©  Matthew Katzer 2018
Matthew KatzerSecuring Office 365https://doi.org/10.1007/978-1-4842-4230-8_4

4. Deploying Identity Management with EMS

Matthew Katzer1 
(1)
Hillsboro, OR, USA
 
Office 365 is a suite of technologies delivered as a software-as-a-service (SaaS) offering and reduces IT costs for businesses of any size. Windows Enterprise Mobility & Security (EMS) is a SaaS offering that enhances the security of your Office 365 deployment; The new Microsoft 365 Enterprise E5 suite incorporates Enterprise Mobility and Security E5 suite. My team deploys either the Microsoft 365 E5 suite or the EMS E3/E5 suite for account security. This improves the security of our clients and in doing so reduces our threat landscape. This chapter is about deploying the Azure identity and information protection capabilities included with the EMS E5 (a component in the Microsoft 365 E5) (see Figure 4-1 for an EMS E3/E5 comparison).
../images/429219_1_En_4_Chapter/429219_1_En_4_Fig1_HTML.jpg
Figure 4-1

Enterprise Mobility & Security Suite E3/E5 comparison (license feature view)

There are many ways to look at the EMS suites and it is a very large topic. The approach that I used is to break this up into two different chapters, one on Information Protection and Identity Management, and the following chapter on Intune for mobile device management. Figure 4-2 shows the components of the Enterprise Mobility & Security suites.
../images/429219_1_En_4_Chapter/429219_1_En_4_Fig2_HTML.jpg
Figure 4-2

EMS Suite components (courtesy of Microsoft)

What Is EMS?

EMS (Enterprise Mobility & Security) is a Microsoft security suite for mobile and desktop devices. EMS is designed to work with Windows 10 and to use Azure security to manage the device and user infrastructure. There are two capabilities of EMS that are extremely useful for companies: EMS protects and empowers workers to better perform the duties assigned to them, and EMS allows the CISO to manage the activity of the users and prevent bad actors from accessing the data. One of the latest features to be deployed in Azure AD is smart lockout . Smart Lockout locks out bad actors who are trying to guess your users’ passwords. The Azure intelligence is developed in such a way that the systems will recognize when a password is being breached and will force password authentication to happen.

There are different password programs and methods. We may think our passwords are unique, but in many cases, they are not and have already been compromised. When you deploy EMS subscriptions (or in this case, when you use one of the Microsoft 365 suites), you are protected by the constantly changing landscape of protecting your users’ accounts. This capability is included in the Azure Active Directory Premium P2 component of the EMS suite.

Looking at the business from a CISO point of view, a CISO now can deploy the sets of tools and services that protect the company assets. In Chapter 3, we configured the security score for both Office 365 and the Windows Security Center to manage our environment; now we are taking a deep dive to tightly configure our environment to manage the information that we communicate internally and externally in the organization. To get started, let’s look at the components of EMS and understand how we are going to deploy them in our business.

When we created our Office 365 account and validated the domain (see Chapter 7), that action created our Office 365 Azure Active Directory. We have the option to add Azure AD domain services or use our local active directory. You can add this at this step; however, there will be some Azure-configured services that must be set up correctly. These services consist of dedicated Azure subnets and additional configuration (a permanent configuration). Azure AD domain services is not the same as Azure joined devices and is a more involved topic beyond the scope of this book. In our deployment of the EMS security components we can either use the link to the on site active directory, or we can join workstations directory to Azure active directory. Either approach works for our discussion on the deployment of the EMS suite. The services that we are going to add are Azure AD Privileged Identity, Azure AD Identity Protection, and Azure Information Protection (see Figure 4-3). Log in to https://portal.azure.com with the global admin account. Select the dashboard and then select Create a resource, and select the resource described in the following sections. We will add each of the components of the EMS suite and configure them.
../images/429219_1_En_4_Chapter/429219_1_En_4_Fig3_HTML.jpg
Figure 4-3

Adding the Azure services

Adding the Azure AD Privileged Identity Management

There are three Azure Ad services that we will configure in our Azure dashboard . We are going to walk through the steps of the initial configuration of these services. In some cases, the services have additional configuration or customization.

