What's new in Microsoft 365 Business: Advanced security for small and medium | BRK3203
All. Right welcome everyone thank you, for being here, 4:30. On a Monday afternoon our first day of conference you're, all troupers we, appreciate that, my. Name is David Berman burr I'm a security, architect, at Microsoft, I'm, responsible for. Partners. Ability. To use our SMB, security. So I work in the center of excellence from Microsoft 365, and, a, lot of my work is involved or, involves, developing, training hands-on, labs speaking, to you folks at presentations. Like this and, with, me today is one of our partners Alex, fields, with success computing. And like. A round of applause Alex just received, his MVP so he's a brand new MVP oh. Yeah. Thanks. I mean I, guess. I hand these out to just anyone these days open season on the MVP award. Success. Computer consulting is managed. Services, provider and, managed security services provider, for. Small. To midsize organizations we, serve. By. And large organizations. In, the SMB market which Microsoft. Looks at is about 300 users or less that's what this Microsoft, we see if I business SKU applies to and that. Would account for probably. 90% of our clients, ok. Thank you Alex so, today we're here to talk about Microsoft 365, business, quick show of hands who is actually. Configured, Microsoft, 365, be in production. Ok. Other, show hands who is not. Ok. Good a little, mix of both here so before, we get going into, the. Technical, side of this I want to talk about like why or why we created Microsoft 36 by business, you, can see you, know some of these stories came, from a recent, research project we did you know unfortunately we live in a day, and time or virus and malware attacks are pretty common and they're especially common in SMB I don't want this to be the session about stats and feeds you know we have all that marketing material. But. These are these are just a few examples we, collected the top row or our fortunate, ones at the bottom are not so fortunate you. Know, bear. You got hit with a ransom or attack they're able to kill it pretty quickly you. Know Dave gave us one of the most significant. Losses and, see I've ever heard of you know we typically hear of losses in the 40k range but, 1.9. Million was was pretty significant, and this, is why you know SMBs are being hit with phishing, and ransomware. Many. SMBs are struggling. With their ability to combat. These threats. So. We created Microsoft 365 business to provide all the security, necessary to combat, not just cyber threats, like the ones here on this screen the email no ransomware, but, also help move customers, to a more secure, environment.
With. Their with regard to the information protection. And advice management, and, so forth and we wanted to do this fairly simply, like we've, found. That for many SMBs, they're confused, by the security. Marketplace, they're confused, they're sink overwhelmed, by the frameworks, out there so. Part of us part of the purpose, events m36, by business, is to basically bring, the. SMB. Appropriate, or equivalent, of our enterprise III. So Microsoft Enterprise III to SMB s so, this is not III but it's it's kind of where we where. We designed, from. And. So. When. I was a kid like my dad used to this saying that he would use with me he. Would say son. When, you pick up one under the stick you also pick up the other end and. Usually said that because like. I had done something really dumb and it, was a way of saying like you're not gonna get out of the consequences, I've said dumb thing. But. We, were kind of in a situation now where we've had this consequence, stick right we've picked up one end of the stick which is we're already living in this modern, era where, your, users are already adopting, cloud first mobile first technology, so, the expectations. Have shifted right in the, past. You. Would look at mobility and you think like okay you, know work primarily happens at the office my devices, that I use are primarily connected to that office infrastructure, the. Expectation, today with, mobility is that you can work anywhere and the device that you're using it could be a corporate. Device or it could be a bring your own device right, it could be a personal device the, expectation, is that that, experience. That you have is the same everywhere, it, doesn't matter if you're sitting at home or sitting in the corporate office you should have the same experience. Likewise, you know because of this shift you know we have we can't really rely on a perimeter based security. Model anymore there's a lot of literature on this. Out there we. Were shifting more to this identity based model, of security, and in. Addition to that like, collaboration. Has just become more effective right and more efficient, because people, started adopting apps like Dropbox, for instance when IT, struggled, to provide them ways of sharing large files or sharing files that where they could collaborate and co-author with people and so forth so. Microsoft. 365 obviously, is built to live. In this more modern world and the. Idea is that you know we don't really have a choice we have to kind of move into that modern paradigm now so, whether you decide, to solve it with Microsoft tools, or some other tools you, know what you need to be you, know thinking of in terms of love modern. So. I want to talk a couple a little bit about what is Microsoft, 365, business for those that aren't, aware so. Just real quickly are you know around 365. Business we have three key, pillars with regard to security one, is to help customers defend, against cyber threats this, is knocking, out the phishing now, where ransomware.
