Saturday, November 15, 2014

Office 365 ProPlus Adding Passive Authentication

There is a change I have been waiting on. On the Office 365 public roadmap it is called “Office 2013 client update to support passive authentication using SAML” - http://office.microsoft.com/en-us/products/office-365-roadmap-FX104343353.aspx.

What is this announcement?

Office 365 ProPlus / Office 2013 will be getting a modification to support 2FA authentication scenarios. This is enabled through the Active Directory Authentication Library (ADAL).

Why is it so important?

There are many customers who require 2FA to authenticate to the Office 365 service. For Office, the Outlook rich client comes up a lot because customers want to ensure that Outlook users must complete 2FA before they can receive email. With Outlook today there are scenarios that organizations can implement to ensure there is 2FA with Outlook; however, the better long-term solution is to have Office modified to support 2FA directly.

Specifically, Office 2013 is changing such that it can support “passive authentication” scenarios in the same way a browser does.

This enables a cleaner solution with Office 365 MFA. More importantly, it allows additional scenarios for organizations that use smart cards (PIV, CAC, etc.) to authenticate to the Office 365 service using the Office 2013 rich client.

What are some facts you should know?

Private Preview Release – Office 365 customers who are in the private preview program can have access to this.

ADAL Authentication – As I mentioned earlier, Office 2013 will be adopting passive authentication in the same way a browser authenticates. If you have AD FS implemented with Office 365, the user will authenticate through that federated trust relationship with Office 365. If your organization requires a second factor (2FA) for authentication, the user will be required to provide it. A nice side effect of this is that Outlook no longer needs direct access to the user’s password. Please read this blog for more details on the authentication process - http://office.microsoft.com/en-us/products/office-365-roadmap-FX104343353.aspx.

What Clients are impacted? - Word 2013, Excel 2013, PowerPoint 2013, Lync 2013, Outlook 2013, Publisher 2013, Visio 2013, Access 2013, Project 2013 and OneDrive for Business Sync Client.

Will this work with AD FS Only? – Please review information about other STS providers: http://blogs.office.com/2014/01/30/the-works-with-office-365-identity-program-now-streamlined/ and http://technet.microsoft.com/en-us/library/jj679342.aspx

Office 2010 Support? – No. This solution is for Office 2013 and Office 365 ProPlus.

References

New Announcement – Office 2013 update for SAML and 2FA Auth - http://blogs.office.com/2014/11/12/office-2013-updated-authentication-enabling-multi-factor-authentication-saml-identity-providers/

Original Announcement - http://blogs.office.com/2014/02/10/multi-factor-authentication-for-office-365/

SAML 2.0 Announcement - http://blogs.office.com/2014/03/06/announcing-support-for-saml-2-0-federation-with-office-365/

Outlook Connectivity with MAPI over HTTP Announcement - http://blogs.technet.com/b/exchange/archive/2014/05/09/outlook-connectivity-with-mapi-over-http.aspx

Skype for Business Announcement

There was a big announcement this week that Lync is being rebranded as Skype for Business. Please review the following announcement for the exact details - http://blogs.office.com/2014/11/11/introducing-skype-business/.

What are my takeaways?

  • In H1, Lync will transition its brand to Skype for Business.
  • Skype for Business will be available through Office 365 and/or customers can deploy Skype for Business on-premises. For customers who have Lync on-premises today, “No new hardware is required” to support this transition.
  • The user experience will begin to merge such that Skype for Business has a similar experience to Skype.

This is a change very similar to, and consistent with, what Microsoft did with the OneDrive and OneDrive for Business brands. These are very similar solution offerings; however, there is a different offering for consumers and for business. As a result of this change there is a fairly common user experience between OneDrive and OneDrive for Business. OneDrive and OneDrive for Business are not the same implementation. OneDrive for Business is specific to Office 365 only. OneDrive for Business has enhanced features to support enterprise business scenarios (supported through SharePoint Online). Customers who are 100% on-premises still have the ability to deploy OneDrive for Business within their SharePoint 2013 on-premises deployments.

Current Office 365 Encryption Solutions

The question that comes up a lot is: does Office 365 support encryption? The answer is yes, and there are many encryption solutions implemented.
A great resource that you should always start with is the Office 365 Trust Center - http://trust.office365.com. You should also review the Office 365 Security Whitepaper located here - http://www.microsoft.com/en-us/download/details.aspx?id=26552.
I usually break this down into a few different views: Encryption in Transit, Encryption at Rest and Payload Encryption.

Encryption in Transit
All Office 365 traffic / data is encrypted using SSL/TLS between client machines and the service. Read about this in the Office 365 Security Whitepaper.

Encryption at Rest
BitLocker has been deployed to encrypt data at rest inside of Office 365.
Additionally, for OneDrive for Business and SharePoint Online a new file-based encryption solution has been implemented. Read about both of these in the Office 365 Security Whitepaper.

Payload Encryption
There are additional solutions that customers can choose to utilize with Office 365 to encrypt data.

S/MIME was actually the original reason I started writing this blog; but I figured it was worth communicating that encryption is more than just S/MIME. S/MIME encryption of email is supported with Office 365. Please review these two articles for more information: http://blogs.office.com/2014/02/26/smime-encryption-now-in-office-365/ and http://technet.microsoft.com/en-us/library/dn626158(v=exchg.150).aspx.

UPDATE 1/2/2015 - Shortly after I wrote this blog, a really good article was created here - http://blogs.technet.com/b/exchange/archive/2014/12/15/how-to-configure-s-mime-in-office-365.aspx

Rights Management Service (RMS) is supported as well. Office 365 supports both Windows RMS and Azure RMS. RMS is a great solution to assist with DLP for email and documents: you have the ability to create policy to encrypt data. For SharePoint Online please review the Service Description here - https://support.office.com/en-us/article/Set-up-Information-Rights-Management-IRM-in-SharePoint-admin-center-239ce6eb-4e81-42db-bf86-a01362fed65c?ui=en-US&rs=en-US&ad=US. For Exchange Online please review http://technet.microsoft.com/en-us/library/jj983436(v=exchg.150).aspx.

Office 365 Message Encryption (OME) is another solution that is available to you. It allows administrators to create policy to encrypt data that is leaving the organization. For detailed information, please review this - http://technet.microsoft.com/library/dn569286.aspx.

Additionally, in Exchange Online Protection (EOP) you have the ability to enforce Transport Layer Security (TLS) for SMTP messages exchanged with partners. For more information, please review the following - http://technet.microsoft.com/en-us/library/jj723154(v=exchg.150).aspx.
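As an added example (not from the original post or from Microsoft's documentation), here is how the partner TLS enforcement mentioned above looks in Exchange Online PowerShell. The partner domain `partner.example` and the connector names are placeholders; the example assumes an existing Exchange Online remote PowerShell session. The outbound connector uses the strictest TlsSettings value, which requires not only encryption but a trusted certificate whose name matches the partner domain, and the inbound connector refuses mail claiming to be from the partner unless it arrives over TLS with a matching certificate.

```powershell
# Added example: enforce TLS for SMTP mail exchanged with one partner domain in
# Exchange Online Protection. "partner.example" and the connector names are placeholders.
# Assumes an existing Exchange Online remote PowerShell session.

$PartnerDomain = "partner.example"

# Outbound: mail to the partner must be sent over TLS, and the partner's certificate must
# be trusted AND match the expected name. TlsSettings strictness, weakest to strongest:
# EncryptionOnly < CertificateValidation < DomainValidation.
New-OutboundConnector -Name "Partner TLS - $PartnerDomain" `
    -ConnectorType Partner `
    -RecipientDomains $PartnerDomain `
    -UseMXRecord $true `
    -TlsSettings DomainValidation `
    -TlsDomain $PartnerDomain `
    -Enabled $true

# Inbound: mail from the partner's sender domain is accepted only over TLS, and only when
# the certificate presented by the sending server matches the partner's name.
New-InboundConnector -Name "Partner TLS - $PartnerDomain" `
    -ConnectorType Partner `
    -SenderDomains $PartnerDomain `
    -RequireTls $true `
    -TlsSenderCertificateName $PartnerDomain `
    -RestrictDomainsToCertificate $true

# Audit after the change: list partner connectors whose TLS settings are weaker than
# intended, so a misconfigured or downgraded connector stands out.
Get-OutboundConnector |
    Where-Object { $_.ConnectorType -eq "Partner" -and $_.TlsSettings -ne "DomainValidation" } |
    Select-Object Name, RecipientDomains, TlsSettings, TlsDomain

Get-InboundConnector |
    Where-Object { $_.ConnectorType -eq "Partner" -and -not $_.RequireTls } |
    Select-Object Name, SenderDomains, RequireTls, TlsSenderCertificateName
```

The two audit queries at the end are the part worth keeping around: they return nothing when every partner connector is at the intended strength, so any row they print is a connector to investigate.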

Sunday, November 9, 2014

New Office 365 App Launcher

Again there has been a new usability function added to Office 365. Some people call it the “Waffle”. It is in the top left hand corner and when you click on it, you can get to any Office 365 App.

I absolutely love it. It is changing the way I use Office 365.

I will be honest, at times Office 365 felt like SharePoint Online, OneDrive for Business, Exchange Online, Lync Online, Office Online, Yammer, etc. were all separate applications. Now, through the browser, these applications are all meshed together. I challenge people to spend an entire day in the browser experience; you will see that everything is connected.

The “Waffle”, officially called the Office 365 App Launcher, gives you the ability to quickly access apps. You can create a Word Online file, jump over to OWA, etc. You also have the ability to pin the personal items you use the most into the menu. Plus, organizations can customize the App Launcher with a custom theme for your company.


Reference - http://blogs.office.com/2014/10/16/organize-office-365-new-app-launcher-2/

New OWA and OneDrive for Business Integration

Sometimes it is the little things that count. There has been a new feature added to OWA and OneDrive for Business. If you have not tried it, try closing down Outlook for a day and play with OWA, SharePoint Online and OneDrive instead. You will see all this new integration where everything seems to be one click away.

Case in point, Microsoft just added a new feature to OWA that allows you to very easily send a OneDrive for Business file.

First, attaching a file has changed. In the old days you used to attach a file to a message, send it to someone, they edited the file locally and then reattached the file to an email and sent it back to you. Inefficient in numerous ways. Now there is a new feature in OWA that allows you to select a file from OneDrive for Business, and then a link to the file is sent to users. This is more efficient because we are not attaching and sending around numerous versions of a file. There is a single version of that file, and it is located in your OneDrive for Business. What is even more impressive is that the permissions on the OneDrive for Business file are automatically set to view/edit for all the people in the To and CC lines of your email. This is awesome because you can quickly send a file to anyone via a link. They can perform edits without having to download the file and then just give you a simple notification that they are done with their edits.


Second, there is also a new option in OWA that allows you to quickly attach a local file to an email, but instead of attaching the file to the message, you can again choose to share the file through OneDrive for Business. What happens this time is that OWA takes the local file, uploads it to OneDrive for Business for you and then inserts a link to it in the email. This again saves me tons of clicks.

One really good point made about this is that once a file gets into OneDrive for Business, everyone on the email can co-author the file. No more ten people creating different edits and then you having to try to merge everything back together.

Like I said it is the simple things that count.

Reference - http://blogs.office.com/2014/10/08/introducing-new-way-share-files-outlook-web-app/

Lync Online Report Updates

Lync Online recently expanded its reporting capability. To date, there are numerous Lync Online reports such as the peer-to-peer session report, conferences report, active users report, and audio / video minutes report - http://technet.microsoft.com/en-us/library/dn362827.aspx. All of these reports are available visually through the admin center, plus there are REST web services and PowerShell cmdlets available to pull the data.

Lync Online has just released a new report called the Client Devices report - http://blogs.office.com/2014/10/17/announcing-lync-online-client-devices-report/. This report provides data about what types of devices are being used to connect to Lync Online.

All of these reports will provide you good insight into how the Lync Online service is being utilized by your end users.

Saturday, November 8, 2014

Office 365 Message Encryption (OME) Enhancements

Some of you may be familiar with the Office 365 Message Encryption (OME) solution. This solution has been available in Office 365 for some time and it is the next release of Exchange Hosted Encryption (EHE). OME is a slick solution that allows administrators to use rules and policy to encrypt email that is leaving the organization. Encryption policy is simply added to transport rules. When a message goes external, the receiver of the email is given a simple user experience to access the email. To date, the external receiver of the email had to authenticate to access the email by using either their Office 365 ID (if they are an existing Office 365 user) or a Microsoft Account, which is free and anyone can sign up for.

This past month, Office 365 has modified this offering to allow external receivers to access an encrypted message using a One-Time Passcode. The user does not need to have a Microsoft Account either. This provides a lot of flexibility to be able to send an encrypted message externally. The external user simply selects the option to view with a one-time passcode, which is separately emailed to them. If your organization does not like this option, it can be turned off through PowerShell.
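As an added example (not from the original post), this is what the two pieces described above look like in Exchange Online PowerShell: a transport rule that applies OME to mail leaving the organization, and the tenant-wide switch for the one-time passcode option. The rule name, the keyword that users put on sensitive mail, and the assumption that an Exchange Online remote PowerShell session already exists are mine; the same points of the encryption section earlier on this page (OME under Payload Encryption) are covered by this one block.

```powershell
# Added example: apply Office 365 Message Encryption through a transport rule and
# inspect / disable the one-time passcode option. Rule name and keyword are placeholders.
# Assumes an existing Exchange Online remote PowerShell session.

# Encrypt any message leaving the organization whose subject or body carries the
# keyword that users put on sensitive mail. Priority 0 evaluates it before other rules.
New-TransportRule -Name "OME - encrypt outbound mail marked Confidential" `
    -SentToScope NotInOrganization `
    -SubjectOrBodyContainsWords "Confidential" `
    -ApplyOME $true `
    -Priority 0

# Confirm the rule is enabled and actually encrypting (ApplyOME shows as True).
Get-TransportRule -Identity "OME - encrypt outbound mail marked Confidential" |
    Format-List Name, State, SentToScope, SubjectOrBodyContainsWords, ApplyOME

# The one-time passcode option for external recipients is a tenant-wide setting on the
# OME configuration object. Inspect it first.
Get-OMEConfiguration | Format-List Identity, OTPEnabled

# To turn the one-time passcode option off, so external recipients must sign in with an
# Office 365 ID or Microsoft Account instead:
Set-OMEConfiguration -Identity "OME Configuration" -OTPEnabled $false
```

The rule matches on a keyword only to keep the example self-contained; in practice the same `-ApplyOME $true` action is more often paired with a sensitive information type or a recipient-domain condition, and the `Get-TransportRule` check is the quick way to confirm the policy is live before telling users to rely on it.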

Remember, OME is not the only type of encryption that is available in Office 365. I typically put encryption into three buckets. There is encryption in transit, supported with TLS and SSL. There is encryption at rest, with BitLocker. Finally, there is payload encryption, for which you can use OME, Information Rights Management (AD RMS) and S/MIME.

Here are some references:

http://blogs.office.com/2014/10/03/one-time-passcode-office-365-message-encryption/

http://blogs.office.com/2013/11/21/introducing-office-365-message-encryption-send-encrypted-emails-to-anyone/

Office for Android Tablet

I have to say this has been an extremely active time for Office 365. A significant announcement was made that Office for Android Tablet is being released for preview - http://blogs.microsoft.com/blog/2014/11/06/office-everywhere/.

Microsoft has made good on its vision to provide Office across all major mobile platforms. Office is now available on iPhone, iPad, Android Phone, Android Tablet, Windows Phone and Windows tablets.

This is amazing.

Organizations can now empower their employees to remain productive wherever they are, without compromises.

MDM for Office 365

There was another major announcement recently for Office 365. This past week Microsoft announced that it is adding a new solution called MDM for Office 365. To date, many organizations have utilized Exchange ActiveSync (EAS) policies and sometimes other third-party MDM solutions to protect business data on mobile devices connecting to Office 365.

With this new announcement, organizations will now have the ability to provide even more protection of their business data on mobile without having to rely on other solutions.

The new MDM for Office 365 will be available in Q1 of 2015.

Devices: MDM for Office 365 will provide organizations the ability to manage email and documents across iPhone, iPad, Android Phone, Android Tablet and Windows Phone.

Data Protection: When you learn more about it, you will be impressed with the approach. Typically other MDM providers have enforced data protection through a container, and even custom applications within those containers. Many times the feature set offered is limited. In the case of MDM for Office 365, protection is enforced within the applications that users already use. For instance, Office is now available across all major mobile platforms. Customers can set up protection within Office such that business data is protected and cannot leave the application. End users can remain highly productive without having to learn something new.

Device Lock: There are several new features being added as well, such as PIN lock and jailbreak detection.

Device Wipe: Enhanced features are being added for device wipe, covering not just email but also documents. The nice thing about the wipe policy is that it only wipes company-owned data and does not impact a user’s personal data. This is extremely important in a BYOD world: no one should have their personal files impacted when they move from one company to another.

Integrated Administration: From an administrative perspective, MDM for Office 365 is integrated right in the administrative experience of Office 365. Administrators do not need to bounce around to other third-party applications nor do they have to spend the time trying to configure them together. MDM for Office 365 is simply just built into the service. Administrators will have access to a full set of reports as well through their reporting center.

Intune: Finally, organizations can easily upgrade to advanced MDM with Intune. With Intune there is advanced mobile application management, integration with System Center and advanced mobile device policy.

Please review these announcements: http://blogs.office.com/2014/10/28/office-365-latest-innovations-security-compliance/ and http://blogs.office.com/2014/10/28/introducing-built-mobile-device-management-office-365/.

OneDrive for Business Unlimited Storage

There are a bunch of new announcements that have been made for Office 365 over the past several days. Probably the most significant announcement is that OneDrive for Business will be changing its offering to allow end users to have unlimited storage. This change will not be available until CY 2015. As of right now, OneDrive for Business users have 1TB of storage available per user.

I feel this change is significant:

  • It is aligned to the rate at which data is being created.
  • It gives organizations the ability to save a significant amount of money by getting rid of all those old file shares.
  • Organizations have the ability to keep all their corporate data in a single location and have all data managed through compliance policy across devices. Office 365 provides compliance solutions such as DLP, legal hold, retention, archiving, eDiscovery, etc.

No other cloud productivity platform can provide this combination of solutions.

For more information, please read here - https://blog.onedrive.com/office-365-onedrive-unlimited-storage/