Episode 187 – AAD Alternate Login ID and Sensitive by Default in SharePoint


In Episode 187, Ben and Scott discuss the newly announced preview for alternate login IDs in Azure Active Directory, enabling “sensitive by default” labels with DLP in SharePoint Online, and the GA of the new Microsoft Secure Score.

Episode 178 – Securing remote work using M365


In Episode 178, Ben and Scott dive into what you should think about when securing Microsoft 365 at a high level and run down the areas you’ll want to focus on first.

- [Ben] Welcome to Episode 178 of the Microsoft Cloud IT Pro Podcast, recorded live on May 15, 2020. This is a show about Microsoft 365 and Azure from the perspective of IT pros and end users, where we discuss a topic or recent news and how it relates to you. In this episode Scott and Ben take a high level approach and run down what you should consider when securing your Microsoft 365 environment, based on recently published recommendations from Microsoft.

- [Scott] Mic check one, two, three.

- [Ben] Mic sir?

- [Scott] Sure.

- [Ben] Are we checking for Mic?

- [Scott] Why not, let's do it.

- [Ben] We're gonna get Zoom bombed by mic.

- [Scott] That's how your week's gone, huh? I say mic check and you're gonna make mic jokes.

- [Ben] I'm gonna make mic jokes. You know what I got a lot of sleep last night after not sleeping the night before. So that may affect my sense of humor.

- [Scott] So either way you would have been groggy out of it. Love it.

- [Ben] Yeah, pretty much. However, I did make an upgrade to our home network today.

- [Scott] Oh, yeah?

- [Ben] Yes, I now have.

- [Scott] You renamed the WiFi from FBI Surveillance Van to Stay Away There's COVID.

- [Ben] No, but that would be kind of funny. I now have redundant internet coming to our house. It was even more nerdy than renaming the WiFi.

- [Scott] Oh, cool. So you run everything into a router that's gonna support that failover for you then?

- [Ben] Yep, I have a UniFi USG, and it has a LAN. Well, so it has a LAN and a WAN, and then a LAN slash WAN. So you can use it for whatever you want to. So right now it is set up as two WANs, and I have AT&T going into one WAN, Comcast going into another WAN. And if one of them drops, it automatically fails over.

- [Scott] Perfect. Can you bond those connections together and use them both at the same time? Or is one just strictly there for failover?

- [Ben] So technically, I could.

- [Scott] Technically.

- [Ben] Technically I could do.

- [Scott] I could have even more bandwidth. Like I can see you like the Infinity Gauntlet in your hand, you're just squeezing.

- [Ben] Yeah, I could do lots of things. So I did test it, I actually like reached over and just turned off my Comcast modem. And AT&T picked right up, and when I turned it back on, it flipped over. I could see it in all the logs where it switches your primary WAN connection. However, what I think I'm going to do, so Dan Patrick, over at CES Alliance, wrote an article about this on the Build Five Nines site. And he and I were actually talking about this and trying to figure out some of the routing. I think I'm going to stick a bunch of my family and streaming devices on one WAN connection, and keep the other one for work stuff now as all of that-

- [Scott] Gotcha.

- [Ben] All right?

- [Scott] Well, yeah, you might wanna just like separate them and keep them all on one and potentially do the failover thing, right? 'Cause then if you put one on one and one on the other, if one goes down then stuff breaks.

- [Ben] So I think and I need to go through Dan's article and probably talk to him a little bit more about how he did it, is you can do both, where it still works as a failover. And you can have them on both VNet. So it's essentially like two VNets that, you can do policy based routing, but then it still will fail over when it fails over. I need to dig through all of it a little more.

- [Scott] Gotcha. Yeah, it's a little bit of a setup to do what he was doing. 'Cause yes, he was doing a couple things with like policy based routing on his USG user.

- [Ben] Yes, exactly. So I'm gonna go through that. I may try to do that because it would also help with my other problem, which is that Xfinity limits you to so much bandwidth a month.

- [Scott] Not right now, they don't.

- [Ben] Not right now they don't. But when they do go back, so I've been paying for extra because I have a tendency to go over my allocated bandwidth.

- [Scott] I do the same thing you do. Yeah, we're limited to one terabyte, and everybody says, how do you go through a terabyte? Well, try having two kids at home who are streaming everything all the time. My job requires streaming like, what was I doing today? Oh, yeah, just doing some deployments and trying to test them locally meant downloading, not just a bunch of ISOs and doing installs, but full VHDs for environments. So those really don't zip up and compress very well. So it's easy to blow through 20 gigs in a small download. And then you kind of do that every day a couple times. And it adds up quick.

