Skype for Business Online Ports Reduced

Back in April 2017, I wrote about how Skype for Business Online IP address ranges and ports were planning on being reduced (http://www.astaticstate.com/2017/04/skype-for-business-online-ranges-and.html).

The most recent announcement is that this has been completed.

Recent Announcement - https://techcommunity.microsoft.com/t5/Skype-for-Business-Blog/Simplified-port-requirements-for-Skype-for-Business-Online/ba-p/77094

This is a very big change which I know many Skype for Business Online customers will be happy to hear about.  The big change is that UDP/TCP 50,000-59,999 port ranges are now options for Skype for Business Online.  The reason for the change is that given the quality of service that that can be delivered out of Office 365 and the performance Microsoft Network does not require these ports.  Some other facts are:

• Must be on Skype for Business Online client.
• UDP/TCP 50,000-59,999 is being marked as optional for Skype for Business Online.
• If your organization is not blocking them today, still recommended that you keep them open.
• This change is only for users in Skype for Business Online (in Office 365).  If you have a hybrid environment these ports are still required.

I highly recommend that you review the details of the announcement.

Here is a reference to all Office 365 URLs and IP address ranges - https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US&fromAR=1

Office 365 and Azure EMS Overlap

I decided to create a simple cheat sheet for folks to help you understand how Office 365 suites such as E3 and E5 relate to Azure Enterprise Security + Mobile Suite (EMS).  There is a lot of cross-over and relationship between these capabilities.

I will assume in this discussion we are an Office 365 customer trying to understand how does EMS overlap and extend Office 365.

EMS Suites

First, we must first understand what is in the EMS Suites.  There are two EMS Suites E3 and E5.  Here is an overview site - https://www.microsoft.com/en-us/cloud-platform/enterprise-mobility-security-pricing

EMS E3 is made up of:

• Azure Active Directory Premium P1 - Designed to empower organizations with more demanding identity and access management needs, Azure Active Directory Premium edition provides feature-rich enterprise-level identity management capabilities and enables hybrid users to seamlessly access on-premises and cloud capabilities. This edition includes solutions for the information worker and identity administrators in hybrid environments across application access, self-service identity and access management (IAM), and security in the cloud.  Solutions available are: Secure single sign-on to cloud and on-premises apps, Multi-factor authentication, Conditional access and Advanced security reporting.
• Azure Information Protection Premium P1 - Control and help secure email, documents, and sensitive data that are shared outside the customer walls with Azure Information Protection Premium (formerly known as Active Directory Rights Management Service (AD RMS)). From easy classification to embedded labels and permissions, enhance data protection at all times with Azure Information Protection—no matter where it’s stored or who it’s shared with.  Solution provides encryption for all files and storage locations and cloud-based file tracking.
• Microsoft Intune - Microsoft Intune provides mobile device management, mobile application management, and PC management capabilities from the cloud. Using Intune, customer can provide personnel access to corporate applications, data, and resources from virtually anywhere on almost any device, while helping to keep customer information secure.  With the increasing volume and diversity of both ‘bring your own device’ (BYOD) and corporate-owned devices being used in organizations today, a growing challenge for IT departments is keeping corporate information secure. Microsoft mobile application management (MAM) and mobile device management (MDM) solutions help minimize this complexity by offering management capabilities both on-premises and in the cloud, all from a single console.  Solution provides mobile device and app management to protect corporate apps and data on any device.
• Microsoft Advanced Threat Analytics (ATA) - Microsoft Advanced Threat Analytics (ATA) protect customer from advanced, persistent cyber threats.  From detecting known malicious attacks to uncovering abnormal activity with machine learning and behavioral analytics, identify advanced persistent threats to customer quickly and act swiftly with Microsoft Advanced Threat Analytics.  Solution provides protection from advanced targeted attacks by applying user and entity behavior analytics.

EMS E5 is made up of:

• Azure Active Directory Premium P2 - Builds off Azure Active Directory Premium P1, enhanced with advanced identity protection and privileged identity management capabilities.  Solution includes risk-based conditional access and privileged identity management.
• Azure Information Protection Premium P2 - Builds off Azure Information Protection Premium P1 providing intelligent classification policies to classify and label data at time of creation or modification based on source, context, and content. Classification with Azure Information Protection is fully automatic, driven by users or based on recommendation.  Additionally, this services provides Hold Your Own Key (HYOK) that spans Azure RMS and Active Directory RMS for highly regulated scenarios.
• Microsoft Cloud App Security - Microsoft Cloud App Security provides enterprise-grade security for customer cloud applications.  Whether or not you're in the cloud, customer personnel are. Bring the security of on-premises systems to cloud applications—both approved and unapproved—for deeper visibility, comprehensive controls, and enhanced protection against cloud security issues.  Solution provides enterprise-grade visibility, control, and protection for cloud applications.

