Index:

1. Security and Compliance center
2. Service Encryption
3. Advanced E-Discovery
4. Windows Virtual Desktop, RDMI & Windows 10 Multi-User

Security and Compliance center

Microsoft covers a big part protecting us from malicious tools and attackers, but there is still a part that we must do. And I can tell you that it is the most important part, like activating MFA, encrypting sensitive data etc. This slides covers what Microsoft does and what you have to do.

So about the part that we are responsible of, Microsoft provides us multiple tools. How do AIP and OME help with compliance? Check this slide.

There are certain scenario’s that you don’t want that Microsoft manages your key. Some regulatory reasons might require you to manage your key so the security is end-to-end. BYOK might be sufficient since you can store your own key in Azure Key Vault. If that isn’t even good enough you have the HYOK where you store it on-premises. Keep in mind that this option is much less flexible. You only have access to your secured documents as long as you can reach the on-premises key for decryption. Here is an overview of licensing.

Here is a great overview of BYOK. It makes clear that it is as flexible as the Microsoft-managed keys, but it does give you more overhead since you need to manage the key now.

Some good insights when using BYOK.

Service Encryption

Some good news, if we use the Microsoft-managed keys or BYOK, we will have service encryption in Exchange Online, starting to rollout in January 2019 (already available in SharePoint). Once we create a Data Encryption Policy (DEP), It will encrypt our data at storage level. This is required if you want to meet compliance.

Advanced E-Discovery

With the advanced E-Discovery set in Office 365 by using the analytics, we can further minimize the data. It will deduplicate data for example and only present us with relevant data. We are also presented now with a much better E-Discovery dashboard. We see what kind of data the hold holds, but we are also able to communicate with the persons in a specific hold, make searches in it etc. Great improvement!

Now creating a Legal Hold is doable, but not that easy. But it will be! Here is a great overview of how it is now and how it will be very soon.

So these are some great new features! For sure you will see a more in-depth bog when it’s available.

Windows Virtual Desktop, RDMI & Windows 10 Multi-User

Now also a little bit of info about Windows Virtual Desktop, as I can imagine you want to see some updates about this as well. One of the bigger announcements is Windows 10 Multi-User within Windows Virtual Desktop, so you will connect to shared hardware. If you spin up a Windows Virtual Desktop, you can decide how many users you want to connect to that VM which makes it a lot cheaper. There will be a Windows Desktop Calculator soon which gives some recommendations of this, based on the chosen size.

Automatic scaling will be available as well. You can auto scale based on two methods: Breath Mode and Depth Mode. The Breath Mode needs reserved instances so turning off a Virtual Desktop doesn’t help you. However, this can still be cheaper, that’s something you need to calculate. The Depth Mode is based on activity. If no users are logged in anymore in a Virtual Desktop, it will automatically turn off the VM and it will save you money. On the other hand if it’s too busy, it will spin up some new VM’s.

Windows Virtual Desktop will be available through the Azure Marketplace.

The post Microsoft Ignite day 5 appeared first on Erjen Rijnders.

Index:

1. Azure Blueprints
2. Intune Data Warehouse
3. Intune and Android Enterprise Management
4. Android Management API
5. Integrated Information Protection in external sharing SharePoint and OneDrive
6. Experiences with going password-less

Azure Blueprints

With Azure Blueprints, announced very recently, you will get a blueprint that if you spin up a new subscription, you deploy the same policies, templates, security etc. In larger organizations, this is very helpful, you have your exact company policies spinned up in minutes! To activate this, go to the Azure Portal > Policy > Blueprints – Blueprint Definitions.

Intune Data Warehouse

At some point, if you are using Intune, you will face the problems generating reports in Intune. Fortunately, we have Intune Data Warehouse. I visited a session today at the Ignite Expo where I saw some great reports so let’s see how we actually start using Intune Data Warehouse. Go into the Azure Portal > Intune and on the right, Click “Set up Intune Data Warehouse” and click “Download Power BI file”.