- [Ben] Yeah. So see, what you can do is you can get redundant internet. Because now you're paying almost the exact same amount. And it's like $5 or $10 more to have a second internet connection. Technically, now, instead of paying $50 for unlimited, I just have two of them, and I have two terabytes, which I don't know that I've ever gone over.

- [Scott] Only if you split your traffic the right way.

- [Ben] Right, so that comes back into some of those policy based, if I can split all my streaming over one, and all my work over another, I might be able to get away with dropping my unlimited internet and putting that money towards my redundant internet.

- [Scott] Interesting. I guess that works if you live in one of those magical places, so people internationally are laughing at us 'cause they're like, what do you mean magical place? Well, one of those magical places where you can have two internet providers. The neighborhood I live in is one of those magical places where it is Comcast or Bust.

- [Ben] I'm sorry.

- [Scott] Oh, well, I could get AT&T like DSL, but it's really, really, really slow. It's not worth it. I miss my days at firehouse, let's put it that way.

- [Ben] Fair enough. I like my Comcast, so I have the Comcast one gig. That's my main one. And that also helps you go over your internet in a hurry when you can transfer data at a gigabit per second. You can blow through a terabyte really quickly. And then my AT&T is like 50 megs, so that is most definitely my backup. And I don't know if it'll work for streaming, we'll have to see. But that is my non Cloud related not news for the week.

- [Scott] Good for you. I'm glad you're geeking out in all the right ways over there.

- [Ben] Yes, I do. Outlook add-ins are a great way to improve productivity and save time in the workplace. And Sperry Software has all the add-ins you'll ever need. The Save as PDF add-in is a best seller, and is great for project backups, legal discovery and more. This add-in saves the email and attachments as PDF files. It's easy to download, easy to install, and Sperry Software's unparalleled customer service is always ready to help. Download a free trial at SperrySoftware.com, S-P-E-R-R-Y-S-O-F-T-W-A-R-E.com, and see for yourself how great Save as PDF is. Listeners can get 20% off their order today by entering the code Cloud IT. That's Cloud IT, C-L-O-U-D-I-T, all one word, at checkout. Sperry Software: work in email, not on email. So should we get on to our topic, or do you have any not news you wanna talk about? Any Build sessions we should pay attention to now that the schedule's out?

- [Scott] So I haven't looked at the schedule for Build, but I did go through my Build attendee box and hang my lanyard up with all my other lanyards. I think in general Build will be a little bit more developer oriented this year. It looks like it has fewer kind of marketecture sessions. Like certainly there's the keynote and things in the beginning. But there's a pretty wide variety of sessions out there. Wait, I think I saw in the catalog they even have a couple of sessions dedicated to Rust. They're going in a certain way. If you are signed up for Build, awesome, go take a look at the catalog. If you are not signed up for Build, go register and put that in, and/or go view any of the videos or things afterwards. It looks like they're limiting session registrations. So some sessions are filling up, which I find funny.

- [Ben] You know what I just realized, Build's gonna be over by the time people hear this, I think.

- [Scott] Yeah, well, well they can go watch the video soon.

- [Ben] Go watch the videos.

- [Scott] They will all be recorded.

- [Ben] Yes, if you're listening to this sorry you missed Build go find videos.

- [Scott] It'll come back around again. It'll be there someday.

- [Ben] Yes, exactly. I did not get a Build box, I was not quick enough, I was too slow. Because it looks like they only sent those out to like the first few thousand attendees. I don't know how many the first few thousand is, but I was most definitely not on the box list. And I think I've seen some others that were not on the box list as well.

- [Scott] Gotcha. Yeah, so it was a, what was it? It was like a bamboo lunch box. It was some stickers, some socks, a lanyard and kind of a welcome to, oh, welcome to Build card.

- [Ben] Got it.

- [Scott] So it was a nice thing to get. But it's not like you're missing out on a free Surface Go or something like that.

- [Ben] Well, I kind of wanted the socks. But other than that, I'm fine. However, if you are listening to this, and you missed out on the Build box and you want swag, let us know via Twitter or Facebook or some way, go to the podcast, leave a comment. Because we have a ton of stickers that we don't have anywhere to give out because life has been canceled. And we will send you stickers because I have like 500 of them in my office and nowhere to go with them. So it's not Build swag, but we have swag. If you want it, let us know and we'll send it to you. Shameless self promotion of the podcast and our stickers.