How does this compare with Office 365 solutions?
There is overlap with Office 365 solutions.  There are tons of good reference articles that show you exactly where deltas are.

Azure AD Overlap
As you know when you have an Office 365 instance, Azure AD is used underneath the hood.

Azure AD Comparison Table - https://www.microsoft.com/en-us/cloud-platform/azure-active-directory-features.  This table shows you the difference Office 365 and the features and capabilities you get with Azure AD Premium Plans 1 and 2.

Azure Information Protection / Rights Management Overlap
If you are an Office 365 E3 customer, you may know you get some Office 365 Rights Management.  However Azure Information Protection Plans 1 and 2 provided extended capabilities.

Information Rights Management Comparison Table - https://www.microsoft.com/en-us/cloud-platform/azure-information-protection-features - Shows you exactly what you get between the different plans.

Office 365 MDM / Microsoft Intune Overlap
Office 365 natively provides some MDM capabilities.  EMS Intune is the enterprise capability for MDM.  Office 365 MDM is just providing a subset of Intune for Office 365 only.

Office 365 MDM and Microsoft Intune comparison table is located here - https://support.office.com/en-us/article/Choose-between-MDM-for-Office-365-and-Microsoft-Intune-c93d9ab9-efb2-4349-9b93-30c30562ee22.

Microsoft ATA and Office 365 Advanced Security Management Overlap
Office 365 Advanced Security Management (ASM) is part of the Office 365 E5 Suite.  Microsoft ATA is part of the Azure EMS E3 Suite.

Unfortunately, there is not a good comparison table like with the other service offerings previously discussed, yet there are some good references.  Just like previously discussed, Office 365 ASM is providing a subset of Microsoft ATA but Office 365 ASM is a subset of capability for Office 365 only.

Office 365 ASM - https://support.office.com/en-us/article/Get-started-with-Advanced-Security-Management-d9ee4d67-f2b3-42b4-9c9e-c4529904990a?ui=en-US&rs=en-US&ad=US – This is a good reference article that describes the types of alerts that you can sign-up for, monitor cloud app usage and set-up SIEM integration for logging.

Azure Threat Analytics (ATA) is a broader approach that extends to on-premises.  Here is the top-level article on it - https://docs.microsoft.com/en-us/advanced-threat-analytics/what-is-ata.

OneDrive On-Demand

OneDrive On-Demand
There was a recent announcement of some new features coming for OneDrive for Business and SharePoint Online that I am very excited to see.  The new feature is called OneDrive On-Demand.

The OneDrive On-Demand capability allows you to access files without having to download them and use storage locally on your device.  Effectively, File Explorer has connectivity to data in the OneDrive for Business cloud just like it has with data on network attached storage.  When you select a file, that file will be synced locally and then opened in the app.

Additionally, there are reasons why some folders and files you will always want to ensure are available locally.  With this new capability, you have the ability to designate which files and folders you want to have as always available locally.

Benefits
A major benefit is not having to use local device storage.  This becomes important because storage available on a per user basis with OneDrive for Business in cloud can be more than what is available on the device itself.  So, if a user has 1TB of data of OneDrive Storage in the cloud, and they

Another benefit is more efficiency in data synchronization to a corporate network.  When lots of user sync a SharePoint Online site, all the files are synced to that device.  Additionally, when a file is updated, that update is pushed to all devices.  Now files are only synced at the user’s designation if the file must be available locally all the time.  This will reduce the amount of data being pushed.

Other Notes
OneDrive On-Demand is available as part of the Windows 10 Fall Creators Update.
This feature will work with OneDrive for Business, OneDrive (personal) and SharePoint Online.

What about Mobile?
Mobile Apps for OneDrive have always been on-demand.  A new solution is being introduced into the iOS and Android Apps which allow users to designate folders as “offline”.  This allows you to access those files while you have no internet connectivity.  Now we have some feature parity across devices.

References
https://blogs.office.com/2017/05/11/introducing-onedrive-files-on-demand-and-additional-features-making-it-easier-to-access-and-share-files/
https://blogs.office.com/2017/05/16/new-sharepoint-and-onedrive-capabilities-accelerate-your-digital-transformation/

Office 365 and Azure Government Support DFARS

Azure Government services is not able to support DoD contractors and the Defense Industrial Base (DIB) by supporting for Defense Federal Acquisition Regulation Supplement (DFARS) requirements. Office 365 US Government Defense is also able to accept the flow down terms based on FedRamp+ requirements (as defined in the DoD Cloud Computing Security Requirements Guide (SRG)).  This allows DoD's mission partners to host Covered Defense Information (CDI) in Microsoft's secure, compliant cloud dedicated to US government workloads.

A lot of work had been completed by Microsoft and demonstrates a commitment to satisfy the stringent requirements for a major market segment to use compliant commercial cloud solutions.