If the data is processed, you can directly start creating custom reports in Power BI. It’s just that easy. I know this is not new, but really, we should start using this a lot more so that we can get in-depth reports about our devices in the organization.

Intune and Android Enterprise Management

In this session, some really great features are announced! Android Enterprise is evolving for sure. In Android Nougat (Android 7.0), we had the availability for Work Profiles in Android Enterprise, which we used a lot and worked great. Android Oreo (Android 8.0) took this even to a next level. Here you have a great overview of the new features each version.

Google discourages non-Work Profile as well because it requires Device Admin for the Intune App. that means that if we use the android App Managed mode, the user needs to give Device Admin rights to the Intune app and it needs to go through a lot of “Accept” screens as well. That scares of the user and we want the opposite. So you should use the “Work Profile” in Android Enterprise in my opinion if you use BYOD. You can separate apps from personal in this mode, you even create containerized apps which means that you could prohibit copying work information to personal owned apps.

Now if you have corporate owned devices, you have three options and later this year, you have four. The third is Dedicated mode (it’s basically a kiosk mode). With Kiosk Mode, the user has no flexibility at all. It can only open the apps provided by the company. This is, however, very functional in certain security related scenario’s. The last one, Fully Managed, will be available for preview this year. This gives you great user experience and manageability, integrated with the Androind Management API (see next chapter).

Android Management API

another great feature is that the Android Enterprise devices now communicate with the Android Management API. this means that Android and Intune can now provide updates and new functionalities at a speed that was never possible before.

I am getting a little bored if I read my blog again for readability if I keep saying: another great feature! But how do I say this else, here is another great feature, Managed Google Play! This provides mobile app management in Android Enterprise, including silent installs for required apps. We can also now control over what apps ends users can install in work context. In addition to this, we have the possibility to fully configure, for example the Outlook app, before it gets installed on the client device. The Managed Google Play will be available through the Intune Portal. No separate login necessary.

Google developed zero-touch with Intune. This is available with any Android Enterprise corp-owned deployment. This already works today with the dedicated device scenario and Android 8. This has some great feature updates however. If you go to https://partner.android.com, you can automatically assign a device to corporate policy and assigning a device to your company is going very smoothly. Check the screenshots below.

Integrated Information Protection in external sharing SharePoint and OneDrive

Wow, I never saw so many new features on such a relatively small part of a product. The session was 75 minutes but it didn’t bore me a minute! They received a big applause as well, so let’s start.

Smart People Picker and sharing

The first new feature we have this year is the Smart People Picker. If you share a link, you will be presented with suggestions of people that SharePoint thinks you want to share the document with. Machine learning is behind this so it will take some time to present you with the right results, but it will get there (if it’s not there already). This sharing experience will be exactly the same on mobile and the same experience is built in Microsoft Teams. Sharing capabilities supports branding now which is integrated with the Azure AD branding functionality. So if you already configured that, it will work right away, as soon as this feature is rolled-out globally.

Link Reminders

Another feature that we were actually missing (but didn’t realize I did miss it till now) is that if someone opens a link, we can get a confirmation email that the link is clicked. If you share a link, it’s possible that the receiver didn’t open the link yet. There is a 95% change that if the link isn’t opened in 7 days, it will never be opened. So now we can configure automatic reminders that tells you if the link is not opened yet. Another new feature is that you can set a custom message on the “request access” page if you are trying to access a specific site or document.

One-time passwords on link sharing

Link sharing has further improved security. You can configure a one-time password for opening a document. It’s great for reviewing and for making sure that the recipient can only watch it once. Also, we can set per site specific sharing setting. Currently, if you disable the “Anyone” sharing setting, it’s effective for your whole tenant. So now it’s possible to configure this per site.

Block file downloads

The next feature is in my opinion the best feature. We can block downloads on a file and make it read only. With this new “Information Protection” possibility, we can fully control our documents and still collaborate in that same document. If you enable this setting, the file cannot be downloaded, printed, copied etc. Before, this was only possible if we classify documents and apply encryption. There was no other way of keeping control of your files. Now it’s possible without Azure Information Protection.

