In the previous chapters, we have discussed the importance of securing and protecting a Microsoft 365 environment and shown you the various methods of protection that are available to you as an administrator. These include Multi-Factor Authentication, Conditional Access, Role-based access control, Azure AD Identity Protection, and Privileged Identity Management (PIM).
In this chapter, we will examine some additional features that you can use to protect user and device access within Office 365. We will show you how Privileged Access Management (PAM) enables the principle of just enough access (JEA) and grants permissions to users for functions at the task level, as opposed to a collection of tasks that are combined to make up a role (such as in PIM).
You will also learn the principles of the Customer Lockbox and how to turn Customer Lockbox requests on or off. Additionally, we will explain how to configure external sharing with Azure B2B while also demonstrating how this process differs from the external sharing capabilities of OneDrive and SharePoint Online.
We shall cover these topics in the following order:
PAM is a Microsoft 365 feature that provides more granular capabilities by granting users access to functions at a task level, as opposed to via roles. This is best explained by comparing PAM to PIM. We examined PIM earlier in this book in Chapter 4, Role Assignment and Privileged Identities in Microsoft 365, and explained how it can be used to grant JIT access to the administrative roles within Microsoft 365 (such as Global Administrator or Exchange Administrator). These roles are made up of a collection of functions. PAM differs in that it enables the principle of JEA instead, which means that access can be granted to specific individual functions instead of a collection of functions that make up a role. For example, with PAM, you can grant your users access to a single function, such as creating a new Exchange Online Transport rule.
Important note
At the time of writing this book, Privileged Access Management is limited only to functions available within Exchange Online. It is expected that functions from other services within Office 365 will be added to PAM in the coming months.
Let's take a look at how to enable PAM in a Microsoft 365 tenant and start using it, both from the Microsoft 365 Admin Center and from Windows PowerShell.
To enable PAM within your Microsoft 365 tenant, you need to have the Exchange Management Administrator role. You can enable and configure this feature by logging into the Microsoft 365 Admin Center at https://admin.microsoft.com/ and completing the following steps:
This page will now look as follows:
Enable-ElevatedAccessControl -AdminGroup '[email protected]'
Now that we have enabled the PAM feature, let's look at creating access policies.
Creating access policies for PAM
To create an access policy for PAM, we need to complete the following steps:
You have the following options to choose from for each of the available fields:
New-ElevatedAccessApprovalPolicy -Task 'Exchange\New-MailboxSearch' -ApprovalType Manual -ApproverGroup '[email protected]'
The previous command creates a new policy with the following settings:
So, to recap, we have now enabled PAM in our Microsoft 365 tenant and created some example access policies. Next, let's look at submitting and approving PAM requests.
Now that we have PAM enabled and some access policies set up, users are able to submit privileged access requests that can then be approved by members of the approval group, which we set up earlier in this chapter.
Important note
At the time of writing this book, the ability for standard users to submit PAM requests from the Microsoft 365 Admin Center is oddly not yet available, and only users with existing admin role assignments are able to access the submission request page.
In order to submit and approve requests from the Microsoft 365 Admin Center, we need to complete the following steps:
The request will then appear in the list and be visible to approvers, who may then open and approve or deny the request for access.
Important note
Users should be able to submit PAM requests, and then get them approved or denied by the approvers by using Exchange Online PowerShell. As the functionality for this process is limited at the time of writing this book and cannot be accessed by users yet, we are not able to cover this process in detail. Please take a look at the Privileged Access Management link that's included in the References section at the end of this chapter for more details.
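As an added example that is not part of the chapter, the following Exchange Online PowerShell cmdlets carry the PAM flow from policy check through request, approval and review of the resulting time-bound authorization; the tenant address, task, reason text and ticket reference are constructed placeholders.

```powershell
# Added example (not from the chapter): PAM request/approval cycle in Exchange Online PowerShell.
# The UPN, reason text and ticket number are constructed placeholders.
Connect-ExchangeOnline -UserPrincipalName 'admin@yourtenant.onmicrosoft.com'

# 1. Confirm that an approval policy exists for the single task that will be requested
#    (Enable-ElevatedAccessControl and New-ElevatedAccessApprovalPolicy are covered in the chapter).
Get-ElevatedAccessApprovalPolicy | Format-List

# 2. Requester: ask for that one task only, with a business reason and a bounded duration.
New-ElevatedAccessRequest -Task 'Exchange\New-MailboxSearch' `
    -Reason 'Ticket 12345: eDiscovery search requested by Legal' -DurationHours 4

# 3. Approver (a member of the policy's ApproverGroup): list requests and note the RequestId
#    of the one to act on, then approve or deny it with a comment that lands in the audit trail.
Get-ElevatedAccessRequest | Format-List
$requestId = '<RequestId copied from the listing above>'
Approve-ElevatedAccessRequest -RequestId $requestId -Comment 'Approved for ticket 12345'
# Deny-ElevatedAccessRequest -RequestId $requestId -Comment 'No matching ticket; denied'

# 4. Reviewer: show what PAM has actually granted, with its start and end times, so that
#    standing elevated access can be spotted if a duration was set too generously.
Get-ElevatedAccessAuthorization | Format-List
```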
In this section, we have shown you how PAM can be used in Microsoft 365 to provide users with access to elevated privileges at the task level using the principle of JEA. Next, we will examine how the Customer Lockbox feature allows you to control the level of access that Microsoft support engineers will have to your environment when troubleshooting issues on your behalf.
On occasion, you may need to contact Microsoft for support in relation to your Office 365 tenant. This is usually achieved via the use of troubleshooting tools or other means.
However, on some occasions, it may be necessary for a Microsoft Engineer to request access to your tenant.
In order to ensure that this is carried out in a secure and controlled manner, Microsoft provide the Customer Lockbox feature, which, when enabled, will require any Microsoft support representatives to complete a request and approval process in order to gain access.
Important note
Customer Lockbox is only available for organizations with Microsoft 365 E5, Office 365 E5, Information Protection and Compliance, or Advanced Compliance add-on subscriptions. Customer Lockbox currently works only with Exchange Online, OneDrive, and SharePoint Online.
The Customer Lockbox feature can be enabled in the Microsoft 365 Admin Center by Office 365 Global Administrators (or by any user who has been assigned the Customer Lockbox access approver admin role). Once the feature has been activated, Microsoft is obliged to seek permission from an organization before accessing any content within their tenant.
Enabling the Customer Lockbox feature can be done by completing the following steps:
The Customer Lockbox feature is now enabled for the tenant. Next, we will examine the process of approving or denying a Customer Lockbox request from Microsoft.
Whenever Microsoft make a Customer Lockbox request for access to your tenant, Global Administrators can respond to this by completing the following steps:
All Customer Lockbox activity is recorded in the Office 365 audit log and can be accessed from the Microsoft 365 Security and Compliance Center at https://protection.office.com.
Important note
Further information on auditing Customer Lockbox activity is included in the References section at the end of this chapter.
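The audit trail mentioned above can also be pulled with Exchange Online PowerShell; this is an added example, not from the chapter, and it assumes the operation name Set-AccessToCustomerDataRequest that Microsoft's auditing documentation gives for Lockbox decisions, which you should confirm against records in your own tenant.

```powershell
# Added example (not from the chapter): review Customer Lockbox decisions from the unified audit log.
# Set-AccessToCustomerDataRequest is the documented operation name for Lockbox approvals/denials;
# the UPN is a constructed placeholder.
Connect-ExchangeOnline -UserPrincipalName 'admin@yourtenant.onmicrosoft.com'

$records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) `
    -Operations 'Set-AccessToCustomerDataRequest' -ResultSize 5000

# AuditData is a JSON string; expand it so the who/when/what of each decision is readable.
$records | ForEach-Object {
    $data = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When       = $_.CreationDate
        DecidedBy  = $_.UserIds
        Parameters = ($data.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '
    }
} | Sort-Object When -Descending | Format-Table -AutoSize

# No records over 90 days while support cases were open is itself worth investigating:
# it means requests were not being made through Lockbox or the feature was switched off.
```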
In this section, we have introduced you to the Customer Lockbox feature of Office 365, which allows Global Administrators to enable a setting that requires Microsoft support engineers to request approval for access to your environment in order to troubleshoot issues related to Exchange Online, OneDrive, and SharePoint Online.
In the next section, we will show you how it is possible to protect the collaboration components within your Office 365 environment by configuring policies to protect and secure your SharePoint Online Team Sites and document libraries, as well as OneDrive document libraries.
With more and more documents being stored in the cloud, it is important, as a Microsoft 365 Administrator, to ensure that access to files and folders in services such as SharePoint Online and OneDrive is effectively protected.
There are some simple settings within the SharePoint Online Admin Center that you can configure to apply access control settings for your users, which will help to ensure that only authorized personnel are able to access the content that is hosted in your Microsoft 365 tenant.
In order to configure these settings, we need to take the following steps:
It is highly recommended that Microsoft 365 Administrators review these settings where they have users accessing content within SharePoint Online and OneDrive.
Organizational needs and policies will, of course, differ, but it is good practice to use these settings as a baseline to protect access to your Office 365 documents and data.
Important note
The access control settings described here are a good starting point for protecting and securing access to your data within Microsoft 365. In order to apply more advanced protection, consider configuring Conditional Access Policies and Azure AD Identity Protection, as described in the earlier chapters of this book.
In this section, we have shown you some quick and easy ways to protect your files and folders stored in SharePoint Online and OneDrive Sites and Document Libraries.
We showed you how the access control settings in the SharePoint Online Admin Center can be used to apply policies for unmanaged devices, idle session timeout settings, and allow access only from specified IP address ranges. We also showed you how to allow or block apps that do not use modern authentication.
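The same four settings can be applied and verified with the SharePoint Online Management Shell; this is an added example, not from the chapter, and the tenant name and IP ranges are constructed values.

```powershell
# Added example (not from the chapter): the SharePoint Online Admin Center access control settings
# applied via the SharePoint Online Management Shell. Tenant name and IP ranges are constructed.
Connect-SPOService -Url 'https://yourtenant-admin.sharepoint.com'

# Unmanaged devices: browser-only, limited access (no download, print or sync).
# The alternatives are AllowFullAccess (the default) and BlockAccess.
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess

# Idle session timeout: warn after 55 minutes of inactivity, sign out after 60.
Set-SPOBrowserIdleSignOut -Enabled $true `
    -WarnAfter (New-TimeSpan -Minutes 55) -SignOutAfter (New-TimeSpan -Minutes 60)

# Network location: only the listed ranges may reach SharePoint Online and OneDrive.
# Check that the range you administer from is included BEFORE enabling enforcement,
# otherwise the admin center becomes unreachable for you as well.
Set-SPOTenant -IPAddressAllowList '203.0.113.0/24,198.51.100.0/24' -IPAddressEnforcement $true

# Apps that don't use modern authentication: block legacy authentication protocols.
Set-SPOTenant -LegacyAuthProtocolsEnabled $false

# Read the settings back so the change can be evidenced against your baseline.
Get-SPOTenant | Select-Object ConditionalAccessPolicy, IPAddressEnforcement, IPAddressAllowList, LegacyAuthProtocolsEnabled
Get-SPOBrowserIdleSignOut
```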
In the final section of this chapter, we will examine the principles of allowing external user access to your Microsoft 365 environment by using Azure Active Directory B2B collaboration.
With Azure AD B2B, Microsoft 365 administrators have the ability to enable and control cross-organization collaboration. This allows you to invite external users to access apps and resources within your Office 365 environment, while also requiring these external users to comply with the security principles that you have defined for your organization, such as Multi-Factor Authentication or Conditional Access.
There are some licensing requirements that relate to Azure AD B2B, and you can allow up to five guest users per Azure AD license.
Inviting external users is a very straightforward process, and is shown in the following steps:
The guest user will then be required to set a password, select a region, and provide their date of birth. They will also receive a further verification email with a code they will need to enter.
The user is now logged into your organization's Office 365 environment and will be able to access any apps or resources you have assigned to them. In this example, we have not assigned the user to any apps yet, but this can easily be done via group memberships:
When we select the user, we can see that they retain their own identity. However, we can also apply our organizational requirements to them in order for them to be able to access the apps and resources within our environment:
Azure B2B is a simple yet powerful way to allow external parties access to the apps and resources in your Microsoft 365 environment, all while retaining control of what they are allowed to do and the security principles they must adhere to in order to gain access.
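The invitation and group-based assignment described above, scripted with Microsoft Graph PowerShell as an added example that is not part of the chapter; the guest address, group name and redirect URL are constructed.

```powershell
# Added example (not from the chapter): invite an Azure AD B2B guest and grant access through
# group membership. Guest address, group name and redirect URL are constructed placeholders.
Connect-MgGraph -Scopes 'User.Invite.All', 'Group.ReadWrite.All', 'User.Read.All'

# 1. Invite the external user. They keep their own identity; the guest object in your tenant
#    is created with userType 'Guest' and the invitation mail carries the redemption link.
$invite = New-MgInvitation -InvitedUserEmailAddress 'partner@external-company.example' `
    -InvitedUserDisplayName 'Partner User' `
    -InviteRedirectUrl 'https://myapps.microsoft.com' `
    -SendInvitationMessage

# 2. Assign apps and resources indirectly: add the guest to the group the apps are assigned to,
#    so the guest's access is governed by group membership rather than per-user assignments.
$group = Get-MgGroup -Filter "displayName eq 'Partner Collaboration'"
New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $invite.InvitedUser.Id

# 3. Review every guest in the tenant. ExternalUserState shows whether the invitation has been
#    redeemed; the count is what you compare against the five-guests-per-license allowance.
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property DisplayName, Mail, ExternalUserState, CreatedDateTime
$guests | Select-Object DisplayName, Mail, ExternalUserState, CreatedDateTime | Format-Table
"Guest count: $($guests.Count)"
```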
Important note
SharePoint Online and OneDrive have slightly different invitation mechanisms for external/guest users. The options for external access can be found in the SharePoint Admin Center, under the Sharing section.
In this chapter, we examined the principles of securing access to your Microsoft 365 environment by using features such as privileged access management to grant users just enough access to specific tasks within Microsoft 365, instead of assigning them to roles that have additional capabilities.
We also showed you how the Customer Lockbox is used to ensure that Microsoft support engineers must specifically request permission to access your tenant, and that their activities will be recorded in an audit log. In addition, we demonstrated how access controls can easily be applied for SharePoint and OneDrive via the SharePoint Admin Center, as well as how Azure B2B sharing allows you to invite external users into your organization to access your apps and resources in a secure and controlled manner.
In the next chapter, we will introduce you to Azure Information Protection, which is a powerful Azure AD Premium feature that allows Microsoft 365 administrators to configure labels and policies in the Azure portal and synchronize these to the Microsoft 365 Admin Center using unified labeling.
Users are then able to apply label classifications to emails and documents in order to protect them and ensure that only authorized recipients can access the content.
a. True
b. False
a. 3
b. 5
c. 10
d. 15
a. 1 hour
b. 2 hours
c. 4 hours
d. 6 hours
e. 1 day
a. Task
b. Role Group
c. Role
d. Task Group
a. Unmanaged devices
b. Unmanaged users
c. Idle session timeout
d. Network Location
e. Apps that don't use modern authentication
a. Settings | Services and Add-ins
b. Settings | Domains
c. Settings | Security and Privacy
d. Settings | Organization Profile
a. Invite User
b. Delegate User
c. Create User
d. Synchronize User
e. Add existing user to a group
a. True
b. False
a. Microsoft 365 E5
b. Microsoft 365 E3
c. Office 365 E3
d. Office 365 E5
e. Office 365 Business Premium
a. True
b. False
Please refer to the following links for more information regarding what was covered in this chapter: