device has been enrolled with Intune and what cannot be viewed by the IT Admin. You can go through all the details if you’re concerned about your privacy and click on continue.

8

9. Now the next screen will ask you to click on “Enroll” to enroll your device with Intune, please go ahead and click on Enroll.

9.jpg

  1. Once done the next screen will prompt your for Multi-Factor Authentication which is nothing but an extra layer of security just to ensure that your connection is legitimate.

10.jpg

11. Based on which option you chose above you would either get a text message or a phone call with a passcode, please go ahead and enter the code correctly and click on next as shown in the image below.

11.jpg

12. Once done the device enrollment process will start and you would see the below mentioned screen.

12.jpg

13. After that would get the below mentioned screen asking you to install the profile for Mobile Device management, please go ahead and click on install as shown in the image below .

13.jpg

14. You would also get the installation prompt in the next few screens, please go ahead and click on install on the next screens. Once done if you already have a passcode for your device it would prompt for that, please key-in that passcode as shown in the image below .

30.jpg

15. On the next screen you would be asked if you trust this profile for Mobile device management, please go ahead and click on Trust as shown in the image below.

14

16. You would be taken to the certificate enrollment process in the next screen as shown in the image below.

15.jpg

17. Once done you would be taken to the below mentioned screen asking you to open the Company portal app as shown in the image below. Please go ahead and click on open.

16

18. After that’s completed you would get the below screen where you can notice that the portal is getting prepared.

17

19. You would get the below mentioned screen post that, please go ahead and click on install as shown in the image below.

18.jpg

20. The next screen will ask you to choose your device category, please go ahead and choose the correct option. In my case I’ve chosen “personal-owned device “ as I’m enrolling my personal iPhone with Intune .

19

21. Once done you would be prompted to change your passcode as shown in the image below, please go ahead and change it and confirm it once again as shown in the image below.

 

Note: Please make sure that you don’t forgot your passcode

20.jpg

22. After confirming the passcode, you would be taken to the below mentioned screen which confirms that your device has been successfully enrolled with Intune.

21.jpg

22.jpg

23.  Now go back to home screen in your iPhone and open the Intune company portal app .You can check the list of apps which are available for download from company portal app as shown in the image below.

23

24. Now you can search for the “Outlook” mobile app in the portal and install it as shown in the image below.

Note: If you’re IT admin has configured a policy in Intune such that you should only be using the Outlook mobile app that’s available in the Intune Company portal to configure your emails, then you won’t be able to download and use the Outlook mobile app that’s available in the App store. This is part of Mobile application management in Intune. In addition to that you won’t be able to do the below mentioned things based on the policies which your IT admin has enforced.

  1. A user tries to copy the content from his Office 365 mailbox and tries to paste it in his personal email account (i.e. Gmail, Hotmail etc..) and Intune restricts it.
  2. ii) A user tries to download an attachment from his Office 365 mailbox and tries to save it to his Drop box or personal OneDrive and Intune restricts it.

Please go through the link below to know more about the MAM policies in Intune :_ https://docs.microsoft.com/en-us/intune-classic/deploy-use/configure-and-deploy-mobile-application-management-policies-in-the-microsoft-intune-console

24.jpg

25. Once you’re done installing the “Outlook” mobile app from the Intune company portal, please go back to the home screen and open the “Outlook” app as shown in the image below.

25.jpg

26. Open the Outlook mobile app, you would be prompted to choose the email account which you want to setup. In my case it prompts to either add both my Office 365 email account as well as my Hotmail account. I’ve chosen to configure Office 365 email account only as shown in the image below. In your case you might only see your Office 365 email account.

Note: Even if you have added your Hotmail account , Intune will take care of only your Office 365 mail address and not your Hotmail account .

26.jpg

  1. Once you’ve chosen your Office 365 email account, please give it some time and your mailbox will start downloading all the emails, contacts and meetings etc. as shown in the image below.

28.jpg

28. You can also use some cool features like @mentions and focused inbox in Office 365 as shown in the image below.

29.jpg

29. In addition to this you can also remotely manage your mobile device from your laptop or PC once it’s enrolled with Intune by accessing the Intune Company portal site. In order to do that, please login to the below mentioned URL using your Office 365 UPN address and password.

https://portal.manage.microsoft.com/

30 .Once done you should be able to see your Apple device which has been enrolled with Intune as shown in the image below.

30.png

31. You can rename, remove, reset the passcode as well as remotely lock your device from your laptop/PC from here. So if you ever encounter a scenario where your device has been lost/stolen you can remotely wipe if from here.

Thanks for reading this post!!!  Good luck with Intune.