Sunday, August 21, 2016

Azure Information Protection with Office 365

If you are a reader of my blog, you know that for the past few years I have been very focused on discussing Office 365 services.  I recently decided to do some catching up on EMS and how it relates to Office 365.  As it turns out, there have been several recent changes.  One thing that caught my attention very quickly was Azure Information Protection.  In this blog I will explore this solution.

I will say I am super excited to see the vision of this feature, given that I work with customers who have the most complex security and information protection policies out there.

Note that the Azure Information Protection service is currently in Public Preview.

What is the new Azure Information Protection solution?
A major challenge that organizations face is protection of their data.  Data loss prevention is constantly on customers’ minds.

With Azure Information Protection we protect data at the lowest common denominator: the document or email itself.  Instead of relying solely on the storage systems (mailboxes, sites, file shares) to classify and protect data, the classification and protection are attached directly to the content, so they stay with it as email and documents move from place to place.

With Azure Information Protection:

  • Classify, label and protect data at the time of creation or modification.
  • Persistent protection that travels with the data through rights management.
  • Simple, intuitive controls that help users make the right decisions and stay productive.
  • Safe sharing of data both internally and externally.
  • Organization-wide, enforceable policies to protect data.
  • Visibility and control over shared data.
  • Deployment and management flexibility through the cloud.

What is the difference between Azure Information Protection and Azure RMS?
Simply put, Azure Rights Management Service (RMS) got a bunch of new features added to it.  Azure Information Protection builds upon Azure RMS with several new capabilities that came out of the Secure Islands acquisition.

The new capability that should catch your attention is the intelligent classification and labeling solution that has been integrated with Azure RMS.  This is a super exciting capability.

With the new labeling capability in Azure Information Protection, you can create enforceable policy to classify and protect your most critical data.  You can create labels (classifications) such as Personal, Public, Internal, Confidential and Secret, and then create policies that define how data is tagged with those classifications.  Once data is classified, it can have visual markings applied to it, RMS protection can be applied to it proactively, and DLP rules (such as Exchange transport rules) can watch for it and take action.

Additionally, there are new reports available that let you see how the most critical data in your organization is being accessed and managed.  This provides an audit trail for your most critical data.

How can an organization use Azure Information Protection?
Let’s look at Azure Information Protection a little closer.

When a user is in Office, they will see a new Protect ribbon item along with a new labeling bar.  Users can tag any document or email on the spot.

Administrators create the labels that users see.

Within each label you can:

  • Associate the RMS policy (if any) you want applied with the label.  For instance, you would probably associate a Confidential or Secret label with an RMS policy.
  • Create visual markings that are applied to the email or document once the label is applied.  For instance, add headers, footers, watermarks, etc.
  • Define conditions that automatically label email and documents.  For instance, if certain data patterns are found within the content, a label can be applied automatically.
There are numerous ways these labels can actually be applied:
  • Automatic – Labels are applied based on conditions IT defines against the content of documents and emails.  This means that as the user creates content, the label is applied for them.
  • User-driven – Users choose to apply a sensitivity label to an email or file as they work on it.
  • Recommendation – Instead of applying the label automatically, the policy recommends a label to the user, who decides whether to apply it.
  • Reclassification – Depending on your policy, you can allow users to re-classify email and documents.  You can even require them to enter a justification, which is logged.
I see endless opportunity for organizations to use Azure Information Protection to protect their data.  For instance:
  • An organization could create a policy that automatically classifies all documents as Internal.  The Internal label does not need an RMS policy associated with it, but applying it sets a baseline in which all content in the organization has been tagged.
  • As data needs to become public, the end user can re-classify (label) it as Public.
  • For documents classified as Secret or Confidential, an RMS policy could be applied automatically.
  • Re-classification can be allowed without justification for Internal and Public, but any re-classification of Secret or Confidential content must come with a justification.
How does this relate to Office 365?
As part of the Preview, Azure Information Protection can be integrated with Office 365 ProPlus.  This means files you author in Word, Excel, PowerPoint, etc., as well as emails in Outlook, will have this user experience.  This will expand with time.

I thought Office 365 already had DLP, where does this play in?
Yes, Office 365 already has DLP capabilities within Exchange Online, SharePoint Online and OneDrive for Business.  Azure Information Protection adds another layer on top of that: the labeling solution plus protection that is bound to the content rather than to where it is stored.

For instance, SharePoint Online DLP will identify sensitive documents that were put in a location with too broad access.  That file can be locked down and then remediated, through SharePoint Online DLP, by the user or an administrator.  However, what if the end user made a mistake (or worse, was malicious) and then tried to send a file tagged as Secret outside of the organization?  Azure Information Protection can protect data tagged as Secret based on your policies.  For instance, you can automatically apply an RMS policy to Secret data and not allow users to re-classify that data; because RMS protection is carried in the file, the usage rights are still enforced after the file has left the tenant, which location-based DLP cannot do.  There are several other mitigations you can take, such as watching for documents tagged as Secret being emailed externally.
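To make the label semantics concrete, here is an added example, written for this post and not part of Azure Information Protection or any Microsoft code.  It models the policy described in the labeling section above and in the DLP scenario just given: an Internal baseline, conditions that auto-apply Secret or recommend Confidential, RMS protection and a visual marking applied together with the label, reclassification that logs a justification and refuses to downgrade Secret, and a transport-rule style egress check for Secret content addressed to external recipients.  The label names, the RMS threshold, the detection patterns, the domain contoso.example and the sample text are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional


class Label(IntEnum):
    """Labels ordered by sensitivity, so < and > express downgrades and upgrades."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3


RMS_THRESHOLD = Label.CONFIDENTIAL      # assumption: this level and above get RMS protection
INTERNAL_DOMAIN = "contoso.example"     # assumption: the organization's mail domain


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so random 13-16 digit runs are not reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")   # 13-16 digits with optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")        # US SSN shape (constructed pattern)


def has_card(text: str) -> bool:
    return any(luhn_ok(re.sub(r"[ -]", "", m.group())) for m in CARD_RE.finditer(text))


# (condition name, detector, label, mode); mode "auto" applies it, "recommend" asks the user
CONDITIONS = [
    ("US SSN", lambda t: SSN_RE.search(t) is not None, Label.SECRET, "auto"),
    ("Payment card (Luhn-valid)", has_card, Label.CONFIDENTIAL, "recommend"),
]


@dataclass
class Document:
    name: str
    text: str
    label: Label = Label.INTERNAL              # baseline: everything is at least Internal
    rms_protected: bool = False
    header: str = ""                           # visual marking
    recommendation: Optional[Label] = None
    audit: list = field(default_factory=list)  # (event, label, user, reason) trail


def classify(text: str):
    """Most sensitive matching condition as (label, mode, name), else the Internal baseline."""
    hits = [(label, mode, name) for name, detect, label, mode in CONDITIONS if detect(text)]
    return max(hits, key=lambda hit: hit[0]) if hits else (Label.INTERNAL, "auto", None)


def _set_label(doc: Document, label: Label, user: str, reason: str) -> None:
    doc.label = label
    doc.header = f"Classification: {label.name}"
    doc.rms_protected = label >= RMS_THRESHOLD   # protection is bound to the content itself
    doc.recommendation = None
    doc.audit.append(("label", label.name, user, reason))


def apply_policy(doc: Document, user: str) -> Document:
    """Run when content is created or saved: auto-apply or recommend per the matching condition."""
    label, mode, condition = classify(doc.text)
    if mode == "auto":
        _set_label(doc, label, user, f"auto: {condition or 'baseline'}")
    else:
        doc.recommendation = label                        # user-driven: the user decides
        doc.audit.append(("recommend", label.name, user, condition))
    return doc


def reclassify(doc: Document, new_label: Label, user: str, justification: Optional[str] = None) -> Document:
    """User re-labeling: Secret is never downgraded; leaving Confidential needs a logged justification."""
    if new_label < doc.label:
        if doc.label == Label.SECRET:
            doc.audit.append(("denied", new_label.name, user, "downgrade from Secret"))
            raise PermissionError("policy: Secret content cannot be downgraded")
        if doc.label >= Label.CONFIDENTIAL and not justification:
            raise ValueError(f"justification required to downgrade from {doc.label.name}")
    _set_label(doc, new_label, user, f"user: {justification or 'no justification required'}")
    return doc


def egress_check(doc: Document, recipients: list) -> tuple:
    """Transport-rule style check: block Secret content addressed to any external recipient."""
    external = [r for r in recipients if r.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN]
    if external and doc.label >= Label.SECRET:
        doc.audit.append(("blocked", doc.label.name, ",".join(external), "external send"))
        return False, external
    return True, external


if __name__ == "__main__":
    hr = apply_policy(Document("hr.docx", "Employee SSN 123-45-6789 on file."), "alice")  # constructed text
    print(hr.label.name, hr.rms_protected, egress_check(hr, ["bob@contoso.example", "eve@mail.example"]))
```

The point of ordering the labels as an enum is that every policy decision (does RMS apply, is this a downgrade, may it leave the organization) becomes a comparison on the label rather than on where the file happens to sit, which is the shift from location-based DLP to content-bound protection described above.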

From what I have observed, a challenge customers have had with RMS is educating users on how they should use it.  With the Azure Information Protection classification and labeling solution, the decision has been made simple for end users.  End users do not need to know complex RMS policies and rule sets; all they need to know is the organization's labels, and the RMS policy is applied for them.

How is Azure Information Protection related to the EMS Suite?
There are two plans: Azure Information Protection Plan 1 and Plan 2.

Plan 1 provides file encryption and cloud-based document tracking.  From a legacy perspective, this is what you know as Azure RMS in the EMS suite.

Plan 2 adds the new intelligent classification and labeling policies.

There are also the EMS suites (E3 and E5).  Azure Information Protection Plan 1 is part of EMS E3, and Plan 2 is part of EMS E5.

If you are an Office 365 E3 customer, you already get access to the Azure RMS service.  However, having Office 365 E3 does not give you access to all of the EMS E3 or E5 capabilities.  So to get Azure Information Protection Plan 2, and with it the new classification and labeling solution, you will need to acquire additional EMS licensing.

Announcing Azure Information Protection
Azure Information Protection Public Preview Announcement
Introducing Enterprise Mobility + Security
Acquisition of Secure Islands
Azure Information Protection product page
What is Azure Information Protection (good video)
Azure Information Protection FAQs
Azure Information Protection Quick Start for Preview

Saturday, August 20, 2016

Office 365 Secure Score and Information Security Planning

Office 365 customers are provided a highly secure solution for business productivity.  Microsoft ensures that the Office 365 service is secure and demonstrates this commitment through the many third-party accreditations it receives.  Yet that is only half the battle: the customer who manages the Office 365 tenant shares in that security responsibility.  There are a tremendous number of security features and capabilities available to Office 365 customers that require configuration and management, and customers frequently miss that they too have a responsibility to manage and continuously monitor their tenant.  In this blog I will discuss:
  1. The new Office 365 Secure Score analytics tool.
  2. Office 365 Information Security Planning.
Microsoft is invested in providing a safe and secure productivity cloud for your end users.  A clear differentiator for Microsoft is that they provide plans, frameworks and tools that help you plan for and continually monitor your security risk with Office 365.

Office 365 Secure Score
Microsoft has released, in preview, a new capability called Office 365 Secure Score.  This is a new analytics tool that reviews the configuration of your tenant and makes recommendations (initially based on 77 different factors).  Think of it as a “credit score”: the higher the score, the more of the available controls you have configured in your tenant.  Keep in mind that it measures which controls are turned on, not whether your tenant is actually free of compromise, so the goal is a score aligned to your business requirements that does not impact your user experience, rather than the maximum possible score.

Features of this capability are:
  • A summary panel that shows your score and when it was last calculated.
  • A modeling tool that lets you see how your score would change if you introduced more controls.
  • Detailed information about each control it evaluates and the risk that control mitigates.
  • Remediation instructions for each control you introduce and how it would impact your end users.
  • A score analyzer that lets you measure your performance over time.  You can download the scores from the reports and make them part of a continuous monitoring program.
  • New controls will be introduced into the tool as new features are added to the service.
Plan for Office 365 Information Security
Since I have discussed the new Office 365 Secure Score tool, which helps you continuously evaluate your security posture, it is also worth mentioning that there are several new Office 365 information security planning worksheets you should review (see references below).
These references give you direction on how to use and configure the Office 365 security features, including several new ones.

Here are features I talk about a lot:
  • Federated Authentication (ADFS) and ADFS Client Access Policies.
  • Two-factor authentication with Office 365 MFA and integration with third-party 2FA (smart cards, PIV, CAC).
  • Data Loss Prevention for Exchange Online, SharePoint Online, OneDrive for Business and Skype for Business Online.
  • Rights Management Service (RMS) Exchange Online, SharePoint Online, OneDrive for Business and Office 365 ProPlus.
  • Office 365 Message Encryption (OME) and S/MIME support.
  • eDiscovery, Legal Hold and Retention policies for Exchange Online, SharePoint Online, OneDrive for Business and Skype for Business Online.
  • Advanced eDiscovery with text analytics, machine learning and predictive coding.
  • Exchange Online Inactive Mailboxes.
  • Data spillage and deletion methods.
  • Permissions management.
  • Service usage reports.
  • Customer Lockbox
  • Office 365 MDM and Exchange ActiveSync policies.
  • Intune MDM advanced features for Exchange Online, SharePoint Online, OneDrive for Business and Skype for Business Online.
  • Outlook on the web (OWA) client policies for data sync and attachment downloads.
  • Exchange Online Protection.
  • Advanced Threat Protection for Exchange Online.
  • Office 365 Advanced Security Management.
  • Azure AD usage and audit reports.
  • Exchange Online mailbox auditing and administrator auditing reports.
  • SharePoint Online usage audit reports.
  • Rights Management Service (RMS) audit reports.
  • External sharing policies for SharePoint Online, OneDrive for Business and Skype for Business Online.
There are a lot of features available to customers and planning is required.

In Closing
It can be daunting to see the number of information security features that a customer has available to them in Office 365.  Customers need to plan, and develop continuous monitoring plans, to evaluate their risk in Office 365.  Microsoft, unlike many of the cloud vendors out there, provides comprehensive solutions to help you plan and measure your risk.

Monday, August 1, 2016

New Office 365 Exchange and SharePoint User Experiences Coming

New User Experiences
There are some important new user experiences that are being released for Office 365 that you should be aware of:
  1. SharePoint Online Modern Lists
  2. Outlook Focused Inbox
  3. Outlook Mentions
Modern SharePoint Lists are coming
A new user experience is coming to SharePoint lists.  It will be referred to as modern SharePoint lists, and many of the changes are consistent with the user experience changes you have been seeing with SharePoint modern document libraries.  You will see many new features such as:
  • Simplified user experience to add columns to lists.
  • Ability to elevate (pin) list data for viewing.
  • Ability to edit data in an information panel without having to leave the list view.
  • Improved bulk editing.
  • Simplified automation with versions, approvals and alerts.
  • New user experience for viewing and editing lists in mobile browsers and the SharePoint mobile app.
  • Integration with PowerApps and Microsoft Flow.  This will allow you to build new workflow applications connected to cloud data and then expose these workflows via PowerApps.

The transition to this user experience can be managed as well, so that end users are not disrupted:
  • By default, classic lists will automatically inherit the new modern list experience.
  • If there is a compatibility blocker to moving to the modern list experience, the classic list experience will stay as is.
  • Users will have the ability to revert to the classic experience at any time.
  • Administrators will have the ability to configure the classic list experience as the default at the list, site, site collection or tenant level.  This allows lots of flexibility for user transition.

Outlook Focused Inbox
This is a new experience called Focused Inbox that is being released for Outlook.  It was initially released on Outlook for iOS but will be released to all versions of Outlook.

The Focused Inbox will prioritize email that is important to you based on things such as whom you interact with most often, while other email (newsletters, DLs, generated emails, etc.) will land in the Other inbox.  All the data stays in your primary mailbox; the email that is most important to you is simply prioritized.

Focused Inbox will be replacing the Clutter feature that was introduced a while back.  Clutter was different in that it actually moved email to a different folder.  Focused and Other are just views into the primary Inbox folder.  Clutter will stop moving mail as the Focused Inbox feature is rolled out.

From a transition perspective, again you have control.  Admins will have mailbox and tenant level control of this feature to do a staged rollout to your end users.

Outlook Mentions

This is a really neat feature that I find super exciting.  This feature will help you write emails much quicker.

As you type an email, you can simply type the @ symbol anywhere in the body of a message.  Once you do that, a people picker appears, from which you can select a person’s name.  Once you pick the person, their name is highlighted in the message, calling out an action for them.  Additionally, if the person’s name is not yet on the To line, it is automatically added to the To line for you.  This is very much like the experience you have in Facebook when writing a message.

Saturday, July 23, 2016

Certificate Based Authentication for Exchange Online

Exchange Online now has Certificate Based Authentication (CBA) in Preview.  I have been waiting for this for a while.  CBA will be supported with the Microsoft Outlook mobile apps and with Exchange ActiveSync (EAS).  This is a really important release for organizations that have more complex security and authentication requirements when accessing Exchange Online data.  Typically, organizations that use smart cards for all their logins and application access have required CBA.

For more information, review this -  

Monday, July 18, 2016

Microsoft Stream in Preview

Microsoft Stream
Microsoft made a really interesting announcement today about a new offering called Microsoft Stream.  Microsoft Stream is currently in Preview and available for customers to try out.

Microsoft Stream is a new business video service that builds on the experience Microsoft has had with the Office 365 Video service.  Office 365 Video was originally announced back in Nov 2014 and is available to customers who have purchased an Office 365 suite.  Office 365 Video leverages Azure Media Services to provide a portal for enterprise organizations to share video content.

Microsoft’s long-term plan is to converge Office 365 Video with Microsoft Stream, making Stream the de facto video service for Office 365 customers.  Over the short term, both services will run side by side.

So what is new with Microsoft Stream?  There are several new features:
  • An updated and even simpler user experience, including for uploading video.
  • Enhanced content delivery and discovery.  Specifically, trending videos will be powered by machine learning to get users to videos that are more relevant to them.
  • More control over video channels to secure access to videos.
  • Ability to follow channels through a personalized homepage.
  • New social features for sharing, liking, etc.
However, the vision for Microsoft Stream is what really excites me.  Microsoft mentioned some directions they see Microsoft Stream taking:
  • Integration between Microsoft Stream and Skype Meeting Broadcast such that both live and on-demand video are available to the user through a single video solution.
  • Intelligent video search, so that you can search within a video instead of relying only on the descriptions, tags and metadata provided by a user.  For instance, audio transcription and face detection can be used to search videos.
  • Integration of video into workflows and applications built on Office 365.
  • More IT management control for managing access to video channels, removing and monitoring video content, and deciding which video is available to specific groups of people.
  • New APIs that will allow partners to build Microsoft Stream solutions.

Introducing Microsoft Stream
Microsoft Stream
What Microsoft Stream means to Office 365
Introducing Office 365 Video

Tuesday, June 21, 2016

Advanced Security Management for Office 365

What is Advanced Security Management?
There is a new E5 capability called Advanced Security Management that is becoming available for Office 365.  This new feature helps with threat protection and provides enhanced control, discovery and insight into your Office 365 tenant.

Advanced Security Management is a solution that sits on top of Office 365 activity reporting.  It uses 70 indicators to watch how your service is being used.  You will be able to see things like:

  • If there are users who are performing mass downloads of data.
  • If there are users who have failed multiple log on attempts.
  • If a user is trying to log in from a risky IP address that is outside of your management boundary.
  • If new accounts are being created; especially administrator accounts.
  • It can check connecting applications, for example if a user connects an external application to access Office 365 data, your administrators can see the details of that connection and determine if it should be revoked.
The Advanced Security Management feature reviews and learns the patterns of how your users access the Office 365 service, so it can distinguish normal from anomalous activity.
Within the Security and Compliance Center you can set up policies; there are two types.  First there are anomaly detection policies, which use automatic algorithms to detect suspicious activity.  Second there are activity policies, which are custom alerts the customer sets up for their own Office 365 tenant.  Once you have policies set up for the activities you want to watch for, you can set up notifications that send you email or text messages.  Depending on your policy, you can even suspend a user from Office 365 who violated the policy.
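The activity-policy side of this can be pictured with a small added example, written for this post and not Advanced Security Management's own logic.  It runs four of the checks listed above (mass downloads, repeated failed logons, a successful logon from outside the management boundary, and an administrator role grant) over a constructed, simplified audit log.  The trusted IP ranges, the thresholds and time windows, the role names, the record layout and every log entry are assumptions made up for the example; the field names only loosely follow the Office 365 unified audit log.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions: the customer's management boundary and the policy thresholds.
TRUSTED_RANGES = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("198.51.100.0/24")]
MASS_DOWNLOAD = (50, timedelta(minutes=10))    # >= 50 FileDownloaded by one user within 10 min
FAILED_LOGONS = (5, timedelta(minutes=15))     # >= 5 UserLoginFailed by one user within 15 min
ADMIN_ROLES = {"Company Administrator", "Exchange Service Administrator"}


def parse_time(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")


def inside_boundary(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_RANGES)


def bursts(events, operation, threshold, window):
    """Per user, report the first sliding window holding >= threshold events of `operation`.
    Returns (user, first_time, last_time, count) tuples; one alert per user per run."""
    times_by_user = defaultdict(list)
    for e in events:
        if e["Operation"] == operation:
            times_by_user[e["UserId"]].append(parse_time(e["CreationTime"]))
    alerts = []
    for user, times in times_by_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:     # drop events that fell out of the window
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((user, times[start], t, end - start + 1))
                break
    return alerts


def run_policies(events):
    """Evaluate the activity policies and return (policy, user, detail) alerts."""
    alerts = []
    for user, t0, t1, n in bursts(events, "FileDownloaded", *MASS_DOWNLOAD):
        alerts.append(("MassDownload", user, f"{n} downloads {t0:%H:%M:%S}-{t1:%H:%M:%S}"))
    for user, t0, t1, n in bursts(events, "UserLoginFailed", *FAILED_LOGONS):
        alerts.append(("RepeatedLogonFailure", user, f"{n} failures {t0:%H:%M:%S}-{t1:%H:%M:%S}"))
    for e in events:
        if (e["Operation"] == "UserLoggedIn" and e.get("ResultStatus") == "Succeeded"
                and not inside_boundary(e["ClientIP"])):
            alerts.append(("LogonOutsideBoundary", e["UserId"], e["ClientIP"]))
        if e["Operation"] == "Add member to role." and e.get("Role") in ADMIN_ROLES:
            alerts.append(("AdminRoleGranted", e["UserId"], f"{e['Target']} -> {e['Role']}"))
    return alerts


def sample_log():
    """Constructed records, loosely shaped like unified audit log entries; not real data."""
    def rec(t, user, op, **extra):
        return {"CreationTime": t.strftime("%Y-%m-%dT%H:%M:%S"), "UserId": user, "Operation": op, **extra}
    base = datetime(2016, 6, 21, 9, 0, 0)
    log = [rec(base, "alice@contoso.example", "UserLoggedIn", ClientIP="203.0.113.10", ResultStatus="Succeeded")]
    for i in range(60):     # alice pulls 60 files in under 8 minutes
        log.append(rec(base + timedelta(minutes=10, seconds=8 * i), "alice@contoso.example",
                       "FileDownloaded", ObjectId=f"https://contoso.example/sites/finance/doc{i}.xlsx"))
    for i in range(6):      # bob fails six logons from an untrusted address, then gets in
        log.append(rec(base + timedelta(hours=1, seconds=30 * i), "bob@contoso.example",
                       "UserLoginFailed", ClientIP="192.0.2.5", ResultStatus="Failed"))
    log.append(rec(base + timedelta(hours=1, minutes=4), "bob@contoso.example",
                   "UserLoggedIn", ClientIP="192.0.2.5", ResultStatus="Succeeded"))
    log.append(rec(base + timedelta(hours=2), "carol@contoso.example", "Add member to role.",
                   Target="mallory@contoso.example", Role="Company Administrator"))
    return log


if __name__ == "__main__":
    for policy, user, detail in run_policies(sample_log()):
        print(f"{policy:22} {user:24} {detail}")
```

Two of the four policies are pure thresholds, but the boundary check is the one that is contextual to your tenant: the same successful logon is benign or suspicious depending only on the address ranges you registered, which is the kind of customer-specific context the product adds on top of the platform's own monitoring.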

Additionally, you can dig through the user’s other activity to determine whether other suspicious activity may have occurred.  There is a reporting dashboard for you to review all of the alerts, determine if there are false positives and take remediation actions.

It is worth stating that Microsoft is always managing the security of the Office 365 service, whether or not you purchase Advanced Security Management (part of E5).  What Advanced Security Management adds is insight through policies that are contextual to your tenant, for instance checking for activity that originates outside the IP address ranges you have specified as your management boundary.

Resources
Announcement for Office 365 Advanced Security Management
Overview of Advanced Security Management for Office 365
How to add Advanced Security Management
Getting Started with Advanced Security Management
How to create activity policies in Advanced Security Management
Review and take action on Advanced Security Management Alerts

Sunday, May 22, 2016

SharePoint 2016 Excel Services Deprecated and the Road Forward

I felt it was worth writing a little something extra on this topic as I have been seeing this question come up a lot with the new release of SharePoint 2016.

What is Excel Services?
Excel Services was introduced way back in SharePoint 2007, which was SharePoint’s first step at bringing Excel into the browser to create dashboards.  The concept was straightforward: empower users who know Excel to create a web dashboard with the tools they know.  It was made part of the SharePoint Enterprise edition and has gone through several improvements over the years.

Is Excel Services really gone?
Excel Services in SharePoint has been deprecated as part of the SharePoint 2016 on-premises release; however, you can still get to a similar solution with Office Online Server (OOS) and Power BI.

When you review the deprecated features listing, it specifically states that Excel Services is no longer “hosted on SharePoint Server” and that Excel Services functionality is now part of Excel Online in OOS.  My reading of this is that the capabilities have largely moved rather than disappeared.

What is Office Online Server (OOS)?
The new Office Online Server (OOS) can be installed on-premises and is the replacement for Office Web Apps Server 2013.  It provides services similar to the Office Online that is part of Office 365: OOS lets you view, edit and co-author Word, Excel, PowerPoint and OneNote files.  OOS integrates with SharePoint 2016, Exchange Server 2016 and Skype for Business Server 2015, all of which can surface Office through a browser.  Moving Office Web Apps Server out into its own server product has been part of the vision to provide Office Online to all Microsoft productivity and enterprise services.

What Excel Services features are lost as part of this move?
Are there some changes as part of the move?  Yes, for sure.  When you review the deprecation listing, it says that features such as trusted data providers, trusted file locations, trusted data connection libraries, the unattended service account, the Excel Services Windows PowerShell cmdlets, and opening Excel workbooks from the SharePoint Central Administration site are deprecated.  Note that several of these (trusted locations, trusted providers, the unattended service account) were the controls that governed which data sources a workbook could reach and under which identity; how OOS handles that is covered by the data authentication reference below.

However, with OOS, you still have access to the following Excel Services capabilities: viewing and editing Excel workbooks in a browser (with or without the Data Model), the Excel Web Access web part for SharePoint, ODC file support (no longer requiring data connection libraries), and programmability features such as the JavaScript OM, user-defined function assemblies, and SOAP and REST protocol support.

So, if you are reliant on features that were deprecated, then you will need to achieve the same end result through other means.  But in most cases, organizations are going to be able to do almost everything they had been doing with the old Excel Services with the new OOS.

So how do I replace Excel Services moving forward?

Transition to OOS: My personal recommendation is to start transitioning from Excel Services to OOS altogether.  Review what you are doing with the older Excel Services web parts and get completely hooked in with OOS.

Introduce Power BI: Additionally, if you are using Excel Services to connect to line-of-business databases, that is still supported on-premises: you can still connect to Analysis Services, SQL Server and custom data providers (via connection string) on-premises.  However, making these line-of-business connections from SharePoint Online (Office 365) is not possible.  If you are really thinking about transitioning to the Office 365 cloud, you need to start thinking about moving over to Power BI, because that is the direction going forward.  Power BI can connect to a wide range of data sources, whether they are on-premises databases, data in SharePoint Online, data residing in other clouds, etc.  Power BI is the next-generation cloud BI service that will allow you to create high-end reporting and dashboard solutions in the cloud.  You can make this work with your on-premises SharePoint, and when you transition the rest to SharePoint Online, Power BI will already be in the cloud.  From a getting-started perspective, you basically need to introduce the Power BI Gateway into your on-premises environment; the gateway refreshes your data in the cloud for reporting purposes.  Since the gateway holds the credentials used to reach those on-premises sources, treat the account it runs under and the data-source credentials it stores as privileged.  I have some references below.

What about licensing of OOS?
OOS is available at no cost to customers who have a Volume Licensing account.  This provides view-only functionality.
If you need the ability to create, edit, save, and co-author, you will need to have an on-premises Office suite license with Software Assurance or an Office 365 ProPlus subscription.  Note if you have purchased on-premises Office 2016 suite VL before Aug 1, 2016 you are exempt from the Software Assurance requirement through Aug 1, 2019.

What's deprecated or removed from SharePoint Server 2016

Business intelligence in Excel and Excel Services (SharePoint Server 2013) - This provides a good comparison between Excel Services in SharePoint 2013 and Excel Web App.  I recommend reading this to help remind you why you picked Excel Services in the first place.

Office Online Server now available

Office Online Server

Data authentication for Excel Online in Office Online Server

Power BI

Power BI Gateway – Enterprise

Data sources for Power BI service