Managing People, Devices &
Information in Office 365
Welcome
What do you hope to learn today?
Please take a moment to fill out the yellow cards.
Our presenters will review the cards to ensure that we cover
the topics/areas of interest.
We will collect them before we get started.
Thanks!
Collect ‘Learn Today’ Cards
System Source & Microsoft: Microsoft Certified Partner since the 1980s
Silver – Learning Solutions
Train 6,000 students/year
Our Instructors rate 20% higher than Microsoft National
Average Customer Satisfaction Scores.
Silver – Infrastructure
1,000’s of Microsoft implementations
Small Business to Enterprise
Non-profit
Education
System Source & Microsoft:
Agenda (Dave’s portion)
What is Office 365
Identity Management
Azure AD
Cloud, Synchronized, Federated accounts
Azure AD Features Examples
Multi-Factor Authentication / Self Serve Password Reset
Single Sign On – Using Azure AD for SaaS SSO
Native Office 365 Mobile Device Management
What is Office 365?
What is Office 365?
Office 365 is mostly a SaaS solution.
Your connectivity to and use of Office 365 and other Microsoft Cloud services are flexible: subscribe to one service only or to a suite of services.
Subscription plans offer various levels of features.
You can use only the Cloud for login and data.
Synchronize directories and/or federate to control accounts locally.
Integrate the Cloud services with on-premises services (hybrid) so data and services can span both locations.
What is Office 365?
Office: rich client, web client, apps
Email: Exchange Online, archiving, encryption
Real-time communication: Skype for Business
Collaboration: SharePoint Online, OneDrive, Yammer
Plans (each service area is offered across several subscription plans)
World-Class Data Centers
Office 365 Trust Center
Clear messaging with plain English
Details for security experts
Links, videos, whitepapers
http://trust.office365.com
Identity Management
How does Office 365 (and Azure) integrate with my environment?
How does Office 365 integrate with my environment?
Office 365 services (Exchange, SharePoint, Skype for Business) can be
on-premises, in the cloud or a combination (hybrid)
Microsoft offers hybrid configurations for Skype for Business, SharePoint and
Exchange. Available features vary with service and subscription plans.
Interoperability between Exchange, SharePoint and Skype for Business has some limitations but
integration is improving.
DirSync and ADFS are a requirement* for hybrid deployments
User accounts can be in the cloud or on-premises
User accounts can be managed in the cloud or on-premises
Where are your Office 365 Accounts?
Microsoft Azure Active Directory
Azure Active Directory (Azure AD) is Microsoft’s multi-tenant cloud based directory and identity management service.
Azure AD also includes a full suite of identity management capabilities including multi-factor authentication, device registration, self-service password management, self-service group management, privileged account management, role based access control, application usage monitoring, rich auditing and security monitoring and alerting.
(Diagram: on-premises Active Directory alongside Azure Active Directory)
What is Azure Active Directory?
The Azure Active Directory service comes in three editions:
Free
Basic
Premium
The Free edition is included with an Azure or Office 365 subscription.
The Basic and Premium editions are available through a Microsoft Enterprise
Agreement, the Open Volume License Program, and the Cloud Solution
Providers program.
Every paid subscription to Office 365
comes with a free subscription to Azure
Active Directory.
You can use Azure AD to manage your
apps and to create and manage user
and group accounts independent of
Office 365.
To activate this subscription and access
the Azure management portal, you
have to complete a one-time
registration process.
Office 365 Subscription – Domains
The default domain when opening a subscription is <DomainName>.onmicrosoft.com
This domain is fully functional and can be used for
login and email.
This domain will be used for internal routing in co-
existence scenarios.
Your production domains are added to the
subscription for login and email.
Login IDs are in UPN format.
Note – When using Directory Synchronization, match your local Active Directory UPN suffixes to a domain (or domains) configured and verified in your subscription.
Local AD Integration with Office 365
Cloud identity: single identity in the cloud; suitable for small organizations with no integration to on-premises directories.
Cloud identity with directory synchronization: single identity; suitable for medium and large organizations without federation*.
Federated identity: single federated identity and credentials; suitable for medium and large organizations.
On-Premises ADFS Implementation
Multiple ADFS Servers and Proxy (Web Application Proxy)
WID Replication and NLB for redundancy
On-Premises ADFS Implementation
Users are redirected to the ADFS server for authentication.
At portal.microsoftonline.com, “example.com” is recognized as a federated domain, so the user is redirected to the local ADFS server.
A SAML token is generated and used to authenticate the user to Office 365 resources.
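The redirect-and-token flow on this slide has three decisions that a relying party must get right: which domains are federated, which ADFS issuer is trusted for each, and which checks a token must pass before it is accepted. The following simulation is an added example, not the presentation's content and not how Office 365 or ADFS are implemented; the real exchange uses signed SAML/WS-Federation tokens, which are replaced here by a compact HMAC-signed token so the checks (issuer, signature, audience, validity window) fit in a few lines. Domain names, issuer URIs, keys and users are all constructed.

```python
"""Simulation of federated sign-in: home-realm discovery, token issuance by the
on-premises identity provider, and token validation by the cloud service.
Added example; a stand-in for SAML, not SAML itself."""

import base64
import hashlib
import hmac
import json
import time

# Tenant domain configuration (constructed).  A federated domain records the
# issuer URI and the token-signing key the service expects from that ADFS farm.
DOMAINS = {
    "contoso.onmicrosoft.com": {"type": "managed"},
    "fabrikam.com": {"type": "managed"},            # synchronized identities
    "example.com": {"type": "federated",
                    "issuer": "http://adfs.example.com/adfs/services/trust",
                    "signing_key": b"constructed-adfs-token-signing-key"},
}
AUDIENCE = "urn:federation:MicrosoftOnline"   # relying-party identifier (constructed)


def _domain_of(upn: str) -> str:
    if "@" not in upn:
        raise ValueError("login ID must be in UPN format")
    return upn.rsplit("@", 1)[1].lower()


def home_realm(upn: str):
    """Step 1 (service side): decide where the user authenticates."""
    cfg = DOMAINS.get(_domain_of(upn))
    if cfg is None:
        raise ValueError(f"{_domain_of(upn)} is not a domain of this tenant")
    if cfg["type"] == "federated":
        return ("redirect", cfg["issuer"])   # send the user to local ADFS
    return ("cloud_password", None)          # Azure AD checks the password itself


def adfs_issue_token(upn: str, issuer: str, key: bytes, lifetime=3600, now=None):
    """Step 2 (ADFS side): after local AD authenticates the user, issue a signed token."""
    now = int(time.time() if now is None else now)
    claims = {"iss": issuer, "aud": AUDIENCE, "upn": upn,
              "nbf": now, "exp": now + lifetime}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def validate_token(token: str, now=None):
    """Step 3 (service side): accept the token only if every check passes."""
    now = int(time.time() if now is None else now)
    body, _, sig = token.rpartition(".")
    claims = json.loads(base64.urlsafe_b64decode(body))
    cfg = DOMAINS.get(_domain_of(claims["upn"]), {})
    # A token may only vouch for users of a domain configured as federated;
    # otherwise anyone holding any ADFS key could mint logins for managed domains.
    if cfg.get("type") != "federated":
        return (False, "domain is not federated; token not accepted")
    if claims["iss"] != cfg["issuer"]:
        return (False, "issuer does not match the domain's federation settings")
    expected = hmac.new(cfg["signing_key"], body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return (False, "bad signature")
    if claims["aud"] != AUDIENCE:
        return (False, "token was issued for a different relying party")
    if not (claims["nbf"] <= now < claims["exp"]):
        return (False, "token outside its validity window")
    return (True, claims["upn"])


if __name__ == "__main__":
    print(home_realm("user@example.com"))
    fed = DOMAINS["example.com"]
    tok = adfs_issue_token("user@example.com", fed["issuer"], fed["signing_key"])
    print(validate_token(tok))
```

The order of checks matters: the domain-to-issuer binding is consulted before the signature is verified, because the signing key to verify against is only known once the issuer for that domain is known. It also makes the last bullet of the next slides concrete: if the ADFS farm is down, step 2 never happens and no valid token exists for any user of that domain.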
Managing Cloud Identities
Accounts are independent of your local AD
Managed through the Office 365 portal
DEMO
Synchronizing Identities
Azure AD Connector (DirSync) tool.
Installed on a 64-bit domain controller.
Builds a connector between Azure AD and your local AD.
Synchronizes selected objects every three hours by default.
Managing Synchronized Identities
Accounts are managed in local AD and synchronized every three hours by default.
Password changes are synchronized immediately.
Account disables take effect on the normal synchronization cycle.
Passwords are synchronized one-way unless the Azure AD subscription is upgraded.
Exchange attributes need to be managed using an on-premises Exchange Server / Console or through ADSIEdit (not recommended).
Managing Federated Identities
Federated IDs are managed on-premises. There is no synchronization delay since users are directed to the local AD for authentication.
Disabling an account or changing a password is immediate.
Access to Office 365 resources is dependent on your AD and ADFS being available!
Multi-Factor Authentication and Self Serve Features
(Samples of Azure AD features)
Multi-Factor Authentication (MFA)
Office 365 offers two-factor authentication.
Office 365 MFA covers…
Exchange Online
SharePoint Online
Lync Online
Dynamics CRM Online
Project Online
Office 2013 Pro Plus on-premises
App Passwords are used for Office applications.
App Password – A 16-character randomly generated password used with Office applications in lieu of the second authentication factor.
Note – The roadmap is to add true MFA to Office applications.
Multi-Factor Authentication (MFA)
Demonstration – User setup and administration, user controls
Self Serve Password Reset
Azure AD Free – cloud-only administrators can reset their own passwords.
Azure AD Basic, or Basic with a paid O365 subscription – cloud-only users and cloud-only administrators can reset their own passwords.
Azure AD Premium – any user or administrator, including cloud-only, federated, or password-synced users, can reset their own passwords (requires password writeback to be enabled).
Self Serve Setup
Set up through Azure AD
Enable the service for the users
Set up the required parameters
Self Serve Use
Part of the portal login process
Single Sign On – Using Azure AD for SaaS SSO
SaaS Authentication Challenge
Azure AD as the control point
2500+ Pre-integrated SaaS Solutions
The On-Premises SSO Portion (ADFS)
Azure AD – SaaS SSO
https://azure.microsoft.com/en-us/documentation/articles/active-directory-saas-salesforce-tutorial/
We need to discuss if this should
be in my portion of the
presentation or a part of Steve’s
EMS (InTune) presentation.
I have about an hour’s worth of
material without MDM.
Office 365 MDM – Device Types
You can use MDM for Office 365 to secure and manage the following types of devices.
Windows Phone 8.1
iOS 7.1 or later versions
Android 4 or later versions
Windows 8.1*
Windows 8.1 RT*
* Access control for Windows 8.1 and Windows 8.1 RT devices is limited to Exchange ActiveSync.
Office 365 MDM – Enrollment and Policies
These apps will prompt users to enroll if there is a policy applied to the user:
Exchange
Exchange ActiveSync includes native email and third-party apps, like TouchDown, that use Exchange ActiveSync.
Office and OneDrive for Business
Office 365 MDM – Enrollment and Policies
The following diagram shows what happens when a user with a new device signs in to an app that supports access control with MDM for Office 365.
The user is blocked from accessing Office 365 resources in the app until they enroll their device.
Office 365 MDM – Enrollment and Policies
A user logs in with an enrolled device that isn’t compliant with a security setting in a mobile device management policy that applies to their device.
They are blocked from accessing Office 365 resources in the app until their device complies with the security setting.
Setting up MDM in Office 365
Set up MDM for Office 365—Activate the feature and configure the environment.
Configure MDM policies—Configure Security Groups and Device policies.
Enroll devices—When users access Exchange, SharePoint or OneDrive using the MDM-enabled applications, they are required to enroll their devices.
Manage devices—You can wipe enrolled devices and run reports.
Set up MDM
Set up DNS
Host name               Record type   Points to                                    TTL
EnterpriseEnrollment    CNAME         EnterpriseEnrollment.manage.microsoft.com    3600
EnterpriseRegistration  CNAME         EnterpriseRegistration.windows.net           3600
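The two CNAME records above are easy to mistype, and a wrong target means enrollment silently fails for every device. Below is an added example (not part of the deck, not a Microsoft tool) that parses zone-style records and compares them with the expected targets. It works offline on a constructed sample zone; in practice the same function would be fed the records returned by nslookup or dig for the production domain. The hostnames are the ones on the slide; the sample zone content, including its deliberately wrong record, is constructed.

```python
"""Check that the MDM for Office 365 CNAME records point where they should.
Added example with a constructed sample zone."""

# Expected targets, exactly as listed on the slide (compared case-insensitively).
EXPECTED = {
    "enterpriseenrollment": "enterpriseenrollment.manage.microsoft.com",
    "enterpriseregistration": "enterpriseregistration.windows.net",
}

# Constructed sample zone for a hypothetical domain.  The second record is
# deliberately wrong so the check has something to report.
SAMPLE_ZONE = """
; constructed sample for contoso.com (not real DNS data)
$ORIGIN contoso.com.
enterpriseenrollment.contoso.com.   3600  IN  CNAME  EnterpriseEnrollment.manage.microsoft.com.
EnterpriseRegistration              3600  IN  CNAME  old-mdm.contoso.com.   ; wrong target
"""


def parse_records(zone_text):
    """Parse CNAME lines in either 'name TTL IN CNAME target' or the slide's
    'name CNAME target TTL' layout.  Returns {name: (target, ttl)} with names
    and targets lower-cased and trailing dots removed."""
    records = {}
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop comments
        fields = line.split()
        if "CNAME" not in fields:
            continue
        idx = fields.index("CNAME")
        if idx == 0 or idx == len(fields) - 1:
            continue                                  # malformed line
        name = fields[0].rstrip(".").lower()
        target = fields[idx + 1].rstrip(".").lower()
        ttl = None
        for f in fields[1:idx] + fields[idx + 2:]:
            if f.isdigit():
                ttl = int(f)
                break
        records[name] = (target, ttl)
    return records


def check_mdm_dns(zone_text, domain):
    """Return a list of problems (empty when both records are correct)."""
    records = parse_records(zone_text)
    findings = []
    for label, target in EXPECTED.items():
        fqdn = f"{label}.{domain.lower()}"
        rec = records.get(fqdn) or records.get(label)   # absolute or relative name
        if rec is None:
            findings.append(f"{fqdn}: CNAME missing")
        elif rec[0] != target:
            findings.append(f"{fqdn}: points to {rec[0]}, expected {target}")
    return findings


if __name__ == "__main__":
    for problem in check_mdm_dns(SAMPLE_ZONE, "contoso.com"):
        print(problem)
```

Because the comparison lower-cases both sides and strips trailing dots, the same expected list works whether the records come from a zone file, a hosting panel export, or resolver output.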
iOS – APN Certificate
Create a CSR
Generate the certificate at Apple’s site
Download and upload the certificate to Office 365
Policies – Security Settings
Policies – Other Settings
https://technet.microsoft.com/en-us/library/ms.o365.cc.devicepolicysupporteddevice.aspx
ActiveSync Policies
ActiveSync policies are in the Exchange admin center.
You can create multiple policies and apply different settings to different users.
Wiping a device
Full wipe: Deletes all data on a user's mobile device, including installed applications, photos, and personal information. When the wipe is complete, the device is restored to its factory settings.
Selective wipe: Removes only organization data and leaves installed applications, photos, and personal information on a user's mobile device.
When a device is wiped (full wipe or selective wipe), the device is removed from the list of managed devices.
You can set up a mobile device management policy that automatically wipes a device after the user unsuccessfully tries to enter the device’s password a specific number of times.
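The enrollment and compliance slides earlier in this section and the wipe rules above describe one access-control decision: a user covered by a policy must enroll, an enrolled device must meet the policy's security settings before the app gets data, and a device that is wiped (full or selective, including the automatic wipe after too many failed password attempts) leaves the managed list. The following model is an added example, not MDM for Office 365 code; the policy settings, device attributes and thresholds are constructed to illustrate the flow and are not the product's actual setting names.

```python
"""Model of the MDM for Office 365 access-control flow: enrollment gate,
compliance check, and wipe handling.  Added example with constructed data."""

from dataclasses import dataclass


@dataclass
class Policy:
    """Constructed policy settings (names are illustrative, not product settings)."""
    require_password: bool = True
    min_password_length: int = 6
    require_encryption: bool = True
    block_jailbroken: bool = True
    wipe_after_failed_attempts: int = 10   # 0 = never auto-wipe


@dataclass
class Device:
    device_id: str
    enrolled: bool
    has_password: bool
    password_length: int
    encrypted: bool
    jailbroken: bool
    failed_attempts: int = 0


def compliance_failures(device, policy):
    """Return the settings the device does not meet (empty list = compliant)."""
    failures = []
    if policy.require_password and not device.has_password:
        failures.append("password required")
    elif device.has_password and device.password_length < policy.min_password_length:
        failures.append(f"password shorter than {policy.min_password_length}")
    if policy.require_encryption and not device.encrypted:
        failures.append("device encryption required")
    if policy.block_jailbroken and device.jailbroken:
        failures.append("jailbroken/rooted device blocked")
    return failures


def access_decision(user_policy, device):
    """What the app does when this user signs in from this device."""
    if user_policy is None:
        return ("allow", "no MDM policy applies to this user")
    if not device.enrolled:
        return ("block", "enrollment required")      # the app prompts to enroll
    failures = compliance_failures(device, user_policy)
    if failures:
        return ("block", "non-compliant: " + "; ".join(failures))
    return ("allow", "enrolled and compliant")


class ManagedDevices:
    """The list of managed devices; wiped devices drop off it."""

    def __init__(self):
        self.devices = {}

    def enroll(self, device):
        device.enrolled = True
        self.devices[device.device_id] = device

    def wipe(self, device_id, selective):
        """Full or selective wipe; either way the device leaves the managed list."""
        self.devices.pop(device_id)
        return "selective" if selective else "full"

    def record_failed_unlock(self, device_id, policy):
        """Count a failed password attempt; returns the wipe type if the
        policy threshold was reached, otherwise None."""
        device = self.devices[device_id]
        device.failed_attempts += 1
        limit = policy.wipe_after_failed_attempts
        if limit and device.failed_attempts >= limit:
            return self.wipe(device_id, selective=False)
        return None


if __name__ == "__main__":
    policy = Policy()
    phone = Device("phone-1", enrolled=False, has_password=True,
                   password_length=6, encrypted=False, jailbroken=False)
    print(access_decision(policy, phone))        # block: enrollment required
    fleet = ManagedDevices()
    fleet.enroll(phone)
    print(access_decision(policy, phone))        # block: encryption required
    phone.encrypted = True
    print(access_decision(policy, phone))        # allow
```

Two points the model makes explicit: a user with no policy is never prompted (so policy assignment, not enrollment, is what turns the control on), and the automatic wipe is a device-side consequence that removes the record from the managed list, so a later sign-in from that device starts again at the enrollment gate.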
Break
Enterprise Mobility Suite for SMB
Steve Deming – Technology Strategist
Agenda
What PAINS does EMS solve for?
Overview and Key Points
Technical Components of EMS
Getting Started
Are organizations prepared?
50% of employers by 2017 will require employees to supply their own devices for work purposes *
90% of enterprises will have two or more mobile operating systems to support in 2017 **
93% of employees admit to violating information security policies ***
80% of employees admit using non-approved software-as-a-service applications in their jobs ****
* Gartner Press Release link
** CEB Survey of 165,000 employees
*** CEB Executive Guidance – http://www.executiveboard.com/exbd/executive-guidance/index.page?cid=70180000000anZM
**** http://www.computing.co.uk/ctg/news/2321750/more-than-80-per-cent-of-employees-use-non-approved-saas-apps-report
Cross Platform Device Management
Microsoft Enterprise Mobility Suite
Microsoft Partner Confidential – SMB LIVE 2015
Enterprise Mobility Suite (EMS)
Hybrid and Cloud Identity (enabled via Azure Active Directory Premium)
• Single sign-on across multiple SaaS applications
• Self Service Password Reset & Group management
• Security audit reports & Multi Factor Authentication
• Watch the hybrid identity demo
Mobile Device Management (enabled via Microsoft Intune)
• Mobile device settings management
• Mobile app management
• Selective wipe
• Watch the mobile device management demo
Data Protection (enabled via Azure Rights Management Service)
• Information protection
• Connection to on-premises assets
• Watch the information protection demo
Device Management, Access Control, Information Protection
What is Azure Active Directory?
A comprehensive identity and access management cloud solution.
It combines directory services, advanced identity governance, application access management and a rich standards-based platform for developers.
It is available in 3 editions: Free, Basic and Premium (Premium in EMS).
Identity as the control plane
Preintegrated SaaS apps in the application gallery
Example:
A holiday resort is using multiple social media and online travel sites to promote their offers and stay in touch with travelers. Due to the seasonality of their business, their staff changes a lot during a year, including many interns during high season. All of them require easy access to these websites.
Step 1: Using the management portal in Azure Active Directory Premium, the company easily enables new staff members to access all of the required social media and travel sites.
Step 2: With single sign-on, the team members access any of the sites quickly and easily with their same, consistent company login. The team is able to be more productive, eliminating time spent managing multiple passwords.
Step 3: Then when the off-season begins, the temporary employees’ logins are deactivated and their access to the sites is immediately shut off. If they had been using their own separate logins, they could access and make unauthorized posts to these sites. Instead, the company is protected and easily able to manage access for seasonal staff.
Mobile application management
PC management
Mobile device management
Intune helps organizations provide their employees with access to corporate applications, data, and resources from virtually anywhere on almost any device, while helping to keep corporate information secure.
Enroll
• Provide a self-service Company Portal for users to enroll devices
• Deliver custom terms and conditions at enrollment
• Bulk enroll devices using Apple Configurator or service account
• Restrict access to Exchange email if a device is not enrolled
Retire
• Revoke access to corporate resources
• Perform selective wipe
• Audit lost and stolen devices
Provision
• Deploy certificates, email, VPN, and WiFi profiles
• Deploy device security policy settings
• Install mandatory apps
• Deploy app restriction policies
• Deploy data protection policies
Manage and Protect
• Restrict access to corporate resources if policies are violated (e.g., jailbroken device)
• Protect corporate data by restricting actions such as copy/cut/paste/save outside of managed app ecosystem
• Report on device and app compliance
Maximize mobile productivity and protect corporate resources with Office mobile apps
Extend these capabilities to existing line-of-business apps using the Intune app wrapper
Enable secure viewing of content using the Managed Browser, PDF Viewer, AV Player, and Image Viewer apps
(Diagram: managed apps and personal apps side by side on the user’s device)
Maximize productivity while preventing leakage of company data by restricting actions such as copy/cut/paste/save in your managed app ecosystem
Company Portal prompt: “Are you sure you want to wipe corporate data and applications from the user’s device?” OK / Cancel
Perform selective wipe via self-service company portal or admin console
Remove managed apps and data
Keep personal apps and data intact
Customer Example:
The sales team at a small construction company is always on the go, and they often use personal mobile devices for work. The company wants to ensure company data and apps on employee devices is protected—especially when one of their sales reps leaves to join a competitor.
Step 1: A sales rep has a cell phone with company emails, contacts, and Office applications combined with personal data, apps, and family photos.
Step 2: With Microsoft Intune, the company can manage and protect all of the mobile devices and apps used at work. Intune works with Office to prevent the employee from copying sensitive data from company apps and pasting it into personal ones.
Step 3 (Selective Data Wipe): The sales rep leaves the company to join a competitor. Using “selective wipe” IT can remotely remove the company information—including customer data and business apps—from the employee’s phone without touching or losing his personal data.
Microsoft Azure Rights Management Service (RMS)
Help customers protect their information, wherever it goes.
Enable information sharing, while keeping data protected.
Help protect information sent in email by preventing viewing, editing, and forwarding.
Restrict editing, copying, and printing files to specific people and groups.
Enable customers to easily apply rights management protection to information and files.
Protect data to secure mobility: encrypt data, manage rights, enforce policy (Azure Active Directory + RMS), whether shared internally or externally.
Customer Example:
A mortgage company works with customers over phone and email to process loan applications. The company needs to make sure sensitive customer information stays protected, wherever it goes.
Step 1: To process a loan application, a mortgage broker requests a social security number and credit card details from a customer via email. The customer emails her personal data to the broker.
Step 2: With Microsoft Azure Rights Management Service (RMS), the data in the email is protected, so editing, copying, and printing the customer’s information is restricted to the broker and his immediate team.
Step 3: The broker then sends an email containing the customer’s personal data to the loan processing team. Using Azure RMS, the email is restricted from forwarding or editing. So the broker can benefit from the convenience of email, while knowing that data stays protected after he clicks the “send” button.
Enterprise Mobility Suite
Identify and authorize user
Apply device policies
Apply application policies
Apply content policies
(Components: Azure Active Directory Premium, Rights Management)
EMS IT Manageability benefits for O365 customers
Cloud and hybrid identity management / Mobile device management / Information protection
Information protection
  With O365 – RMS protection via RMS for O365:
  • Protection for content stored in Office (on prem or O365)
  • Access to RMS SDK
  • Bring your own Key
  With Enterprise Mobility Suite – RMS for O365 +
  • Protection for on-premises Windows Server file shares
  • Protection for multiple file types, such as PDF and CAD
Mobile device management
  With O365 – basic mobile device management via MDM for O365:
  • Device Settings Management
  • Selective Wipe
  • Built into O365 Mgmt Console
  With Enterprise Mobility Suite – MDM for O365 +
  • PC Management
  • Mobile App Management (prevent cut/copy/paste/save as from corporate apps to personal apps)
  • Secure content viewers
  • Certificate Provisioning
  • System Center integration
Cloud identity management
  With O365 – basic identity management via Azure AD for O365:
  • Single Sign on for O365
  • Basic Multifactor Authentication (MFA) for O365
  With Enterprise Mobility Suite – Azure AD for O365 +
  • Single Sign on for all cloud apps
  • Advanced MFA for all workloads
  • Self Service group management and password reset with write back to on prem directory
  • Advanced security reports
  • FIM (Server + CAL)
Why Microsoft?
Mobile device & app management
Information protection
Azure Active Directory Premium Microsoft Intune Azure Rights Management Service
Ping Identity
Okta
Centrify
Salesforce Identity AirWatch MobileIron
Good
KaseyaSymantec Seclore
FasooAdobe LiveCycle
EMS: One Vendor, One Contract, One SKU
Why Microsoft?
Other Options in the Market
Manufacturer Authorized Training Ensures Learning Content Matches Software
Offering the most Microsoft Official courses in Maryland –
Accepting Software Assurance Training Vouchers!
100% of Baltimore area VMware training in our classrooms
100% of Baltimore area Oracle training in our classrooms
All courses offered locally and online
eLearning
Expert Instructors
Consistently 19 percentage points higher than national average for Microsoft Certified Trainers
Tailored Curriculum
Combine chapters from multiple courses
Add company specific content
Develop hands-on labs using your data
Organizational Focus and Insight
Specific to your culture and objectives
Convenient Training
Small or large groups, in one location or many
Your Teams – Local and Remote
Offsite Locations
Distraction-free learning
Flexible Scheduling and Delivery
Formats
Instructor Led Training (ILT)
Live Virtual Training (LVT) – Attend our ILT sessions from home or work.
Project Based Training (PBT)
Informal Coaching
Dual monitors display digital curriculum and labs
simultaneously
Mobile Curriculum and Classrooms
Integration of Video
Your Teams – Local and Remote
Our Process
Account Manager • Understand your needs
Tools • Assess skill levels
Instructor • Develop content
Register • Easy registration
Attend • Your site, our site and live virtually from your home or office
Evaluate • Give course feedback using independent evaluation tool
Report • Attendance and evaluation reports
Reinforce • Post-class support
Our Process
Customized Training Curriculum
Columns: Management | Corporate/Development | Accounting | Topic
Teaching time in hours: 3.5 | 6.17 | 5
5 5 5 Introduction to SharePoint 2010
Navigating a SharePoint Site
5 5 5 Navigating the Home Page and the SharePoint Site
Navigating the Site Content Tree
Navigating the Ribbon Interface
Browsing Lists on a SharePoint Site
Browsing Document Libraries
5 5 5 Using the Recycle Bin
Working with Lists
30 40 40 Discovering Default Lists in a Site
Adding and Editing List Items
Deleting and Restoring a List Item
Attaching Files to List Items
Sorting and Filtering a List
X Setting up Alerts
Working with Libraries
35 45 35 Creating a New Document
SCAN Documents
S: DRIVE
Editing Documents
Adding Documents
X X Co-authoring
5 5 5 Creating a Picture Library and Adding Pictures
10 15 15 Checking Documents In and Out
10 10 Working with Version History - Major
10 Working with Version History - Major/Minor
X 10 10 Using Alerts
5 5 5 Deleting and Restoring Documents
Working with List Settings
X 15 X Configuring Content Approval and Versioning
Training plans
customized for
each audience in
your organization
[Chart: System Source Learning Center Instructor Top Box Graph. X-axis: months, January 2012 through October 2015; Y-axis: 0 to 1. Series: System Source MS Overall, CPLS Overall, 3 per. Mov. Avg. (System Source MS Overall), 3 per. Mov. Avg. (CPLS Overall).]
Consistently
19 points
higher!
Course Name Length
MS20346C Managing Office 365 Identities and Services 5 Days
Microsoft Office 365: Web Apps (with Skype for Business) 1 Day
Microsoft Office 2016 and 365 Private Courses
Any one-day Access, Excel, Word, PowerPoint, Outlook or Office 365
Web Apps course:
Only $143 per student for a class of 10
Save $153-$258 per student
Reserve your dates by 2/29 to secure discounted pricing!
Learning Center Offer
Evaluations
Door Prizes
Lunch!
THANK YOU!