Parnter Sharing with Office 365 and Azure AD B2B

Background
With Office 365 and SharePoint Online, a common question is how can I external sharing with Partners. 

In SharePoint Online, the concept of External Sharing has been around for a while.  You have the ability to identify users you want to share with and administrative capabilities to manage external users.

One challenge people have is doing B2B sharing with SharePoint Online.  SharePoint Online external sharing does have PowerShell, so you can do some automation external sharing, however sometimes you just need a better approach.

Azure AD B2B Collaboration
Another approach to do external sharing with partner organizations is with a feature called Azure AD B2B.

With this capability you can:

• Organizations no longer have to managed a separate directory for external users nor have to go through the complexity of setting up federated auth on a per partner basis.
• Allows partner/external users to use their own credentials to access data you are sharing getting you out of the password management business.
• Removes partner/external user access with the user leaves their organization.  If the partner organization is turning off the accounts when the person leaves, you are assured their access to your data and applications is also being removed.
• Capability allows you to perform bulk invites of partner organizations.
• Partner users are invited and confirmed through an email notification process.
• If the partner organizations do not have Azure AD, no problem.  The partner users will complete the invitation process and have a free Azure AD account created for them that they will use to access shared data and applications.
• Set-up external sharing with partner organizations that goes beyond just Office 365 and SharePoint Online.

References
Azure B2B Collaboration - https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2b-collaboration-overview/

Azure B2B Video - https://channel9.msdn.com/Series/Azure-AD-Identity/AzureADB2B

Learn all about the Azure AD B2B Collaboration Preview - https://blogs.technet.microsoft.com/enterprisemobility/2015/09/15/learn-all-about-the-azure-ad-b2b-collaboration-preview/

Manage external sharing for your SharePoint Online environment - https://support.office.com/en-us/article/Manage-external-sharing-for-your-SharePoint-Online-environment-C8A462EB-0723-4B0B-8D0A-70FEAFE4BE85

Visio Online and Visio on iPad Preview

There are some recent announcements for Visio that are exciting.

Visio Online
First, Visio Online has been released in Preview and you have the ability to add it to your tenant through the Office 365 First Release program.  This feature allows you to view Visio diagrams through a browser.  For the preview it currently only allows you to view Visio diagrams.

This capability is different from the traditional Visio Services that is part of SharePoint Online Plan 2 (which is part of E3).  Visio Services I would term as the legacy solution from SharePoint Enterprise to allow you to render Visio diagrams through browser.  This new Visio Services capability is the solution moving forward and is aligned with Office Online.

Visio on iPad
Second, a preview of Visio on iPad App has been released.  This allows you have a nice Visio app to access your drawings stored in OneDrive for Business, SharePoint Online, etc.

References
Public Announcement - https://blogs.office.com/2016/08/31/visio-updates-advanced-design-collaboration-data-linked-diagrams-and-cross-platform-coverage/
Visio Online Preview - https://products.office.com/en-us/visio/visio-online
Visio Online FAQs for Preview - https://support.office.com/en-us/article/Visio-Online-Frequently-Asked-Questions-e6647040-2fca-42ec-9fa5-d16a4e39e0ee
Visio for iPad Insider Program - https://products.office.com/en-us/visio/visio-for-ipad
Visio for iPad Insider Program FAQs - https://support.office.com/en-us/article/Visio-on-iPad-Insider-Program-3dc2390d-6192-4fed-8b07-0647da2ccf3e

Office 365 MDM or Microsoft Intune?

Introduction
I have been asked several times, what are the MDM capabilities available in Office 365 versus what additional capabilities do you get with Intune?

In this quick article I will explore the differences.

What is Office 365 MDM?
In Office 365 there are several native MDM capabilities.

First there is Exchange ActiveSync (EAS) which is part of Exchange Online.  With EAS you:

• Have the ability to manage an inventory of mobile devices that are connected to Exchange Online. 
• Have the ability to remotely wipe email from a device.
• Have the ability to enforce mobile device configuration settings, such as PIN requirements, PIN lengths, etc.

Second with E1, you also get Office 365 MDM.  With this you:

• Can prevent access to both email and documents based on device enrollment and compliance policies.
• Protect against root and jail broken devices.
• Have reporting on devices that do not meet IT policy.
• Have selective wipe capability that allows you to wipe Office 365 data without impacting personal data.

Behind the scenes, Office 365 MDM leverages Microsoft Intune to help deliver these solutions.