For more information, please read this public announcement - https://blogs.msdn.microsoft.com/azuregov/2017/05/11/microsoft-azure-government-expands-support-for-defense-industrial-base-and-defense-contractors-announcing-support-for-dfars-requirements/

Advanced Threat Protection expands to Office 365 ProPlus

I have been watching the Office 365 Advanced Threat Protection (ATP) service evolve over the past year.  Every time they add some new, I am just impressed.

In the most recent announcement, it was stated that ATP Safe Links is now being extended to the Office 365 ProPlus desktop clients.  That is super exciting.  So now embedded links that are in Word, Excel and PowerPoint files are protected by ATP Safe Links.

ATP initially started as an Exchange Online solution.  It has subsequently expanded to Office Online (browser).  The goal is to have ATP Safe Links uniformly applied to all Office 365 services.

Announcement - https://blogs.office.com/2017/04/04/announcing-the-release-of-threat-intelligence-and-advanced-data-governance-plus-significant-updates-to-advanced-threat-protection/
Other Advanced Threat Protection (ATP) feature releases - http://www.astaticstate.com/search/label/Advanced%20Threat%20Protection

Skype for Business Online Ranges and Port Changes are Coming

For a long time, customers that have transitioned to Skype for Business Online have provided feedback on the number of IP ranges and ports that are required to be configured with an enterprise’s firewalls.  Microsoft Office 365 will be making some changes alleviate these challenges.

Recommend reading this and monitoring this as the changes are being rolled out -  https://techcommunity.microsoft.com/t5/Skype-Operations-Framework-Skype/Updated-IP-ranges-and-ports-for-Skype-for-Business-Online/ba-p/47470

SharePoint Framework is GA

SharePoint Framework now GA
The SharePoint Framework went generally available (GA) in Feb 2017.  I am personally very excited to see the next evolution of SharePoint development be made available to Office 365.

One of the toughest discussion with organizations transitioning to Office 365 is how to transition SharePoint to SharePoint Online.  For organizations with complex deployments, SharePoint Online is transition could be challenging.  The biggest challenge was what to do with Full Trust code that was either developed internally or part of a third-party solution that was acquired.  Over the years since SharePoint Online has been released, organizations and third-party solution providers have transitioned over to the APIs and the SharePoint Apps model.  However, there was still gaps in what could achieve with SharePoint Online.  With the introduction of the new SharePoint Framework, these gaps have been closed.

What is the SharePoint Framework?
Simply put, the SharePoint Framework is a new web page and web part development model that supports open source tools providing new flexibility in the creation of apps using modern web technologies.  This framework works for either SharePoint on-premises or SharePoint Online.  The new SharePoint Framework will give you a smooth transition from .Net development to Javascript development using this new method.

Up this point, SharePoint Online development options were:

• Full Trust Code: Not supported in SharePoint Online.
• Sandbox Solutions: Limited set of Full Trust code APIs available however this solution is being deprecated; so it was not recommended to invest time in Sandbox Solutions.
• SharePoint Apps:  Was first introduce in SharePoint 2013 days and was used by many to transition complex solutions to SharePoint Online.  This solution moved complex code to other locations and then provided a user experience through a iFrame that was integrated into SharePoint Online.  This approach had many benefits however iFrame boundary created some barriers for building an integrated solution with the SharePoint user experience.
• Script Editor: Has been and will continue to be as a solution to inject javascript and customizations into web pages.  This solution has several limitations around configuration and its ability to integrate deeply into the SharePoint API. 

How have things changed from the old way?
With the new SharePoint Framework, we can get back to writing web-parts the way we used to; which is truly exciting.

• Development Environment – The first big change is that Visual Studio is no longer required to do development.  Yeoman generator is used to create your project artifacts that can then be used to do your development is Visual Studio, Subline, Atom, etc.
• API – Instead of using server side code using .NET, you will use Node.js.
  Strongly Typed Scripting – Even though development is done in Javascript; Typescript is the primary language providing developers the ability to do object-oriented development that they were used to do with .NET.
• Build – Instead of using MSBuild to compile and build your solutions, you will use Gulp which is operating agnostic.  It will build solutions using Node.js.
• Deployment – Deployment of code is no longer pushed out to the GAC.  With the SharePoint Framework code is built and then deployed to any CDN service.  For instance a public CDN used to make the solution publicly available or can be deployed in a SharePoint CDN only make the solution available to a tenant.

References

I highly recommend you start reviewing these articles.

SharePoint Framework GA Announcement - https://blogs.office.com/2017/02/23/sharepoint-framework-reaches-general-availability-build-and-deploy-engaging-web-parts-today/
Overview from Ignite - https://myignite.microsoft.com/videos/2723
Overview - https://dev.office.com/sharepoint/docs/spfx/sharepoint-framework-overview
Enterprise Guidance - https://dev.office.com/sharepoint/docs/spfx/enterprise-guidance