Identity. Credential, theft that sort of thing the. Second sort of really the second. Pillar is protecting, business. Data this is a bit new for a lot of SM B's you know a lot of us in B's I've worked with they've typically, not. Put a lot of control around, who has information to or who has access to data they, typically don't have a lot of control around, employees. Who leave the company who may still have access to all email files, customers, that sort of thing this is a key key, pillar we have in the product and those, things don't those two things do not work very well if we're not managing devices if, any device available. Can. Attach to the data or the network, you're. Not really defending in cyber threats are not really, protecting, business data so, we have a full, complement, of device management capabilities, below, I've listed some of the features. You. Know we have full Intune, Microsoft. 365 business, if you're not aware includes, all the licensing, required for Windows virtual desktop don't. Want to this isn't a wvd, session but I just want to point that out if you're interested you can you know fully deploy virtual desktops, in the cloud with. Just a few clicks to, get a virtual, desktop experience, and allows organizations, to not only have their desktops, in the, cloud but then they can ring-fence the data or apply. Additional measures to protect the data those desktops, access. So. We have a layered approach to security really to address five things, you. Know we have to deal with the users, there's typical. Things that impact, users, with regard to security or compromised, logins, you know people are fished all the time and their logins are not you. Know or not being used by the actual people they're supposed to be people. Use the same passwords everywhere. People. Connect from suspicious, locations.
On. The device side we're trying to address the malware that ransomware, that's. Out there, unmanaged. Devices, as well as devices with weak pins we passwords, that basically anybody can access. On, the application, side we're. Addressing the. Fact people use personal, apps everywhere both on their work machines and their personal machines we really do need to evolve. To the concept of people working in a work context. That is separate from and distinct from personal. Context. So they may be using the same device but. We need to you, know help put controls in place to prevent people from copying, you. Know sensitive business information whether, it's sales list sales orders customer, data etc into, personal apps and personal email this. Could be you know an exciting, someone's, excited about a recent, product launch you. Know we don't want people to be able to like copy a product, launch announcements out of keys for example and paste it into their personal email and send it off to an, attractive reporter to, give him, or her to school. Unsanctioned. Apps are all over the place we're trying to do something about that, as. Far as email you know the same problems that been plaguing first for a while still persist, we, have malware phishing grows over sharing and lack of control with regard to email that's, unmanaged, and. On the document side we're kind of you know to address the fact that documents, do need for be protected, internally they, need to retain, protection, when they're shared, externally, with, partners and vendors and customers. We, want to ensure that only authorized people have access to documents, we, wanna make sure that we have you know retain control when employees depart the organization. So. This is our problem space and, then with Microsoft, 365, business, or, applying, security, policies to each of these areas and, so, I'm going to list here some of the controls, so in you know we kind of the identity security side we give full Azure MFA we. Give people the ability to do self-service, password reset password. Right back on premises. Conditional. Access is brand new and we're going to talk more about that in the how section of today's presentation. Device. Security side you may have best-in-class, Defender AV quickshow hands who uses defender today. Okay. Microsoft, conference I forgot so also, the folks here should at least be aware you know defenders got top notch as far as AV, test and third-party scores now it's a very different story today and. It was 18, months ago, all, the devices are managing the cloud. You. Know we and you know we we need the or we're delivering the ability to do remote wipe, BitLocker.
Encryption, Baseline. Security, policies, you know and all the other types of stuff. That people generally need on their devices such, as VPN. Profiles why pry profiles that kind of thing. On. The application security side where, we. Actually have Windows Information protection available fully, managed by the cloud again we'll show you a little bit of this where. We can actually ship, apps. With, both, understand, a work context, and a personal. Context, so in my example of, someone copying, a product announcement, you. Know teemed is smart enough to know if it's working in a work context, and the, device if it's managed by Microsoft 36 by business is, informed, that say someone's, personal email is not. Work and it's personal the. Contents, encrypted, and users don't have to fiddle with encryption policies, but they're they're unable to cross. These two boundaries, if it's set up properly so corporate. Data cannot be pasted, into personal. Email personal apps even, if they're on the same device which is really really really cool we. Have Windows virtual desktop again an. Email. We are delivering, full, you know enterprise grade advanced, threat protection to, protect against phishing emails. Now. Where we detonate, can detonate malware, in the cloud and play safe links policies there's. A ton of talk about ATP so I don't want to cover that in this session today I just make sure everyone's aware it's there we, have full DLP a IP, etc and email, as well as a documentation, so the full stack you would get in Enterprise III, along. These lines is included in Microsoft 365 business it's not any different. Some. People you know including, the even, down to the app level so either you, know in the office apps for Microsoft, 365 business they, fully work with DLP AIP fully works in the clients as well and. Real, quickly adhere to because, one. Of the really, interesting and. Compelling things, I think especially for an SMB market is that, you. Don't necessarily have to apply it all of these all the way across the board right and so one. Of the main things that I usually present to customers, is this ability to choose between device. Level security and application, level security and the. Reason that that's the, case is that you can base it like especially when it comes to mobility right with mobile devices you can solve, a lot of the same problems, just in different ways using. Mam, or mobile. Application, based management versus. MDM, a traditional, MDM we're managing, at the device level so instead of requiring a pin to, encrypt the device I'll require, a pin to come crypt you, know the app data only I can remotely, wipe a device or I can remotely wipe just the app data and SMB. Customers generally, really like that because you, can pull, back corporate data without touching anything else on the phone it also gives them that sense that you're not really playing playing, like Big Brother on their phone or anything like that because.
