Monday, December 26, 2016

Office 365 Advanced Data Governance

There was an announcement of a new E5 feature called Advanced Data Governance.  It was buried in an announcement back in September 2016.

Some time ago, Office 365 made several announcements about being able to ingest corporate data from other major platforms.  A new Advanced Data Governance feature is coming to Office 365 that will provide a dashboard giving insight into the type of data you have, how it is classified, and how it will be retained.  There will also be tools to assist with the data import process by filtering out data you do not need to retain, and a tool that allows you to set a central retention policy across all Office 365 solutions.  This is super exciting and I highly recommend you watch the session on this from the Ignite Conference.

Announcement - https://blogs.office.com/2016/09/26/applying-intelligence-to-security-and-compliance-in-office-365/

Ignite Conference Video - https://myignite.microsoft.com/videos/1323


Sunday, November 20, 2016

Office 365 Third-Party Security App Management

There are several new features coming to Office 365 through Advanced Security Management (ASM), part of E5, which will give admins much more visibility into and control over how Office 365 data flows out to third-party applications.

Productivity App Discovery
A new feature is being released to Advanced Security Management called Productivity App Discovery.  This solution gives admins the ability to understand their organization’s usage of Office 365 and other productivity services.  This will help you understand how data from Office 365 (or data that should be stored in Office 365) is being sent to outside applications that are not under your administrative control.


Apps Permission
Additionally, a new feature is being added that will allow Office 365 admins to better monitor and approve third-party applications that are integrated with Office 365.  This again is part of Office 365 Advanced Security Management.

Users can connect a third-party application with Office 365.  When they do this, the user is shown information about what that integration means; however, it is common that the end user does not fully understand the ramifications of the security risk they may or may not be taking.


App Permissions gives administrators the ability to review which third-party applications have access to Office 365 data.  Admins can approve or revoke access and notify users that access for the third-party application has been revoked.




Resources
Productivity App Discovery - https://blogs.office.com/2016/09/26/applying-intelligence-to-security-and-compliance-in-office-365/

Third-party Apps with Office 365 - https://blogs.office.com/2016/10/31/enhanced-control-over-third-party-apps-now-available-in-office-365/

Overview of Advanced Security Management in Office 365 - https://support.office.com/en-us/article/Overview-of-Advanced-Security-Management-in-Office-365-81f0ee9a-9645-45ab-ba56-de9cbccab475

New ATP Features for Office, SharePoint and OneDrive

There are some new ATP features being released.  For instance, there are new reporting capabilities, better performance with lower latency for emails/attachments being scanned, deeper URL detonation, and intelligence sharing with Windows Defender.

However, what got me excited is that ATP is being extended beyond Exchange Online.  ATP will now include protection for SharePoint Online, OneDrive for Business, Word, Excel and PowerPoint.  I found this to be really exciting.


Reference
New ATP Features Coming - https://blogs.office.com/2016/09/26/applying-intelligence-to-security-and-compliance-in-office-365/

New OneDrive for Business Admin and Compliance Management Capabilities

Back at the Ignite conference, you may have heard or read up on all the new capabilities being released for OneDrive - https://blogs.office.com/2016/09/26/sharepoint-online-sync-preview-headlines-ignite-announcements-for-onedrive/

There are tons of new user experiences, updated / improved sync capabilities, better mobile capabilities, etc.

However, what I get very excited about is the enterprise and compliance features that are being added into OneDrive.  There are a few features that were buried down in the announcement that enterprise customers should pay attention to.
  • New OneDrive Admin Center – There is a new admin area being created just for OneDrive for Business.  Until now this has been within SharePoint Online.
  • New User Level Controls – This new capability provides the ability to set things like storage quota and external sharing capabilities down to the specific user versus the entire organization.  External sharing can be set up to allow only a whitelist of trusted business partner domains.
  • New User Support Features – There are new features that will assist the admin in supporting their end users to find files that they have misplaced or shared with the wrong people.
  • Remove User Access – There is new capability that allows you to quickly sign a user out of the service when they have lost a device or you need to remove them from the service.
  • Retention After the User Leaves – Additionally, when a user leaves or is terminated, there is new capability to assist you with moving or copying data to other locations.  There is also capability that allows you to preserve files in a deleted user’s OneDrive for Business for up to 10 years.  This is fairly consistent with the Inactive Mailbox feature of Exchange Online.



Updated Office 365 Administration

If you have not been watching, the Office 365 administration experience has been getting overhauls and new capabilities in the fall of 2016.  Tons of new capability and reporting is being provided.  Much of this is based on years of feedback from customers.

Here is the new home page, which has been redesigned around the most common tasks.  There is also the ability to customize the home page based on personal preference for the activities the administrator does the most.


New activity reporting is available to give you insight into how the Office 365 service is being used.

Plus the old service health dashboard has been redesigned.




Resources
Announcement plus a video - https://blogs.office.com/2016/09/27/office-365-administration-announcements-new-admin-center-reaches-general-availability-and-introducing-the-service-health-dashboard/

Announcement - https://blogs.office.com/2016/10/31/whats-new-in-office-365-administration-october-update/

Announcement - https://blogs.office.com/2016/09/13/new-usage-reports-for-sharepoint-onedrive-and-exchange/

Saturday, November 5, 2016

Introducing Microsoft Teams

Introduction
Microsoft Teams was just announced as being released as Preview to customers.

Microsoft Teams continues Microsoft’s promise to bring together best-of-breed capabilities from solutions such as Skype for Business Online, SharePoint Online, Office Online and Exchange Online to deliver feature-rich productivity applications that are not siloed.  Office 365 Groups was the first; now we have Microsoft Teams.

Microsoft Teams introduces a new persistent chat solution that allows users to see chat discussions over time among a group of people.  But it is much more than persistent chat.  Microsoft Teams will become a hub for teamwork, from which integrated capabilities such as Skype for Business Online, SharePoint Online and Office Online collaboration around content can be quickly initiated.  The team experience can also be customized, as new tabs can be added to quickly access documents and other cloud services.

General Availability (GA) is set for CY 2017 Q1 with more features and capabilities being added after this.


Where does Microsoft Teams fit in the Overall Office 365 Picture
When you hear about Microsoft Teams you may immediately ask, what about SharePoint Teams, Yammer, etc., and then ask when you should use Microsoft Teams.  I say the answer depends on what you are trying to accomplish, and you should carefully look at how your end users work and what they are trying to accomplish.  Each solution has its place in the enterprise.
  • Microsoft Teams – Recommended when you have a defined group of users who are working on a specific project.  Good for small groups of people who need to collaborate in real time with each other.
  • Office 365 Groups – Recommended when you have small groups of people who share conversations, a group mailbox, files and content with each other, but may not work in real time with each other.
  • Yammer – Recommended for “company wide” types of conversations, collaboration and communication.  Communities can cut across business disciplines.
  • SharePoint Online – Recommended when you need sharing and collaboration across an organization, or longer-standing formal content management solutions.  Company intranets, repositories, applications, etc. are great fits for SharePoint Online.
  • Skype for Business Online – Continue using it for phone calls, instant messaging, web meetings, etc.  Skype for Business Online is available across the Office 365 service and is the “glue” for collaboration.
As you can see, all these solutions are still relevant with the introduction of Microsoft Teams.

Turning Microsoft Teams On
It is pretty easy to do.  In the Office 365 Admin console, just go to Settings >> Services & Add-Ins >> Microsoft Teams.

Some Other FAQs
  • Microsoft Teams is a Suite capability and is available through such plans as E1, E3 and E5.
  • There are Office 365 Connectors which can be used to receive updates from third party tools and services
  • There is a developer API preview available.
  • Microsoft Teams is a cloud feature only, and not available on-premises.
References
Announcement - https://blogs.office.com/2016/11/02/introducing-microsoft-teams-the-chat-based-workspace-in-office-365/
Video - https://blogs.office.com/2016/11/02/take-an-in-depth-look-at-microsoft-teams-now-in-preview/
Developer Preview - https://dev.office.com/blogs/microsoft-teams-developer-preview

Tuesday, November 1, 2016

Office 365 Business-to-Business (B2B) Capabilities

Introduction

This has come up a lot lately and I want to write something about it.  Business-to-business (B2B) capabilities are available in Office 365, and here are some features you can consider turning on.
Skype for Business Online

Federation

Skype for Business Online external connectivity (federation) enables a Skype for Business Online user to connect with users in other organizations that use Skype for Business (as well as those that host their own Skype for Business Server on-premises). Federated contacts can see presence, communicate by using IM, and make Skype-to-Skype audio and video calls.

Skype for Business Online external connectivity requires the consent and correct configuration of both parties of the federation relationship. After the federation is set up by the administrators of both sides, users in each organization can see presence and communicate with users in the other agencies.

Public IM Connectivity


Additionally, Skype for Business Online can be configured to allow communication with consumer Skype.  This can enable communication scenarios with citizens and constituents.  Presence, instant messaging and video conversations are supported.

Exchange Online

Federated Sharing


Federation refers to the underlying trust infrastructure that supports federated sharing, a method for Microsoft Exchange Online users to share free/busy calendar data and contact information with recipients in other external federated organizations or with users that have Internet access. These include organizations that are also hosted by Exchange Online, or external Microsoft Exchange Server 2010 or Exchange Server 2013 organizations. Using organization relationships and sharing policies, Exchange Online administrators can enable users to send calendar-sharing invitations from Microsoft Outlook Web App or Microsoft Outlook 2010 or later.

Once configured, an organization will have the ability to coordinate schedules with people in different agencies or with friends and family members so that you can work together on projects or plan social events. With Office 365, administrators can set up different levels of calendar access in Exchange Online to allow businesses to collaborate with other businesses and to let users share their schedules with others. Business-to-business calendar sharing is set up by creating organization relationships. User-to-user calendar sharing is set up by applying sharing policies.

Exchange Online Protection

Trusted Partner Messaging


Organizations can set up secure mail flow with a trusted partner by using Office 365 connectors. Office 365 supports secure communication through Transport Layer Security (TLS). Agencies can create a connector to enforce encryption via TLS for business-to-business emails. Additionally, there is the ability to apply other security restrictions such as specifying domain names or IP address ranges from which your partner organization sends mail. TLS is a cryptographic protocol that provides security for communications over the Internet. Using connectors, you can configure both forced inbound and outbound TLS using self-signed or certification authority (CA)-validated certificates.
Note - this solution does not impact the end user experience of sending email between organizations; however, it adds an additional level of security, if desired, for email sent between agencies.
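The forced-TLS partner connectors described above, as an added example that is not from the original post.  It assumes an Exchange Online PowerShell session is already established; the partner name, domain, IP range and certificate name are placeholders to replace with the values your partner provides.

```powershell
# Added example: forced-TLS partner connectors in Exchange Online.
# All partner values below are placeholders (203.0.113.0/24 is a documentation range).
$PartnerName   = 'Contoso Partner'
$PartnerDomain = 'partner.example'
$PartnerIPs    = @('203.0.113.0/24')

# Inbound: mail that claims to come from the partner domain is accepted only
# over TLS and only from the partner's published IP ranges. Mail from that
# domain arriving from anywhere else, or without TLS, is rejected rather than
# delivered. (Alternative to the IP check: -RestrictDomainsToCertificate $true
# with -TlsSenderCertificateName set to the partner's certificate subject name.)
New-InboundConnector -Name "Inbound from $PartnerName" `
    -ConnectorType Partner `
    -SenderDomains $PartnerDomain `
    -SenderIPAddresses $PartnerIPs `
    -RestrictDomainsToIPAddresses $true `
    -RequireTls $true `
    -Enabled $true `
    -Comment 'B2B forced TLS: partner mail must arrive over TLS from known IPs'

# Outbound: mail to the partner domain is delivered only if the partner's MTA
# offers TLS with a CA-validated certificate; otherwise it queues instead of
# falling back to opportunistic or clear-text delivery. DomainValidation plus
# -TlsDomain would additionally pin the certificate name.
New-OutboundConnector -Name "Outbound to $PartnerName" `
    -ConnectorType Partner `
    -RecipientDomains $PartnerDomain `
    -UseMXRecord $true `
    -TlsSettings CertificateValidation `
    -Enabled $true `
    -Comment 'B2B forced TLS: never fall back to clear text'

# Verify both connectors show the TLS settings as configured; keep this output
# with the change record.
Get-InboundConnector  -Identity "Inbound from $PartnerName" |
    Format-List Name, Enabled, SenderDomains, SenderIPAddresses, RestrictDomainsToIPAddresses, RequireTls
Get-OutboundConnector -Identity "Outbound to $PartnerName" |
    Format-List Name, Enabled, RecipientDomains, TlsSettings, UseMXRecord
```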

SharePoint Online and OneDrive for Business


Guest Access


If an organization performs work that involves sharing documents or collaborating directly with vendors, clients, partners, or customers, it is possible to use SharePoint Online sites to share content with people outside your organization who do not have licenses for your organization’s Microsoft Office 365 subscription. When a site is shared in SharePoint Online, an email message is sent to the external user containing the invitation to join the site.
  • If the external user is already associated to an Office 365 tenant, that user can use that identity to access SharePoint Online sites and documents that are shared. 
  • If the external user does not have an Office 365 account, they can access SharePoint Online using Microsoft Account (Your Microsoft account is the one that you use for personal services like Xbox Live, Outlook.com, Windows 8, Windows Phone, and more).  Invitations can be sent to people with any type of email address, such as user@gmail.com, user@contoso.com, or user@Comcast.net. External users sign in to the shared site via a one-time association of their email address with a Microsoft account.
Additionally, site users can generate a Guest Link (an anonymous link to a document) to share documents stored in SharePoint Online with external users without requiring the external user to sign in. Site users can create a Guest Link right from where the document is stored, such as in OneDrive for Business or a team site library, by using the “Get a link” button.

Finally, there is a solution called Restricted Domain Sharing that you can consider using.  This provides an allow/deny list based on email domain.  At the tenant level, administrators can limit sharing invitations to a limited number of email domains.  This is a powerful feature that allows you to set up controlled external sharing with your partners.
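The tenant-level domain allow list described above, as an added example that is not from the original post.  It assumes the SharePoint Online Management Shell is installed; <tenant> and the partner domains are placeholders.

```powershell
# Added example: restrict SharePoint Online / OneDrive for Business sharing
# invitations to an allow list of partner domains. <tenant> and the domain
# names are placeholders.
Connect-SPOService -Url 'https://<tenant>-admin.sharepoint.com'

# Record the current settings first so the change can be reverted.
Get-SPOTenant | Format-List SharingCapability, SharingDomainRestrictionMode, SharingAllowedDomainList

# Permit only authenticated external users (no anonymous guest links) and only
# accept invitations to the listed domains. The list is space separated.
$allowedDomains = 'partner-a.example partner-b.example'
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList $allowedDomains

# Verify the tenant now reports the allow list.
Get-SPOTenant | Format-List SharingCapability, SharingDomainRestrictionMode, SharingAllowedDomainList

# The restriction governs new invitations only, so review external users that
# already exist: anyone outside the allow list predates the policy and should
# be reviewed (Remove-SPOExternalUser removes them if no longer needed).
$allowed = $allowedDomains -split ' '
Get-SPOExternalUser -PageSize 50 |
    Where-Object { $allowed -notcontains (($_.Email -split '@')[-1]).ToLower() } |
    Select-Object DisplayName, Email, AcceptedAs, WhenCreated |
    Format-Table -AutoSize
```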

What is Office 365 Groups?


Office 365 Groups is the next generation of collaboration solution available in Office 365 that brings together “best of breed” collaboration experiences.  Office 365 Groups bring together Exchange Online, SharePoint Online, OneDrive for Business, Office Online, and Skype for Business Online into a unified end user experience.  When a group is created:
  • A mailbox is created for the group for shared email
  • A shared calendar is created for group meetings and events
  • A shared library is created to store files and documents
  • A OneNote notebook is created to share project information and meeting notes
  • A planning tool is available to organize and assign tasks

Note that Office 365 Groups is a “suite” feature requiring the acquisition of an Office 365 E3 (or higher) Suite.

Guest Access for Business-to-Business Collaboration


Office 365 Groups supports the ability to invite guests in a similar manner as SharePoint Online and OneDrive for Business.  Office 365 Groups has been available for some time, and guest access is a new feature that US Federal agencies should consider leveraging for cross-business collaboration.

Friday, October 21, 2016

Office 365 US Defense Cloud Announcement

There was an exciting public Microsoft announcement made at the Gartner conference this week.  The slogan goes: not all clouds are created equal.

With that in mind, Microsoft has added two new offerings to the Office 365 for Government portfolio that are aligned to FedRAMP (NIST 800-53 rev4) and the DoD Cloud Computing (CC) Security Requirements Guide (SRG) v1.2.  The portfolio is:
  • New - Office 365 US Government Defense – FedRAMP and DoD CC SRG L5 – aligned to US Defense
  • New - Office 365 US Government Defense Contractors – FedRAMP and DoD CC SRG L4 – aligned to US Defense Industry
  • Office 365 US Government – FedRAMP and DoD CC SRG L2 – solution is aligned to US Federal Civilian, State, Local and Tribal Government.
This announcement truly differentiates Microsoft in the marketplace and demonstrates Microsoft’s commitment to providing secure cloud solutions.

Announcement - https://blogs.office.com/2016/10/18/how-the-office-365-us-government-cloud-meets-the-regulatory-and-compliance-needs-of-the-department-of-defense/

If you are unfamiliar with the DoD CC SRG – here is a reference to it - http://iase.disa.mil/cloud_security/Pages/index.aspx

Saturday, September 10, 2016

Partner Sharing with Office 365 and Azure AD B2B

Background
With Office 365 and SharePoint Online, a common question is how to do external sharing with partners.

In SharePoint Online, the concept of External Sharing has been around for a while.  You have the ability to identify users you want to share with and administrative capabilities to manage external users.

One challenge people have is doing B2B sharing with SharePoint Online.  SharePoint Online external sharing does have PowerShell support, so you can automate some external sharing tasks; however, sometimes you just need a better approach.

Azure AD B2B Collaboration

Another approach to do external sharing with partner organizations is with a feature called Azure AD B2B.


With this capability:
  • Organizations no longer have to manage a separate directory for external users, nor go through the complexity of setting up federated authentication on a per-partner basis.
  • Partner/external users use their own credentials to access the data you are sharing, getting you out of the password management business.
  • Partner/external user access is removed when the user leaves their organization.  If the partner organization turns off accounts when a person leaves, you are assured their access to your data and applications is also removed.
  • You can perform bulk invites of partner organizations.
  • Partner users are invited and confirmed through an email notification process.
  • If the partner organization does not have Azure AD, no problem.  The partner users complete the invitation process and have a free Azure AD account created for them that they use to access the shared data and applications.
  • You can set up external sharing with partner organizations that goes beyond just Office 365 and SharePoint Online.
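The bulk-invite flow listed above, as an added example that is not from the original post.  It uses the AzureAD module's New-AzureADMSInvitation cmdlet, which became available after the preview this post describes; the CSV content, approved domain list and redirect URL are constructed placeholders.

```powershell
# Added example: invite partner users into Azure AD B2B in bulk from CSV data.
# Requires the AzureAD module; sign in as an account permitted to invite guests.
Import-Module AzureAD
Connect-AzureAD

# Constructed sample input (in practice: $partners = Import-Csv .\partners.csv).
$partners = @'
Email,DisplayName
alice@partner-a.example,Alice (Partner A)
bob@partner-b.example,Bob (Partner B)
carol@unknown.example,Carol (typo in domain)
'@ | ConvertFrom-Csv

# Only invite addresses in domains you have agreed to collaborate with. This
# mirrors the SharePoint Online domain allow list and stops a mistyped address
# from inviting a stranger. Placeholder list.
$approvedDomains = @('partner-a.example', 'partner-b.example')
$redirectUrl     = 'https://<tenant>.sharepoint.com/sites/partner-project'   # placeholder

$results = foreach ($p in $partners) {
    $domain = (($p.Email -split '@')[-1]).ToLower()
    if ($approvedDomains -notcontains $domain) {
        Write-Warning "Skipping $($p.Email): domain '$domain' is not approved"
        continue
    }
    # The invitee redeems with their own organization's credentials, or a free
    # Azure AD account is created for them, as described above.
    $inv = New-AzureADMSInvitation -InvitedUserEmailAddress $p.Email `
                                   -InvitedUserDisplayName  $p.DisplayName `
                                   -InviteRedirectUrl       $redirectUrl `
                                   -SendInvitationMessage   $true
    [pscustomobject]@{
        Email         = $p.Email
        Status        = $inv.Status            # PendingAcceptance until redeemed
        GuestObjectId = $inv.InvitedUser.Id    # the object to remove when the partner leaves
    }
}

# Keep this output as the record of who was invited and which guest objects
# correspond to which partner.
$results | Format-Table -AutoSize
```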
References
Azure B2B Collaboration - https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2b-collaboration-overview/

Azure B2B Video - https://channel9.msdn.com/Series/Azure-AD-Identity/AzureADB2B

Learn all about the Azure AD B2B Collaboration Preview - https://blogs.technet.microsoft.com/enterprisemobility/2015/09/15/learn-all-about-the-azure-ad-b2b-collaboration-preview/

Manage external sharing for your SharePoint Online environment - https://support.office.com/en-us/article/Manage-external-sharing-for-your-SharePoint-Online-environment-C8A462EB-0723-4B0B-8D0A-70FEAFE4BE85

Visio Online and Visio on iPad Preview

There are some recent announcements for Visio that are exciting.

Visio Online
First, Visio Online has been released in Preview and you have the ability to add it to your tenant through the Office 365 First Release program.  This feature allows you to view Visio diagrams through a browser.  For the preview it currently only allows you to view Visio diagrams.

This capability is different from the traditional Visio Services that is part of SharePoint Online Plan 2 (which is part of E3).  Visio Services is what I would term the legacy solution from SharePoint Enterprise for rendering Visio diagrams through a browser.  This new capability is the solution moving forward and is aligned with Office Online.

Visio on iPad
Second, a preview of the Visio on iPad app has been released.  This gives you a nice Visio app to access your drawings stored in OneDrive for Business, SharePoint Online, etc.

References
Public Announcement - https://blogs.office.com/2016/08/31/visio-updates-advanced-design-collaboration-data-linked-diagrams-and-cross-platform-coverage/
Visio Online Preview - https://products.office.com/en-us/visio/visio-online
Visio Online FAQs for Preview - https://support.office.com/en-us/article/Visio-Online-Frequently-Asked-Questions-e6647040-2fca-42ec-9fa5-d16a4e39e0ee
Visio for iPad Insider Program - https://products.office.com/en-us/visio/visio-for-ipad
Visio for iPad Insider Program FAQs - https://support.office.com/en-us/article/Visio-on-iPad-Insider-Program-3dc2390d-6192-4fed-8b07-0647da2ccf3e

Monday, September 5, 2016

Office 365 MDM or Microsoft Intune?

Introduction
I have been asked several times, what are the MDM capabilities available in Office 365 versus what additional capabilities do you get with Intune?

In this quick article I will explore the differences.

What is Office 365 MDM?
In Office 365 there are several native MDM capabilities.

First there is Exchange ActiveSync (EAS) which is part of Exchange Online.  With EAS you:
  • Have the ability to manage an inventory of mobile devices that are connected to Exchange Online. 
  • Have the ability to remotely wipe email from a device.
  • Have the ability to enforce mobile device configuration settings, such as PIN requirements, PIN lengths, etc.
Second, with E1 you also get Office 365 MDM.  With this you:
  • Can prevent access to both email and documents based on device enrollment and compliance policies.
  • Protect against rooted and jailbroken devices.
  • Have reporting on devices that do not meet IT policy.
  • Have selective wipe capability that allows you to wipe Office 365 data without impacting personal data.
Behind the scenes, Office 365 MDM leverages Microsoft Intune to help deliver these solutions.

What is Intune?
Microsoft Intune is Microsoft’s cloud mobile and PC management platform.  Sometimes customers will want to add this to help them manage devices and applications beyond what Office 365 natively provides.  With Intune you:
  • Have the ability to manage traditional PCs and Macs, not just mobile devices.  Plus you can manage Linux and UNIX servers.
  • Have a full Mobile Device Management (MDM) platform available to you to protect enterprise assets beyond Office 365.
  • Have the ability to create profiles for certificates, VPN, email profiles and Wi-Fi settings.
  • Have the ability to enroll and manage corporate owned devices.
  • Can deploy and protect customer-built line of business apps using Mobile Application Management.
  • Can securely protect access to corporate data in Office mobile and custom line of business apps by using Mobile Application Management to restrict actions such as copy, cut, paste and save-as to only applications managed by Intune.
  • Can enable more secure web browsing.
As you can see, this is a much more comprehensive solution.

Why do you need both? 
It all depends on your approach.  Microsoft Office 365 has the ability to integrate with many third-party MDM providers.  Customers do have the power of choice.  Intune does provide unique capabilities for Mobile Application Management (MAM) to protect data on mobile devices without compromising the end user experience.  However, the big value of Intune is the expanded set of solutions to manage PCs and Macs.

What are these new plans?
Intune is bundled into EMS.  EMS used to stand for Microsoft Enterprise Mobility Suite.  Now, EMS stands for Enterprise Mobility + Security.

Plus, the new EMS Suite has taken very similar plan structures as Office 365.  For instance:
  • EMS E3 includes Azure AD Premium P1, Intune, Azure Information Protection Premium P1 (Azure Rights Management (RMS)), and Advanced Threat Analytics
  • EMS E5 includes Azure AD Premium P2, Azure Information Protection Premium P2 (Intelligent classification) and Cloud App Security.
As you can see, Intune lands in the EMS E3 bundle, or you can purchase it à la carte.  See references below.

References

Exchange ActiveSync - https://technet.microsoft.com/en-us/library/aa998357(v=exchg.150).aspx
Overview of Mobile Device Management (MDM) for Office 365 - https://support.office.com/en-us/article/Overview-of-Mobile-Device-Management-MDM-for-Office-365-faa7d8e5-645d-4d59-839c-c8d4c1869e4a
Controlling Access to Office 365 and Protecting Content on Devices - https://www.microsoft.com/en-us/download/details.aspx?id=53317
Capabilities of built-in Mobile Device Management for Office 365 - https://support.office.com/en-us/article/Capabilities-of-built-in-Mobile-Device-Management-for-Office-365-a1da44e5-7475-4992-be91-9ccec25905b0
Choose between MDM for Office 365 and Microsoft Intune - https://support.office.com/en-us/article/Choose-between-MDM-for-Office-365-and-Microsoft-Intune-c93d9ab9-efb2-4349-9b93-30c30562ee22
Create and deploy device security policies - https://support.office.com/en-us/article/Create-and-deploy-device-security-policies-d310f556-8bfb-497b-9bd7-fe3c36ea2fd6
Enroll your mobile device in Office 365 - https://support.office.com/en-us/article/Enroll-your-mobile-device-in-Office-365-c8ac722d-dcaf-4135-8345-3e6327f5d3c5
Introducing Enterprise Mobility + Security - https://blogs.technet.microsoft.com/enterprisemobility/2016/07/07/introducing-enterprise-mobility-security/

Sunday, August 21, 2016

Azure Information Protection with Office 365

Introduction
If you are a reader of my blog, you know that for the past few years I have been very focused on discussing Office 365 services.  I recently decided to do some catching up on EMS and how it relates to Office 365.  As it turns out, there have been several recent changes.  One thing that caught my attention very quickly was Azure Information Protection.  In this blog I will explore this solution.

I will say I am super excited to see the vision of this feature given I work with customers who have the most complex security and information protection policies out there.

Note that Azure Information Protection is currently in Public Preview.

What is the new Azure Information Protection solution?
A major challenge that organizations face is protection of their data.  Data loss prevention is constantly on customers’ minds.

With Azure Information Protection we can protect data at the lowest common denominator.  Instead of relying solely on the data storage systems to classify and protect data, we now protect the data directly at the source as email and documents move from place to place.

With Azure Information Protection you can:

  • Classify, label and protect data at the time of creation or modification.
  • Have persistent protection travel with the data through rights management.
  • Provide users simple, intuitive controls that help them make the right decisions and stay productive.
  • Enable safe sharing of data both internally and externally.
  • Create organization-wide enforceable policies to protect data.
  • Gain visibility and control over shared data.
  • Deploy and manage with flexibility through the cloud.

What is the difference between Azure Information Protection and Azure RMS?
Simply put, Azure Rights Management Services (RMS) got a bunch of new features added to it.  Azure Information Protection builds upon RMS with several new capabilities introduced as part of the Secure Islands acquisition.

The new capability that should catch your attention is the intelligent classification and labeling solution that has been integrated with Azure RMS.  This is a super exciting capability.

With the new labeling capability in Azure Information Protection, you can create enforceable policy to classify and protect your most important, critical data.  You can create labels (classifications) like Personal, Public, Internal, Confidential, Secret, etc.  Then you can create policies that define how data should be tagged with these classifications.  Once data is classified, it can have visual indicators applied to it, RMS protection policies proactively applied to it, and DLP rules (like Exchange transport rules) can watch for this data and take action.

Additionally, there are new reports available to you that allow you to see how the most critical data in your organization is being accessed and managed.  This provides an audit trail for your most critical data.

How can an organization use Azure Information Protection?
Let’s look at Azure Information Protection a little closer.

When a user is in Office, they will see a new ribbon item (Protect) along with a new labeling mechanism in the ribbon.  Users can tag any document or email on the spot.


Administrators have the ability to create the labels that customers see.

Within each label you can:

  • Associate RMS policies you want to apply (if any) to a specific label.  For instance, if you have a Confidential or Secret label, you may want to associate that label to an RMS policy.
  • Create visual markings that would be applied to the email or document once the label is applied.  For instance, add headers, footers, watermarks, etc.
  • Define conditions that could automatically label email and documents.  For instance, if you see data patterns within the content, a label can be auto applied.
There are numerous ways these labels can actually be applied.
  • Automatic – Labels can be applied by IT based on information it can see in the documents and emails.  This means that as the user is creating the content, the label can be applied for them.
  • User Driven – Users can choose to apply sensitivity labels to an email or file as they work on it.
  • Recommendation – Instead of automatically applying the label, you can make recommendations to the user on how to classify/label.
  • Reclassification – Depending on your policy, you can allow users the ability to re-classify email and documents.  You can even require them to enter a justification which will be logged.
I see endless opportunity for organizations to use Azure Information Protection services to protect their data.  For instance:
  • An organization could create a policy that all documents are automatically classified as Internal.  The Internal label does not have to have an RMS policy associated with it, but doing this sets a baseline that all content in the organization has been tagged.
  • As data needs to become public, the data can be re-classified (labeled) as Public by the end user.
  • For documents classified as Secret or Confidential, an RMS policy could automatically be applied.
  • Re-classification can be allowed without justification for Internal and Public, but for any re-classifications of Secret or Confidential a justification must be provided.
  • I really think there are endless opportunities here with Azure Information Protection services.
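To make the label policy above concrete, here is an added example that models it in Python.  It is not code from the original post or from the Azure Information Protection service; the pattern conditions, RMS policy names and document structure are all constructed assumptions.  It shows the baseline Internal label, automatic versus recommendation mode, the RMS policy following the Secret and Confidential labels, and a justification being required and logged when a user re-classifies Secret or Confidential content.

```python
import re
from dataclasses import dataclass, field
from enum import IntEnum
from typing import List, Optional


class Label(IntEnum):
    """Ordered so that a higher value means more sensitive."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3


# Hypothetical RMS policy names; Internal and Public carry no RMS policy.
RMS_POLICY = {
    Label.CONFIDENTIAL: "rms-confidential-internal-only",
    Label.SECRET: "rms-secret-no-forward",
}

# Constructed content conditions (pattern -> label). In the service the
# administrator defines these as conditions on each label.
CONDITIONS = [
    (re.compile(r"\bPROJECT-SECRET\b"), Label.SECRET),                 # project marker
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), Label.CONFIDENTIAL),         # SSN-like number
    (re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"), Label.CONFIDENTIAL),    # card-like number
]

SENSITIVE = {Label.CONFIDENTIAL, Label.SECRET}


@dataclass
class Document:
    name: str
    text: str
    label: Label = Label.INTERNAL          # baseline: everything starts as Internal
    rms_policy: Optional[str] = None
    audit: List[str] = field(default_factory=list)


def suggested_label(text: str) -> Label:
    """Most sensitive label whose condition matches; Internal if none does."""
    best = Label.INTERNAL
    for pattern, label in CONDITIONS:
        if label > best and pattern.search(text):
            best = label
    return best


def apply_label(doc: Document, label: Label, actor: str) -> None:
    """Set the label; the RMS policy (if any) follows the label automatically."""
    doc.label = label
    doc.rms_policy = RMS_POLICY.get(label)
    doc.audit.append(f"{actor} set {doc.name} to {label.name}")


def auto_classify(doc: Document, mode: str = "automatic") -> Optional[Label]:
    """Automatic mode applies the label; recommendation mode only returns it.
    Returns None when the content does not call for a more sensitive label."""
    label = suggested_label(doc.text)
    if label <= doc.label:
        return None                          # never lower a label automatically
    if mode == "automatic":
        apply_label(doc, label, actor="policy")
    return label


def requires_justification(doc: Document) -> bool:
    """Re-classifying Secret or Confidential content needs a justification."""
    return doc.label in SENSITIVE


def reclassify(doc: Document, new_label: Label, user: str,
               justification: Optional[str] = None) -> None:
    """User-driven re-classification with the justification written to the audit trail."""
    if requires_justification(doc) and not justification:
        raise PermissionError(f"justification required to re-classify {doc.label.name}")
    if justification:
        doc.audit.append(f"{user} justified: {justification}")
    apply_label(doc, new_label, actor=user)


if __name__ == "__main__":
    plan = Document("plan.docx", "Budget notes for PROJECT-SECRET")
    print(auto_classify(plan), plan.rms_policy)          # Label.SECRET rms-secret-no-forward
    reclassify(plan, Label.INTERNAL, "bob", justification="declassified after release")
    print("\n".join(plan.audit))
```

The audit trail is the piece to keep: a justified downgrade from Secret is exactly the event a reviewer wants to be able to find later, and the same record makes a policy that forbids any re-classification of Secret (as discussed later in this post) a one-line change in reclassify().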
How does this relate to Office 365?
As part of the Preview, Azure Information Protection services can be integrated with Office 365 ProPlus.  This means files that you author in Word, Excel, PowerPoint, etc. as well as emails in Outlook will have this user experience.  This will expand with time.

I thought Office 365 already had DLP, where does this play in?
Yes, Office 365 already has DLP capabilities within Exchange Online, SharePoint Online and OneDrive for Business.  Azure Information Protection services add another layer of data protection along with a labeling solution.

For instance, SharePoint Online DLP will identify sensitive documents that were put in a location that has overly broad access.  That file can be locked down and then remediated with SharePoint Online DLP by the user or an administrator.  However, what if the end user made a mistake (or worse, was malicious) and then tried to send a file tagged as Secret outside of the organization?  Azure Information Protection could protect that data tagged as Secret based on your policies.  For instance, you can automatically apply an RMS policy to Secret data and not allow users to re-classify that data.  There are several other mitigations you can take, such as watching for documents tagged as Secret being emailed externally.

From what I have observed, a challenge customers have had with RMS is educating users on how they should use it.  With the Azure Information Protection classification and labeling solution, the decision becomes much simpler for end users.  End users do not need to know complex RMS policies and rule sets; all they need to know are the organization's contextual tags, and the RMS policy is applied for them.

How is Azure Information Protection related to the EMS Suite?
There are two plans: Azure Information Protection Plan 1 and Plan 2.

Plan 1 provides the encryption for files and cloud-based file tracking.  From a legacy perspective, this is what you know of as Azure RMS as part of the EMS suite.

Plan 2 adds the new intelligent classification and labeling policies.

There are also EMS suites (E3 and E5).  Azure Information Protection Plan 2 is part of the EMS E5 suite.

If you are an Office 365 E3 suite customer, you already get access to the Azure RMS service.  However, having Office 365 E3 does not give you access to all the EMS E3 or E5 capabilities.  So to get access to Azure Information Protection Plan 2, and with it this new classification and labeling solution, you will need to acquire additional EMS plans.

References
Announcing Azure Information Protection - https://blogs.technet.microsoft.com/enterprisemobility/2016/06/22/announcing-azure-information-protection/
Azure Information Protection Public Preview Announcement - https://blogs.technet.microsoft.com/enterprisemobility/2016/07/12/azure-information-protection-public-preview-available-now/
Introducing Enterprise Mobility + Security - https://blogs.technet.microsoft.com/enterprisemobility/2016/07/07/introducing-enterprise-mobility-security/
Acquisition of Secure Islands - http://blogs.microsoft.com/blog/2015/11/09/microsoft-to-acquire-secure-islands-a-leader-in-data-protection-technology
Azure Information Protection product page - https://www.microsoft.com/en-us/cloud-platform/azure-information-protection
What is Azure Information Protection (good video) - https://docs.microsoft.com/en-us/rights-management/information-protection/what-is-information-protection
Azure Information Protection FAQs - https://docs.microsoft.com/en-us/rights-management/information-protection/faq
Azure Information Protection Quick Start for Preview - https://docs.microsoft.com/en-us/rights-management/information-protection/infoprotect-quick-start-tutorial

Saturday, August 20, 2016

Office 365 Secure Score and Information Security Planning

Introduction
Office 365 customers are provided a highly secure solution for business productivity.  Microsoft ensures that the Office 365 service is secure and demonstrates this commitment through the many third-party accreditations it receives.  Yet that is only half the battle, as the customers who manage the Office 365 tenant share in that security responsibility.  There are a tremendous number of security features and capabilities available to Office 365 customers that require configuration and management.  Customers frequently miss that they too have a security responsibility to manage and continuously monitor their tenant.  In this blog I will discuss:
  1. The new Office 365 Secure Score analytics tool.
  2. Office 365 Information Security Planning.
Microsoft is invested in providing a safe and secure productivity cloud solution for your end users.  A clear differentiator for Microsoft is that they provide you plans, frameworks and tools that help you plan and continually monitor your security risk with Office 365.

Office 365 Secure Score
Microsoft has released “in preview” a new capability called Office 365 Secure Score.  This is a new analytics tool that can review the configuration of your tenant and make recommendations (based initially on 77 different factors).  Think of it as a “credit score”.  The higher the score, the more controls you have configured in your tenant.  The goal is to reach a score that is aligned to your business requirements without impacting your user experience.

Features of this capability are:
  • There is a summary panel that provides you your score and when you last ran it.
  • There is a modeling tool that lets you analyze how introducing additional controls would change your score.
  • There is detailed information about each control it evaluates and the risk that it mitigates.
  • There are remediation instructions for each control that you introduce and how it would impact your end users.
  • There is a score analyzer that allows you to measure your performance over time.  You can download the scores from the reports and make them part of a continuous monitoring program.
  • New controls will be introduced into the tool as new features are added to the service.
Plan for Office 365 Information Security
Since I have discussed this new Office 365 Secure Score tool that helps you continuously evaluate your security position, it is also worth mentioning that there are several new Office 365 Information Security Planning worksheets you should review (see references below).
These references give you direction on how you can utilize and configure all of the Office 365 security features (several of them new).

Here are features I talk about a lot:
  • Federated Authentication (ADFS) and ADFS Client Access Policies.
  • Two-factor Authentication with Office 365 MFA and integration with third-party 2FA (smart cards, PIV, CAC).
  • Data Loss Prevention for Exchange Online, SharePoint Online, OneDrive for Business and Skype for Business Online.
  • Rights Management Service (RMS) for Exchange Online, SharePoint Online, OneDrive for Business and Office 365 ProPlus.
  • Office 365 Message Encryption (OME) and S/MIME support.
  • eDiscovery, Legal Hold and Retention policies for Exchange Online, SharePoint Online, OneDrive for Business and Skype for Business Online.
  • Advanced eDiscovery with text analytics, machine learning and predictive coding.
  • Exchange Online Inactive Mailboxes.
  • Data spillage and deletion methods.
  • Permissions management.
  • Service usage reports.
  • Customer Lockbox.
  • Office 365 MDM and Exchange ActiveSync policies.
  • Intune MDM advanced features for Exchange Online, SharePoint Online, OneDrive for Business and Skype for Business Online.
  • Office on the Web (OWA) client policies for data sync and attachment downloads.
  • Exchange Online Protection.
  • Advanced Threat Protection for Exchange Online.
  • Office 365 Advanced Security Management.
  • Azure AD usage and audit reports.
  • Exchange Online mailbox auditing and administrator auditing reports.
  • SharePoint Online usage audit reports.
  • Rights Management Service (RMS) audit reports.
  • External sharing policies for SharePoint Online, OneDrive for Business and Skype for Business Online.
There are a lot of features available to customers and planning is required.


In Closing
It can be daunting to see the number of information security features that a customer has available to them in Office 365.  Customers need to plan and develop continuous monitoring plans to evaluate their risk in Office 365.  Microsoft, unlike many of the cloud vendors out there, provides comprehensive solutions to help you plan and measure your risk.


Monday, August 1, 2016

New Office 365 Exchange and SharePoint User Experiences Coming

New User Experiences
There are some important new user experiences that are being released for Office 365 that you should be aware of:
  1. SharePoint Online Modern Lists
  2. Outlook Focused Inbox
  3. Outlook Mentions
Modern SharePoint Lists are coming
A new user experience is coming to SharePoint Lists.  It will be referred to as Modern SharePoint lists, and many of the changes are consistent with the user experience changes you have been seeing with SharePoint modern document libraries.  You will see many new features such as:
  • Simplified user experience to add columns to lists.
  • Ability to elevate (pin) list data for viewing.
  • Ability to edit data in an information panel without having to leave the list view.
  • Improved bulk editing.
  • Simplified automation with versions, approvals and alerts.
  • New user experience for viewing and editing lists in mobile browsers and the SharePoint mobile app.
  • Integration with PowerApps and Microsoft Flow.  This will allow you to build new workflow applications connected to cloud data and then expose these workflows via PowerApps.


The transition to this user experience can be managed as well so that end users are not disrupted:
  • By default, classic lists will automatically inherit the new modern list experience.
  • If there is a compatibility blocker to move to the modern list experience, the classic list experience will stay as is.
  • Users will have the ability to revert to the classic experience at any time.
  • Administrators will have the ability to configure classic list experience as the default at the list, site, site collection or tenant level.  This allows for lots of flexibility for user transition.

Outlook Focused Inbox
This is a new experience called Focused Inbox that is being released for Outlook.  It was initially released on Outlook for iOS but will be released to all versions of Outlook.

The Focused Inbox will prioritize email that is important to you based on such things as who you interact with most often, while other email (newsletters, DLs, generated emails, etc.) will land in the Other Inbox.  All the data stays in your primary mailbox; just the email that is most important to you is being prioritized.

Focused Inbox will be replacing the Clutter feature that was introduced a while back.  Clutter was different in that it actually moved email data to a different email folder.  With Focused and Other Inbox, these are just views into the primary Inbox folder.  Clutter will stop moving mail as the Focused Inbox feature is rolled out.

From a transition perspective, again you have control.  Admins will have mailbox and tenant level control of this feature to do a staged rollout to your end users.

Outlook Mentions

This is a really neat feature that I find super exciting.  This feature will help you write emails so much quicker.

As you type an email, you can simply type the @ symbol anywhere in the body of a message.  Once you do that, a people picker will appear, from which you can select a person’s name.  Once you pick the person, their name will be highlighted in the message, calling out an action for them.  Additionally, if the person’s name is not yet on the TO line, their name will be automatically added to the TO line for you.  This is very much like the user experience you have in Facebook when writing a message.

Saturday, July 23, 2016

Certificate Based Authentication for Exchange Online

Exchange Online now has Certificate Based Authentication (CBA) in Preview.  I have been waiting for this for a while.  CBA will be supported with the Microsoft mobile Outlook apps and with Exchange ActiveSync (EAS).  This is a really important release for organizations that have more complex security and authentication requirements when accessing Exchange Online data.  Typically, organizations that use Smart Cards for all their logins and application access have required CBA.

For more information, review this - https://blogs.technet.microsoft.com/exchange/2016/07/19/preview-of-certificate-based-authentication-cba-for-exchange-online/

Monday, July 18, 2016

Microsoft Stream in Preview

Microsoft Stream
Microsoft made a really interesting announcement today about a new offering called Microsoft Stream.  Microsoft Stream is currently in Preview and available for customers to try out.

Microsoft Stream is a new business video service that builds on the past experiences Microsoft has had with the Office 365 Video service.  Office 365 Video was originally announced back in Nov 2014 and is available to customers who have purchased an Office 365 suite.  Office 365 Video leverages Azure Media Services to provide a portal solution for enterprise organizations to share video content.

Microsoft’s long-term plan is to converge Office 365 Video with Microsoft Stream, making Stream the de-facto video service for Office 365 customers.  Over the short term, both of these services will run side-by-side.

So what is new with Microsoft Stream?  There will be several new features:
  • Updated user experiences in general, with an even simpler user experience to upload video.
  • Enhanced content delivery and discovery.  Specifically, trending videos will be powered by machine learning to get users to videos that are more relevant to them.
  • More control over video channels to secure access to videos.
  • Ability to follow channels through a personalized homepage.
  • New social features for sharing, liking, etc.
However, the vision of Microsoft Stream is what really excites me.  Microsoft mentioned some directions they see Microsoft Stream taking:
  • Integration between Microsoft Stream and Microsoft Skype Broadcast such that both live video and video on demand are available to the user through a single video solution.
  • Intelligent video search so that you have the ability to search within a video instead of just relying on the descriptions, tags and metadata provided by a user.  For instance, audio transcription and face detection can be used to search videos.
  • Integration of video into workflows and applications built into Office 365.
  • More IT management control for managing access to video channels, removing and monitoring video content, and controlling what video is available for specific groups of people.
  • New APIs that will allow partners to build Microsoft Stream solutions.

Resources
Introducing Microsoft Stream - https://blogs.microsoft.com/blog/2016/07/18/introducing-microsoft-stream-the-secure-destination-to-manage-and-share-videos-for-businesses-of-all-sizes
Microsoft Stream - https://stream.microsoft.com/en-us/
What Microsoft Stream means to Office 365 - https://blogs.office.com/2016/07/18/what-microsoft-stream-means-to-office-365/
Introducing Office 365 Video - https://blogs.office.com/2014/11/18/introducing-office-365-video/

Tuesday, June 21, 2016

Advanced Security Management for Office 365

What is Advanced Security Management?
There is a new E5 capability called Advanced Security Management that is becoming available for Office 365.  This new feature helps with threat protection, provides enhanced control and discovery / insights into your Office 365 tenant.

Advanced Security Management is a solution that sits on top of the Office 365 activity reporting.  It uses 70 indicators to watch how your service is being used.  You will be able to see things like:

  • If there are users who are performing mass downloads of data.
  • If there are users who have had multiple failed logon attempts.
  • If a user is trying to log in from a risky IP address that is outside of your management boundary.
  • If new accounts are being created; especially administrator accounts.
  • It can check connecting applications, for example if a user connects an external application to access Office 365 data, your administrators can see the details of that connection and determine if it should be revoked.
The Advanced Security Management feature will review and understand the patterns of how your users access the Office 365 service; it can learn what is considered good versus bad activity.
Within the Security and Compliance Center you have the ability to set up Anomaly Detection Policies; there are two types of policies.  First, there are Anomaly Detection Alerts, which are automatic algorithms used to detect suspicious activity.  Second, there are Activity Alerts, which are custom alerts set up by the customer in their Office 365 tenant.  Once you have policies set up for the activities you want to watch for, you can set up notifications that can send you email or texts.  Depending on your policy, you can even suspend a user from Office 365 who violated the policy.

Additionally, you have the ability to dig through the user’s other activity to determine if there are other suspicious activities that may have occurred.  There is a reporting dashboard for you to review all of the alerts, determine if there are false positives and take remediation actions.
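The custom Activity Alerts described above are, at bottom, rules evaluated over the tenant's activity records.  Here is an added example in Python that is not code from the original post or from the Advanced Security Management product: it runs four of the signals listed earlier (mass downloads, repeated failed logons, sign-ins from outside the customer's IP ranges, and administrator role changes) over a constructed sample log.  The column names are loosely modeled on an audit-log export but are assumptions, as are the corporate IP ranges, thresholds and operation names.

```python
import csv
import io
import ipaddress
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample activity records (assumed export layout; not real tenant data).
SAMPLE_LOG = """CreationDate,UserId,Operation,ClientIP,ResultStatus,ObjectId
2016-06-21T08:00:01,alice@contoso.example,UserLoggedIn,10.20.0.5,Success,
2016-06-21T08:05:10,alice@contoso.example,FileDownloaded,10.20.0.5,Success,/sites/finance/q1.xlsx
2016-06-21T08:05:11,alice@contoso.example,FileDownloaded,10.20.0.5,Success,/sites/finance/q2.xlsx
2016-06-21T08:05:12,alice@contoso.example,FileDownloaded,10.20.0.5,Success,/sites/finance/q3.xlsx
2016-06-21T08:05:13,alice@contoso.example,FileDownloaded,10.20.0.5,Success,/sites/finance/q4.xlsx
2016-06-21T08:05:14,alice@contoso.example,FileDownloaded,10.20.0.5,Success,/sites/finance/budget.xlsx
2016-06-21T08:05:15,alice@contoso.example,FileDownloaded,10.20.0.5,Success,/sites/finance/forecast.xlsx
2016-06-21T09:10:00,bob@contoso.example,UserLoggedIn,198.51.100.7,Failed,
2016-06-21T09:10:20,bob@contoso.example,UserLoggedIn,198.51.100.7,Failed,
2016-06-21T09:10:45,bob@contoso.example,UserLoggedIn,198.51.100.7,Failed,
2016-06-21T09:11:05,bob@contoso.example,UserLoggedIn,198.51.100.7,Success,
2016-06-21T09:30:00,carol@contoso.example,Add member to role.,10.20.0.9,Success,Company Administrator
2016-06-21T10:00:00,dan@contoso.example,UserLoggedIn,203.0.113.9,Success,
2016-06-21T10:02:00,dan@contoso.example,FileDownloaded,203.0.113.9,Success,/sites/hr/handbook.docx
"""

# Assumed customer-specified IP ranges (the "management boundary").
CORP_RANGES = [ipaddress.ip_network("10.20.0.0/16"),
               ipaddress.ip_network("203.0.113.0/24")]

# Assumed activity-policy thresholds.
POLICY = {
    "failed_logon_threshold": 3,                  # failed sign-ins per user
    "mass_download_threshold": 5,                 # downloads within the window
    "mass_download_window": timedelta(minutes=10),
    "role_add_operation": "Add member to role.",  # assumed operation name
}


def in_corp(ip: str) -> bool:
    """True when the client IP falls inside one of the customer's ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_RANGES)


def parse_log(text: str) -> list:
    """Parse the CSV export into dicts with a real datetime in 'time'."""
    records = list(csv.DictReader(io.StringIO(text)))
    for r in records:
        r["time"] = datetime.fromisoformat(r["CreationDate"])
    return records


def max_in_window(times: list, window: timedelta) -> int:
    """Largest number of events that fall inside any window-sized span."""
    times = sorted(times)
    best = 0
    for i, t in enumerate(times):
        best = max(best, bisect_right(times, t + window) - i)
    return best


def detect(records: list, policy: dict = POLICY) -> list:
    """Evaluate the activity policy and return one alert dict per finding."""
    alerts = []
    by_user = defaultdict(list)
    for r in records:
        by_user[r["UserId"]].append(r)
    for user, recs in by_user.items():
        logons = [r for r in recs if r["Operation"] == "UserLoggedIn"]
        failed = sum(1 for r in logons if r["ResultStatus"] != "Success")
        if failed >= policy["failed_logon_threshold"]:
            alerts.append({"type": "FailedLogons", "user": user,
                           "detail": f"{failed} failed sign-ins"})
        for ip in sorted({r["ClientIP"] for r in logons if not in_corp(r["ClientIP"])}):
            alerts.append({"type": "RiskyIPLogon", "user": user,
                           "detail": f"sign-in attempt from {ip} outside corporate ranges"})
        for r in recs:
            if r["Operation"] == policy["role_add_operation"] and "Administrator" in r["ObjectId"]:
                alerts.append({"type": "AdminRoleChange", "user": user,
                               "detail": f"added a member to role {r['ObjectId']}"})
        downloads = [r["time"] for r in recs if r["Operation"] == "FileDownloaded"]
        if max_in_window(downloads, policy["mass_download_window"]) >= policy["mass_download_threshold"]:
            alerts.append({"type": "MassDownload", "user": user,
                           "detail": f"{len(downloads)} downloads within {policy['mass_download_window']}"})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(f"{alert['type']:16} {alert['user']:24} {alert['detail']}")
```

Each alert carries the user and the evidence that triggered it, which is what the reviewer needs to decide between a false positive (a finance analyst pulling the quarter's workbooks) and a case for the suspend action the post mentions.  The thresholds are deliberately in one dictionary so they can be tuned per tenant without touching the detection logic.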


It is worth stating that Microsoft Office 365 is always managing the security of your tenant, regardless of whether you purchase Advanced Security Management (part of E5) or not.  Advanced Security Management provides additional insight through contextual policies that are relevant to the customer, such as checking for unusual activity that originates outside of the customer-specified IP address ranges.

Resources
Announcement for Office 365 Advanced Security Management - https://blogs.office.com/2016/06/01/gain-enhanced-visibility-and-control-with-office-365-advanced-security-management/

Overview of Advanced Security Management for Office 365 - https://support.office.com/en-us/article/Overview-of-Advanced-Security-Management-in-Office-365-81f0ee9a-9645-45ab-ba56-de9cbccab475

How to add Advanced Security Management - https://support.office.com/en-us/article/Opt-in-steps-for-Advanced-Security-Management-ba919c73-d021-404d-9850-eec57e78678c?ui=en-US&rs=en-US&ad=US

Getting Started with Advanced Security Management - https://support.office.com/en-us/article/Get-started-with-Advanced-Management-Security-d9ee4d67-f2b3-42b4-9c9e-c4529904990a

How to create activity policies in Advanced Security Management - https://support.office.com/en-us/article/Create-activity-policies-and-alerts-in-Advanced-Security-Management-367f25d3-10a0-4a91-bdae-70ebb7a79c98?ui=en-US&rs=en-US&ad=US

Review and take action on Advanced Security Management Alerts - https://support.office.com/en-us/article/Review-and-take-action-on-Advanced-Security-Management-alerts-97e9c3d9-df89-458e-924b-369becee5532?ui=en-US&rs=en-US&ad=US

Sunday, May 22, 2016

SharePoint 2016 Excel Services Deprecated and the Road Forward

I felt it was worth writing a little something extra on this topic as I have been seeing this question come up a lot with the new release of SharePoint 2016.

What is Excel Services?
Excel Services was introduced way back in SharePoint 2007 and was SharePoint’s first step at bringing Excel into the browser to create dashboards.  The concept was straightforward: empower users who know Excel to create a web dashboard with the tools they know.  It was made part of the SharePoint Enterprise Suite and has gone through several improvements over the years.

Is Excel Services really gone?
Excel Services in SharePoint has been deprecated as part of the SharePoint 2016 on-premises release; however, you can still get to a similar solution with Office Online Server (OOS) and Power BI.

When you review the deprecated features listing, it specifically states that Excel Services is no longer “hosted on SharePoint Server” and that Excel Services functionality is now part of Excel Online in OOS.  My understanding of this is that there is a general move of capabilities.

What is Office Online Service (OOS)?
The new Office Online Server (OOS) can be installed on-premises and is the replacement for Office Web Apps Server 2013.  It provides services similar to the Office Online that is part of Office 365.  OOS provides you the ability to view, edit and co-author Word, Excel, PowerPoint and OneNote.  OOS integrates with SharePoint 2016, Exchange Server 2016 and Skype for Business 2015, which all have capabilities to provide Office through a browser.  Moving the Office Web Apps Server out into its own service has been part of the vision to provide Office Online to all Microsoft productivity and enterprise services.

What Excel Services features are lost as part of this move?
Are there some changes as part of the move?  Yes, for sure.  When you review the deprecation listing, it says that features such as Trusted data providers, Trusted file locations, Trusted data connection libraries, Unattended service account, Excel Services Windows PowerShell cmdlets, and Opening of Excel workbooks from the SharePoint Central Administration site are deprecated.

However, with OOS you still have access to the following Excel Services capabilities: Viewing and editing Excel workbooks in a browser (with or without the Data Model), the Excel Web Access web part for SharePoint, ODC file support (no longer requires Data Connection Libraries), and programmability features such as the JavaScript OM, User Defined Function Assemblies, and SOAP and REST protocol support.

So, if you are reliant on features that were deprecated, then you will need to achieve the same end result through other means.  But in most cases, organizations are going to be able to do almost everything they had been doing with the old Excel Services with the new OOS.

So how do I handle Excel Services moving forward?

Transition to OOS: My personal recommendation is to start making the transition from Excel Services over to OOS altogether.  I would review what you are doing with the older Excel Services web parts and try to get completely hooked in with OOS.

Introduce Power BI: Additionally, if you are using Excel Services to make connections to line-of-business databases, that is still supported on-premises.  For instance, you can still connect to Analysis Services, SQL Server, and custom data providers (via connection string) on-premises.  However, making these line-of-business connections in SharePoint Online (Office 365) is not possible.  If you are really thinking about transitioning to the Office 365 cloud, you really need to start thinking about moving over to Power BI, because that is the direction moving forward.  Power BI has the ability to connect to a wide range of data sources, whether they are on-premises databases, data in SharePoint Online, data residing on other clouds, etc.  Power BI is the next generation cloud BI service that will allow you to create high-end reporting and dashboard solutions in the cloud.  You can make this work with your on-premises SharePoint, and when you transition the rest of it to SharePoint Online, Power BI will already be in the cloud.  From a get-started perspective, you basically need to introduce the Power BI Gateway into your on-premises environment; this will refresh your data in the cloud for reporting purposes.  I have some references below.

What about licensing of OOS?
OOS is available at no cost to customers who have a Volume Licensing account.  This will provide you the ability to get view-only functionality.
If you need the ability to create, edit, save, and co-author, you will need to have an on-premises Office suite license with Software Assurance or an Office 365 ProPlus subscription.  Note if you have purchased on-premises Office 2016 suite VL before Aug 1, 2016 you are exempt from the Software Assurance requirement through Aug 1, 2019.

References
What's deprecated or removed from SharePoint Server 2016 - https://technet.microsoft.com/en-us/library/mt346112(v=office.16).aspx

Business intelligence in Excel and Excel Services (SharePoint Server 2013) - https://support.office.com/en-us/article/Business-intelligence-in-Excel-and-Excel-Services-SharePoint-Server-2013-2740f10c-579d-4b40-a1d9-7beb5d38547c - This provides a good comparison between Excel Services in SharePoint 2013 and Excel Web Apps.  I recommend reading this to help remind you why you picked Excel Services in the first place.

Office Online Server now available - https://blogs.office.com/2016/05/04/office-online-server-now-available/

Office Online Server - https://technet.microsoft.com/en-us/library/jj219456(v=office.16).aspx

Data authentication for Excel Online in Office Online Server - https://technet.microsoft.com/en-us/library/jj219657(v=office.16).aspx

Power BI - https://powerbi.microsoft.com/en-us/documentation/powerbi-landing-page/

Power BI Gateway – Enterprise - https://powerbi.microsoft.com/en-us/documentation/powerbi-gateway-enterprise/

Data sources for Power BI service - https://powerbi.microsoft.com/en-us/documentation/powerbi-service-get-data/