Collaboration improvements

Collaboration is an important part of our job every day and I am happy to tell you that collaboration in SharePoint and OneDrive is extended big time. For example if you are working in a PowerPoint presentation and you like having someone else checking your slide, you just mention someone at the side of the slide like you are used to be now. Use the @name format and the person will be notified by email immediately. This works for Office apps on Windows soon and will come later this year for MacOS as well.

In Microsoft Teams, we also have a new functionality. If we are uploading new files, we have the possibility to notify team members that you uploaded files.

Admin control settings enhancements

For the admin, we have more settings now we can control.

Expiring links for external access

And last but not least, we can set expiring links for external access! I think this is a really good feature because I get the question a lot: how can I keep control of shared files externally. Of course there are ways like Cloud App Security, make a person responsible for checking shared links etc. But why not just let the link expire? For example after 6 months? Sounds totally reasonable to me. If there is access needed after that time, you can just re-share the link.

Experiences with going password-less

Well, this one gave some new insights about the password-less world. Microsoft wants to get rid of passwords with good reasons, but it’s not that easy. Microsoft presents you with 4 simple steps:

1. Implement Windows Hello For Business
2. Reduce user-visible password surface area
3. Transition into password-less deployment
4. Eliminate password from identity directory

And this is all assuming that you can even make it to step 4. The biggest problem is with your on-premises apps. It can be very hard to transform these apps to password-less sign in so keep that into account. The non-marketing way of achieving this is a lot harder.

The post Microsoft Ignite day 4 appeared first on Erjen Rijnders.

We have some great new features in Azure AD Conditional Access, they are really taking it to a next level. Conditional Access has now tight integration with Cloud App Security. It’s now possible to fully control and secure our data and information when you collaborate with a partner (B2B) or within your own tenant.

Index:

1. Azure AD Conditional Access
2. Cloud App Security integration with Windows Defender ATP
3. Microsoft Secure Score
4. Identity Protection
5. Intune Updates

As you might probably now, Cloud App Security has tight integration with SharePoint already but now we can control on file level if a download for example is allowed or not. Check this screenshot below from the Ignite presentation:

Another great update is that we can now enable Conditional Access App Control for Office applications. Before this was only possible with SAML-based apps. Based on the risk level of a user’s session, information can be accessed or blocked. Also risky OAuth applications can now be blocked with Cloud App Security. These updates make Cloud App Security even more powerful. If you aren’t using it right now, you should! It makes your organization a lot more secure.

Well, enough updates around Conditional Access right? It goes even further. We can not only control Exchange, but specific mailboxes within an account. The command runs as follows to enable this feature:

This command does not work yet and to be honest, I am not sure what it will actually do as I cannot test it yet. But I expect we will have some sub-commands in the near future to further control this.

Cloud App Security integration with Windows Defender ATP

Cloud App Security is now integrated with Windows Defender ATP! At first, we needed to install a Cloud App Security client which was too much because we had already so many clients installed. So they came up with the Cloud App Security broker which was an improvement on the client side, but then we needed to proxy all our traffic through it. We now we have the best solution, integration with Windows Defender ATP! I personally love this because configuring a separate gateway is no longer necessary. All traffic can be routed through Defender ATP (and the Defender client is installed by default with Windows 10). This is a great way of securing your information and it makes controlling your devices very easy. Here you can see information is being fed from Windows Defender ATP.

In Windows Defender ATP, you only have to enable this.

After enabling this setting, it will Cloud App Security feed traffic and device information from Windows Defender ATP.

Microsoft Secure Score

We have heard in almost every session that we should enable Microsoft Secure Score. I do agree that we should enable it on all our tenants (so I am telling you again now :)) and it is also enabled now through Azure Active Directory (you can go to https://securescore.microsoft.com/ as well). It looks like this:

It looks good and it will only show the score that you have access too. Like if you don’t have EM+S E5, you won’t see identity protection related security scores.