There are three services that we will be configuring for EMS:
  • Azure AD Privileged Identity Management

  • Azure AD Identity Protection

  • Azure Information Protection

EMS includes Intune. Intune is the Mobile Device Management component of EMS and will be focused on in Chapter 5. In Chapter 5, we will set up two types of Mobile Device Management: a Manage Application Management (MAM) and a full Mobile Device Management (MDM) deployment. Before we jump into device management, let’s focus on the information protection and identity management.

Let’s begin the process of configuring the different information and identity services for our EMS deployment.

Note

Azure Information Protection is briefly covered later in this chapter. My goal is to address the issues associated with identity management and device management and give you an overview of Azure Information Protection. Azure Information Protection is an important topic, but it is an orthogonal topic that is best covered as a stand-alone feature.

Step 1: Adding Azure AD Privileged Identity Management

Privileged Identity Management (PIM) is used to manage user accounts’ access to higher-level administrative functions. All of the new compliance audits require that IT administrators operate at the lowest level of permissions possible. Besides, this is just good business practice. Here, we are using PIM to manage administrator access to the global administrator account. The user accounts that require access are set up as password administrators. This is a lower-risk admin account since all users in our environment are running multifactor authentication. So, if we have a bad actor as an administrator, that person can only reset account passwords that have a lower privilege level, and since those users are running MFA, the exposure is minimal (users can reset their own passwords and requires a mobile number to confirm identity). All of the administrator accounts have a Microsoft 365 E5 subscription assigned to them. In the configuration that we are walking through, the administrator account that is used to set up the PIM service has Microsoft 365 E5. If you are setting up the service with an account without Microsoft 365 E5, you will generate an error on the configuration. The error is generated because you need a EMS E5 license component, e.g. the Azure AD Premium P2 license. This license is included with the MS 365 E5 or EMS E5, but not with the EMS E3.

Adding Azure AD Privileged Identity Manager is straightforward. Click the Identity icon and then click Create (see Figure 4-4).
../images/429219_1_En_4_Chapter/429219_1_En_4_Fig4_HTML.jpg
Figure 4-4

Adding Azure AD Privileged Identity Management

During the process, the Azure services will create the necessary components in Azure. If the Azure service has been already created or is hidden, watch for the pop-up message (see Figure 4-5) in the left corner. Click the message, which will launch the service to be configured. If you miss this step, just repeat adding the service until you have successfully clicked the message.
../images/429219_1_En_4_Chapter/429219_1_En_4_Fig5_HTML.jpg
Figure 4-5

Accessing the Azure AD Privileged Identity Management (PIM) service

PIM creates a new level of security controls for your administrators. Typically, organizations like to maintain control over administrator accounts. So, the user operates at a lower level of administrator. When a user needs to operate at a higher level, such as a global admin, they use PIM to request approval for the higher level of service. The increased credentials permissions are provided for only a limited time, and then the user account is reduced to the previous level. This is a compliance requirement and allows you to control the access of users and verify their access for the type of work they are performing.

Note

In Chapter 3, we touched briefly on Compliance Manager. We did not go into too much detail (Compliance Manager is a book in itself), but we provided some requirements for control. As an example, in NIST 800-35 there is a compliance requirement to use the minimal permissions to manage the environment. To meet this directive, you need to use a tool like PIM where the access to the global admin is activated for a limited period of time. This reduces the risk of a credential breach.

Step 2: Verifying Your Identity

Once you have selected the Azure service, the next step is to verify your identity. The Azure identity service will walk you through the steps to configure your user account and add the necessary information to Azure. The default configuration contains two forms of identification: e-mail address and mobile phone. Click “Verify my identity” and walk through the process of setting up MFA for your test account (see Figure 4-6). You will be prompted on a number of screens to verify your identity.
../images/429219_1_En_4_Chapter/429219_1_En_4_Fig6_HTML.jpg
Figure 4-6