What is Intune?
Microsoft Intune is Microsoft’s cloud mobile and PC management platform.  Sometimes customers will want to add this to help them manage devices and applications beyond what Office 365 natively provides.  With Intune you:

• Have the ability to manage traditional PCs MACs; not just mobile devices.  Plus you can manage Linux and UNIX servers.
• Have a full Mobile Device Management (MDM) platform available to you to protect enterprise assets beyond Office 365.
• Have the ability to create profiles for certificates, VPN, email profiles and Wi-Fi settings.
• Have the ability to enroll and manage corporate owned devices.
• Can deploy and protect customer built line of business apps using Mobile Application Management.
• Can securely protect access to corporate data using Office mobile and custom line of business apps by using Mobile Application Management by restricting such actions as copy, cut, paste, save as to only applications managed by Intune.
• Can enable more secure web browsing.

As you can see, this is a much more comprehensive solution you have access to.

Why do you need both? 
All depends on your approach.  Microsoft Office 365 has the ability to integrate with many third-party MDM providers.  Customers do have the power of choice.  Intune does provide unique capabilities for Mobile Application Management (MAM) to protect data on mobile devices without compromising the end user experience.  However, the big value sell of Intune is the expanded set of solution to manage PCs and MACs.

What are these new plans?
Intune is bundled into EMS.  EMS used to stand for Microsoft Enterprise Mobility Suite.  Now, EMS stands for Enterprise Mobility + Security.

Plus, the new EMS Suite has taken very similar plan structures as Office 365.  For instance:

• EMS E3 includes Azure AD Premium P1, Intune, Azure Information Protection Premium P1 (Azure Rights Management (RMS)), and Advanced Threat Analytics
• EMS E5 includes Azure AD Premium P2, Azure Information Protection Premium P2 (Intelligent classification) and Cloud App Security.

As you can see Intune, lands in the EMS E3 bundle or you can purchase it a-la-carte.  See references below.

References

Exchange ActiveSync - https://technet.microsoft.com/en-us/library/aa998357(v=exchg.150).aspx
Overview of Mobile Device Management (MDM) for Office 365 - https://support.office.com/en-us/article/Overview-of-Mobile-Device-Management-MDM-for-Office-365-faa7d8e5-645d-4d59-839c-c8d4c1869e4a
Controlling Access to Office 365 and Protecting Content on Devices - https://www.microsoft.com/en-us/download/details.aspx?id=53317
Capabilities of built-in Mobile Device Management for Office 365 - https://support.office.com/en-us/article/Capabilities-of-built-in-Mobile-Device-Management-for-Office-365-a1da44e5-7475-4992-be91-9ccec25905b0
Choose between MDM for Office 365 and Microsoft Intune - https://support.office.com/en-us/article/Choose-between-MDM-for-Office-365-and-Microsoft-Intune-c93d9ab9-efb2-4349-9b93-30c30562ee22
Create and deploy device security policies - https://support.office.com/en-us/article/Create-and-deploy-device-security-policies-d310f556-8bfb-497b-9bd7-fe3c36ea2fd6
Enroll your mobile device in Office 365 - https://support.office.com/en-us/article/Enroll-your-mobile-device-in-Office-365-c8ac722d-dcaf-4135-8345-3e6327f5d3c5
Introducing Enterprise Mobility + Security - https://blogs.technet.microsoft.com/enterprisemobility/2016/07/07/introducing-enterprise-mobility-security/

Azure Information Protection with Office 365

Introduction
If you are a reader of my blog, you know for the past few years I have been very focused on discussing Office 365 services.  I recently decided to some catching-up on EMS and how it relates to Office 365.  Well as it turns out there have been several recent changes.  One thing that caught my attention very quickly was Azure Information Protection.  In this blog I will explore this solution.

I will say I am super excited to see the vision of this feature given I work with customers who have the most complex security and information protection policies out there.

Note that Azure Information Protection services is currently in Public Preview.

What is the new Azure Information Protection solution?A major challenge that organizations face is protection of their data.  Data loss prevention is constantly on customers’ minds.

With Azure Information Protection we can protect data at the lowest common denominator.  Instead of solely relying on the data storage systems to classify and protect data, we now protect the data directly at the source as email and documents move from place-to-place.

With Azure Information Protection:

• Classify, label and protect data at the time of creation or modification.
• Persistent protection travels with the data with rights management.
• Provide users simple intuitive controls help users make the right decisions and stay productive.
• Enable safe sharing of data both internally and externally.
• Ability to create organizational enforceable policies to protect data.
• Visibility and control over the shared data.
• Deployment and management flexibility through the cloud.