Identity Protection

Identity Protection does now have integration with Azure ATP. Azure ATP is a security service based on DNS checks. Risky sign-ins from these two products can now be viewed from a single panel. And of course, we can apply conditional access on this. If Azure ATP feeds Identity Protection with a risky sign-on, it can be blocked, based on your Conditional Access settings. Combining these two sources, you have a very powerful solution. You see all high risk devices and users and all items that needs attention are presented through one combined interface.

Intune updates

As you might know by now is that my main focus is within the “Information Protection” field which includes parts of Cloud App Security and Intune as well. So I wanted to post some updates around Intune, Windows Information Protection (which is part of Intune) and device management. That’s why I visited the session “What’s new in Windows 10 mobile device management (MDM)” . But right from the start I thought: Are we really going to do this for 75 minutes? I barely heard anything new and I love to share new stuff to the world. For example the presenter said that we should focus on co-management, 1 of 3 points she gave as a call-to-action. Isn’t this already possible for years now?

Also, we were presented slides like this:

Really? I want to see what’s NEW. Anyway, a little good news however, Kiosk mode control is now generally available and we will get better security baselines for Microsoft Intune. Maybe you have another opinion about this session, I would love to hear from you through comments below.

So this is basically it. We saw a lot of sessions but a lot of sessions presented content already covered in day 1 and 2. I don’t expect much more announcements in day 4 and 5. Maybe I will wrap them together in one blogpost, depending on the content of tomorrow.

But still, Ignite brought me definitely the sessions above expectations!

The post Microsoft Ignite day 3 appeared first on Erjen Rijnders.

Because this is such a great feature (within Microsoft Information Protection), I will dedicate a seperate blogpost about this, instead of processing this in the Ignite Day 2 blogpost (which you should still read by the way for an overview of selected updates).

All the labeling and encryption technologies throughout the Microsoft stack (currently Windows Information Protection, Office Information Protection and Azure Information Protection), will be manageable from one interface: https://admin.microsoft.com and will be called Microsoft Information Protection. At the end of this year, we should have it all. But not only that, we will also have native labeling and encryption with all Microsoft Office apps! So also on Mac, Android and iOS. That’s very cool right? Notice that if you want this native encryption without installing the AIP client, you should use Microsoft Information Protection. Those labels are cross-application compatible. Microsoft will bring out some sort of migration possibility from AIP to WIP by the way.

Index:

1. Unified labeling
2. Sensitivity Labels
3. Retention Labels
4. Conclusion

Sensitivity Labels

Microsoft is now using one unified way for labeling: Sensitivity label. This label is customizable as you are used to with Azure Information Protection. So let’s try it out how this new unified way of labeling works.

Go to https://protection.microsoft.com > Classification > Labels > Sensitivity > Create a label.

Name your label.

Here you have basically the same options as with Azure Information Protection in the Azure Portal.

Here starts a great unified feature, enable Windows Information Protection!

Again, a great unified feature, enable Office Information Protection.

Last but not least, enable auto labeling as you are used to configure with AIP in the Azure Portal.

After this, you should publish your label.

To me, this is really a step up. Now we still have some highly requested items, like add dynamic permissions in WIP but that will come for sure (since it’s already available in Office Message Encryption).

One caveat for now, this label is not synced yet to Exchange Online so you cannot use it with Exchange rules. Hopefully they will solve this very soon since they only made these new functionalities available yesterday.

Retention labels

But that is not all, we also have retention labels now which have some very cool features. Let’s check it out. Click on retention labels and click Create a label. You will be presented with some groundbreaking features: Trigger a disposition review!

If you select this option, you give the choice to an admin, he or she can decide if that specific document must be deleted or kept. Like if job interviews are still open, you might want to hold the CV’s a little longer. Really great feature. But wait, there is even a more great feature! We can delete content based on an event. That is exactly what we need.

You can customize your events by going to “Data Governance > Events”. For extensive documentation, I recommend you to should the Microsoft Docs which is a really good document.

Conclusion

Microsoft’s products are getting better and better. The tight integration is getting phenomenal. In this document we have seen the possibilities of Sensitivity Labels and Retention Labels. Both serve different purposes which you should check out for sure, especially regarding sensitive content.