- [Scott] Gotta do what you got to do.

- [Ben] Hey, it is what it is. All right, so our topic today, we previewed this topic last week. We said we would talk about it, so we probably should.

- [Scott] Okay.

- [Scott] Let's do it.

- [Ben] It's Friday afternoon. It's been a lot of time inside. Our practical guide. So this is all coming from one article that you sent me that I have not read yet, because I am way behind on my RSS blog reading, or I just didn't see this. But this is a practical guide to securing remote work using Microsoft 365 Business Premium. So last week, we had kind of talked about, hey, Microsoft 365 Business Premium is not as bad as those business plans used to be, it's probably worth going out and looking into, definitely a better service than it used to be with some of the changes, improvements, services they've added. And now there's this practical guide that gives you a whole bunch of recommendations, configurations, things to do to help secure that, especially in this world of remote work. So we said we'll kind of talk through this. If you wanna go out and buy Microsoft 365 Business Premium, you have under 300 users, and you wanna know the best way to secure it, here is some practical guidance from an article and from the mouths of Scott and Ben, and we'll see if we agree with this whole article.

- [Scott] You know, I think guidance is good. You always have to pick what you're going to implement there. I see a lot of folks who get very frustrated when service providers like Microsoft come in, and sometimes not only say, here's some guidance for you, but they potentially implement that guidance automatically. So maybe like turning on MFA for your accounts or things like that.

- [Ben] Or security defaults.

- [Scott] Or security defaults, what used to be baselines, yes, all those kinds of things. I think it's nice. Well, it's easy to fall into the trap of saying they keep turning this stuff on, so I'm just gonna ignore it and kind of go to the side, versus hey, they keep turning this stuff on, do I need to use all of it? Or should I maybe actually be using just some of it? Like, let me take a look at some of the things they're doing and see what needs to happen along the way, because your situation is gonna be different than mine. So when we break down some of the features, it's very much an it depends, or situational kind of choice for us to see where we wanna land.

- [Ben] Right. So this article kind of walks you through, and this article does that a little bit too. It helps you think through some of it. So the first part has some of these steps and actually enabling it. There's seven steps that it walks through in terms of, like, setting up your tenant, identity protection, email protection, information protection, Teams security, devices and remote access. But then as you go down, it also says, as you go through these phases, different companies, different SMBs in this case, because we're gonna be primarily looking at under 300 users due to the license constraints, fall into typically two common scenarios, although there's probably people that fall somewhere in the middle of this, they want certain features, they don't want others, maybe compliance. But they have a normal scenario, which they consider a typical business that wants to enable secure remote work, balancing kind of ease of use with security, and then a high risk one for somebody that is really trying to maximize security, maybe they have HIPAA compliance needs or other regulatory requirements that cause them to need to be significantly more secure than they are normally or than they are by default. So it gives different settings and different things to think about in these two different scenarios. And like you said, you could fall somewhere in the middle, you don't necessarily need all of these. It's gonna guide you through what Microsoft might think you need, given one of those two scenarios.

- [Scott] And these aren't the only two scenarios that are out there. So I would also encourage anyone who's interested in security guidance for Office 365 or Microsoft 365. Maybe you're listening to this and saying, well, it's great that they enable these features for Microsoft 365 Business Premium, but I might not have all these features just with my Office 365 E3 or E1 or F1, whatever it is. They actually do publish deeper guidance, and I wanna say it's way better. But it's much deeper guidance out there, for different types of organizations. So one of the ones that I like to go to for security guidance is one that's for political campaigns. So if you think about political campaigns, they're typically going to have not the most computer savvy types of folks who are gonna be your most high risk targets. Their job isn't to use computers, their job is to be politicians. And, you know, hopefully, most, fast forward a little bit.

- [Ben] The ways we could go with this discussion right now.

- [Scott] I understand that, but I look at things like that. Like, it doesn't matter if you're a politician, or you are someone who works in the HR department at your organization, like you're probably not a computing expert there either. And especially with the tools that we give you with email, and SharePoint, and Exchange, and Teams on the back end, and Yammer and all these other things. So I think a lot of those guides are super helpful as well, so I'll make sure I put a link to that guidance out there. Like I think everybody should look at the one that's guidance for political campaigns and non-profits. Like take those two and go through them and take a look at what's in there. And I bet no matter what your organization is, even if you're not a political campaign, like if you are an enterprise, a small business, a medium business, you will find some actionable guidance in there.

