Tag: AzureADConnect

Azure AD Connect is the Microsoft tool designed to meet and accomplish your hybrid identity goals.

Secure your corporate information, not your devices!

Introduction

I’ve seen multiple customers struggling with their corporate information. Most of the time this data is secured in a traditional way, without the flexibility to collaborate.

Result: People find other ways to collaborate: Dropbox, OneDrive, Box, mail, private mail, WhatsApp, ..

You don’t want your personal data published on the web. Why do we allow organizations to be less secure with OUR information?

Goal: If you are curious about your data at this moment, set up a fast pilot project. In 24 hours you will have real insights into your organization.

Environment: Office 365, file servers :-), Box, Dropbox. Connect!

What’s your strategy for protecting and governing sensitive and business critical data?

  • Please comment if you managed to protect your data with a control mechanism. You have great insights and know your possible leakage.

Why should you work to protect information within corporate environments?

  • Users are accidentally sharing information
  • Users copying sensitive data for future use
  • Organizations not knowing what they have and what’s exposed at this moment
  • Users negligently sharing improperly with internal or external people
  • Sensitive data has been accessed or stolen by unauthorized persons

Use Microsoft native solution to discover your crucial data!

  • Start with labeling of your information cross-platform to get actual insights!
  • Labeling doesn’t mean it should be actionable – it’s just a state of reporting!
  • Later: classify, protect and monitor your sensitive data everywhere – cross platform.

Unified data classification

See your actual data in compliance center

Retention Label Usage

Pilot project – High-level startup

  • Deploy AIP Scanner in discovery mode and start with analysing your data
  • Configure MCAS & AIP scanner
  • Define and publish some labels and policies
  • Create DLP and pop-up rules based on specific labels
  • And now start!
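The DLP step of this pilot (a rule keyed on a published label, with a pop-up policy tip, running in test mode so it reports instead of blocks) looks like this in Security & Compliance PowerShell. This is an added example, not code from the original post; it assumes the ExchangeOnlineManagement module is installed, the account holds a compliance admin role, and a sensitivity label named 'Confidential' (placeholder) has already been published. The UPN and policy names are placeholders.

```powershell
# Added example, not from the original post.
# Assumes: ExchangeOnlineManagement module installed, compliance admin rights,
# and a published sensitivity label called 'Confidential' (placeholder name).
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'   # placeholder UPN

$policyName = 'Pilot - Confidential label DLP'

# Policy scope: every Exchange, SharePoint and OneDrive location.
# TestWithNotifications = users see the policy tip, nothing is blocked yet,
# matching the pilot idea that labeling is first a state of reporting.
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications

# Condition: the content carries the 'Confidential' sensitivity label.
# The hashtable shape (operator/groups/labels) is the form New-DlpComplianceRule
# accepts for label-based conditions.
$labelCondition = @{
    operator = 'And'
    groups   = @(
        @{
            operator = 'Or'
            name     = 'LabelGroup'
            labels   = @(@{ name = 'Confidential'; type = 'Sensitivity' })
        }
    )
}

# Rule: Confidential content shared outside the organization shows a pop-up
# to the owner; BlockAccess only takes effect once the policy is switched to Enable.
New-DlpComplianceRule -Name 'Confidential shared externally' -Policy $policyName `
    -ContentContainsSensitiveInformation $labelCondition `
    -AccessScope NotInOrganization `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText 'This item is labeled Confidential. External sharing is under review during the pilot.' `
    -BlockAccess $true

# After reviewing the DLP reports from the pilot, enforce the policy:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Keep the policy in test mode until the pilot report shows the rule firing only where expected; the pop-up already changes user behaviour before anything is blocked.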

Pilot project – results

  • Discovery of sensitive info in endpoints and servers and services
  • Let people start with manual labeling of documents and emails (with default, simple, understandable labels!).

More information?

Modern Desktop implementation – Behind the scenes

Introduction & Vision

At Synergics we truly believe in the mission of Microsoft to empower every person and every organization on the planet to achieve more. Every well-implemented project starts with a vision and with goals/milestones.

In the first project we delivered workshops to understand the transformation needs of the organization. We identified the digital outcomes below. (The description is basic, I know, but it’s another side track of this implementation.)

  • Empower information workers and firstline workers so they can collaborate and communicate.
  • Simplified communication – Communicate through the full organization.
  • Increase agility for the IT-Organization – adaptability.
  • Futureproof design – Technical design, cloud first strategy.

You can read the reference case in NL or FR! Microsoft Surface with Windows Autopilot ensures efficiency gains and easier IT management for the city of Lokeren. Reference Case.

Evolution to modern management – 100% CLOUD!

  • Less complexity
  • built-in automation
  • brand-new configuration & policies
  • higher security standards
  • self-service possibilities
  • 100% CLOUD!

To achieve more it’s important to give control to the people (empower), update your platform, make roll-outs of new devices easier, etc. (Scenario on the right: 100%…)

Traditional > Co-Management > Modern

New device setup experience with Autopilot

Imaging/cloning/etc. of devices takes a lot of crucial time compared to Autopilot. This isn’t the easiest enabler because there are policies and GPOs in place. With Autopilot we deliver the roll-out of the Windows 10 devices and sync back the device object so on-premises resources can still be accessed during the transition, pending future plans.

Autopilot + Microsoft Endpoint Manager
  • Old GPOs can stay for some time.
  • New possibilities of modern management become active.
Autopilot

Microsoft Windows update in waves & delivery optimization

It looks like an easy job, but most of the time it’s an uncontrolled mechanism.

Windows 10 started in 2015 with builds such as 1511, 1607, 1703, 1709, 1803, 1809, 1903 and 1909. As you can see in the screenshot, we are now transforming to 1903, and 1909 is starting soon.

Compliance Policy
Device Compliance

Hybrid Identity – and password write-back

I was hoping to write cloud identity, but we still live in a world of on-premises infrastructure waiting to move to the cloud. For now we are creating and maintaining identities on-premises. We enable password write-back so users are able to change their password.

Azure AD connect configuration

Intune mobile device management authority

Office 365 ProPlus distribution based on dynamic collections

It sounds very easy but I’ve seen a lot of customers fighting with licenses and automated processes.

  • When a user lands in the M365 E3 dynamic collection because of its membership parameters, Office ProPlus is automatically distributed.
  • When a user has no ProPlus access, like an O365 F1 user, Office 365 ProPlus will be removed.
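The "parameters" behind such collections are membership rules evaluated on the user's assigned license plans. The following added example (not code from the original post) builds the two dynamic Azure AD groups with the Microsoft Graph PowerShell SDK: one for users whose licence includes the Office 365 ProPlus plan and one for users whose licence does not. It assumes the Microsoft.Graph module is installed, the account has the Group.ReadWrite.All scope, and that the service plan ID below is the OFFICESUBSCRIPTION (Office 365 ProPlus) plan; verify the ID against Get-MgSubscribedSku in your own tenant before relying on it. Group names are placeholders.

```powershell
# Added example, not from the original post.
# Assumes: Microsoft.Graph module installed, Group.ReadWrite.All consented,
# and the service plan ID below is OFFICESUBSCRIPTION (verify with
# (Get-MgSubscribedSku).ServicePlans in your tenant).
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

$proPlusServicePlanId = '43de0ff5-c92c-492b-9116-175376d08c38'   # assumed OFFICESUBSCRIPTION plan

# Users who hold the ProPlus plan in an Enabled state (e.g. M365 E3 / E5 licences).
$hasProPlusRule = "user.assignedPlans -any (assignedPlan.servicePlanId -eq `"$proPlusServicePlanId`" -and assignedPlan.capabilityStatus -eq `"Enabled`")"

# Users who do not hold the ProPlus plan at all (e.g. O365 F1 licences).
# Note: a user with the plan in a disabled state is in neither group.
$noProPlusRule  = "user.assignedPlans -all (assignedPlan.servicePlanId -ne `"$proPlusServicePlanId`")"

function New-DynamicLicenseGroup {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [string] $MembershipRule
    )
    # MailNickname must be unique and cannot contain spaces.
    $nickname = ($DisplayName -replace '[^A-Za-z0-9]', '')
    New-MgGroup -DisplayName $DisplayName `
        -MailEnabled:$false -MailNickname $nickname -SecurityEnabled `
        -GroupTypes @('DynamicMembership') `
        -MembershipRule $MembershipRule `
        -MembershipRuleProcessingState 'On'
}

New-DynamicLicenseGroup -DisplayName 'LIC - Office ProPlus entitled'     -MembershipRule $hasProPlusRule
New-DynamicLicenseGroup -DisplayName 'LIC - Office ProPlus not entitled' -MembershipRule $noProPlusRule
```

In Intune, assign the Microsoft 365 Apps package as Required to the first group and as Uninstall to the second; that gives the install/remove behaviour the two bullets describe without anyone touching licences by hand.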

Onedrive Known Folder Move (KFM)

There are two primary advantages of moving or redirecting Windows known folders (Desktop, Documents, Pictures, Screenshots, and Camera Roll) to OneDrive for Business for the users in your domain:

  • Your users can continue using the folders they’re familiar with. They don’t have to change their daily work habits to save files to OneDrive.
  • Saving files to OneDrive backs up your users’ data in the cloud and gives them access to their files from any device.
  • This has value, value, value. Users can find their documents on their phones because of the automated move. When their workstation crashes, the data is still there..

Microsoft Defender Advanced threat protection

All devices are fully managed under the greatest MDATP (also see the quadrant).

  • Multi-layered protection: Microsoft Defender ATP provides multi-layered protection (built into the endpoint and cloud-powered) from file-based malware, malicious scripts, memory-based attacks, and other advanced threats
  • Threat Analytics: Contextual threat reports provide SecOps with near real-time visibility on how threats impact their organizations
  • A new approach to Threat and Vulnerability Management: Real-time discovery, prioritization based on business context and the dynamic threat landscape, and a built-in remediation process speed up mitigation of vulnerabilities and misconfigurations
  • Built-in, cloud-powered protections: Real-time threat detection and protection with built-in advanced capabilities protect against broad-scale and targeted attacks like phishing and malware campaigns
  • Automated security, SecureScore and +10 more features!
Microsoft Defender ATP

Enterprise state roaming (ESR)

With Windows 10, Azure AD users gain the ability to securely synchronize their user settings and application settings data to the cloud. Enterprise State Roaming provides users with a unified experience across their Windows devices and reduces the time needed for configuring a new device. Enterprise State Roaming operates similar to the standard consumer settings sync that was first introduced in Windows 8. Additionally, Enterprise State Roaming offers:

  • Separation of corporate and consumer data – Organizations are in control of their data, and there is no mixing of corporate data in a consumer cloud account or consumer data in an enterprise cloud account.
  • Enhanced security – Data is automatically encrypted before leaving the user’s Windows 10 device by using Azure Rights Management (Azure RMS), and data stays encrypted at rest in the cloud. All content stays encrypted at rest in the cloud, except for the namespaces, like settings names and Windows app names.
  • Better management and monitoring – Provides control and visibility over who syncs settings in your organization and on which devices through the Azure AD portal integration.
  • Even next to KFM! Even better against data loss etc..

Future achievements..

  • Everything starts with the value of Microsoft 365 E3 or E5.
  • Analytics and data. MyAnalytics, Workplace Analytics?
  • Security Operations – Advanced hunting?
  • Proactive services – thousands of scenarios possible..
  • Automation in processes with Power Automate?
  • Deep integration with third-party applications?
Modern Device Management
Office 365 ATP Recommended Configuration Analyzer – Best Practices!

Office 365 Advanced Threat Protection is growing and evolving over time. Writing documentation takes time; automation doesn’t. Automatically export your O365 ATP settings into one HTML file to see the scores and recommendations.

Solution: ORCA! ORCA is a report that you can run in your environment to highlight known configuration issues and improvements that can impact your experience with Office 365 Advanced Threat Protection (ATP).

Start from Exchange Online PowerShell

Start up your Exchange Online PowerShell module from:

PowerShell Module Exchange Online

Installation of ORCA

  • Install-Module ORCA
Install ORCA

Run ORCA

  • Get-ORCAReport
OrcaReport
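The whole run, from module installation to the report, as one added PowerShell example (not code from the original post or from the ORCA project). It assumes the current ExchangeOnlineManagement module is used for the connection and that the account has the Exchange Online read permissions ORCA needs; the UPN is a placeholder. The report file location is whatever ORCA prints at the end of its run, which is why the example does not hard-code a path.

```powershell
# Added example, not from the original post or the ORCA project.
# Assumes: PowerShell 5.1+ with PowerShellGet, and an account that can read
# the Exchange Online / ATP configuration. Placeholder UPN below.

# One-time installation (CurrentUser scope avoids needing local admin rights).
Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser
Install-Module -Name ORCA -Scope CurrentUser

# ORCA rules change as ATP changes, so refresh the module before each
# recurring (monthly) validation run.
Update-Module -Name ORCA

# Connect to Exchange Online, run the analyzer, then close the session.
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'   # placeholder UPN
try {
    # Writes an HTML report under the current user's profile and opens it;
    # the exact file name is printed by ORCA when it finishes.
    Get-ORCAReport
}
finally {
    Disconnect-ExchangeOnline -Confirm:$false
}
```

Keep each month's HTML file: comparing two runs is the quickest way to see which recommendations were actually acted on and which settings drifted back.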

Results

The results are written to a log file in your user profile and rendered in a really great HTML overview.

High-level overview of the Office 365 ATP ORCA Report

Configuration Analyzer Report

Recommendation example

Compliant Level
Safe Links

What’s in scope?

  • Configuration in EOP which can impact ATP
  • Safe Links configuration
  • Safe Attachments configuration
  • Antiphish and antispoof policies.

Coming Soon!

  • At the MS Ignite sessions Microsoft announced a new best-practice portal in Office 365’s admin console. The session can be found here: 79719 (BRK2104)
Best Practice Analyzer

Bring it all together

  • Export and compare multiple customer scenarios. This will help you determine the differences.
  • Modern security mechanisms such as Office 365 ATP are continuously improving and need continuous attention and recurrent validation (each month!).
  • In 2018, the percentage of inbound emails that were phishing messages grew 250%. That trend has continued to grow, with an increased level of targeting and sophistication! Still super important!
  • Focus on user education and training. In addition to advanced security tools for detection, investigation and response, 40% is still user-related.
  • More and more control and reporting will come to the Office 365 portal!
  • AND NOW, since you have the report in an easy way: ACT and enable best practices!
Protect apps with Microsoft Cloud App Security Conditional Access App Control

A lot of companies are struggling with data leakage when it comes to their Exchange Online environment. Easy fix! Enable Microsoft Cloud App Security Conditional Access App Control! First, check the 7-second demo. It explains it without the unnecessary words!

Scenario:

  • You have all your devices enrolled in Microsoft Endpoint Manager, aka Intune
  • You are able to keep an inventory of and control over your hardware assets (CIS Control 1)
  • You are using Office 365 or Microsoft 365.
  • You don’t want users to download their e-mail attachments on a non-company-owned device (other scenarios possible!)

It sounds so complex, and I strongly believe this is making implementations way too complex. So here are the 2 practical steps for the configuration.

Step 1: Choose the cloud application and select the condition!

  • Select cloud apps or actions: Microsoft Exchange
  • Select a condition: IF your device is marked as compliant, based on an Intune policy that is able to CHECK whether the device is compliant, users are able to just go their way on Exchange Online.
Device State (Preview)

Step 2: select the Access Controls

  • IF NOT, they are not able to download attachments to their environment. Block downloads. That’s it!
Conditional Access App Control
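The same two steps as a policy definition, so the configuration can be reviewed and version-controlled instead of clicked through. This is an added example built with the Microsoft Graph PowerShell SDK, not code from the original post. It assumes the Microsoft.Graph module is installed, the admin has the Policy.ReadWrite.ConditionalAccess scope, and that Exchange Online is targeted by its well-known first-party app ID. The "device state (preview)" condition from the screenshots is expressed here as a device filter on the isCompliant attribute, which is the current way to scope a policy to non-compliant devices; the break-glass account ID is a placeholder you must replace.

```powershell
# Added example, not from the original post.
# Assumes: Microsoft.Graph module installed and Policy.ReadWrite.ConditionalAccess consented.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

$exchangeOnlineAppId  = '00000002-0000-0ff1-ce00-000000000000'   # Office 365 Exchange Online (first-party app ID)
$breakGlassAccountId  = '<object-id-of-break-glass-account>'      # placeholder: always exclude emergency access accounts

$policy = @{
    displayName = 'Pilot - Block Exchange attachment downloads on non-compliant devices'
    # Step 0 (not in the post, but cheap insurance): start in report-only mode,
    # check the sign-in logs for unexpected matches, then set state = 'enabled'.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        # Conditional Access App Control proxies browser sessions, so scope to browser.
        clientAppTypes = @('browser')
        users          = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlassAccountId)
        }
        # Step 1: the cloud app.
        applications   = @{ includeApplications = @($exchangeOnlineAppId) }
        # Step 1: the condition. Include only devices that are NOT marked compliant
        # by their Intune compliance policy; compliant devices never hit this policy.
        devices        = @{
            deviceFilter = @{
                mode = 'include'
                rule = 'device.isCompliant -ne True'
            }
        }
    }
    # Step 2: the access control. Hand the session to Cloud App Security with
    # the built-in "block downloads" control.
    sessionControls = @{
        cloudAppSecurity = @{
            isEnabled            = $true
            cloudAppSecurityType = 'blockDownloads'
        }
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Because the filter is "not compliant" rather than "not managed", a freshly enrolled device that has not yet reported compliance is also blocked from downloading; that is usually the safer default for a pilot, and the report-only phase will show how often it happens.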

By natively integrating with Azure AD, any app that is configured with SAML or OpenID Connect can be self-onboarded.

In addition, the following apps are featured by Cloud App Security and are already onboarded and ready to use in any tenant (more apps: here):

  • Exchange Online
  • OneDrive for Business
  • Power BI
  • SharePoint Online
  • Microsoft Teams

Conclusions

  • It’s not because you block attachment downloads in Exchange or OneDrive from non-company-owned devices that your organization is good to go! This practical example shows the flexibility to set conditions in your organization which can prevent leakage of data in e-mail systems.
  • Blocking Exchange downloads could make your organization aware that people are still sending crucial information by mail which should instead live in Microsoft Teams or SharePoint Online.
  • Microsoft Information Protection could play a big role in this configuration, but this enablement can be a first step in security maturity growth.
  • More options? YES: notification when someone downloads 10+ documents, leaked credentials, impossible travel, file shared with an unauthorized domain, new risky app, …