What is the difference between Azure Information Protection and Azure RMS?
Simply put, Azure Rights Management Services (RMS) got a bunch of new features added to it.  Azure Information Protection building upon RMS with several new capabilities that have been introduced as part of the Secure Islands acquisition.

The new capability that should catch your attention is the intelligent classification and labeling solution that has been integrated with Azure RMS.  This is super exciting capability.

With the new labeling capability in Azure Information Protection services, you have the ability to be able to create enforceable policy to classify and protect your more important critical data.  You have the ability to create labels (classifications) like Personal, Public, Internal, Confidential, Secret, etc.  Then you have the ability to create policies define how data should be tagged with these classifications.  Once data is classified, that data can visual indicators applied to it, RMS protection policies pro-actively applied to the data, and DLP rules (like Exchange transport rules) can watch for this data and take action.

Additionally, there are new reports available to you that allow you to see how the most critical data in your organization is being accessed and managed.  This provides an audit trail for your most critical data.

How can an organization use Azure Information Protection?
Let’s look at Azure Information Protection a little closer.

When a user is in Office, they will see a new ribbon item (Protect) along with new labeling mechanism in the ribbon.  Users have the ability to tag any document or email on the spot.

Administrators have the ability to create the labels that customers see.

Within each label you can:

• Associate RMS policies you want to apply (if any) to a specific label.  For instance, if you have a Confidential or Secret label, you may want to associate that label to an RMS policy.
• Create visual markings that would be applied to the email or document once the label is applied.  For instance, add headers, footers, watermarks, etc.
• Define conditions that could automatically label email and documents.  For instance, if you see data patterns within the content, a label can be auto applied.

There are numerous ways these labels can actually be applied.

• Automatic – Labels can be applied by IT based on information it can see in the documents and emails.  This means as the user is creating the content, the label can be applied for them. 
• User Drive – Users have the ability to choose to apply sensitive labels to email or file as they work on it.
• Recommendation – Instead of automatically applied the label, you can make recommendations to the user on how classify/label.
• Reclassification – Depending on your policy, you can allow users the ability to re-classify email and documents.  You can even require them to enter a justification which will be logged.

I see endless opportunity for organizations to use Azure Information Protection services to protect their data.  For instance:

• An organization could create a policy that all documents are automatically classified as Internal.  The Internal does not have to have a RMS policies associated to it, but doing this will set a baseline that all content in the organization has been tagged.
• As data needs to be become public, the data can be re-classified (labeled) as public by the end user.
• For documents as classified as Secret or Confidential, an RMS policy could automatically be applied.
• Re-classification can be allowed without justification for Internal and Public, but for any re-classifications of Secret or Confidential a justification must be provided.
• I really think there are endless opportunities here with Azure Information Protection services.

How does this relate to Office 365?
As part of the Preview, Azure Information Protection services can be integrated with Office 365 ProPlus.  This means files that you author in Word, Excel, PowerPoint, etc. as well as emails in Outlook will have this user experience.  This will expand with time.

I thought Office 365 already had DLP, where does this play in?
Yes, Office 365 already has DLP capabilities within Exchange Online, SharePoint Online and OneDrive for Business.  Azure Information Protection services provides another layer of protection to data protection along with labeling solution.

For instance, SharePoint Online DLP will identify sensitive documents that were put in a location that has too broad access.  That file can be locked down and then remediated with SharePoint Online DLP by the user or an administrator.  However, what if the end user made a mistake (or worse was malicious) and then tried to send a file tagged as secret outside of the organization?  Azure Information Protection could protect that data tagged as Secret based on your policies.  For instance, you can automatically apply an RMS policy to Secret data and not allow users to re-classify that data.  There are several other mitigations you can take such as watch for documents tagged as secret being emailed externally.

From what I have observed, a challenge customers have had with RMS is educating users on how they should use it.  With Azure Information Protection services classification and labeling solution, the decision has just been super simple for end users.  End users do not need to know complex RMS policies and rule sets; all they need to know are organization contextual tags and the RMS policy is applied for them.

How is Azure Information Protection related to the EMS Suite?
There are two plans, there is Azure Information Protection Plan 1 and Plan 2. 

Plan 1 provides the encryption for files and cloud based file tracking.  From a legacy perspective, this is what you know of as Azure RMS as part of the EMS suite.

Plan 2 adds the new intelligent classification and labeling policies.

There are as well EMS Suites (E3 and E5).  Azure Information Protection Plan 2 is part of the EMS Suite 5.

If you are an Office 365 E3 suite customer, you already get access to Azure RMS service.  However, having Office 365 E3 does not give you access to all the EMS E3 or E5 capabilities.  So to get access to Azure Information Protection Plan 2, to get this new classification and labeling solution, you will need acquire some additional EMS plans.

