Scan file servers, network shares, and SharePoint with Azure Information Protection Scanner

 

With GDPR just around the corner (May 2018), organizations are heads down identifying data, creating compliance processes, and hiring additional resources to lead the compliance and reporting required by GDPR.

In a previous post I reviewed GDPR as well as the technologies and services Microsoft offers to assist with discovery, managing, protecting, and reporting on data.

For this post I’ll expand on the topic of scanning file servers and SharePoint servers using a the Azure Information Protection Scanner or AIP Scanner.

 

Scanning SharePoint Server and File Shares

Azure Information Protection includes a scanning tool called the Azure Information Protection scanner or AIP scanner.  The AIP scanner is used to comb through file shares and SharePoint and identity and/or classify + protect data.

 

The scanner runs as a service on Windows Server and lets you discover, classify, and protect files on the following data stores:

  • Local folders on the Windows Server computer that runs the scanner.

  • UNC paths for network shares that use the Common Internet File System (CIFS) protocol.

  • Sites and libraries for SharePoint Server 2016 and SharePoint Server 2013.

Source: https://docs.microsoft.com/en-us/information-protection/deploy-use/deploy-aip-scanner 

 

Once the AIP scanner is deployed, use it to report on information you’re looking for and when discovery is complete, run the AIP scanner and apply classification with or without protection across those files.

The classification labels and encryption policies come from the Azure Information Protection service in Azure.  Labels may be defined with or without encryption.  At a minimum I recommend all information at least be classified.  To learn more about creating classification labels using Azure Information Protection please visit: https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-information-protection

 

I won’t go through the details of installation process as it’s clearly documented in the link I provide below.  However, the output below is from a scan I completed using the AIP scanner against a few sample files.  The AIP scanner will look for specific information based on the AIP policies that are configured (e.g. credit card info, passport numbers, etc.).

clip_image001

For more information about the Azure Information Protection scanner please visit: https://docs.microsoft.com/en-us/information-protection/deploy-use/deploy-aip-scanner

 

Automation

To help with automating the AIP Scanner process I created a script to walk through each option.  Feel free to utilize, however keep in mind when new AIP scanner versions are released you may need to update the script to accommodate new features. I also make no guarantees so use at your own risk.

 

#AIP Scanner Script

#Created by Courtenay Bernier

 

 

$AIPScannerLogFiles = $env:LOCALAPPDATA + ‘MicrosoftMSIPScannerReports’

 

#AIP scanner config

Write-Host “”

Write-Host ‘AIP scanner configuration’

Write-Host “”

$ScanMode = Read-Host -Prompt ‘ScanMode: Enforce | Discover’

$Type = Read-Host -Prompt ‘ScanType: Incremental | Full’

$ReportLevel = Read-Host -Prompt ‘ReportLevel: Off | Debug | Info | Error’

$Schedule = Read-Host -Prompt ‘Scanner Runtime Schedule: OneTime | Continuous | Never’     

$JustificationMessage  = Read-Host -Prompt ‘JustificationMessage: Free Text or leave blank’

 

Write-Host “The AIPScannerConfiguration options selected are: ‘$ScanMode‘, ‘$Type‘, $ReportLevel, $Schedule, $JustificationMessage

 

Set-AIPScannerConfiguration -ScanMode $ScanMode -Type $Type -ReportLevel $ReportLevel -Schedule $Schedule -JustificationMessage $JustificationMessage

 

Write-Host “”

Write-Host ‘This is the AIP Scanner Configuration set:’

Get-AIPScannerConfiguration

 

 

 

#AIP scanner repository

Write-Host “”

Write-Host ‘AIP scanner repository’

Write-Host “”

$OverrideLabel = Read-Host -Prompt ‘OverrideLabel: On | Off’

$SetDefaultlabel = Read-Host -Prompt ‘SetDefaultLabel: UsePolicyDefault | On | Off’

$PreserveFileDetails = Read-Host -Prompt ‘PreserveFileDetails: On | Off’

$DefaultOwner = Read-Host -Prompt ‘Specify the default owner by: email address or leave blank’

 

do {$DLID = Read-Host -Prompt ‘Add a default label ID by GUID? Yes or No’ }

until (‘yes’,‘no’ -contains $DLID)

 

if ($DLID -eq ‘yes’)

    {

        $DefaultLabelID = Read-Host -Prompt ‘specify the label GUID found in the AIP label policy’

 

    }

elseif ($DLID -eq ‘no’)

    {

       Write-Host “”

       write-host “No default label ID was added”

       Write-Host “”

    }

 

 

#add file location

$Path = Read-Host -Prompt ‘Fileshare or SPS Path: e.g. F:SharesFileShare or \networkpath or http://sp2013/Shared Documents’

Add-AIPScannerRepository $Path

Write-Host “”

 

 

#ask to add for more file locations

do {$answer = Read-Host -Prompt ‘Would you like to add another file location? Yes or No’

 

if ($answer -eq ‘yes’)

    {

       $Path = Read-Host -Prompt ‘Fileshare or SPS Path: e.g. F:SharesFileShare or \networkpath or http://sp2013/Shared Documents’  

  

       #add file location

       Add-AIPScannerRepository $Path

       Write-Host “”

 

    }

 

else

    {

       Write-Host “”

       write-host “No additional paths were added”

       Write-Host “”

       Write-Host “To remove repositories: use Remove-AIPScannerRepository share/sps path”

       Write-Host “”

       Get-AIPScannerRepository

       Write-Host “”

  

    }

}

Until ($answer -eq ‘no’)

 

 

#set AIP scanner repository

Write-Host “”

Write-Host ‘Setting scanner repository config:’

Set-AIPScannerRepository -OverrideLabel $OverrideLabel -PreserveFileDetails $PreserveFileDetails -DefaultOwner $DefaultOwner -Path $Path -DefaultLabelId $DefaultLabelID -SetDefaultLabel $SetDefaultLabel

 

 

#show file location(s)

Get-AIPScannerRepository

Write-Host “”

 

 

#start AIP scanner service or abort

do {$answer = Read-Host -Prompt ‘Are you ready to start the AIP Scanner Service? Yes or No’ }

until (‘yes’,‘no’ -contains $answer)

 

if ($answer -eq ‘yes’)

    {

       write-host “Starting AIP Scanner Service for ($ScanMode)”

       start-Service ‘Azure Information Protection Scanner’

       Write-Host “”

  

       #Show last AIP events

       Write-Host “waiting for eventlogs to populate”

       Start-Sleep -s 15

       Get-EventLog -Newest 4 -LogName ‘Azure Information Protection’ | Format-List -Property *

       Write-Host “”

  

       #Open Scanner Report Folder

       explorer $AIPScannerLogFiles

       Write-Host “”

    }

elseif ($answer -eq ‘no’)

 

    {

       Write-Host “”

       write-host “Canceling AIP Scan”

       Write-Host “”

       Write-Host “To remove repositories: use Remove-AIPScannerRepository share/sps path”

       Write-Host “”

    }

 

 

Microsoft Flow and Azure AD – let’s automate!

 

When I speak with organizations we often discuss scenarios such as having an onboarding process that is in need of a front-end utility and automation.  Many organizations have cloud services and on premises applications where the user onboarding process in some cases is still a manual procedure.  To assist with these processes and many others, Microsoft offers as service called Microsoft Flow.  I’m always looking for creative uses of applications and Microsoft Flow offers just what we need to help automate processes such as account management across applications and services.  In addition, Microsoft Flow goes well beyond just automating a user management processes (e.g. onboarding) as discussed below.

 

What is Microsoft Flow?

“Microsoft Flow is a service that helps you create automated workflows between your favorite apps and services to synchronize files, get notifications, collect data, and more.”

Source: https://docs.microsoft.com/en-us/flow/getting-started

Microsoft Flow allows you to create workflows to automate tasks, for example, when files are added to a folder in a cloud storage environment such as OneDrive or Box, notify a user. Or create an approval workflow process to manage tweets before they’re posted to Twitter.

 

Microsoft Flow offers connectors to connect to either cloud applications or on premises environments.

To view a list of Microsoft Flow connectors, please visit: https://us.flow.microsoft.com/en-us/connectors/

 

In addition, there are many pre-defined templates that may be utilized such as starting an approval process when a new item is added to SharePoint or save tweets to an Excel file or sync files between cloud drives or a file server via FTP.  The list goes on and on…

To view a list of Microsoft Flow templates, please visit: https://us.flow.microsoft.com/en-us/templates/

 

Microsoft Flow Licensing

Some features are free and require premium Flow sku.  For more details about Microsoft Flow licensing please visit: https://flow.microsoft.com/en-us/pricing/

Microsoft Flow FAQ: https://docs.microsoft.com/en-us/flow/frequently-asked-questions

 

For this post, I will utilize Microsoft Flow to create users in Azure AD as well as provide custom bonus flows! so let’s get started…

As an administrator, the first thing we need to do is access Microsoft Flow and create a new workflow.

Navigate to https://flow.microsoft.com and sign-in.

Search for Azure AD in the search box provided as shown below:

image

 

From the results page, locate and select “Create Azure AD User From Button”

image

 

From there select “Continue” to add the template:

image

 

For more details about the Microsoft Flow Azure AD connector and templates, please visit: https://us.flow.microsoft.com/en-us/connectors/shared_azuread/azure-ad/

 

From here you can use the template as is and select Create flow, or you change the name and edit the steps in the template provided:

image

 

I chose to edit the “Send an email” step in the flow as I wanted a little more detail, I began the editing process by selecting “Send an email”:

image

 

The default template only offers a one-line sentence of info, however I changed it to add information the manager and the end user would need:

image

 

We can also edit each flow step or add more if necessary by deleting or adding fields (if the field is used downstream in the flow you’ll need to delete the field first downstream):

image

image

 

“Adding an Azure AD User” Flow in action

The great thing about Microsoft Flow is a flow may be run on a schedule, via an event or trigger, or manually from the web or the Mobile app. 

Additionally, Flow templates may be shared out to other users to access as well, so administrators don’t always need to be in the process.  Ultimately a Flow template configuration is up to you and what works best for your processes within your organization

 

Flow Web App

To manually start the newly created Flow template, when in the Flow template select “More” from the top and then select “Run now”

image

 

From there the template with a list of fields will open for a user to manually fill in:

image

 

Once all the fields are filled in properly, select “Run flow” and a new user will be created in Azure AD.  I show more details and results below using the mobile app.

 

Mobile App

I find the Microsoft Flow mobile app very easy to use, especially when on the go.  In fact, flows may be created and edited directly from the Microsoft Flow app.

Download the Microsoft Flow app from your favorite app store, in my case I have the iOS app installed on my device.  The first time Microsoft Flow app is launched you’ll need to sign into your Azure AD tenant (be sure that user has rights to create users, groups, access apps, etc.).

 

Select “Buttons” at the bottom of the app:

SNAGHTML4c3e814e

 

Locate the the button that will create the Azure AD User:

image

 

Fill out the form and submit:

image

 

Here are my inputs from my Flow template process, when finished select “Done” at the top of the app and the Flow will run:

imageimage

 

Once the Flow has completed, we can look at the run history and the details of each flow process (great for troubleshooting as well):

imageimage

 

Expanding the “Send an email” flow we see the following:

image

 

Below is the customized email received by a user or manager after the user is created (including a randomly generated password):

image

 

Lastly, below is the user that was created by the Flow process in the Azure AD admin portal:

image

 

Dynamic groups

Once users are created, dynamic group memberships may be used to automatically assign users to group, for example, any user may be dynamically assigned to Group A. Group A can also be assigned to licenses, SaaS applications or assigned to SharePoint Online/OneDrive, so as soon as a user is assigned to a group they’ll have access to the licenses and apps assigned to it.

Dynamic group membership eases the management process of adding and removing users to applications. Simply assign a group to the application permission and use dynamic group rules to automatically assign and remove users. You can even use attributes such as employeeId, mail, or companyName as attributes to look for, however there are many more attributes to choose from and depending where the users originates from, you may want to get creative.  Finally, for applications that support provisioning, users may be automatically provisioned and provisioned to SaaS applications which provides full user lifecycle management.

For more details about Azure AD Dynamic Groups please visit: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-groups-dynamic-membership-azure-portal

 

BONUS FLOWS 

Need to disable or enable sign-on for a user quickly in Azure AD (i.e. O365, Dynamics365, etc.) from your mobile device?  I created Flows to do that.

 

Current sign-in state of the user shown in Azure AD and O365 Portals (it’s the same setting btw) shown below:

imageSNAGHTML13b5bc02

 

I created a button in Microsoft Flow and filling out the following fields in red:

image

 

When the flow is run, type in the UPN (email address) of the users and flow will disable sign-on for that user.

image

image

 

New sign-in state of the user shown in Azure AD and O365 Portals (it’s the same setting btw) now blocked shown below:

imageimage

 

Enable sign-on for an Azure AD user

Follow the Flow creation process above to create a Flow to enable a user to sign-on, however change the “Account Enabled” setting to “Yes”.  Note: Flows may be copied, to copy a flow select Save As for the flow you’d like to copy in the Flow portal and modify from there.

As a result we’ll end up with two flow as shown below:

image

 

And the flow buttons on my mobile device:

SNAGHTML14328189

 

Delete Azure AD Users

Now a question you may have is “can we delete Azure AD Users using a button?”  You could, however there is nothing built in with Flow or connectors today.  A custom app would need to be developed with the proper permissions to the Microsoft Graph to delete an account then added to flow.  So this would be more of a custom development approach that what I demonstrated in this post.  As a result, using Microsoft Flow we can create a custom connector that will call into the app registered with Azure AD to make calls to delete users using a button flow in Microsoft Flow.  Same holds true for resetting user passwords.

With Microsoft Flow, the possibilities are endless with the predefined templates and built-in connectors to services, you don’t have to be a developer to automate processes and workflows!

Regulations and data management in a hybrid world

 

I speak with a lot of organizations and often they’re interested in locating, tagging, and controlling data for various reasons such as legal, regulatory, or protecting personal and proprietary information.

However, there’s one regulation that keeps popping up and it’s the new EU General Data Protection Regulation or GDPR.  GDPR will be enforced on May 25, 2018, which is just around the corner.  Unfortunately, GDPR is not a one-time process, it’s an ongoing regulation and failure to comply could result in heavy fines.  For most organizations, data may be stored across all types of systems and services including backups so locating and managing data across those environments may be difficult.

For this post, Microsoft provides guidance around GDPR and I’ve utilized some of the terms and guidance provided to simply the overview.

To learn more about how Microsoft is addressing GPDR please visit: https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/default.aspx

The categories below align with the Microsoft GDPR guidance provided in documentation above, however I’ve attempted to simplify while targeting Office 365 and Enterprise Mobility + Security.  The last topic I’ll discuss is how to identity and classify information across SharePoint Server and file shares.

 

Let’s take a look at the four pillars of addressing data management requirements:

image

clip_image001[4]

 

Tying everything together, we have a process to identify, manage, protect, and report on data:

clip_image002[4]

 

Now that we have a definable process, let’s align the Microsoft services around all four categories, again the area of focus here is EMS and O365:

clip_image003[4]

image

 

 

Let’s take close look at some of the details across the Microsoft offerings:

Azure Active Directory

  • Lay the foundation for your organization by protecting access to sensitive information, which starts with modernizing your identities with Azure Active Directory. Whether a cloud or on premises application, Azure Active Directory will act as a controlled gateway to your data.

Azure Information Protection

  • Automated Classification, Labeling, and Protection + File scanner for file servers and SharePoint.

Office 365 Data Loss Prevention

  • Identify and retain data by applying retention policies to data across O365 services. Discover data through eDiscovery and actions on data via O365 audit logs.

Exchange Online

  • Prevent data from leaking by creating message rules to stop sensitive information from being sent through email. Ties into Data Loss Prevention as described above.

Microsoft Cloud App Security

  • Discover, monitor access, and apply governance to sensitive data across cloud services.

Microsoft Intune Application Protection

  • Protect information from leaking to non-protected applications and accounts across devices such as iOS, Android, and Windows.

Microsoft Power BI

  • Create insightful and visual reports by importing audit data into Power BI.

 

SharePoint Server and File Shares

I understand the previously mentioned services are great for managing data across cloud services, however what about on premises environments?

Azure Information Protection includes a scanning tool called the Azure Information Protection scanner or AIP scanner.  The AIP scanner is used to comb through file shares and SharePoint and identity and/or classify + protect data.

Once the AIP scanner is installed, use it to report on information you’re looking for and when discovery is complete, run the AIP scanner and apply classification and protection across those files.

