Securing and maintaining a trustworthy Office 365 and Microsoft Azure deployment is not an easy task. In this session we'll take a look into how you can secure and control your cloud-based servers and services, data and users using Azure Active Directory, Azure Security Center, Privileged Identity Management and Advanced Security Management. In addition we’ll also take a look at how Operations Management Suite and Microsoft Advanced Threat Analytics can be used to provide better overall security for on-premises and hybrid deployments.

1. Securing Office 365 and
Microsoft Azure like a
rockstar (or like a groupie)
Jussi Roine
14 octobre 2017
#SPSParis
@JussiRoine

2. Merci pour votre soutien

4. France Finland

5. Agenda and
takeaways
Security building blocks
External threats
Internal threats
Licenses
The Big Picture
How to protect Azure and
Office 365
How to protect On-
Premises services
Super-exciting!

6. Security Building blocks
It’s like LEGO but not really at all

7. Office 365: Core services
Azure AD

8. Office 365: All major services
Azure AD

9. Office 365: All major services with extensibility
Azure AD

10. Office 365: With major Azure-related services
MFA
Stream
OMS
Azure AD

12. Wait, what? Hold on!
Do I have to learn and manage ALL
this?

13. A traditional approach to embracing the cloud
This is the common, kind-of hybrid architecture model.
Microsoft Azure
Office 365
Site-to Site
VPN
Azure AD Connect
ADFS
Proxy
On-premises

14. The heart of security: Azure Active Directory
 The core of each Azure subscription
 You can have multiple AAD tenants
within the same Azure subscription
 Users, groups, licenses, permissions,
apps, app proxies, domains.. all
here!
 Managed through Azure Portal,
some tiny things are still only
available in the Classic Portal
 It’s important to understand the
difference between AAD, AD and
AAD Connect (and AAD DS)
Identities, management and security

15. Your mission
Protect the identities in the cloud – it is the new perimeter!

16. Azure Active Directory: Free, Basic, Premium
Feature AAD Free AAD Basic AAD Premium P1 AAD Premium P2
SSO support 10 apps/user 10 apps/user No limit No limit
Security reports 3 (basic) 3 (basic) Advanced Advanced
Self-Service password reset
Application Proxy
Multi-Factor Authentication
Connect Health
Cloud App Discovery
Privileged Identity
Management
Identity Protection
Price Free! 0.84 €/user/month 5.06 €/user/month 7.59 €/user/month
A few highlighted features of AAD and a comparison between licenses
(cloud users)(cloud users)

17. Security building blocks in Azure
Role-Based Access Control
Key Vault
Microsoft anti-malware
Rights Management/Information
Protection
Cloud App Discovery
Security Center
Infrastructure
Network Security Groups (NSG)
Site-to-Site VPN
Point-to-Site VPN
ExpressRoute
Network Security Appliances
Host-based & NextGen firewalls
Azure Active Directory
Connect Health
Identity Protection
Privileged Identity Management
OMS Security & Audit
Multi-Factor Authentication
Security

18. Analogy to cloud security
Rancilio Silvia
Best. Espresso. Ever.
Customized Rancilio Silvia
Rancilio Silvia with the
Rocky grinder and steel base

19. Protecting against external
threats
Authentication with social security numbers

20. Securing authentication for users with Multi-Factor Authentication
 Enforces security beyond username and password
 User must possess something – typically a mobile device
 Strong authentication occurs over text message, pin, fingerprint, mobile app approval or voice call
 Users must enroll through https://aka.ms/mfauserhowto
 Available as Office 365 MFA, Azure MFA for Admins and Azure MFA
 Certain non-browser apps do not support MFA -- users have to provision separate App
Passwords (one or more) through the MyApps portal
 This tends to be challenging for non-technical users
Multi-Factor Authentication for on-premises with Azure MFA Server
 Enables easy securing of VPNs, IIS web apps & Remote Desktop
 Maybe not the most logical to set up..
 Supports RADIUS so fairly easy to integrate with legacy systems ;-)
Strong and secure authentication for on-premises, hybrid & the cloud

21. Baseline your security in Office 365 with Secure Score
 Free service at https://securescore.office.com
 After initial scoring you can select a new
baseline
 Provides a list of actions for things to fix, in order
to achieve a new baseline
 Max score is 432..452
 Office 365 average is 29  I have 71!
 You get to >100 just by enabling MFA for global
admins
Automated scan of your Office 365 subscription settings and general security

22. A dashboard for Azure security with Security Center
 A simple way to view what’s secured and what’s not in Azure
 Includes behavioral analytics and incident reporting
 Standard license gives advanced threat detection & intelligence
Provides an overview on security for cloud resources

23. Securing and monitoring Azure AD Connect, ADFS and on-
premises AD configuration with Azure AD Connect Health
 Monitors your AD FS, AD FS Proxy, AAD Domain Services
and AAD Connect status
 Can alert you when things break down – useful for many
directory-related services, and especially for Azure AD
Connect issues
 Deploying is easy:
 Install agents for AD FS, AAD Connect and AD DS servers
 Verify configuration on AAD CH blade in Azure Portal
 Somewhat sadly this feature requires AAD Premium license
– all users must be licensed in the scope of AAD CH
Agent-based service to monitor your AD domain controllers and ADFS infrastructure

24. Safeguarding for users who log in from weird countries with
Azure AD Identity Protection
 Watchdog for user sign-ins, can associate
individual logins with risk factors
 Automatically flags suspicious events, such as
users who perform impossible travel times
(typically with VPN connectivity)
 Enforces additional policies based on low/high risk
factors
 Enforce MFA for the duration of the login
 Enforce self-service password reset (which subsequently
enforces MFA)
 Weekly email digest of findings and things to lose
your sleep over
Monitoring for risk events, vulnerabilities and automatic policy changes

