Tuesday, June 21, 2016

Advanced Security Management for Office 365

What is Advanced Security Management?
There is a new E5 capability called Advanced Security Management that is becoming available for Office 365.  This new feature helps with threat protection, provides enhanced control and discovery / insights into your Office 365 tenant.

Advanced Security Management is a solution that sits on top of the Office 365 activity reporting.  It uses 70 indicators to watch how your service is being used.  You will be able to see things like:

  • If there are users who are performing mass downloads of data.
  • If there are users who have failed multiple log on attempts.
  • If a user is trying to login in from a risky IP address that is outside of your management boundary.
  • If new accounts are being created; especially administrator accounts.
  • It can check connecting applications, for example if a user connects an external application to access Office 365 data, your administrators can see the details of that connection and determine if it should be revoked.
The Advanced Security Management feature will review and understand the patterns of how your users access the Office 365 service; it can learn what is considered good versus bad activity.
Within the Security and Compliance Center you have the ability to set up Anomaly Detection Policies; there are two types of policies.  First there are Anomaly Detection Alerts which are automatic algorithms that are used to detect suspicion activity.  Second there are Activity Alerts which are custom alerts set up by the customer in their Office 365 tenant.  Once you have policies set-up for the activities you want to watch for, you can set up notifications that can send you email or texts.  Depending on your policy, you can even suspend a user from Office 365 who violated the policy. 

Additionally, you have the ability to dig through the user’s other activity to determine if there are other suspicious activity that may have occurred.  There is a reporting dashboard for you to review all of the alerts, determine if there are false positives and take radiation actions.


It is worth stating; Microsoft Office 365 is always managing the security of your tenant regardless if you purchase Advanced Security Management (part of E5) or not.  Advanced Security Management provides additional insight to contextual policies that are relevant to customer.  For instance like checking for unusual activity that resides outside of the customer specified IP address ranges.

ResourcesAnnouncement for Office 365 Advanced Security Management - https://blogs.office.com/2016/06/01/gain-enhanced-visibility-and-control-with-office-365-advanced-security-management/

Overview of Advanced Security Management for Office 365 - https://support.office.com/en-us/article/Overview-of-Advanced-Security-Management-in-Office-365-81f0ee9a-9645-45ab-ba56-de9cbccab475

How to add Advanced Security Management - https://support.office.com/en-us/article/Opt-in-steps-for-Advanced-Security-Management-ba919c73-d021-404d-9850-eec57e78678c?ui=en-US&rs=en-US&ad=US

Getting Started with Advanced Security Management - https://support.office.com/en-us/article/Get-started-with-Advanced-Management-Security-d9ee4d67-f2b3-42b4-9c9e-c4529904990a

How to create activity policies in Advanced Security Management - https://support.office.com/en-us/article/Create-activity-policies-and-alerts-in-Advanced-Security-Management-367f25d3-10a0-4a91-bdae-70ebb7a79c98?ui=en-US&rs=en-US&ad=US

Review and take action on Advanced Security Management Alerts - https://support.office.com/en-us/article/Review-and-take-action-on-Advanced-Security-Management-alerts-97e9c3d9-df89-458e-924b-369becee5532?ui=en-US&rs=en-US&ad=US