Verifying your identity

There are different ways you can verify your identity. I use the mobile app when I can. If you have not downloaded the mobile app from the mobile store, you will need to complete this step before you continue. Once you download the app, just select a new account and add the app. The Microsoft service will display a bar code, so scan the bar code to automatically configure the service (see Figure 4-7). Click Next and then enter the code. You will still be prompted to enter your cell number for access in case the mobile app fails (or you lose your phone).
../images/429219_1_En_4_Chapter/429219_1_En_4_Fig7_HTML.jpg
Figure 4-7

Verifying your identity using the mobile app

Once you have completed the process, you will be redirected to the application to provide your consent. Click Consent to continue the configuration. You will be prompted to verify your actions before the PIM service will be configured. See Figure 4-8.
../images/429219_1_En_4_Chapter/429219_1_En_4_Fig8_HTML.jpg
Figure 4-8

The identity is verified; next you need to consent to the use of the PIM tool

Step 3: Set Up PIM

The next step is to select the Active Directory role and sign up for access. This sets the user account as the security manager for the PIM process. Once you have PIM in place, the users’ access is managed. Configuring user access is described later in this chapter. At this point, the goal is to set up PIM so you can manage user access to the global admin account.

Select the Azure AD roles (see Figure 4-9). This will launch an investigation into your tenant and build the Azure AD roles for all users to access the Azure security services. Since you are a global administrator and you are the first user to use the services, the service will be configured around your credentials (see Figure 4-10).
../images/429219_1_En_4_Chapter/429219_1_En_4_Fig9_HTML.jpg
Figure 4-9

Selecting the Azure AD directory roles for PIM

../images/429219_1_En_4_Chapter/429219_1_En_4_Fig10_HTML.jpg
Figure 4-10

Signing up for the security role as the primary administrator

Once you have completed the sign-up process, PIM is ready for additional users to access the service. The configured service should look like Figure 4-11.
../images/429219_1_En_4_Chapter/429219_1_En_4_Fig11_HTML.jpg
Figure 4-11

Configured PIM service for future expansion

There is one last item that you need to complete, and that is pinning the configured PIM service to the Azure dashboard. So before you forget, look in the right corner, and click the pin to pin PIM to the Azure dashboard (see Figure 4-12).
../images/429219_1_En_4_Chapter/429219_1_En_4_Fig12_HTML.jpg
Figure 4-12

Pinning PIM to the Azure dashboard

Step 4: Configure the Initial Role

After PIM is installed, the next step is to run the wizard and configure the user roles. The wizard looks for users with different permissions and allows you to assign them temporary administrator rights. The wizard is an important step to run to set up the baseline configuration (see Figure 4-13).
../images/429219_1_En_4_Chapter/429219_1_En_4_Fig13_HTML.jpg
Figure 4-13

Running the PIM wizard to set up user roles

As an example, take a user who is a password administrator and wants to run as a global administrator. The user logs into Azure, accesses PIM, and requests the global administrator access. The role is assigned for a limited period of time (30 minutes in this example) to allow the user to perform the necessary actions. Global administrator rights are temporary. At the end of the time period, the user permission is restored to the nonglobal admin permissions.

PIM requires that the user have some administrator privilege level to use the service. We use a password administrator as the default administrator account (all our users have MFA deployed, so this has little impact on the user in the case of an issue with an authorized administrator). At this point, we will move to the next step and set up Identity Access Manager.

Adding the Azure AD Identity Protection

The next service we are adding is the Azure AD Identity Protection . This service manages access and detects whether there is an attack on Office 365 users. This service provides a layer of notification on attempted breaches to Office 365. Figure 4-14 shows the log files on my account and how the account was accessed by third parties.
../images/429219_1_En_4_Chapter/429219_1_En_4_Fig14_HTML.jpg
Figure 4-14

Invalid access attempts to Office 365 account

Follow the next steps to configure Azure AD Identity Protection (see Figure 4-5). After completing these steps, we will install Azure AD Identity Protection.
../images/429219_1_En_4_Chapter/429219_1_En_4_Fig15_HTML.jpg
Figure 4-15

Installed Azure AD Identity Protection

Step 1: Installing Azure AD Identity Protection

To install Azure AD Identity Protection, open the Azure dashboard at https://portal.azure.com , click “Create a resource,” click Identity, and click Azure AD Identity Protection(see Figure 4-16). This will start the installation of the Azure AD Identity Protection service. The Azure AD Identity Protection service is the service that monitors user access to Office 365 and Azure resources. Once you select the resource, then click Create and pin the resource to your Azure dashboard. This will create the Azure subsystems necessary to use the resource you selected.

Note

Azure resources are dependent on the EMS license type. In our case, we are using the Microsoft 365 E5 license for all configuration (which includes the EMS E5 subscription). If you do not have the Microsoft 365 E5 license in your tenant, you may not be able to fully configure the resources we are using.

../images/429219_1_En_4_Chapter/429219_1_En_4_Fig16_HTML.jpg
Figure 4-16

Installed Azure AD Identity Protection

Step 2: Setting Alerts in Azure Identity Protection

We are focusing on the settings and the configuration. At this point, we want to have alerts in place to let us know when an event happens and to take the appropriate action. After we set up the alerts, we will configure the user policies to manage those alerts. To configure the alert settings, click Alerts (see Figure 4-17) and follow the next steps. In this case, we are sending the alerts to the o365admin test account.
  1. 1.

    Click Alerts.

     
  2. 2.

    Set the alert to level Low.

     
  3. 3.

    Click Included and then + Add (to add a user for the alerts).

     
  4. 4.

    Select the user.

     
  5. 5.

    Click the Select button.

     
  6. 6.

    Click Done.

     
  7. 7.

    Click Save.

     
../images/429219_1_En_4_Chapter/429219_1_En_4_Fig17_HTML.jpg
Figure 4-17

Setting Azure alerts to be sent to the selected user

Step 3: Setting Up a Weekly Digest in Azure Identity Protection

After you click Save, the next step is to set up the weekly digest. The weekly digest has similar configuration steps that we just completed: you enable the digest and select the user. After you select the user, the screen should look like Figure 4-18 before you click Save.
../images/429219_1_En_4_Chapter/429219_1_En_4_Fig18_HTML.jpg
Figure 4-18

Setting the weekly digest in Azure Identity Protection

The Azure Identity Protection service will send you a weekly summary of the different activities so you can verify the access (Figure 4-19). What you are looking for are attack trends. The trends of the access by bad actors will give you a better understanding of the threats that you will need to defend yourself.
../images/429219_1_En_4_Chapter/429219_1_En_4_Fig19_HTML.jpg
Figure 4-19

Weekly alert digest

Step 4: Configure the Risk Policy

There are three different configurations for a risk policy. Risk policy is actions taken on a user account to protect company information. A risk can be a password attack, or any type of activity that is nonstandard user behavior. Risk level is what the business assigns to different levels of attacks on an account that may become compromised (e.g. the credentials are stolen). To combat risk, you may force users to authenticate with MFA. Keep in mind that any action you take on risk policy is a global action and effects all users. After you have configured Office 365 and see the type of events that are happening, you can tighten the different risk policies to have better control over the Office 365 user access. The critical users that you want to worry about are the administrators. The administrators are the targeted users in Office 365.

Configuring risk policies for the administrators and making them subject to MFA is simple. You add the administrator users that you want subject to the MFA authentication and you enforce the MFA policy. In this example, we selected two users, set the controls to require MFA, and set enforced to on (see Figure 4-20).

Note

Before you start enabling the functionality, take your time and develop a plan for how you want to enforce risky behavior. Look at the data, and then enforce the controls. A lot of companies enable the features. The best practice is to set up a test group and apply the control to the test group, before you enable the control for all users (or administrators). Make sure you leave yourself a back door for testing.

../images/429219_1_En_4_Chapter/429219_1_En_4_Fig20_HTML.jpg
Figure 4-20

Forcing MFA on a set of users

At this point, you have configured the alerting activity for privilege access. You can now turn on additional security features to help manage user accounts. We recommend that you enable only a few test accounts to verify the functionality. Once you are satisfied, then you can roll this out in mass to all users. The next step is to configure Azure Information Protection.