- [Ben] Yeah, well, I think that's a boat a lot of SMBs find themselves in. And I've had some clients too, that are not at 300. But they're five, 10, 15 employees, kind of like you said, they're not all computer savvy. They're not necessarily focused on security. Some of them may even be dealing with HIPAA stuff, you think about like a small dentist office or doctor's office or something like that, that these are gonna be really good guides for them to go through, or to have someone sit down and go through with them, to really help secure their Office 365 environment, especially given the current state of things with everybody working remotely, working from home, maybe working on their own devices at home. There's a lot of things to still think about and consider for those types of companies.

- [Scott] Just a few.

- [Ben] So should we start working our way kind of through this article and talk through some of the things that they recommend?

- [Scott] Yeah, let's do it.

- [Ben] All right, so the first area, setting up your tenant. Most people have probably already gone through this, they have one set up. If they don't, these are things you can think about setting up, or settings that if you do have it, you may wanna go in and think about configuring. So these are gonna be tasks that you've typically done when you set up a new tenant, things that you think about then. Again, you might go through and change them. So this one, when it comes to recommended settings for normal versus high risk, there actually is no difference. All of these sections are going to give you a table, and at the top they have the task, and then a column for normal and high, and then underneath they have an explanation of what you should do. So setting up the tenant, at least when it comes to just that initial setup, it talks about deciding between like hybrid and Cloud only. This one is really gonna depend not so much on if you should set it up or not, but if you have on Prem AD or not. I would argue, no matter who you are, if you have on Prem AD, you should be setting up hybrid, you should be using Azure AD Connect and syncing your tenant or your users up there. If you don't have a current AD on Prem environment, and you don't ever have plans for one or need one, there's no reason to do hybrid. So this one essentially says do hybrid, do Azure AD Connect. Yeah, as long as you have an on Prem AD controller, do it. Do password hash synchronization, enable Single Sign On, use your user principal name for your primary attribute, set up password writeback so you can do your password resets in the Cloud. If you're gonna migrate email, you can think about that. And then set up your DNS based on what you're gonna use it for. That one is pretty straightforward in terms of setting up your tenant. And I think I don't have a whole lot on that that I would say to think about, other than do you have an on Prem domain controller or not?

- [Scott] Yeah, I think one consideration there is lots of people tend to read Microsoft's documentation, and especially in areas like hybrid identity. So you'll walk down that path, you'll say, great, I have on Prem AD, I'm gonna do AD Connect. And I'm never gonna do Cloud identities for anything. Just make sure you leave yourself that Cloud identity for a break glass account, or like emergency access to your environment. So don't lock yourself all the way out of your tenant by doing something crazy along the way. But most of it's pretty straightforward. And AD Connect is about as next, next, next of an implementation as you can get these days. So especially if you just need it in its default state to get you up and going, and get your on Prem identity into Azure Active Directory, and then being able to consume those entities, so those users and groups, directly within your M365 services or your Azure services, or other services.

- [Ben] And the other thing I would say is, so this gets kind of goofy. I don't know if this gets outside of SMB or not. But as you get further down through this article, it does talk about like Windows Virtual Desktop, for doing remote access, RDP into those terminals using the virtual desktop. If you think you're going to go that route, which is like way down in the document, you may actually want to set up an AD controller, or an AD server, in Azure. So just because you may be Cloud only doesn't mean you don't want that domain controller up in Azure, especially if you are going to do Windows Virtual Desktop, because right now some type of domain controller, either Azure AD Domain Services or a standard domain controller, is required. Truth be told, a standard AD controller is cheaper and it was. And is required.

- [Ben] And is required, while you can do it with Azure AD Domain Services. But that one gets more expensive. And it's not quite as straightforward when it comes to setting things up, in my opinion, as just throw up a domain controller and sync. Throw up a domain controller, cheap VM in Azure, sync it up to Azure AD with Azure AD Connect. And then you could do Windows Virtual Desktop and some other things as well.

- [Scott] Yeah, your possibilities certainly start to open up.

- [Ben] Yeah, I actually have that running in my environment.

- [Scott] Once you give yourself some of that flexibility.

- [Ben] I'm just one person and I have it set up so I can play with stuff, test stuff out, use it for different things. So kind of once you have that set up, it talks through some of the identity protection. This gets into what you said, plan for admin access, who's that admin gonna be? Like you said, do a Cloud account. Don't do all synced accounts. Set up some dedicated admin accounts. Don't make all your users admins. The one difference they have here is going security defaults versus conditional access for normal versus high risk. I would do conditional access for everybody. I don't like security defaults, in 100% transparency.