They Are very personal devices yeah, that's a very good point you know there's a lot of stuff here and I put, this slide together to kind of show the breadth and depth that we have the product but. You know with especially with regard to MDM, and mam most SM bees don't, want to have like a really heavy weight management. Solution, they may and we can deliver that but, often times they want a lighter weight simpler, way to get. The same net effect so, they don't have to have you, know whole staff. Looking after people's mobile, phones and stuff like that. All. Right so now the fun part we're going to talk about how to implement, Microsoft, security, Microsoft, 365, business you, know we only have 30, minutes to do this we're not going to cover everything, I just mentioned but, we wanted to talk some up about some of the new stuff the cool stuff the, stuff we, think is most important. And. So, in, general, I see, there's two approaches, to addressing security for small and medium businesses, the, first is really to address top risks, you know we live you know the fact of the matter is a lot of businesses out there you. Know even. Though they may know it's the best product complex, security framework, I'm not going to encourage. Them not to do this however someone, needs you know kind of the easy button approach, we. Have we can generally, use the configuration. Wizards and security defaults to get them in a pretty good spot this. Is you know directly. This, is where most SMBs, should probably start if they're not going to go any further at least get the big stuff turned on that's how I look at it the. Second approach is to adopt an implemented security framework, this. Involves many of the same actions it's not different actions however when someone, adopts the security framework they're generally taking a more organized approach they're spending more time and thought behind it they're. Gonna pick a framework this has a number of advantages I mean the obvious one is they're using a framework so if they don't know what to do the framework tells them what to do and there's. All that in there but but secondly. Many, times by implementing, a reasonable, security framework when they're working with other partners or other customers, they, don't have to explain, with regard to data security everything they're doing you can simply tell them you know we're using NIST or using C is or something like that so, people have a common understanding, of the controls that, they're going, to be, using and, I want to point out something here that's fairly new is that the Microsoft data protection baseline, show, hands who's familiar with this, couple. Is, brand-new, our. Data protection baseline, is basically borrowing, from NIST, is borrows from FedRAMP, it borrows from GD P R and, it borrows it borrows from ISO two. Seven zero zero one the. Reason we developed it is many folks are just asking us you know Microsoft what do we need to do this, is a simplified, view of a. Reasonable, data protection standard, that doesn't tied to a particular framework, so, if someone doesn't know what to do they should look at the data protection baseline it's really that simple. There's. Approximately, 271. Controls, or somewhere in there so it's not super. Lightweight, but it is far simpler to implement this, than say a full NIST, 853. Or something, like that someone. Is required to follow another, base or another framework they, should do that. And. Then this also gives folks the ability to you, know when they're using our tools if they're at least following, at least following the data protection baseline, that we set up for other frameworks, as well. So. At success, computer consulting. Like. I said I mentioned that we do have a managed, security services offering. As well as a managed like a traditional managed services offering and when, we were designing that, like, we. Would go to these conferences, right and we would be looking for security partners to use and. Every. Partner, out there like anyone who sells security, products I'm sure you guys are familiar with us right have you seen like the, maturity, model right they'll have like some kind of security maturity, model and every maturity model by every vendor is exactly, the same right, it, unlike, you know unlike the far left-hand side it'll, say like, you.
Know This, isn't very mature and it'll basically have a bunch of bullet points that are describing. Their. Competitors product or some legacy product that they have and then, like the middle column. Is like this is where we want you to be this is like our you, know, bread-and-butter. Product this is what we're pushing right now and then the. Last column is like here's a more premium product, or premier offering it was like now you're like optimized, for security, and. That's kind of a bad approach in some ways because you're just kind of like buying the kool-aid or whatever they're selling you I mean even Microsoft has one of these out on their website right now but. We. Are subscribing. To CIS and that's just one of the control frameworks out there it's happens to be a very simple, one that I think is really good for us and B is to start with especially, the first six. Controls, which are the basic, security controls most, SMBs can't even meet that to a very high degree now. When we were looking for partners, and and, products. That we could use to help our clients meet that to like a baseline, level we. Were quickly discovering, especially. This year after some of the announcements came out some like things like conditional access for instance. Microsoft. 365, business, can help us deliver. That. Solution, faster. And check off more of those boxes with less money than any of those other products that we're looking at so. That's a pretty compelling statement. I think like for the. First control, inventory and control parlor assets. From. Doing a security assessment for. A small business I don't care what platform they're on and care if they're traditional, or if they're using modern I'm going, to ask them you. Know do you have an inventory of your devices, a lot, of times they don't even have that. But. Assuming they do. Then. I'll. Take, another step and say all right give me logs. From your system so that I can see a list, of the devices that are actually, accessing the system and most. Of the time like wherever they pulled their inventory from there's an AR mm tool or whatever and then, the logs that show like devices, that are actually accessing they don't match right, so, they're. Not they, don't have to have blind spots basically right the first principle. Of security is like you can't protect. What you cannot see in the NIST framework it's called identify, that's the first pillar you have to be able to see it or you cannot protect it well. Conditional access now. That it's available Microsoft, wasted by business gives, us the ability to enforce device. Compliance, which means, that. If. It has access it's, in my management tool, so. It's a complete list and I have complete leverage over that device so, I just solved the first control like that and it also took care of software, assets, as well because I have an inventory of those so. It's it's. Pretty compelling, and that's just I'm not I'm just talking about the first control okay like as we go through the matrix here it's really.
Awesome. Like how much this product can do for us so. Would. We talk about what like what security default is this, is a setting that does four, things for even for show. Hands who here has used baseline, policies, in a very deep before, all. Right and who right keep your hands raised if you're aware they're going away. All. Right so they are going away however, we've replaced them with security, to fall so just point note just. Make a note mental note that, be already 2020 baseline policies are supposed to go away what. Will they'll be replaced with his security defaults which turns on MFA, for administrators, turns on MFA, for the users blocks, legacy. Authentication. And protects. Privileged admin actions, additionally. Security, defaults, as the name implies will start to roll out by default, in. The future so as I think most of you know today and, 365, doesn't have and with eight or nine by default that's going to change. All right and also just by today like just so she to add like if you go and turn on the security defaults, feature today, you. Cannot add conditional. Access policies, that are custom likewise. If you go and you create, custom conditional, access policy so you're requiring device compliance, you're not going to be able to turn on security defaults you go in and try to it'll like bark at you even tell you you can't do it yeah yeah good point security defaults, or again, it's kind of goes back to his point where there's kind of two paths you have to choose you can pick these like security, defaults and just kind of I just need the easy button give me a good baseline at security to just click go there but, if you're gonna go down the path of trying to implement a control framework especially, if you have like you. Know customers. That are like HIPAA or something like that where they need to be managing. Their data differently, and you're gonna go down a custom round then you have to do custom policies. So. We're going to do a couple demos two demos. For you today the, we're, not gonna do them live because a demo Wi-Fi network is horribly so so we've spent the last couple hours screenshotting. Everything we wanted to talk. But. I wanted to kind, of show you guys what to expect, with regard to sir here is security defaults, so security, defaults are part of as your ID so. You'd open the azure ad admin, portal from your Microsoft admin portal notice. Here on the bottom there's, a little link that says manage security defaults, and. We simply turn it on by turning this on you get the equivalent of what baseline, policies, are, congratulations. You're done with at least identity, security, you're. Not able to configure additional conditional, access policies, as soon as you do that this gets turned off and you'll actually have to recreate. Those policies, as CA policies, which will we'll show you today. So. We also have configuration, wizard so identity, is probably the most important, thing people have to get right in the product so turning on security defaults are turning on CA it's, the right thing to do you, know we need MFA for the admins we should have MFA for the users and. We need to block legacy authentication, because legacy, auth basically, allows anybody to bypass MFA, and the additional security controls we have, in. Addition to that we have, security. Configuration, wizards it basically make it easy, to. Manage devices, and manage, the applications, onto devices. So, in this example I'm showing the, device. Configuration we, in Microsoft 365, businesses is unique to this product we're. Creating a Windows 10 information, protection policy so I gave the example of the ability to protect you know someone from say, opening a document in Word, that's protected, with Windows Information protection and not, being able to copy it to a personal app this is how that's done we. Tell it to encrypt work files we, turn on prevent, users from copying company, data or personal files we. Turn on protect traditional networking locations, and we, pick the apps that we want to protect pretty. Straightforward. Now.
When You're setting these up in here you're this is like a simplified, wizard to like kind of get you off the ground these, correspond, to policies, that are in the, Intune portal or the device management portal and. That's, where you can go do some more customization, we'll show you some of that a little later as well but. Be sure if as you're setting it up in here like you're gonna have to include like all of these like, checkmark boxes especially that protect additional network in cloud locations, otherwise you're going to create havoc for people yeah fair, point there's, a simple simplified, view of a complex policy and the, purpose is to get folks to get it turned on to turned on correctly, without having to learn all of in tune right away so, of your device type in this example were using company owned we want to protect the company information on the devices we own turn. On encryption we're, turning on the you, know the basically, mam for windows which prevents us from Mirabal, copy from work to personal. Turning. Out an additional network locations, this switch is important the policy doesn't work correct the simplified policy does not core correctly without this on. In. Addition to that for devices the company owns we can manage them and I'm pointing this out there's another simplified, wizard this, is really. Straightforward to understand, you know that we're turning on BitLocker stuff, like that so the, purpose of this wizard is to democratize, security, and make, it simple for businesses. To get up get their Intune device configuration, policies up and running off the ground quickly without. Having to learn everything about into. And. Additionally. You know we have, app management, policies for Android and iOS. So, again this just controls the apps on these devices. We're. Not actually enrolling the devices under full management but, a couple of the important, settings that are the. Most important settings are preventing jailbroken, and rooted devices from accessing the system and, again, turning on the app protection, within the device, so that you know Word or outlook mobile on the device will, not be able to interact with personal, email or personal storage on that device. Yeah. The same thing for iOS so. Again this is our easy button run, the device, configuration. Wizards, to get a tenant, configured. Pretty well for security and we're, done we. Look at how to implement a framework this is another one where folks are often looking where to start so, when the, best place to start for small and medium businesses, is to use our compliance manager tool this, is already loaded with the brand-new data protection baseline. Now DP, the data protection baseline, is is probably three years in the work so, you're getting the benefit, of tens, of thousands of man-hours spent. Figuring out operational, controls but more importantly like the technical, actions required, to, go fully. Implement, various. Frameworks like NIST 853. ISO. Or our own standard, here and, there's basically two things that are generally considered controls, and inactions, for. Most of the technical folks you probably gonna be more interested, in the actions the controls, oftentimes, involve operational, controls and policies, if the organization, organization. Writes about themselves, so. To, get to compliance manager, and will generally click through the admin portal into. Compliance, here. I'll be given a compliance, score and, it'll. Kind of give us a rough idea of the compliance controls configured, in there Tennant I want. To click on assessments, that, will show me which assessments, I have loaded tenants. By default now will be preloaded with the Microsoft, data protection standard, if, you're if, you wanted to include. An assessment such as HIPAA or NIST or ISO you can do that by. Clicking on the. Compliance. Manager link. They're actually, linked into the actual compliance, manager there's, compliance, manager sessions here so this is not a compliance, manager session I just want to kind of highlight where, to start and where to go and to get this information kind of what's, in here is anyone using this yet.
A Couple, just a couple of it good yeah yeah. So what we don't want to have folks. Do is have to go read lengthy, documents, on like the Microsoft data protection standard, it's, kind of the traditional approach to compliance and figure. It all out for themselves so, in many regards we're gonna tell, you what to do if you, notice here, I think I have a laser, pointer you. Notice, here on the and my data protection baseline, standard there's Microsoft, managed controls and compliance, or customer, managed controls, so. We separate, what we do for the customer and what you have to do and the Microsoft managed controls. If. We think of something about you know access. To information, you know we're responsible, for locking the building requiring biometrics. Background. Checks for our employees, on the, customer side they don't have to worry about physical, security but they'll have to configure logical, security decide, who's authorized, to access company data who's, authorized to be an admin that sort of thing, if. I click into the stand the baseline itself I'm listed you know I have all my controls here, and that, each has a relevant, score and the. Score kind of you know gives a weight of importance, I wanted, to bring your attention to the one with the red circle and that says not implemented, and failed high-end race or it's my second control, one. Of the unique things with, this. Platform is it to the extent we can will automatically, check for some. Controls. You know for example, if. I click into the blot so I mentioned we should block legacy off the, conditional access policy, this, tenant this is not configured, I can it can read all about it and. When, I click, on this one it's a technical control that should be implemented, part, of our baseline but. Everything is grayed out the user doesn't have to go implement this and test this we can test that for them simply, you know we can easily go look in Azure ad to see if legacy authentication, is on and off so. As soon as the customer. Configures, this particular control this is satisfied is, not just satisfied, for the Microsoft data protection baseline, it's also satisfied, for NIST it's also satisfied, for ISO it's also satisfied, for HIPAA etc. So one of the advantages, of using this platform is. People, can configure control, one time satisfy, control one time actually. Sort of get credit, for any other framework they may be there might be interested, in in the future. I'll. Give you an example of a different type of control, so controlling, information control, flow, is, a policy, this is an example of where we can't check to see if they're doing this they have decided to decide for themselves where, information should go so. In this case I would assign it to a user Megan, is Megan, bowen is responsible, for this particular control, she. Would give it an implementation. Status of when she finished, this and then typically, someone would go test to make sure this is actually done you, give it a status as well actually is they also have a place for you to like upload documentation, right because a lot of the controls some of them are technical or I just need to flip a bit in the tenon or something but some of them are more like procedural, process, or something so oftentimes you might have like a process, doc that you have to upload here as well and, so, there's, a lot of controls in here it's it's the.
Reason I'm bringing this up is for folks who want to take an organized approach to security this, is the best place to start we tell you what to do how to do it and, you. Know a wait it's not only going to make sense for most security professionals, it's also kind. Of would, make sense for other folks in the industry even folks who are not Microsoft partners. So. I'm gonna let now let's talk a little bit about endpoint. DLP, yeah. So any DLP, or. Windows. Information protection. This. Basically, does two things for us one is going to encrypt all of the corporate data on. The, device in, the, application, at the application, layer right, so you can apply these policies, both to devices that are managed and devices. That are not managed so even, an unmanaged, device if it's using, app. That is being protected like. Right like the Microsoft apps like uh outlook, teams and so forth then, that. Device has to respect those policies and those boundaries it will not be able to move data you. Know without at least tripping. Up in. Action to log that event and you can also just block it out right or. Allah beings that are override and I want to point out one thing this is the same policy we created earlier so, the same one we ran the device configuration for, your viewing that exact same policy, in the, device management portal and. So in the device matter in this portal you would go to apps app protection, policies this is where you would find a per section policies for Windows and for Android and for iOS all of those things this. Is just we're focusing here just on Windows these work a little bit differently than the iOS, and Android there's a little bit more to them so we wanted to spend. Some time going through it. The. Main thing that you can do here with, your policy. Is defined like what apps are in and out of the boundary so. Technically. There are two different types of apps, there are enlightened, apps and non enlightened apps and light maps understand, the difference between data, that is corporate and not so in an Outlook profile. For example I could have two. Different accounts linked to the same profile I could have one that is my work office 365, account but. I could also add something that's personal like a Gmail or outlook.com account or something and outlook. Is going to know the difference between that and it's going to respect, the wall that you put up and it's not going to allow data to transfer between those locations, but. In an outside app like let's see you have a line of business app for. Your organization, we see this in healthcare a lot more. It's a web location somewhere, you. Know you're going to have to add those applications. To. This policy, if you want to protect them now, the difference is because they don't know the difference between personal and corporate they're always going to be treated as corporate data as soon as you add them to protection ok. So that means all the data is going to be encrypted and, you. Won't be able to you. Know cross the boundary lines of the personal data for, line of business app that's usually fine but if you have apps like. People. Always want to protect a third party web browser like Chrome it's, really difficult to do that because if you wrap Chrome in that and protection, then, everything, you interact with through Chrome is now, corporate, data so if they're going to personal web sites like Gmail or whatever a G's suite you. Know you've, kind of destroyed the purpose there it's just important, to point out you can also exempt, apps though so. System. Processes, are exempted by default but, if you also had apps that you didn't want this protection to apply to you, could exempt them there they, wouldn't necessarily have to be held, to that standard so. Here. We're just adding an app we, there's actually a list of recommended apps that you can just pick from like for example teams, you'll, out know if you notice this in the wizard but when we were in the wizard, team. Does not one, of the apps yet for some reason so. The, good idea to always go and add that app at least from this from, this location and then there's a whole bunch of others you can choose from you can also put your own custom apps in there.
