In this session I reflect on what Azure AD brings to the table for small businesses and give an introduction to the key services in each tier of the identity platform to improve your security posture, improve onboarding/offboarding and enhance productivity through governance.
What small businesses need to know about Azure AD premium
1. MICROSOFT 365
Virtual MARATHON
May 27 & 28, 2020
36 hours / 2 days
What small businesses need to know about
Azure AD premium
Miguel A. Tena
Office 365 Consultant, 2toLead
@mikeware_tena
Brought to you by:
The Global Microsoft Community
M365VirtualMarathon.com | #M365VM
2. Mark Your Calendars:
March 23-25, 2021
MGM Grand Resort
Las Vegas, Nevada, USA
M365Conf.com
#M365CONF
The SharePoint Conference is now The Microsoft 365 Collaboration Conference
4. Miguel A. Tena
Office 365 Consultant, 2toLead / Digital Workplace Crusader
Participated in TAP for Office 12, immigrated to Canada in 2010.
Focused on M365, Identity, and SharePoint/Teams.
Born in Mexico City, “se habla Español”
LET ME INTRODUCE MYSELF…
5. Visit the Vendors Booth, Sessions and Watch the Videos
Submit Your Answers to Enter the Raffle
You need at least 5 correct answers then submit for a chance to win one of 3
(One in each Americas, APAC, EMEA)
ARE YOU READY FOR A RAFFLE?
We are giving away 3 Oculus Quest All In One!
https://bit.ly/m365raffle
6. CONSIDER DONATING TO THE FOLLOWING CHARITY RELIEF FUNDS:
UNITED WAY OR INTERNATIONAL MEDICAL CORPS
THANK YOU FOR JOINING US!
10% OF FUNDS FROM SPONSORS GO TO SUPPORT COMMUNITY RELIEF
United Way: https://give.uwkc.org/M365VM
International Medical Corps: https://bit.ly/MedicalCorpsFund
9. In April 2020, nothing changed.
10. Or did it…
12. May 27 & 28, 2020
Miguel Tena | EN
#M365VM
LET’S CHAT ABOUT…
What is Microsoft 365 Business? Is it right for my business?
What is Azure AD (Premium)?
Pain points of the “new normal”
Where can Azure AD Premium help my business?
Key next steps
13. M365 = Productivity + Device Management + Security
Productivity = Office 365
Device Management = Intune
Security = Azure Active Directory
Business suite for < 300 seats (licenses)
What is Microsoft 365 Business? Is it right for my business?
14. Azure AD is your cloud-based identity and access management service.
If you have Office 365 or M365, you already have one.
Can help you secure:
External Resources: Azure, Office 365, 1000s of other SaaS Applications
Internal Resources: apps in your organization
What is Azure AD?
16. Remote work is exploding, but the pandemic only accelerated an existing trend of the “gig” economy.
Global Talent Pool
Onboarding/Offboarding
Just enough access
Work from anywhere
Opportunities and Pain Points of the “new normal”
17. Safeguard corporate assets and information in a geo-dispersed organization
Monitoring for information, security and device management
Auditing, compliance and security
Opportunities and Pain Points of the “new normal”
18. Reduce your time to productivity
Provision assets (corporate/BYOD)
Provision access (guest/Internal)
Opportunities and Pain Points of the “new normal”
19. Ensuring the right people have the right access to apps and information
Standardize the creation, naming and use of groups to improve productivity and governance.
Support a remote workforce by simplifying tasks such as password resets, access to company resources, etc.
Where can Azure AD Premium help my business?
20. Single Sign on (SSO)
User (and group) management
Device Registration
Cloud Authentication
Azure AD Connect Sync
Self Service Password change for cloud accounts
Password Protection (Global banned password)
Azure AD Join for desktop SSO
Multi Factor Authentication
Basic reporting
Azure AD B2B
Core Services in Azure AD
22. AZURE AD REGISTERED VS JOINED DEVICES
Join Model | Ownership | Org sign-in to device required? | Applies to | SSO | Device Management
Azure AD Registered | User/Org | No | BYOD, Mobile: Win 10, iOS, Android, MacOS | Cloud Only Resources | MDM (Intune)
Azure AD Joined | Org | Yes | Windows 10 Devices | Cloud + On-Premises Resources | MDM, Co-managed with Intune + Endpoint Config Manager
Hybrid Azure AD Joined | Org | Yes | Win 7-10, Win Server 2008 R2 - 2019 | Cloud + On-Premises Resources | GPO, SCCM and/or Intune
24. AD Connect Sync
Synchronize identities (users/groups) from your on-premises Active Directory
Sign-in methods:
Password Hash sync (auth on cloud using sync)
Passthrough Auth (auth happens on-prem using agent)
Federated auth (ADFS)
AD Connect Health
Monitor Federation service health
Azure AD Connect
28. Branding (login/logout)
Self Service Password reset for cloud accounts
Backed by SLA
Device write-back (two-way)
I & AM for Office 365 apps - Azure AD
30. Provide a personalized experience
A hint for users to avoid being “phished”
Culture starts at the door. In remote work environments, the sign-in page is the doormat.
Apply your brand to your sign-in experience
35. Password protection (custom banned password)
Password protection for Windows Server Active Directory (global & custom banned password)
Self-service password reset/change/unlock with on-premises write-back
Group access management
Microsoft Cloud App Discovery
Azure AD Join: MDM auto-enrolment & local admin policy customization
Azure AD Join: self-service BitLocker recovery, enterprise state roaming
Advanced security and usage reports
Azure AD Premium (P1 - Now Included!!!)
36. Password protection (custom banned password)
Password protection for Windows Server Active Directory (global & custom banned password)
Azure AD Premium – Password Protection
37. • Users reset their expired or non-expired password without admin or helpdesk support.
• Writeback allows management of on-premises passwords and lockouts through the cloud.
• Activity reports for:
  • SSPR registration
  • Password resets
Azure AD Premium – Self Service Password Management
39. Provide access to:
Cloud Apps
On-premises apps (requires App Proxy)
Resources: role assignments in Azure, Office 365, other SaaS apps, etc.
Groups synced from on-prem are managed there.
Distribution lists and email-enabled groups are managed in the Exchange admin center or the M365 Admin portal.
Azure AD Premium - Group access management
40. Direct assignment
Group assignment
Rule-based assignment (aka Dynamic groups)
External authority: on-premises AD or other SaaS apps manage group membership
Azure AD Premium – Types of Rights Assignment
41. Enable remote users to access (with SSO) on-premises (internal network) resources from a remote client.
Instead of a VPN, it uses a Proxy Service in Azure and a connector on premises.
Can be used with:
Web applications that use Integrated Windows Auth, form-based or header-based access
Web APIs
Applications hosted behind a Remote Desktop Gateway
Rich client apps using ADAL.
Azure AD Premium – Application Proxy
43. Monitor and assess usage of the cloud applications your workforce uses.
Detect shadow IT, risky usage and suspicious activities.
Apply governance for sanctioned/unsanctioned apps.
It analyzes traffic logs and can report on over 16k known apps.
Integration with major proxies/firewalls (Zscaler, Juniper, etc.) and Microsoft Defender ATP
Can enforce access to applications using Conditional Access Policies
Azure AD Premium – Cloud App Discovery
45. MDM auto-enrolment & local admin policy customization
Enforce enrolment in your MDM (Intune) to manage devices and set up policies
Configure local admins so Help Desk and IT personnel can access devices
Self-service BitLocker recovery
Users can retrieve their BitLocker key without requiring help desk/IT support
Enterprise state roaming
Ability to take settings (apps/themes/etc.) across devices
Azure AD Premium – Azure AD Join
47. Security Reports
Users flagged for risk: user accounts that might be compromised
Risky sign-ins: sign-in attempts by someone other than the account owner
Advanced security and usage reports
All types of Azure AD licenses provide some level of reporting. Premium licenses allow for additional details and/or control.
48. Activity Reports
Audit logs: history of every task performed in your tenant.
Sign-ins: correlate tasks with who has executed them
Advanced security and usage reports
49. Dynamic groups
Group creation permission delegation
Group naming policy
Group expiration
Usage guidelines
Default classification
Azure AD Premium - Advanced Group access management
51. Allow users in the organization to create and manage groups.
This is usually on for everyone by default.
To prevent group sprawl, it can be restricted to a few members.
Users allowed to create groups require Premium licenses.
Group creation permission delegation
53. Prefix-suffix naming policies
Fixed, e.g. group_[GroupName]
User attributes, e.g. O365G [Department] [GroupName]
Supported: [Department], [Company], [Office], [StateOrProvince], [CountryOrRegion], [Title].
Blocked words: a list of phrases to be blocked in group names and aliases, e.g. CEO, projectX.
Group Naming Policy
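As an added illustration (not code from this session or from Microsoft), a small Python model of how the prefix-suffix policy and blocked-word list on this slide would be applied to a proposed group name. It assumes a policy template that contains [GroupName], that a user attribute missing from the user record expands to an empty string, and whole-word, case-insensitive matching of blocked words against the user-entered name only; the template strings, user record and names are constructed.

```python
import re

# The user attributes the naming policy supports, as listed on the slide.
SUPPORTED_ATTRIBUTES = {"Department", "Company", "Office",
                        "StateOrProvince", "CountryOrRegion", "Title"}


class NamingPolicyError(ValueError):
    """Raised when a policy template is invalid or a proposed name is blocked."""


def expand_affix(affix: str, user: dict) -> str:
    """Replace every [Attribute] token in a prefix/suffix with the creating
    user's value. Assumption (not stated on the slide): an attribute the
    user record lacks expands to an empty string."""
    def substitute(match):
        attr = match.group(1)
        if attr not in SUPPORTED_ATTRIBUTES:
            raise NamingPolicyError(f"[{attr}] is not a supported attribute")
        return user.get(attr, "")
    return re.sub(r"\[(\w+)\]", substitute, affix)


def find_blocked_words(name: str, blocked) -> list:
    """Return the blocked phrases present in the proposed name.
    Assumption: whole-word, case-insensitive matching, so 'projectX'
    blocks 'ProjectX plan' but not 'ProjectXYZ'."""
    hits = []
    for phrase in blocked:
        pattern = r"(?<!\w)" + re.escape(phrase) + r"(?!\w)"
        if re.search(pattern, name, re.IGNORECASE):
            hits.append(phrase)
    return hits


def apply_naming_policy(template: str, group_name: str, user: dict,
                        blocked=()) -> str:
    """Check the user-entered name against the blocked list, then wrap it in
    the expanded prefix and suffix taken from a template such as
    'O365G [Department] [GroupName]'. Assumption: the blocked-word check
    runs on the user-entered name, not on the policy's own prefix/suffix."""
    if "[GroupName]" not in template:
        raise NamingPolicyError("policy template must contain [GroupName]")
    hits = find_blocked_words(group_name, blocked)
    if hits:
        raise NamingPolicyError(f"'{group_name}' contains blocked word(s): {hits}")
    prefix, suffix = template.split("[GroupName]", 1)
    return expand_affix(prefix, user) + group_name + expand_affix(suffix, user)


if __name__ == "__main__":
    # Constructed sample policy and user record, not real tenant data.
    policy = "O365G [Department] [GroupName]"
    blocked_words = ["CEO", "projectX"]
    finance_user = {"Department": "Finance", "Title": "Analyst"}
    print(apply_naming_policy(policy, "Budget 2020", finance_user, blocked_words))
    try:
        apply_naming_policy(policy, "ProjectX kickoff", finance_user, blocked_words)
    except NamingPolicyError as err:
        print("rejected:", err)
```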
54. Groups can be set to expire after a certain period of inactivity.
Active groups are automatically renewed based on activity in:
SharePoint (view, edit, move, share or upload)
Outlook (join, read/write a group message from the group space, like a message in OWA)
Teams (visit a Teams channel)
Owners of groups near expiration receive email notifications 30, 15 and 1 day prior to expiry and can renew the group by just clicking in the email.
Group Expiration
56. Provide guidelines for using groups on group creation.
Can be defined for Guests and internal users.
Link is shown on any area where groups can be created.
Usage Guidelines
58. Define your Information classification for groups
For example:
Top Secret
Confidential
Operational
Public
Set a Default Classification for new groups
Default Group Classification
59. Conditional Access based on group, location and device status
Azure Information Protection integration
SharePoint limited access
Terms of Use (set up terms of use for specific access)
Multi-factor authentication with conditional access
Third-party identity governance partners integration
Azure AD Premium - Conditional Access
63. Classify and secure information based on labels.
Enforce certain rules such as forwarding, printing, etc.
Integrates with Conditional Access to ensure content with a specific label is accessed only under specific conditions.
Azure Information Protection
65. Using Conditional Access, you can set up rules that prevent access to SharePoint sites and OneDrive for users in certain groups or under certain conditions.
Access can be limited globally or on a per-site basis.
Advanced scenarios cover types of actions such as restricting editing, browse-only viewing of files, limiting file previews, etc.
SharePoint limited access
67. Present legal disclaimers or terms of use for legal or compliance purposes.
Track who has accepted/declined the terms of use
Associate by group or conditional access policy
Terms of use
71. Ensure you have M365 Business.
Leverage key resources to get started:
Microsoft Tech Community
Microsoft Docs
Partners
Have a plan, no need to light everything up on day one.
Consider change management/adoption
Key next steps
72. THANK YOU FOR JOINING US!
DO YOU HAVE ANY QUESTIONS?
Let’s Connect!
@mikeware_tena
Device write-back (device objects two-way synchronization between on-premises directories and Azure)
What Azure AD license do you need to access a security report?
All editions of Azure AD provide you with users flagged for risk and risky sign-ins reports. However, the level of report granularity varies between the editions:
In the Azure Active Directory Free and Basic editions, you get a list of users flagged for risk and risky sign-ins.
The Azure Active Directory Premium 1 edition extends this model by also enabling you to examine some of the underlying risk detections that have been detected for each report.
The Azure Active Directory Premium 2 edition provides you with the most detailed information about the underlying risk detections and it also enables you to configure security policies that automatically respond to configured risk levels.