- [Scott] If you're licensed for conditional access, it's going to give you the most flexibility. And flexibility in this case is gonna be really, really key to getting you going, and kind of being agile as you approach your implementation of zero trust and identity security within there.

- [Ben] And if you're talking Microsoft 365 Business Premium, you're gonna have conditional access, because it's now included with all your Microsoft 365 Business Premium subscriptions. So I've seen people saying, hey, I wanna do MFA. Why is it only letting me do the app? And a lot of people didn't realize or didn't catch that when security defaults became the new default, that doesn't allow MFA with anything except the Authenticator app from Microsoft. So that in itself is a reason to go to conditional access, because how many times does the app not work, you're in a spot where your phone's not giving you a push notification, if you just wanna be able to log in with a text message, or you need to give somebody else the text message, for some reason, to be able to log in as you and take a look at something. Not a best security practice, but let's face it, it happens where you need to give somebody the code so they can log in with your account for whatever reason, they're getting a text message, you wanna be able to pull a code off their phone. All of that you can do with conditional access; with security defaults, you're locked into that app.

- [Scott] Yeah, we'll just leave it as friends don't let friends do security defaults, if they have better options.

- [Ben] Yes, absolutely.

- [Scott] I think the thing there is really you're talking about kind of a range of functionality and the options that are in front of you. So depending on your licensing, should you wanna put yourself in a better posture, there is an option out there for you. It's just, it's like everything else. It has constraints and considerations. So are those gonna drive the right behaviors, or allow you to continue to do business the way you wanna do business? If the answer is no, then don't implement.

- [Ben] Yep, absolutely.

- [Scott] That's part of Cloud. Being really straightforward and self aware as you assess features.

- [Ben] Did you just use Cloud and straightforward in the same sentence?

- [Scott] I did.

- [Ben] It used to be.

- [Scott] Oh, come on, it still is.

- [Ben] Once upon a time. Okay, so what about email protection? Any thoughts on this one?

- [Scott] I think for most customers, like if you're looking at M365, hopefully you're looking at migrating the majority of your email traffic and mailboxes, and underlying workloads that are supported by those, up to Exchange Online. I think you get everything into Exchange Online and it just makes your life easier. Whether it's storage, having access to potentially EOP or other types of filtering technologies that are up there. You can do like native Office 365 quarantine, you can still use other third party quarantine services if you want to, like if Proofpoint's your thing, then go ahead and do that. It's still super flexible for you. But I think it just gives you a lot more agility when it comes to, if anything, even outside the security, just mailbox management, 'cause you're not managing those on Prem Exchange environments anymore and worrying about how much space did I consume? Am I backing everything up the right way? Did we actually test our backups and restore? And all that just kind of falls to Microsoft, which gives you some more time in your day to do the important things. You just have to be aware again of kind of like quirks of Office 365. And maybe the way like Microsoft automatically trusts other Office 365 tenants. So you might see weird spam in weird places, maybe you've got to configure some additional transport rules, but that's all pretty doable, and really, honestly, well baked and well known at this point.

- [Ben] Yeah, and this one does have a lot of different settings that they have different recommendations for based on your normal and high risk. Some of their normal ones, I would take the high risk approach when it comes to some of those things, like your DKIM and your SPF. I like my email secure. I feel like when you talk to different companies, that's the way most people get in, whether it's ransomware or getting user information or getting bank accounts. It is usually not because they guess your password. Well, that does happen. It is usually somehow through email that I feel like you hear about these breaches starting, or that's where the information initially comes out. So my opinion when it comes to email is, I would probably go with some of the high risk scenario settings, or all of the high risk scenario settings, no matter what boat you're in, because that does tend to be a point of data leakage.

- [Scott] I think one thing to consider there is, lots of people look at maybe some defaults that are here. So like enable a transport rule to block auto forwarded email. Like, all right, that gets you a little bit of the way there. But let's be honest, transport rules are way more powerful than that. I recommend, if you're looking, Microsoft doesn't give like great recommendations for default transport rules or like things you should think about implementing on top of that. Thankfully, we have fun folks on the internet, like SwiftOnSecurity, who have authored GitHub repos that are full of just really awesome anti-phishing Exchange transport rules that you can go and implement. And you do that plus quarantine, and you're in just an awesome place for kind of cutting down on all the noise that comes through in your life and hopefully making everything better for those users along the way. Right, the more that you can filter out and be sure that it's gone, the less you need to be in front of your users all the time going, don't get phished.