So. Is it this example the customer is using teens for work they want the data in teens protected, if they don't want their employees to be able to copy paste files. Or text out of teams and put it somewhere else like in my you know my product announcement. Example once. This is done if a user is reading a channel in teens they will not be able to copy data and you know send it off to their friend the reporter for example. So. I mentioned earlier you know we have the easy button for security defaults if, you're not gonna use security defaults you want to know how to setup conditional, access we're. Going to show you that because baseline, is going away so anyone who's relying on baseline, will have to configure these steps the, good news is these are well documented so if you just click on the documentation, for. Our. Security to follow us you'll see the documentation, to configure these, these. Policies, so. From my admin Center I'm going to click on add your Active Directory to get to conditional access and. Once. I'm in there I'll click on the security, icon. In the left-hand nav. And. Click on conditional, access, so. Today's tenants, you'll see this you'll see baseline. Policies, I don't recommend you use them because they're literally going away in February so, in, this case I'm going to create a new policy by clicking on it and my. First policy I want to configure is to, enable admin, mf8, so. In this case I'm going to assign this to my users I'm, gonna. Select. The users and groups in this example I'm going to pick on my global admins. We. Highly, recommend you, exclude, a break class account we have a whole site on how to configure this it, is important to configure, a break class account in case you make a mistake you, don't want to create a mistake, and lock yourself out of the tenant it's fairly, painful to get access again you have to call us to help Olinda theoretically, you know just theoretically, speaking only you, know in the MFA service might go down I never. Have you know it never happened. So. In this case I'm gonna I'm gonna configure. This policy for all cloud apps. Right. We're gonna grant the. Goal you know access to global admins provided, they come, with multi-factor. Authentication. Their session and will. Enable a policy and create it, if. You're a little bit unsure of yourself or you want to see what's going to happen you can always use a report only which is certainly a good idea for. A new policy, so. That's it for admin FMF a user, MFA is a little bit you know is, it follows much the same line but if you're not if you're you're gonna just lock all users from the fate everywhere you might as well use security to fall so in this next example we're. Going to turn, on MFA, for all of our users. In, this case I'm going to configure you know I'm going to exclude, trusted, locations, so some example, of a custom. Conditional. Access policy that's different from security, faults doing mostly the same thing except. Maybe you know in my environment I want to suppress MFA prompts while people are in the corporate office. This, is really important, for MFA adoption, because we, now know I you. Guys should all check out the article and your password doesn't matter if you're not familiar with that yet there's a really, good Microsoft, blog out there that explains why. Additional. Password controls don't make us any safer in, fact sometimes they do the opposite. So. Like requiring complexity, and things those, don't really matter but your MFA, does that's what protects you okay, and a lot. Of times users we, you know we experienced this in the SMB n I'm sure you guys have run into a - there's a resistance, to that change there's a resistance to having to go through that extra security control but, it's not optional anymore so, when we're converting. Folks from like a traditional, office 365, subscription into Microsoft 365 business, or they're, just coming from an on-premises, solution we're converting them to Microsoft for use by a business. We. Don't bring, them on unless they're willing to do MFA, it's, just they're not our customer like move on to the next one right because, it's, just that risky, they shouldn't be doing it and there's a lot we can do to make the experience better we can exclude trusted locations I think if you forward here we can actually also exclude trusted.
Devices So, if you are enrolling. People's devices for management you can exclude those as well if they're using a trusted corporate device or whatever less. Prompts and, these, kinds of things can help take away some of that pain while still protecting those accounts, from anonymous sources right if. Someone's using a device that I owned its marked compliant, right and they're coming from the corporate office you, have a fare case that maybe we can you know we have a valid case for suppressing MFA. You, know if they're using their home, computer, you, know in some sketchy location, we probably do want. You. Define them so. Yeah, there's. A nut so like outside. Of the conditional. Access screen I can write it where you first go into conditional access you can create new policy, on the Left there's locations, and then you just click on locations, we, have named locations, and trusted locations so there's you, know just do the time we didn't want to put demo screens for every little thing but there's, a screen to configure that. So. In this case we're gonna grant access. Requiring. A map a. Navel. And turn it on so. Now, that that's done we have a another, requirement to. Block. Legacy authentication this one's I didn't, show all the screen but we're doing the same thing before we're selecting our users selecting. All cloud apps but this one we're actually going to click into the condition and click into the clients act a p--, preview. Right, and we're gonna select other clients, and only other clients, cuz we're actually gonna block on this time we're not granting, access and one other additional note here is like if you, know, for a fact in your environment that everyone is on modern. Versions about look for mobile and for desktop you, could technically also blink block exchange activesync because it is considered legacy at that point the new modern apps do not rely on it anyway, so, you could block that as well. But. You know if you still have some legacy devices other people still using older email apps or whatever you'll. Probably not want to do that right. In, this case we're gonna block access now it goes without saying if you have a particular, user like the CIA who just loves Thunderbird, or something like that by all means you could exclude him from this policy but, I'd still encourage them to you know courage him or her to use em f8 or not, use Thunderbird, and not an IMAP so. Again we're gonna turn it on. Probably. The other the fourth, interesting, policy and Alex talked about this one is you may also want to protect. Or have a conditional access policy based on device. Compliance, right, and so you. Know technically to enforce this control you would also want to make sure you set up compliance policies and in tune first so you would want to have one compliance, policy for every one of the operating, systems and. Once you have that and you can make them really basic to start out like something really simple like require plan or what. And then, when. You would go in here you know you would do the same thing you would target, all your users exclude your emergency. Access accounts. You. Can target all cloud apps or you can target specific apps, to start a lot of people just want to start off by protecting, exchange online right, or SharePoint which includes onedrive. That. Would be fine too but if you do choose all cloud apps one thing I want to draw to your attention is that you'll probably want, some apps excluded, from this requirement namely.
The Microsoft, Intune enrollment, if you don't do that then you won't be able to enroll your devices because, it thinks that it, needs to be compliant, in order to authenticate you to the integer enrollment service but it's not compliant yet so you get in this weird like infinite loop that differ so, don't, lock yourself out and make, sure to include that. All. Right and then under client apps I'm. Actually going, to be a little bit careful about how I choose and what conditions, I'm targeting here for, for client applications, I may, not want to require device. Compliance. In every, situation for. Example. With web browsers, right because. Maybe. I'd like to enable my users to be able to get into a web application like, Outlook Web Access or, whatever and still access that are working mail from like a home device. But. If. That is a, modern, client, like a mobile app or desktop client, that can actually sync data down to that device like, look has an OST file right the onedrive client, stores data on the device locally. That. Corporate data is something that I'm interested in protecting to. A greater extent so I may require that that, is why that's that's what I want to target because if that. Device walks, away or that device gets compromised, I need to know that I have controls, to wipe it I need to know that I have controls to have my agents on I protected, all that. And. Then. We're going to grant access but just require the device to be marked as compliant, and, that's the control that will basically. Refer, any, device. To the Intune portal to make sure that they're meeting that device compliance, policy, before it lets you in an, important. Point if you haven't used intend before by default all, devices are compliant, so that we're not going to show it here today but to. Make this work effectively you need to go in there and make some decisions and what is a compliant, device for, you it, could be as simple as a pin with BitLocker, or it can be much more complex whatever really you know make sense for your organization. So. I wanted to bring just to everyone's attention a couple things, before we close one, is you know we have compliance score now I showed. You a precursor. To this for compliance, manager it, helps give you a better understanding, of how you know where you are with regards, to clients. Compliance. And data protection controls, and. In addition, we've rebooted, secure score to include more stuff so I'm hoping, everyone here is familiar with secure score knows. What it is it's not a secure score session but in the past you know folks had to figure out you know like what insecure score is most important or making that easier with a data protection baseline. Something. That I work with a lot of partners and where I've seen partners, really succeed, with secure score is grabbing.
A Couple items off the list once a period that could be monthly it could be quarterly, or something like that putting together a road map with the customer and picking you know a couple things to go accomplish, so, for customers just getting started the obvious things are gonna be conditional, access policies, that if a security to false stuff like that a. Lot of times the organization's can't absorb a ton of change all at once so usually that will be enough for one period but once that's done they're gonna want to go in and figure out what else should we do we might want to block email. Forwarding, or configure auditing alerting. Things like that so, secure score is a great way for folks to kind of get organized and figure out what to do next you, know we give all the information of how to do things right right in secure score and for those partners in the room it's a great way to show. Incremental. Progress towards security you can go back to your customer, or if you can go back to your boss and say hey look what I've done for you lately look what we've you know we see, continuous, improvement, it's. Worth pointing out that you can grab secure, score the controls the details of score itself they're through the UI. Here, but if your partner's the room is entirely possible to do this against the graph and, have a simple little script that pulls secure score on a regular basis or pulls it for all your customers or. Something like that. So. Before we close today I want to point out some kind of cool, new things one. Is we have a brand-new CS and your new CS a website who. Has seen this already I think. It's hilarious if, you haven't do, yourself a favor and hit that website before you leave the conference this week it is, really really good. We've, rebooted, compliance major secure score but. Beyond that we have an SMB tech community, so if folks in this room have you have deep technical questions, you want to know how to do some of the things we talked about today or you'd like some help from us hit, us up on this SMB, TC, I answer. Questions their, product. Group answers question zero product marketing we'll help out in. Addition we have the SMB design community which is brand new so if you want to have a say in how we take Microsoft. 365, business, going forward that's. The community for that in fact the owners are here we've got fred pullin in the room from engineering group and i believe we have Natalie Irvine who is a general manager for SMB engineering, in. Here as well so these, folks will can help you or, they can you can help influence a product through them and then both Alex and I are reachable directly you have any questions on today's sessions want to talk about something more get more information feel. Free to shoot us an email and we'll help you out. Thanks.
2020-01-19 09:42