The post Microsoft Information Protection: Unified labeling! appeared first on Erjen Rijnders.

1. Azure Active Directory: New features and roadmap
2. New features security and compliance center
3. Windows Server 2019
4. Windows Information Protection

Azure Active Directory: New features and roadmap

During the session of Alex Simons “Azure Active Directory: New features and roadmap”, he showed the great functionality of iOS smartwatch authenticator, but the request didn’t came through. Really funny, but he actually forgot his phone on stage so it was obvious it didn’t came through.

However, we saw great new features in Azure AD. They are encouraging us to move from AD FS to Azure AD. Microsoft itself has already migrated 18.000 apps from AD FS to Azure AD (but still 3.000 to go Alex said).

Azure AD is really going to focus on passwordless sign on. Also, B2B and B2C will see great improvements. It’s going to be very simple to collaborate for example with a company that doesn’t even use Azure AD at all.

And we get hardware OAUTH tokens support in Azure AD! For those who really need this for security reasons, it’s going to be possible. Before, it was only possible with the on-premises MFA server but not anymore!

New features security and compliance center

As announced yesterday already, we no longer have Azure Information Protection, but Microsoft Information Protection. In this session we saw more in-depth new features of the security and compliance center which will be rolled out the coming months.  A great new look of the security and compliance portal.

I am really sorry about the picture below, I was too far away for getting a sharp picture, I will update them as soon as I have better material. But I think you can get an impression.

This compliance center will have tight integration with https://security.microsoft.com. It’s focusing more and more on “Assess, protect, respond, visibility and control”. With just a few simple clicks, you are able to remediate security after an attack. Sounds like a sales pitch, but I have seen it live and it just works.

Another great feature is that we will soon have “label analytics”! finally. We can see for example which labels are applied manually, which are pending, how many labels you have applied etc.

More info about “Assess, protect, respond, visibility and control” how Microsoft does it, here is an exact copy of text of the presentation:

Assess
Perform ongoing risk assessments with a compliance score across Microsoft cloud services.
Protect
Automatically classify and protect sensitive data across devices, apps and cloud services.
Respond
Efficiently respond to regulatory requests leveraging AI to find the right, most relevant data.
Visibility
Understand the security state and risks across resources.
Control
Define consistent security policies and enable controls.
Guidance
Elevate security through built-in intelligence and recommendations.

Windows Server 2019

Some great new features are announced! The best I heard so far is that we can now connect Windows Server 2019 to Azure Update Management. This way, we will have one unified, native updating way throughout our devices.

Also, Azure password protection is now hybrid available on Windows Server 2019. And of course, the Windows Admin Center (released before) is tightly integrated in Windows Server 2019. Within WAC, we can now manage Azure Network Adapter, Azure Site Recovery and Azure back-up.

Windows Information Protection

I have seen very great feature updates around Windows Information Protection! Instead of summing it up here, I dedicated a seperate blogpost about this. Read it here!

The post Microsoft Ignite day 2 appeared first on Erjen Rijnders.

1. Keynote
2. Transform your workplace with Microsoft 365
3. Microsoft 365 admin center
4. Windows 10 Virtual Desktop
5. What happened with RDMI?
6. Advanced Threat Protection for MySQL
7. Whats new in OME and AIP
8. Integrate Teams with a SharePoint library
9. Microsoft Threat Protection announced
10. Microsoft Information Protection
11. Microsoft Secure Score

Keynote

With about 30.000 people in one very big room, Satya kicked off with a welcome and received a big applause. Satya started sharing current customer success stories, mainly focused on AI. His question after the success stories: How are we evolving this and how do we keep innovating? The answer is, the Microsoft open data initiative! Together with Adobe and SAP, these three companies exchange data. Data becomes more and more important and in this way, Microsoft can create a great experience for us as customers. There will be one data model for all Azure applications so that our data will no longer be in silos. Well, I must say, that’s exciting news! Hopefully we will see this in action soon.

