Enhancing the Office 365
Multi-Factor Authentication and RM Online
October 2013
Agenda
• Multi-Factor Authentication
  – Why is Multi-Factor Authentication important
  – Securing Cloud resources
  – Windows Azure AD Multi-Factor Authentication (WAAD MFA)
  – Rich Client Support with App Password
• Information Protection and Control using Windows Azure AD Rights Management
Windows Azure AD – Multi-Factor Authentication
Why MFA is important
• Passwords are no longer enough. Customers want a higher level of security than standard authentication with user name and password.
• Growing need for stronger security measures for identities
• Cloud services perceived as higher risk, requiring MFA
• Increased use of mobile access demands stronger, seamless security measures
• Competition is driving the expectation for Strong Authentication
• Compliance drives increasingly rigorous authentication scenarios, and is showing up as a sales blocker (e.g. FISMA, NIST)
• Windows Azure AD is used for multiple online services
What is Azure AD MFA?
• Secure resources accessed by Azure AD with phone-based Multi-Factor Authentication.
• Applicable for Cloud Identities and Federated Identities
• Ease of configuration and low maintenance – no server installation required; end-users configure 2FA.
Azure AD MFA for Cloud Identities – Securing Cloud resources
Flow between the Customer and Azure AD & Office 365:
1. Logon with Username / Password
2. MFA challenge
3. Reply to MFA challenge: 1-way or 2-way SMS, phone call, or Mobile Application
Microsoft Confidential
Enabling MFA on your tenant
• Through Azure portal only
First logon experience with MFA
User Security Verification Options
Further web logon experience
Setting up App Password for rich client support
App Password maintenance
App Password – Rich client support with MFA
Flow between the Customer and Azure AD & Office 365:
1. One-time setup: the user creates an App Password (1 per application) through MOP or AAD
2. Rich client logon with App Password
App Password features
• Admin must:
  – Create a Windows Azure Authentication Provider
  – Enable Multi-Factor Authentication for the users
• App Password available to end-users only; not available for Administrative accounts
• Password is automatically generated (16 characters)
• A limit of 40 passwords per user
• Passwords never expire; a Set Expiration feature is scheduled for a future release
Azure AD MFA offering
• Free for Administrators; must pay for Users
• Purchase as a Multi-Factor Authentication Provider through Windows Azure AD; Per-user or Per-authentication licensing models
• Web application support by default: Outlook Web Access (OWA), SharePoint, etc.
• Must enable Application Passwords for use with rich clients: Outlook, Lync, PowerShell, Lync IP phone
• Application passwords cannot be enabled for administrator accounts
• Does not support Lync phones
• Not supported with Office 365 Pre-Upgrade (Wave 14 customers)
Windows Azure AD Rights Management
Information Protection and Control (IPC) – Industry trends
• The traditional perimeter is rapidly eroding: IT needs continuous data protection that works across ‘classic’ boundaries
• Consumerization of IT: users need access from any device
• Externalization of IT: applications are on-premises and in the cloud
• More Data, Stored in More Places: dispersed enterprise data needs protection
• Social Enterprise: data is shared between people and applications
• Internal Sharing of Sensitive Data: organizations of all sizes have sensitive data. The numbers vary from ~3% to “far more” when customer data contain PII
• Data is increasingly rarely in a state of permanent rest: mobile devices; data sync’d for use at home; SQL/SAP reporting to Excel; etc.
• RMS is used / reasoned over by users / software
• RMS protects sensitive data at rest and in motion: RMS, and enlightened applications, offer native support for file protection. Outlook and Exchange add RMS support for email. Vertical offers are now adding RMS too: SharePoint, DAC, DLP, and now SAP…
Rights Management deployment options
• Use Windows Azure AD Rights Management out of the box: integrates natively with Exchange Online and SharePoint Online
• Integrate Office 365 with existing on-premises AD RMS infrastructure
What is Windows Azure AD Rights Management
Windows Azure AD Rights Management enables organizations that subscribe to Microsoft online services to encrypt and assign usage restrictions to content. Rights Management helps protect content created and exchanged using Microsoft Office as well as other applications or services that have been updated to integrate with the Rights Management service. By implementing a cloud-based rights management service, Rights Management provides an alternative for organizations seeking information protection capabilities within Microsoft Office 365.
Rights Management provides the following:
• Safeguards sensitive information
• Provides persistent protection
• Supports closer management of usage rights and conditions
• Integrates rights management with Office 365
Rights Management deployment options
Windows Azure AD Rights Management information rights management (IRM) features available in Microsoft Office 365 Enterprise E3 and Microsoft Office 365 ProPlus:
• Office IRM Integration
• Exchange Online IRM Integration
• SharePoint Online IRM Integration
Office integration w/ Rights Management
When creating or consuming information rights management (IRM) protected content, only the following versions of Microsoft Office are supported.
For this Office product family… / …these restrictions apply for Rights Management use:
• Microsoft Office Professional Plus 2013: Supported for this release.
• Microsoft Office 2010: Supported for this release. To publish rights-protected content requires Office Professional Plus. To consume rights-protected content, Office Standard is required.
• Microsoft Office 2007: Not supported for this release.
Configuring RMO for Exchange Online
Step 1: Use the Office 365 Admin Center to activate Windows Azure Active Directory Rights Management (see next slide)
Step 2: Use the Shell to configure the RMS Online key sharing location in Exchange Online (using Set-IRMConfiguration -RMSOnlineKeySharingLocation ….). Note: use the RMS key sharing URL corresponding to your location.
Step 3: Use the Shell to import the Trusted Publishing Domain (TPD) from RMS Online, using Import-RMSTrustedPublishingDomain -RMSOnline -Name "RMS Online"
Step 4: Use the Shell to enable IRM in Exchange Online, using Set-IRMConfiguration -InternalLicensingEnabled $true
Check RMS capability using OWA. Note: this can take some additional hours to propagate. Open OWA, click on New Message, and in the “…” menu you should see a “Set Permission” option.
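Steps 2 to 4 and the capability check as one script, added here as an example and not taken from the deck. It assumes an existing remote PowerShell session to Exchange Online as an organization administrator; the $KeySharingLocation URL, the optional $TestSender mailbox and the idempotency checks are assumptions, while the cmdlets and the TPD name are those given above.

```powershell
# Added example (not from the deck): scripts Steps 2-4 of the Exchange Online
# RMS Online configuration and verifies the result. Assumes an existing remote
# PowerShell session to Exchange Online with organization admin rights.
param(
    # RMS key sharing URL for your tenant's region (assumed input; take the value
    # for your location from Microsoft's documentation, as the slide notes).
    [Parameter(Mandatory = $true)]
    [string]$KeySharingLocation,
    # TPD name as used on the slide
    [string]$TpdName = "RMS Online",
    # Optional mailbox for an end-to-end IRM check (assumed parameter)
    [string]$TestSender
)

$ErrorActionPreference = 'Stop'

# Step 2: point Exchange Online at the RMS Online key sharing location
Set-IRMConfiguration -RMSOnlineKeySharingLocation $KeySharingLocation

# Step 3: import the Trusted Publishing Domain from RMS Online.
# Idempotent: re-running the script does not import a second copy.
$tpd = Get-RMSTrustedPublishingDomain | Where-Object { $_.Name -eq $TpdName }
if (-not $tpd) {
    Import-RMSTrustedPublishingDomain -RMSOnline -Name $TpdName
    $tpd = Get-RMSTrustedPublishingDomain | Where-Object { $_.Name -eq $TpdName }
}
# Make sure the imported TPD is the one Exchange uses for licensing
if (-not $tpd.Default) {
    Set-RMSTrustedPublishingDomain -Identity $TpdName -Default
}

# Step 4: enable IRM (internal licensing) in Exchange Online
Set-IRMConfiguration -InternalLicensingEnabled $true

# Verification: read the configuration back instead of trusting the calls above
$cfg = Get-IRMConfiguration
if (-not $cfg.InternalLicensingEnabled) {
    throw "IRM internal licensing is still disabled after Set-IRMConfiguration"
}
$templates = (Get-RMSTemplate).Name -join ', '
Write-Output "IRM enabled. Default TPD: $TpdName. Templates available: $templates"

# Optional scripted equivalent of the manual OWA check: exercises the whole
# IRM pipeline (TPD, templates, licensing) for one sender mailbox.
if ($TestSender) {
    Test-IRMConfiguration -Sender $TestSender
}
```

Propagation can still take hours, so a failing Test-IRMConfiguration immediately after the run is not by itself a misconfiguration; re-run the check later before changing settings.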
Activating Rights Management
RMO with Exchange Online capabilities
After it’s enabled, IRM protection can be applied to messages as follows:
• Users can manually apply a template using Outlook and Outlook Web App. Users can apply an AD RMS rights policy template to an email message by selecting the template from the Set permissions list. When users send an IRM-protected message, any attached files that use a supported format also receive the same IRM protection as the message. IRM protection is applied to files associated with Word, Excel, and PowerPoint, as well as .xps files and attached email messages.
• Administrators can use transport protection rules to apply IRM protection automatically to both Outlook and Outlook Web App. You can create transport protection rules to IRM-protect messages. Configure the transport protection rule action to apply an AD RMS rights policy template to messages that meet the rule condition. After you enable IRM, your organization's AD RMS rights policy templates are available to use with the transport protection rule action called Apply rights protection to the message with.
• Administrators can create Outlook protection rules. Outlook protection rules automatically apply IRM protection to messages in Outlook 2010 (not Outlook Web App) based on message conditions that include the sender's department, who the message is sent to, and whether recipients are inside or outside your organization. For details, see Create an Outlook Protection Rule.
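The two administrator-driven mechanisms above (a transport protection rule and an Outlook protection rule) as Exchange Online shell commands, added here as an example and not part of the deck. It assumes a remote PowerShell session to Exchange Online with IRM already enabled; the rule names, the department value, the recipient address and the subject marker are constructed for illustration, and "Do Not Forward" is the built-in RMS template.

```powershell
# Added example (not from the deck): creates the two kinds of automatic IRM
# protection described on the slide. Assumes a remote PowerShell session to
# Exchange Online where IRM is already enabled. Rule names, department,
# recipient address and subject marker are constructed values.
$ErrorActionPreference = 'Stop'

# Pick the template to apply. "Do Not Forward" is a built-in RMS template;
# any template listed by Get-RMSTemplate (your organization's own) works too.
$template = Get-RMSTemplate | Where-Object { $_.Name -eq 'Do Not Forward' }
if (-not $template) {
    throw "Template not found; check Get-IRMConfiguration before creating rules"
}

# Transport protection rule: enforced by Exchange, so it covers both Outlook
# and Outlook Web App. Condition here: mail leaving the organization whose
# subject or body carries the constructed marker 'Company Confidential'.
if (-not (Get-TransportRule -Identity 'Protect-Confidential-Outbound' -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name 'Protect-Confidential-Outbound' `
        -SentToScope NotInOrganization `
        -SubjectOrBodyContainsWords 'Company Confidential' `
        -ApplyRightsProtectionTemplate $template.Name
}

# Outlook protection rule: applied client-side by Outlook 2010 (not OWA), based
# on the sender's department and the recipients. Condition here: mail from the
# Finance department to a constructed distribution group address.
if (-not (Get-OutlookProtectionRule -Identity 'Finance-Board-DNF' -ErrorAction SilentlyContinue)) {
    New-OutlookProtectionRule -Name 'Finance-Board-DNF' `
        -FromDepartment 'Finance' `
        -SentTo 'finance-board@contoso.example' `
        -ApplyRightsProtectionTemplate $template.Name
}

# Review what is now in force on the tenant
Get-TransportRule | Where-Object { $_.ApplyRightsProtectionTemplate } |
    Select-Object Name, State, ApplyRightsProtectionTemplate
Get-OutlookProtectionRule |
    Select-Object Name, Enabled, FromDepartment, ApplyRightsProtectionTemplate
```

The transport rule is the one that applies regardless of client, so it is the control to rely on; the Outlook protection rule only reaches mail sent from Outlook 2010 and does not cover OWA or other clients.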
Configuring RMO for SharePoint Online
You need to be a SharePoint Online administrator.
Step 1: Go to SharePoint Online Admin Center / Settings
Step 2: Check IRM usage and click on Refresh IRM settings
Step 3: IRM-enable SharePoint document libraries and lists
• Go to the list or library for which you want to configure IRM.
• On the ribbon, click the Library tab, and then click Library Settings (if you are working in a list, click the List tab, and then click List Settings).
• Under Permissions and Management, click Information Rights Management.
• On the Information Rights Management Settings page, select the Restrict permission to documents in this library on download check box to apply restricted permission to documents that are downloaded from this list or library.
• In the Create a permission policy title box, type a descriptive name for the policy that you can use later to differentiate this policy from other policies (example: Company Confidential).
• In the Add a permission policy description box, type a description that will appear to people who use this list or library and explains how they should handle the documents in it (example: Discuss the contents of this document only with other employees).
• To apply additional restrictions to the documents in this list or library, click Show Options and select the ones you want to apply.
• After you finish selecting the options you want, click OK.
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.