25. Getting rid of static admin roles with Azure AD
Privileged Identity Management (PIM)
 Instead of granting permanent admin privileges, PIM
allows ad-hoc & just-in-time admin roles
 Users can request for new privileges for predefined duration
 Scans for fixed admin roles and changes them to temporary
roles
 Admin roles become non-permanent
 Duration can be set from 1 hour to 72 hours
 Can enforce MFA during role grant
 In preview: Approval workflows for new privilege requests
 Central view & management for all admins roles
throughout Azure and Office 365
”Just-in-time” administration privileges for users on request

26. Tracking botnet and brute force attacks
 OMS provides System Center-like capabilities in the cloud
 Capable of tracking hybrid deployments, including Office 365 and Azure
 Gathers logs (also custom ones), configuration data, update status,
availability, backup info and even Surface Hub data 
Operations Management Suite (OMS) is the Swiss Army knife you need

27. Protecting from external threats with Office 365
 Provides a 360ᴼ view on external threats against users
 Insights and analysis based on evidence, act accordingly
 Allows for custom policies and reactions
Threat Intelligence uses evidence-based knowledge on threats

28. Publishing internal services securely
 Enforce authentication at Azure AD, before allowing access to internal
resources
 Configuration is simple, and support high availability deployments
 Internal services do not require changes
 Dual-authentication also supports:
 First on Azure AD, then in on-premises against local AD/service
Azure AD Application Proxy provides a one-way HTTPS tunnel to on-premises

29. Demo

30. Protecting against internal
threats
Trust noone

31. Securing Edge network & cloud app usage with Cloud App Security (used to be
Advanced Security Management)
 Similar to OMS, but directly aimed for Office 365 workloads
 Records all activities of users, including external users
 Supports on-premises edge router log analysis
Discover activity and incidents in Office 365

32. Monitoring what admins and developers are doing with Azure resources
 Query against Azure backends to see operations against services
 Connect with
 Log Analytics (for further analysis)
 Power BI (for reports)
 Application Insights (for wisdom)
Azure Monitor provides monitoring throughout tenants and resource groups

33. Finding Shadow IT within the organization with Cloud App Discovery
 Works by dropping an agent on workstations
 Consent can be requested; or just install silently..
 Discover apps, amount of data transferred and who uses what
 Based on reports, act accordingly
Discover unmanaged (and managed) cloud apps in use

34. Active Directory surveillance & analysis with Advanced Threat Analytics (ATA)
 Captures all authentication traffic to-
and-from Domain Controllers
 Uses Machine Learning to identify
issues and unauthorized usage
 Fully automatic, install & forget!
Almost like SharePoint ;-)
 Can connect with OMS to provide
hybrid reporting in the cloud
Aggressive auditing and analytics for on-premises Active Directory requests

35. Compliance Manager
 A new service in Office 365
 Coming in November
 Centralized compliance
view to GDPR, ISO 27001
certifications and other
frameworks
 Sign up for preview
https://aka.ms/compliance-
manager-preview

36. Customer Key
 Announced at Ignite 2017 last
week
 Use customer-managed
encryption keys
 Includes protection if you lose your
keys
 Uses Azure Key Vault to hold
keys – can be HSM (Hardware
Security Module) backed

37. Don’t worry, security will keep you busy

38. Demo

39. I’m lost – too many services and options
Active Directory
Advanced Threat Analytics
Firewall, proxy, VLANs etc.
Microsoft Identity Manager
On-premises Office 365
Data Loss Prevention
Threat Intelligence
Secure Score
Compliance Manager
Microsoft Azure
Connect Health
Cloud App Discovery
Network Security Group
Cloud App Security
Identity Protection
Privileged Identity Management
Azure Active Directory
Conditional Access
Operations Management Suite
Security Center
Azure MFA
Azure Information Protection
Intune

40. Licenses
It depends.

41. Onsight
Enterprise Mobility + Security (EMS)
Used to be known as Enterprise Mobility Suite
E3E5

42. What about Microsoft 365?
Microsoft 365 Enterprise
Microsoft 365 Business
Office 365 Enterprise
Windows 10 Enterprise
Enterprise Mobility + Security
Intune
Office 365 for Business
Windows10Pro
3001
E5
E3

43. Security-related services and licenses
Advanced Threat
Analytics
Active Directory Azure MFA Server
Advanced Security
Management
Threat Intelligence Secure Score Intune
Azure MFA for
Admins
Azure AD
Azure AD Premium
Security Center
Cloud App
Discovery
Privileged Identity
Management
Identity
Protection
Azure MFAConnect Health
Network Security
Groups
Next-Gen FirewallsInformation
Protection
Operations
Management Suite
No extra license needed
EMS E3/Microsoft 365 E3
EMS E5/Microsoft 365 E5
Additional licensing

44. Recommendations & recap
Follow current practices and patterns: http://bit.ly/azuresecpnp
Get the book!
http://bit.ly/azuresecbook
Get the guidance!
http://bit.ly/perimeterbook
Deploy the free services
 Azure Security Center
 Office 365 Secure Score
 Azure MFA for Admins
 OMS Security (AAD+O365)
Go for AAD Premium
 Either with EM+S or
separately
 Deploy ATA
 Enable PIM and Identity
Protection

45. Thank you, for your for #SPSParis
@JussiRoine