That said, Microsoft is also focusing more and more on selling an experience instead of a product (what we do as consultants for years already to our customers to be honest), but Microsoft will have more focus on this as well. Satya said that we need to transform our businesses industries, adopting the latest and greatest technologies, or
we will not survive. Also trust and collaboration is key aspect of success, Satya said.

It was an inspiring keynote, although not as inspiring as before and less announcements were given but still, great start of Microsoft Ignite!

Transform your workplace with Microsoft 365

The second session (more like a subkeynote) I attended was “Transform your workplace with Microsoft 365”. Ron Markezich came on stage thanking us for our partnership.

They key announcement in this session is a new Microsoft product: Microsoft Ideas. It brings a lot of AI into your daily work. Like in PowerPoint, it suggests the design of a slide. Like if you type Seattle, it gives you images of Seattle. But also, it checks for consistency throughout PowerPoint. In Excel, this same product gives you suggestions on a whole other level. Like you fill in some countries, it suggests you to add columns with the inhabitants etc.

In Word, it’s even cooler in my opinion. When you are working together in the same document, you can add tasks for another and even create tasks for yourself. For example, you type “@To Do”, you add a task for yourself. Giving a description, like “Keynote”, Microsoft Ideas gives you relevant documents which you can add in the document.

This is all possible, connecting with the Microsoft Graph API. Many applications are connected to this API which makes this possible. This product is going to be rolled out at PowerPoint first, later across more Office applications.

Microsoft 365 admin center

During this session, we saw Brad Anderson show the Microsoft 365 Admin Center! https://admin.microsoft.com gives you all the management within Microsoft 365, no longer go to protection.office.com, security.microsoft.com, compliance.microsoft.com etc. It looks promising.

Windows 10 Virtual Desktop

So many have waited for this (and we still have to wait a bit longer because the public preview will come end of this year), but it’s officially announced, the Windows 10 Virtual Desktop! No more planning, deploying, updating etc. It’s all managed by Microsoft. And the Virtual Desktops has built-in security and compliance.

As I mentioned, the public preview is available later this year, but it’s possible to join the public preview now by registering.

What happened with RDMI?

Well, not sure to be honest. No one mentioned it @Ignite, it looks like RDMI is now called Windows Virtual Desktops.

UPDATE: It is confirmed at Ignite 2018 that RDMI is now Windows Virtual Desktop.

Advanced Threat Protection for MySQL

Advanced Threat Protection for MySQL is out! Configure it using the Azure Portal, check here for detailed information:

https://azure.microsoft.com/en-us/blog/advanced-threat-protection-for-azure-database-for-mysql-in-preview/

Whats new in OME and AIP

100 million users are using OME since they announced it a year ago. We (@Sigmax) have used it a lot for our customers and a lack of functionality is the integration with Data Loss Prevention. But not anymore! It’s fully integrated. Also, we have OME reporting now. We can check the encrypted emails sent and also revoke an encrypted email finally! Another great feature is that we can now further customize the encrypted e-mail.

Integrate Teams with a SharePoint library

If you have implemented the SharePoint philosophy and you start using Teams, well, that philosophy is turned up-side-down inevitably because you have no control where Teams stores your data. Not anymore! You can now integrate a SharePoint library with Microsoft Teams.

Microsoft Threat Protection announced

Before, we had Windows ATP, Azure ATP and Office ATP. Now we have it all together in one product: Microsoft Threat Protection (looks like we need to go to https://security.microsoft.com, in contrast what was announced in the Microsoft 365 admin center but we will see).

Microsoft Information Protection

We no longer have Azure Information Protection, but Microsoft Information Protection. The great thing is that we now have a unified way of labeling. We can use the same labels for Office Message Encryption and Data Loss Prevention which is great.

Labeling is now also available in Office for mac!

Microsoft Secure Score

Now integrated with Office 365 and EMS! If you were using it before, you will now see a lot more scores. Go to https://securescore.microsoft.com/ to check your security score!

The post Microsoft Ignite day 1: keynote and sessions appeared first on Erjen Rijnders.