References
Announcing Azure Information Protection - https://blogs.technet.microsoft.com/enterprisemobility/2016/06/22/announcing-azure-information-protection/
Azure Information Protection Public Review Announcement- https://blogs.technet.microsoft.com/enterprisemobility/2016/07/12/azure-information-protection-public-preview-available-now/
Introducing Enterprise Mobility + Security - https://blogs.technet.microsoft.com/enterprisemobility/2016/07/07/introducing-enterprise-mobility-security/
Acquisition of Secure Islands - http://blogs.microsoft.com/blog/2015/11/09/microsoft-to-acquire-secure-islands-a-leader-in-data-protection-technology
Azure Information Protection product page - https://www.microsoft.com/en-us/cloud-platform/azure-information-protection
What is Azure Information Protection (good video) - https://docs.microsoft.com/en-us/rights-management/information-protection/what-is-information-protection 
Azure Information Protection FAQs - https://docs.microsoft.com/en-us/rights-management/information-protection/faq
Azure Information Protection Quick Start for Preview - https://docs.microsoft.com/en-us/rights-management/information-protection/infoprotect-quick-start-tutorial

Office 365 Secure Score and Information Security Planning

Introduction
Office 365 customers are provided a highly security solution for business productivity.  Microsoft ensures that the Office 365 service is secure and demonstrates this commitment through many of the third-party accreditations it receives.  Yet that is only half the battle as the customer who manage the Office 365 tenant shares in that security responsibility.  There are a tremendous amount security features and capabilities that are available to Office 365 customers that require configuration and management.  Customers frequently miss they too have a security responsibility to manage and continuously monitor their tenant.  In this blog I will discuss:

1. The new Office 365 Secure Score analytics tool.
2. Office 365 Information Security Planning.

Microsoft is invested in providing a safe and secure productivity cloud solution for your end users.  A clear differentiator for Microsoft is that they provide you plans, frameworks and tools that help you plan and continually monitor your security risk with Office 365.

Office 365 Secure Score
Microsoft has released “in preview” a new capability called Office 365 Secure Score.  This is a new analytics tool that can review the configuration of your tenant and make recommendations (based initially on 77 different factors).  Think of it as a “credit score”.  The higher the score, the more controls you have configured into your tenant.  The goal is to create a score that is aligned to your business requirements which do not impact your user experience.

Features of this capability are:

• There is a summary panel that provides you your score and when you last ran it.
• There is a modeling tool that allows you to do analysis to determine if you introduce more controls how those new controls will impact your score.
• There is detailed information about each control it evaluates and the risk that it mitigates.
• There are remediation instructions for each control that you introduce and how it would impact your end users.
• There is a score analyzer that allows you to measure your performance over time.  You can download the scores from the reports and make them part of continuous monitoring program.
• New controls will be introduced into the tool as new features are added to the service.

Plan for Office 365 Information Security
Since I have discussed this new Office 365 Secure Score tool that helps you continuously evaluate your security position, it is also worth mentioning there are several new Office 365 Information Planning worksheets you should review (see references below).
What these references will do is provide you direction on how you can utilize and configure all of the Office 365 security features (several new ones). 

Here are features I talk about a lot:

• Federated Authentication (ADFS) and ADFS Client Access Policies.
• Two-factor Authentication with Office 365 MFA and integration with third-party 2FA (smart cards, PIV, CaC).
• Data Loss Prevention for Exchange Online, SharePoint Online, OneDrive for Business and Skype for Business Online.
• Rights Management Service (RMS) Exchange Online, SharePoint Online, OneDrive for Business and Office 365 ProPlus.
• Office 365 Message Encryption (OME) and S/MIME support.
• eDiscovery, Legal Hold and Retention policies for Exchange Online, SharePoint Online, OneDrive for Business and Skype for Business Online.
• Advanced eDiscovery with text analytics, machine learning and predictive coding.
• Exchange Online Inactive Mailboxes.
• Data spillage and deletion methods.
• Permissions management.
• Service usage reports.
• Customer Lockbox
• Office 365 MDM and Exchange ActiveSync policies.
• Intune MDM advanced features for Exchange Online, SharePoint Online, OneDrive for Business and Skype for Business Online.
• Office on the Web (OWA) client policies for data sync and attachment downloads.
• Exchange Online Protection.
• Advanced Threat Protection for Exchange Online.
• Office 365 Advanced Security Management.
• Azure AD usage and audit reports.
• Exchange Online mailbox auditing and administrator auditing reports.
• SharePoint Online usage audit reports.
• Rights Management Service (RMS) audit reports.
• External sharing policies for SharePoint Online, OneDrive for Business and Skype for Business Online.