Note

Testing accounts is easy. Just create a test group (set to include) to test out the new feature. Once you are satisfied with the process, you can either include all users or create a new static or dynamic group for the user accounts.

Azure Information Protection

Azure Information Protection allows you to control information, classify documents, and set the information characteristics of those documents that are added. We can also send out documents where the information cannot be shared externally to an organization, the document can be configured to block printing or being forwarded to a third party. We can also add controls in a document template (or the document metadata) to block theses activities. This is known as data loss prevention (DLP) rules on documents. This has been enhanced by Microsoft with other third-party services, so those services now understand documents that can be managed. As an example, you can define a set of documents (or rules on documents) that are restricted to internal use. This means when a document is sent externally to another user in a different company, the external user would be forced to login with credentials to access the document. Since the user is unknown to the company, the user would be blocked from accessing the document. As an example, in sales we want to send out proposals and statements of work and have those proposals expire after 30 days. We would use AIP to manage the document type so anyone who received the document would be blocked from reading the document in 30 days.

The following are the configuration steps required to set up Azure Information Protection:
  1. 1.

    Install and configure the Azure dashboard (select Protection Activation).

     
  2. 2.

    Define the labels for document management.

     
  3. 3.

    Configure the global document policy.

     
  4. 4.

    Download the Azure agent for Office applications for document classification.

     

Once you have taken these steps, you can send protected documents (or block them from distribution).

Document management is a large activity that can easily consume a lot of time. The best way to look at document management is to make it self-service. This model of self-service builds on the labels that the organization puts in place to manage information and train your users on how to classify documents.

To get started with the Azure Information Protection (AIP) service, we need to enable the service and activate the protection. We will complete these steps and set up a basic rule for AIP to process credit cards.. Let’s get started with the configuration process so we can protect our organizational documents. So we are on the same page, when I say documents, I am referring to any written communications (e-mails, pictures with text, work documents, PDFs, etc.). See Figure 4-21.
../images/429219_1_En_4_Chapter/429219_1_En_4_Fig21_HTML.jpg
Figure 4-21

Azure Information Protection loaded and set up as a favorite on the dashboard

Step 1: Install Information Protection

The first step is to enable the AIP service in the Office 365/Azure tenant. To set up the service, go to the Azure dashboard and add the service to the dashboard. You can pin the AIP service, or you can add it to your favorites. See Figure 4-22.

Note

Earlier we used the term pin. In this case, we are not pinning the tool to the dashboard, but we are adding this to our favorites (under the star in Figure 4-21). To add to the favorites (the left side of the dashboard), all you need to do is to select “All services” and click the star to add the element to the dashboard. This process is detailed later in the chapter.

../images/429219_1_En_4_Chapter/429219_1_En_4_Fig22_HTML.jpg
Figure 4-22

Selecting Azure Information Protection

Once we have selected the service, we will create the service (see Figure 4-23). This is a simple process; just select the service under Identity and Azure Information Protection and then click Create to start the service. This will start the service and set up some of the background configuration that is required for your Office 365 account. Once you have enabled the service, you can add this to your dashboard by selecting All Services, finding the services, and then adding them to the favorites (by clicking the star next to the service). Microsoft is working to make this more of an automatic process that is tied to the subscription type.

Note

Classifying information is a large task. To address the classification, the best way to handle this is to configure the base parts of Azure Information Protection and enable data auto classification in the Office 365 Security & Compliance Center. Document classification needs to be created by the end user creating the document. The automated tools (such as the AIP scanner that scans documents located on file servers) need to be used to validate the document classifications that were created.