- [Ben] Yep, absolutely. Yeah, there's, spend a lot of time on the email security, is kind of what would come out of that. We'll put some links to some of that in the show notes as well. As IT professionals in the Cloud era, sometimes it feels like we don't speak the same language as the rest of the organization. So when stakeholders from finance or other departments start asking about a specific project or team's Azure costs, they don't always realize how much work is involved in obtaining that information. Sifting through cluttered CSVs and a complex mess of metadata in order to manually create custom views and reports. It's a real headache. On top of helping you understand and reduce your organization's overall Azure spend, ShareGate Overcast lets you group resources into meaningful cost hubs and map them to real world business scenarios. This way you can track costs in the way that makes the most sense with your corporate structure, whether it's by product, business unit, team or otherwise. It's a flexible, intuitive and business friendly way of tracking Azure infrastructure costs. And it's only available in ShareGate Overcast. Find out more on sharegate.com slash IT Pro. So the other area that's kind of along the same lines with email security is your information governance, especially if you're starting to put documents up in SharePoint, you have documents in your Teams files, which, newsflash, is also SharePoint, if people have missed that. So if you have files in SharePoint, even through emails, that information governance, policies, some of the recommendations here apply to all of the content. Some of it applies to Teams conversations, to, like we said, files, data in SharePoint, emails going out. This is when you're gonna start looking at setting up some of that data loss prevention. And they do have recommended default policies for data loss prevention. And if you do need to go to that other level where you need to start putting things like HIPAA in place, or GLBA, or CCPA, although CCPA doesn't really apply to data loss prevention, PII, all of that type of stuff, there are a lot of pre-configured data classification types that are out there in Office 365 that you can configure to help keep that data from leaking out. So this isn't about a hacker getting in, or somebody sending you a hacking email, as much as it is making sure you're not compromising information that you hold, whether it be on employees, or patients or anybody else. But protecting that with some of the data loss prevention, you have email encryption, so you can send encrypted email based on subject lines, based on auto detected information using something like sensitivity labels in Office 365. There's retention policies that can get put in place if you're in one of those companies, like a law office or CPA, where certain data has to be retained for seven years, or if you as a company need to retain your financial data for seven years, and you wanna put those retention policies on data, you can set up retention policies. Sensitivity labels, again, to classify data as a certain type of information, whether using some of the default sensitivity labels or creating your own, to really help categorize content that's within your Office 365 environment. And then apply policies to it to help ensure that that data is being handled properly.

- [Scott] There's way more to dig into on that one. I always think some of the compliance features that come up along the way, particularly once you get into like Microsoft Information Protection, it looks just like a race car zooming off into the distance, and you're kind of standing there going like, whoa, I can't see it anymore. And it's also an area that's rapidly changing. So the one thing I think, like when it comes to information governance, it's always a good idea to just do the KISS thing. Like, really keep it simple. Start small, and if you see something you don't understand or you don't know about, or you don't think it's helpful, like, just skip that for now. That's okay. Not a problem. Easy enough, you can always come back and do it later, or you can wait until there's more guidance out there. I think today, if you went and read, like, the documentation for how to implement auto classification with sensitivity labels, you'd go cross eyed and just bang your head against the desk for a while. And good luck if you can actually get it done.

- [Ben] Yeah, and maybe it's my background. But even going through this, I would consider this one, of all of their recommendations, the most complex and the most time-consuming to properly set up and configure. Like if I had to go implement this for a company, this would probably be the first one of all of these that I would go look for somebody that's an expert in information governance, taxonomies, content management to help me with, because this topic, more than the others, tends to involve different things with legal departments, with HR departments, understanding laws and regulations, and all of that. This is not a simple topic, in my mind, or as simple as all of the other security topics discussed. And like you said, if you're gonna do it, definitely start simple and keep it simple. Even if it's just starting by encrypting email and giving users the option to throw something into the subject, confidential, whatever, and encrypt email with certain information in it.

- [Scott] Yeah, I think it's a hard area to get into. Like I said, the guidance there is rough in the Docs. And if you think about a customer implementation for just about all these other areas, we could say, hey, if you have enough seats, go and do FastTrack or something like that, like there would be somebody at Microsoft who could help you even from a first-party vendor perspective. For all the time that MIP and information protection and all these features have been out, Microsoft still has not GA'd a compliance offering within FastTrack. Like they're getting ready to do it now. But it's been out for a few years in the field as a feature. So I think even from that side, you know, finding something outside of Docs or actual information, you're gonna be stuck with either blogs or consultants. And if that's not your thing, then just wait a while. It'll come eventually. Hopefully.

- [Ben] And if you love it.

- [Scott] I'm just hoping it will.

- [Ben] If you wanna get a little bit more of a complete story, I would say it is by no means in-depth, but we did have that podcast interview we did back at Ignite in September, where we kind of talked through the roadmap, 'cause this product has changed names. Its functionality has evolved. We have a whole podcast just on the whole AIP, MIP, whatever the first letter is, IP, roadmap story: where this is all going, how it's all evolved, and a few more details about some of this stuff. So we'll link to that one in the show notes as well. As the article keeps going, Scott, well, there's a lot more there. You still got Teams, you got Device Management, you've got access to other apps.

- [Ben] Access to other apps. We should at least do Teams and Device Management, or we're gonna lose our reputation for a nice 30-minute podcast. But security is important. Configuring Teams security. So some of this ties into your information governance, because you're gonna have the DLP, and it ties into SharePoint security. But there's also different things you want to think about with Teams security. And there's a couple I wanna call out on this list in particular. One is third-party cloud storage. This is one a lot of people don't realize: by default in your Teams environment, if users go to Files and add storage, they can add Google Drive, Box, Dropbox, and Citrix ShareFile. And I think I saw Egnyte is coming, not Ignite the conference, but Egnyte, I think.

- [Scott] Yes yep, that's gonna be a new one.

- [Ben] Those are all coming. And anybody in your organization by default can add those to a Team, sign up with an account, and all of a sudden you could start ending up with files in one of these third-party services and not necessarily be aware of it. Microsoft does give you the option to go in and turn all of these third-party cloud storage options off within your Teams environment so users can't add them. That is one where their recommended setting for a normal scenario is to leave it as default and let people do that. I would argue that that one should maybe even be off by default, because now all of a sudden you start having that information, data leakage into other services, especially if you're trying to get into the whole Office 365 ecosystem, do the DLP, set up the security. That's a big one, in my opinion, in this list of recommendations.

- [Scott] I'm with you there, I don't think you enable that one by default, especially if you don't understand what cloud storage services are being used within your organization. Now if there is any question where you can't walk in and say, yes, people are using Dropbox or Google Drive, or anything else, then you don't wanna just let them arbitrarily add that to Teams, and then have that option there where they can easily have exfiltration of your company's data out to those services. It's not that you still can't have that, because obviously they can open a web browser, they can drag and drop into Google Drive or whatever it is, but you're at least making them go through the extra hurdle of doing that until you can implement some of those other solutions, maybe like a CASB, or something like that.

- [Ben] Yep, a couple other ones you may wanna think about: Guest Access, if you're gonna allow your users to invite guests into your Teams environment. Teams creation by users, are users allowed to create teams on their own. If you're doing Office or Microsoft 365 Business Premium, you're gonna have the MS, which means you have AD Premium, which means you can go limit group creation, which would in turn limit Teams creation, so not anybody could do that. External chat, if you're gonna allow users to chat with other Teams users, external users, external Skype commercial users. And then you do have a bunch of policies you can go configure as well around what people are allowed to do in Teams, in terms of what types of messages they can use, what types of add-ins they're allowed to use. Different settings there, but I think users creating Teams, third-party cloud storage, and possibly external chat are some of the bigger ones there that you probably wanna think about going in and configuring when you're getting going.

- [Scott] Yeah, I think they're the most light-touch too. When you get into the messaging policies, there's so many of them. And I think it's easy to get lost in the sea of configuration options that's available to you. And then once you go down the path of customizing messaging policies and meeting policies and settings and things like that around them, all of a sudden you're off the beaten path. So you might not get Microsoft's defaults in the future. You have to pay attention when new defaults come, or those features that you want, don't want, which accounts do you apply them to? It's a lot more operational overhead for you.

- [Ben] Exactly. And then if you are using Teams, and there's files involved, there's the whole SharePoint side to think about too, with the files in SharePoint. Device security, this one also can be very complicated depending on what you wanna do with devices. I think there's some simpler things you can do there, especially with some of the main policies that we've talked about before. It's been a while, but there's a lot of things you can do around managing devices without, sounds funny, managing devices without actually managing devices, and more managing the data and the apps that are on those devices.

- [Scott] Yeah, well, I mean, we've talked about that in the past. I think it's all about your posture and, are you BYOD, like, how do you view that for your organization? And where do you wanna be, heavy-handed or not heavy-handed within there?

- [Ben] Yep, sorry. And it's not MAM anymore. If you don't look for MAM, look for app protection policies. And if you want the acronym for app protection policies, that's APP.

- [Scott] Yes, why would it be called the same thing that all the other vendors call it? That would be too easy?

- [Ben] Yeah, I mean, you do have Intune. So if you do wanna do the whole full-blown Device Management, you can use Intune. You can do Device Management. Most of the time, like we said, app protection policies and Conditional Access combined can do a lot to really help secure your data when it comes to different devices, mobile devices, that type of stuff. So that's always where I start with clients when I start looking at that: those app protection policies and Conditional Access.

- [Scott] Yeah, I mean, they're easy to get going with, like they're nice, they're consumable, and to a certain degree you can next, next, next your way through a lot of those.

- [Ben] Yep, absolutely. And then the last step they have in here is securing access to other apps. I would say this one also gets a little bit more complex. They start talking about split tunneling your VPN, setting up single sign-on with third-party apps, standing up Windows Virtual Desktop. These are gonna be a little bit more complicated. Some things may be a little bit more costly, something like Windows Virtual Desktop: while the licenses are free for Windows and the apps, you're still gonna have to go start setting up Azure, paying for VMs, that type of stuff. I will say though, that Windows Virtual Desktop, in terms of configuration and standing up, is relatively simple. I've done it in about four or five hours. I actually have one set up right now that I was gonna use for a demo. I have like five different test users, they can all log in, they can get into different desktops, use Office 365, use Teams. It's a nice solution if you're a small business looking for a VDI-type solution.

- [Scott] Yeah, I mean it's turnkey, and if you're getting into it today, you're getting into the new version of it, so you don't have to migrate, which is nice.

- [Ben] Yes, and you can actually configure it in the UI, instead of having stuff that's only visible within PowerShell.

- [Scott] Well isn't that nice.

- [Ben] I like nice GUIs. But yeah, the Azure AD single sign-on with those small business plans, you're going to have that option. There's usually some configuration that goes in there, and sometimes it's also how you're licensed with those third-party apps, and if those third-party apps support Azure AD single sign-on. A lot of them do, I think there's over 3,000 cloud apps or other apps that are listed in Azure that support single sign-on, but some of those you do have to upgrade to higher licensing levels for those other cloud apps in order for them to support single sign-on. So it's not just "I have Azure AD single sign-on capability, so I can go do this with all the other apps"; it's do those other apps support it, am I licensed for it in those other apps as well.

- [Scott] Yes, yeah, it's a little bit of a rabbit hole for that one.

- [Ben] Yep. So that hits all of the topics in this article. Again, definitely go check it out if you're looking to enhance your security posture, you wanna know are you following some of the recommendations. Let us know if you have any questions about it, 'cause that was a high-level overview of all of them. And with that, we didn't do too bad, Scott?

- [Scott] No you did good. I don't know how I did. But you did great.

- [Ben] You did fine. I don't think I have anything else. We can wrap it up at 45-ish minutes.

- [Scott] Excellent. Thanks Ben.

- [Ben] All right. Thank you Scott, go enjoy your day, enjoy your weekend. As always stay healthy, and we'll talk to you next week.

- [Scott] Have a good one.

- [Ben] If you enjoyed the podcast, go leave us a 5-star rating in iTunes. It helps to get the word out so more IT pros can learn about Office 365 and Azure. If you have any questions you want us to address on the show, or feedback about the show, feel free to reach out via our website, Twitter or Facebook. Thanks again for listening, and have a great day.


Episode 154 – Azure AD Security with Ramiro Calderon and Stefan van der Wiele

In Episode 154, Ben and Scott sit down at Microsoft Ignite with Ramiro Calderon, Principal Program Manager – Azure Active Directory, and Stefan van der Wiele, Senior Program Manager – Azure Active Directory, to talk about Azure Active Directory and how as the core of authentication for Office 365, Azure, and Microsoft you can configure your tenancies in a secure and usable way.

Episode 126 – Privileged Accounts In Azure AD The Right Way

In Episode 126, Ben and Scott dive into a listener question about how to handle privileged accounts in Azure Active Directory and its associated workloads such as Office 365.