There are a lot of features available to customers and planning is required.

In Closing
It can be daunting to see the amount of information security features that a customer has available to them in Office 365.  Customers need to plan and develop continuous monitoring plans to evaluate their risk in the Office 365.  Microsoft, unlike many of the cloud vendors out there, provide comprehensive solutions to help you plan and measure your risk.

Reference
Office 365 Secure Score Announcement - https://blogs.technet.microsoft.com/office365security/new-security-analytics-service-finding-and-fixing-risk-in-office-365/
Take a systematic approach to security and information protection with Office 365 - https://blogs.office.com/2016/07/27/take-a-systematic-approach-to-security-and-information-protection-with-office-365/
Plan for Office 365 security and information protection capabilities - https://support.office.com/en-US/article/Plan-for-Office-365-security-and-information-protection-capabilities-3d4ac4a1-3920-4ff9-918f-011f3ce60408?ui=en-US&rs=en-US&ad=US

New Office 365 Exchange and SharePoint User Experiences Coming

New User Experiences
There are some important new user experiences that are being released for Office 365 that you should be aware of:

1. SharePoint Online Modern Lists
2. Outlook Focused Inbox
3. Outlook Mentions

Modern SharePoint Lists are coming
A new user experience is coming to SharePoint Lists.  It will be referred to as Modern SharePoint lists and many of the changes are consistent with the user experience changes you have been seeing with SharePoint modern document libraries.  You will many new features such as:

• Simplified user experience to add columns to lists.
• Ability to elevate (pin) list data for viewing.
• Ability to edit data in an information panel without having to leave the list view.
• Improved bulk editing.
• Simplified automation with versions, approvals and alerts.
• New user experience for view and edit lists in mobile browsers and SharePoint mobile app.
• Integration with PowerApps and Microsoft Flow.  This will allow you to build new workflow applications connected to cloud data and then expose these workflows via PowerApps.

Transition over this user experience can be managed as well so that end users are no disrupted:

• By default, classic list will automatically inherit the new modern list experience.
• If there is a compatibility blocker to move to the modern list experience, the classic list experience will stay as is.
• Users will have the ability to revert to the classic experience at any time.
• Administrators will have the ability to configure classic list experience as the default at the list, site, site collection or tenant level.  This allows for lots of flexibility for user transition.

Outlook Focused InboxThis is a new experience that is called Focused Inbox that is being released for Outlook.  It was initially release on Outlook for iOS but will be release to all versions of Outlook.

The Focused Inbox will prioritize email that is important to you based on such things as who you interact with the most often, while other email (newsletters, DLs, generated emails, etc.) will land in the Other Inbox.  All the data is staying in your primary mailbox, just the email that most important to you is being prioritized.

Focused Inbox will be replacing the Clutter feature that was introduced awhile back.  Clutter was different in that it actually moved email data to a different email folder.  With Focused and Other Inbox, these are just views into the primary Inbox folder.  Clutter will stop moving mail as the Focused Inbox feature is rolled out.

From a transition perspective, again you have control.  Admins will have mailbox and tenant level control of this feature to do a staged rollout to your end users.

Outlook Mentions
This is a really neat feature that I find super exciting.  This features will help you write emails so much quicker.

As you type an email, you can simple type the @ symbol anywhere in the body of a message.  Once you do that, a people picker will appear, which you can select a person’s name.  Once you pick the person, their name will he highlighted in the message calling out action to them.  Additionally, if the person’s name is not yet on the TO line, their name will be automatically added to the TO line for you.  This is very much like a user experience you have in Facebook when writing a message.

References
https://blogs.office.com/2016/07/25/modern-sharepoint-lists-are-here-including-integration-with-microsoft-flow-and-powerapps/
https://blogs.office.com/2016/07/26/outlook-helps-you-focus-on-what-matters-to-you/

Certificate Based Authentication for Exchange Online

Exchange Online now has Certificate Based Authentication (CBA) in Preview.  I have been waiting for this for a while.  CBA will be supported with Microsoft mobile Outlook apps and it will be supported with Exchange ActiveSync (EAS).  This is a really important release for organizations who more complex security and authentication requirements when accessing Exchange Online data.  Typically organizations that use Smart Cards for all their log-in and access applications have required CBA.

For more information, review this - https://blogs.technet.microsoft.com/exchange/2016/07/19/preview-of-certificate-based-authentication-cba-for-exchange-online/