../images/429219_1_En_4_Chapter/429219_1_En_4_Fig23_HTML.jpg
Figure 4-23

Setting up Azure Information Protection for the first time

Once you have created the service, the next step is to set up the service (see Figure 4-24). In our service setup, we will be executing two steps. First, we will activate the service, and then we will come back to the service and set up new document classification and organization policies. We highlighted two areas in Figure 4-24: the protection activation and the labels. Click Activation to activate the service. Once you completed this step, the protection status will say “Protection status is activated.” After we have activated the service, our next action items will be to create a simple documentation classification (detection for credit card numbers) and then the policy to implement the document protection and classification.
../images/429219_1_En_4_Chapter/429219_1_En_4_Fig24_HTML.jpg
Figure 4-24

Activating Azure Information Protection

Setting up a policy on credit cards is simple and has little effect on the organization. Do not get me wrong; protecting the organization from sending out credit card information in the e-mail is critical. We need to protect the organization from violations that will result in fines. Under the new California law (CCPA), this data breach could result in fines of up to $750 per record, on the assumption that the consumer was harmed. The changes that we see in the new laws (like CCPA) are over assumed harm. Under old laws, harm had to be proven by the consumer. Under the new laws, harm is assumed. Businesses need to prove that protected personal information was not distributed to unauthorized third parties. This is why the Azure Information Protection is so critical to businesses, and the distribution of information needs to be tracked.

As an example, we can create a credit card protection rule where we allow documents (that contain credit card information) only to be read internally but not e-mailed externally. If a user e-mails the document externally, our labeling will block external user access to the document. The document rules are managed in the Office 365 Security & Compliance Center.

Step 2: Define Additional Label Classification

The first step after you have enabled the service is to define an additional documentation label that can be used to govern your business. Once you have defined the labels, the labels are now part of the documentation classification in the Office 365 Security & Compliance Center administration center.

Our approach is to walk you through the label configuration process on how to set up a credit card for detection and analysis. Once we are completed with this, we will quickly review the automatic label generation process.

The first step in configuration is to review the label structure and create the necessary sublabels and behavior that we want to see on the Office 365 user. In our case, the document that contains credit cards will be marked Confidential. We are going to create a sublabel for this document, as shown in Figure 4-25. Right-click Confidential and select Add a sub-label.
../images/429219_1_En_4_Chapter/429219_1_En_4_Fig25_HTML.jpg
Figure 4-25

Creating the first sublabel

This launches the Sub-label windows. Change the default settings as described next (see Figure 4-26).
../images/429219_1_En_4_Chapter/429219_1_En_4_Fig26_HTML.jpg
Figure 4-26

Defining the sublabel functions to classify documents (steps 1–9)

There are 13 steps we need to follow to enable the credit card protection in our document. The steps are cumbersome because there are many different options that organizations need to follow based on their security polices (so there is no one-size-fits-all solution). The changes that we are making are numbered 1–8 (see Figure 4-26) and described here, and steps 9–13 are shown in Figure 4-27.
  1. 1.

    Turn on the service (enable it and define the label), in our example we used Credit Card as the name of the rule.

     
  2. 2.

    Select the label to protect the documents.

     
  3. 3.

    Select Azure Protection; this will launch the protection options.

     
  4. 4.

    Select Add permissions to the document. (If you want to restrict e-mail distribution, select set user define permissions).

     
  5. 5.

    Specify the users and groups who will access this document label; in our case, this is only users from our e-mail domain.

     
  6. 6.

    Define the type of access users will have (make them all reviewers). Click OK and Save to return to the main blade.

     
  7. 7.

    Set visual marketing’s (watermark) on the document.

     
  8. 8.

    Define a header for the document and a color (in this case red) .

     
../images/429219_1_En_4_Chapter/429219_1_En_4_Fig27_HTML.jpg
Figure 4-27

Defining additional label parameters to classify documents (steps 9–13)

After we have made those changes, let’s make some additional changes on the document blade. These are numbered 9–13 in Figure 4-27. Click Save when completed.
  1. 9.

    Select a document to have a watermark and enter the watermark.

     
  2. 10.

    Display the watermark as a horizontal or diagonal in the document.

     
  3. 11.

    Select the condition for the protection (in this case we are using credit cards).

     
  4. 12.

    Select the industry type (aka financial).

     
  5. 13.

    Select the credit card condition, in this case we are using card number as a condition.

     

The basic label has been created. Save the changes on each of the blades. The next step is to apply the new document classification to all documents. There are additional document selection parameters. I recommend you leave these at the defaults and change them later after you have tested the document in production.

Looking at Figure 4-27, we notice the following:
  • The new document classification called Credit Card has been added.