Below is the output of an AIP scanner scan I ran against a few sample files.  The AIP scanner will look for specific information based on the AIP policies that are configured (e.g. credit card info).

image

For more information about the Azure Information Protection scanner please visit: https://docs.microsoft.com/en-us/information-protection/deploy-use/deploy-aip-scanner

 

All the services described above dovetail nicely with GDPR and other regulations requiring control of data.  If you don’t believe your organization is affected by a regulation such as GDPR I highly encourage further research as you may find out that your organization actually is.  Unfortunately, there are steep penalties with non-compliance so doing some research before May will save organizations time and money.

 

Again, to learn more about how Microsoft is addressing GPDR as well as managing data across other services such as Microsoft Azure, Dynamics 365, SQL Server, etc. please visit: https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/default.aspx

Azure AD Connect Pass-Through Authentication – tracking sign-on activity with event viewer and Microsoft OMS

 

Quick post today around Active Directory sign-on auditing when using AAD Connect Pass-Through Authentication.

 

Azure AD Connect Pass-Through Authentication (PTA) provides the ability to pass authentication off directly to domain controllers. When passwords are reset or changed they’re reflected in Azure AD immediately via Azure AD Connect sync. Additionally, self-service password reset (SSPR) may be enabled in Azure Active Directory and those resets are written back to the domain controller as well.

To learn more about the available sign-on options please visit: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-user-signin

Many organizations already have extensive auditing set up to track sign-on activities and need to continue to track sign-on activity in across all services and need to maintain tracking no matter what services or applications are in use.  To continue the auditing practice with Azure AD Connect PTA let’s walk through how this is achieved.

 

Requirements

  • Active Directory Auditing is enabled via Group Policy.  Look under Audit Policies –> Logon/Logoff and Account Logon and enable auditing there.
  • Azure AD Connect with Pass-Through Authentication and Password Write Back enabled.
  • Optional: an additional Pass-Through Authentication connector deployed for high availability.

 

Example of my Active Directory audit policies:

image

image

 

Lets take a look at what to look for when using Azure AD Connect PTA.

As a user sign’s on to O365, or a federated SaaS app, or an internal application published to Azure AD, there are three events that are logged, two events to the domain controller: 4768, 4769 and one event to the server where ADD Connect is installed and PTA is enabled: 4624 (if additional PTA connectors are deployed for high availability look on those servers for 4624 as well).

 

On the domain controller look for events 4768 and 4769:

clip_image001

clip_image002

 

On the server where AD Connect is installed (and or additional PTA connector servers) look for event 4624:

clip_image004

 

Additionally, we can roll up these events to a SIEM for further aggregation of sign-on events and auditing. In my case I chose to use Log Analytics within the Microsoft Operations Management Suite:

clip_image006

 

To learn more about Azure AD Connect Pass-Through Authentication please visit the following links:

AAD Connect PTA: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication

AAD Connect PTA w/Desktop SSO: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso

AAD Connect PTA TS Guide: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-troubleshoot-sso

Azure AD Geolocation by sign-in activity using Power BI

 

If you’re an Office 365 customer or even an Azure customer then you’re probably familiar with Azure Active Directory (or Azure AD).  Azure AD is the core identity provider that the majority of Microsoft services rely on for authentication.  For today’s post I thought it would be interesting to pull sign-in activity into Power BI and show how simple it is to display a dashboard of geolocated sign-ins by user and device.

 

Assumptions

The user creating Power BI reports has an Azure AD Premium and Power BI licenses assigned

Note, if a new user account was recently created, I recommend waiting a day for the sign-in data to fully populate otherwise no sign-in data will be present.  Check the Azure AD Premium admin portal for sign-in activity for the user periodically.  Once the sign-in data is present, refresh the Power BI dataset connection to pull it into Power BI.  More details here: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-faq

 

First we’ll need to sign into Power BI and pull in the Azure AD Activity Logs Content Pack.  Do this in Power BI by selecting Get Data, Services (Get), then search for Azure.  Select Azure Active Directory Activity Logs (Preview) from the search results and provide your Azure AD domain name and then select next.

Once the Azure Active Directory Activity Logs (Preview) content is added we can begin to create a dashboard.  From the Power BI UI find the “Azure Active Directory Activity Logs” under Dataset and select it.  Under “Visualizations” select Map and under “Fields” expand “Signin Activity” and select City, Country, Name, and Total Signins.  Without any further modifications your map should look similar to the following:

 

image

 

Feel free to play around with the data to get the information you find most interesting or better yet, what your security team will find most interesting.  Hover over the data circles to display additional information about the data point.

 

Now a map of sign-ins may be all that is required, however I went a step further and created two slicers to drill in on certain data points.  To add slicers, select the Slicer image from under Visualizations from under Fields expand “Unique Users” and then select “Details.Name”.

 

image

 

To add another slicer, repeat the process from above, only instead of expanding Unique Users, expand “Signin Activity” and then select “Device Information”

image

 

Adding slicers enables me to check mark interesting information and drill down on that specific data point.  Pulling it all together the final dashboard looks like the following:

image

 

If I want to hone in on a specific data point, all I need to do is select either a data point under one of the slicers as shown in the gif below:

AADSigninPowerBI

 

Update
Add a slicer for date and time to show time based sign-in activity:

2017-03-30

This was just a simple method of creating a Power BI report that show’s a lot of rich data points that may help you understand where your users are logging in across the globe from what browser or device.  In addition, use the Azure AD Premium to create conditional access policies to protect user identities, corporate information, and block malicious devices, apps, and browsers from unsecure locations.

Azure Active Directory + O365 Conditional Access Scenarios Explained

Hi everyone, with all the cross integration between Azure Active Directory and Office 365 it time to explain these conditional access in detail.  While Office 365 offers a level of controls by service, Azure Active Directory and Microsoft Intune can come over the top of those services an provide further controls or leverage conditional access controls configured already in O365. 

Let’s dive into a few of these scenarios.

 

Device/App based conditional access with Microsoft Intune

Microsoft Intune offers various levels of conditional access based on device and app state.  Conditional access policies may be set on whether or not a device is enrolled with Intune (i.e. MDM) or if the designated application is being used to access email (e.g. Outlook app vs. native email apps).  Additional controls of may be applied based on what type of app is allowed to access the service be that a web browser or a native application.  There are even application policies that may be applied to a mobile app to further control where data is moved, saved, etc. (i.e. Intune Mobile Application Management).

There are a wealth of conditional access controls available within Intune that may be used to protect company information from leaking.  The device based controls go beyond O365 services to 3rd party mobile apps, customer apps, on premises web apps, and 3rd party SaaS applications.

Intune also has integration with a number of 3rd party security and mobile defense partners such as Lookout, Citrix, Cisco ISE, and Skycure

 

O365 per app Conditional Access

One of many Azure Active Directory (Azure AD) differentiators from other identity providers (idps) is Azure AD can carve up O365 and apply Conditional Access (CA) policies on a service by service basis.  For example, a CA policy such as requiring Multi-Factor Authentication (MFA) can be applied to Exchange Online while leaving SharePoint Online without a CA policy (e.g. not prompt for MFA or allow a certain device type to access).  Azure AD can also apply conditional access policies on a per app basis for 3rd party SaaS apps and internal web apps via Azure AD Application Proxy.


SharePoint Online limited access

This is a new feature currently in preview, however it’s a form of Conditional Access.  Coupled with Azure AD Conditional Access policies, SharePoint Online access may be granted to browser based sessions with additional service/app restrictions configured through SharePoint Online.  For example, if the policies are configured in both services, and an end user attempts to access SharePoint Online on a device that isn’t enrolled with Microsoft Intune and/or SharePoint Online site is viewed as an unsecured device, the user will only have read only access.  In addition, download, print, and sync may be blocked as well.  This type of policy allows users to continue to be productive regardless of what type of device or browser being utilized.  Note: SharePoint on-prem is not supported.

The following is an example from my environment using Tor browser.  The user will receive a notification at the top of the SharePoint Online Page when accessed from an unsecured device or browser and block downloading and printing of content.  In addition a conditional access policy in Azure AD can be set to block access completely if needed.

clip_image001

 

OneDrive for Business and Mobile Application Management (MAM) in service features

A number of new device based access settings have been deployed directly to the OneDrive for Business (OD4B) service.  One of those is Mobile Application Management (MAM).  To utilize the MAM settings within OD4B an Intune license is required.  The MAM settings also are one in the same as those in Intune which means that if they’re enabled in OD4B they’ll show up in Intune and vice versa.  However, MAM settings in Intune will override those set in OD4B admin portal.

clip_image002

 

In summary, these features are all market differentiators and allow O365 and SPE or EMS customers to create unique sign-on and device based access scenarios on a per app basis across O365, 3rd party SaaS apps, and on-premises web applications.

 

When utilizing Office 365 I encourage everyone to consider the Enterprise Mobility and Security offering.

Azure AD Security – Protect Those Accounts, Services, and Audit Access!

Everyday I’m asked questions about Enterprise Mobility + Security as well as other Microsoft services. I’m also asked how we can provide single-sign on to SaaS and on-premises applications using Azure AD Premium. What surprises me though is how few organizations ask me about providing additional protection layers to protect accounts as well as the services themselves from credentials that have been compromised (unless I bring the topic up).  However, not a day goes by where I’m not asked about second factor authentication (i.e. Multi-Factor Authentication). Although MFA is extremely important and I highly recommend turning it on and testing within your organization, there are other important security mechanisms that can be turned on as well.

As you may have heard, identity is the new control plane, meaning protection starts at the account.

Azure AD Identity Protection

Do you have cloud only accounts or are you synchronizing your Active Directory accounts to Azure AD (e.g. O365, Dynamics CRM, etc.)? If you’re using O365 then you are, regardless of what identity provider you’re using. Azure AD Identity Protection can help you secure those identity today.

In a previous post I walked through setting up and implementing Azure AD Identity Protection, however below is a video where in the first half I log in as a user using a Tor browser and I’m able to access the service without challenge. In the second half, I turn on identity protection and when I attempt to sign on using a Tor browser, I’m challenged with multi-factor. A simple sign-on policy can protect you and your users from irregular sign-on activity and stolen credentials.

 

Azure AD Identity Protection Demo

Azure AD Privileged Identity Management (PIM)

Protecting the account itself is in my opinion non-negotiable and if you’re using Azure, O365, Dynamics CRM, Intune, or any other Microsoft services that leverage Azure AD, I highly recommend turning on Azure AD Identity Protection. However, what about protecting access to the service itself? You can by using Azure AD Privileged Identity Management.

What is Azure AD Privileged Identity Management?

Organizations want to minimize the number of people who have access to secure information or resources, because that reduces the chance of a malicious user getting that access. However, users still need to carry out privileged operations in Azure, Office 365, or SaaS apps. Organizations give users privileged access in Azure AD without monitoring what those users are doing with their admin privileges. Azure AD Privileged Identity Management helps to resolve this risk.

Azure AD Privileged Identity Management helps you:

  • See which users are Azure AD administrators
  • Enable on-demand, “just in time” administrative access to Microsoft Online Services like Office 365 and Intune
  • Get reports about administrator access history and changes in administrator assignments
  • Get alerts about access to a privileged role

Azure AD Privileged Identity Management can manage the built-in Azure AD organizational roles, including:

  • Global Administrator
  • Billing Administrator
  • Service Administrator
  • User Administrator
  • Password Administrator

Source

However, those are not the only roles available, did you know Exchange Online, Skype for Business, Intune, and many other roles are available as well? Which means global admins can protect access to elevated admin permissions and require admins to request access as well as provide additional info before their credentials are elevated.

More details about additional roles available in Azure AD PIM here: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-privileged-identity-management-roles

The following video steps through a user elevating permissions to access the admin console for Skype for Business using Azure AD Privileged Identity Management. The user is only allowed one hour to accomplish their task (global admin can adjust the policy to span 1 to 72 hours if needed per role), once the one hour is up, the user would need to go through the process again to elevate their account permissions.

Azure AD PIM Demo

Reporting

Reporting on identity and access is critical as well. It’s important to have systems in place to protect identities and services, however it’s equally important to have insight as to who’s accessing the services, from where, from what, how, and when. Last week the Azure AD team announced an Azure AD content pack for Power BI.

Here are a few reports from a fresh environment I’ve created:

image

image

image

For more details on how to get started with Azure AD and the Power BI content pack please visit: https://powerbi.microsoft.com/en-us/blog/azure-active-directory-meets-power-bi/preview/

I encourage everyone to start protecting your identities and services today. There’s always going to be risk, why not reduce the risk by implementing safeguards to prevent unchallenged access.