  • The document policy requires that the document be marked.

  • The document policy also states that the document is protected.

At this point, we have set up a new document classification label called Credit Card (see Figure 4-28). Let’s apply the changes throughout the Office 365 tenant.
../images/429219_1_En_4_Chapter/429219_1_En_4_Fig28_HTML.jpg
Figure 4-28

Defining additional label parameters to classify documents (steps 9–13)

Step 3: Applying the Document Classification Globally

So far, we created a new document classification called Credit Card. This document has a subtype of Confidential, and we have restricted access to the document to users in our company with the e-mail address getoffice365security.com (remember step 5 in Figure 4-26). The restriction that we placed on the document is as a reviewer. Next, let’s select Policies (under Classification in Figure 4-29) and then select Global (there should be only one policy in place unless you added a policy).
../images/429219_1_En_4_Chapter/429219_1_En_4_Fig29_HTML.jpg
Figure 4-29

Adding the Credit Card policy to the global policy

In Figure 4-29, we need to add the new document classification to our global default policy. This simply requires adding the document classification type. In Figure 4-29, once you are in the global document classification, the next step is to add the document and select Credit Card. This will immediately begin the document classification process. The next step is to download the right management protection tool.

Note

The best way to deploy document classification is by training the end user to classify the documents when they are created. You can also deploy the automated AIP scanner that scans documents located on file servers to collect data and classify documents that have not been uploaded to Office 365.

Step 4: Downloading the Document Classification Tool

Documents are automatically classified based on the process that we defined in step 3. The document classification tool allows users to classify documents according to our company standards. There is so much information that we have created; the only way that we can truly become compliant is that we train the users in document classification. Granted, not all users think the same, which is why we create special rules and procedures to keep our users in check (so to speak). From a compliance management perspective, if you rely only on automated tools, you will not catch everything. You need the users’ help.

Once you have downloaded the client, install the client (see Figure 4-30) and start Word (or PowerPoint, etc.). This will display the document classification menu (see Figure 4-31).
../images/429219_1_En_4_Chapter/429219_1_En_4_Fig30_HTML.jpg
Figure 4-30

Downloading the client from the Azure Information Protection dashboard

../images/429219_1_En_4_Chapter/429219_1_En_4_Fig31_HTML.jpg
Figure 4-31

Installing the Azure Information Protection client management tool

After you have installed the AIP client, you will need to sign up for the Azure Rights Management Service (RMS) to make sure the document is tracked. Open Word, and select Track and Protect under the AIP icon in the toolbar. Then click Protect, then Track and Revoke (see Figure 4-32). This is the process you will use to mange access to documents you distribute. This is in addition to any label controls that were created globally on documents.
../images/429219_1_En_4_Chapter/429219_1_En_4_Fig32_HTML.jpg
Figure 4-32

Word 2016 with the Azure Information Protection client installed

Keep in mind that the user needs to control the flow of information that is sent externally and manage the documentation workflow. As an IT administrator, you can set polices on documents from a global sense, but it will be the individual users who need to manage the document they distribute to their customers. As an example, say we have a sales document that we use and distribute to potential clients. As a salesperson, I will manage my own information based on client needs. You cannot do this action globally; otherwise, you will affect sales in the organization.

Note

The AIP client is the same client as the document scanner for servers. This client tool runs as a background process and can be used to process the document on your server. In this example, we downloaded the document scanner for the end user to use. If this was a server and we wanted to run the AIP scanner, we download the same tool, install it on the server, and run a set of PowerShell commands to process documents. The document scanner requires that the account used to install on the server is the same account with the correct permission (and license) for Azure Information Protection services. See the “References” section for links where you can learn more about the AIP scanner.

Step 5: Enabling the RMS Tracking Service

Clicking Track and Revoke will launch the Azure RMS tracking service. You will need to sign in or sign up for the service (see Figure 4-33). This allows you to track documents worldwide (once the document is classified). You can revoke access and grant access.
../images/429219_1_En_4_Chapter/429219_1_En_4_Fig33_HTML.jpg
Figure 4-33

Signing up for document tracking for an external e-mail document

Once you have completed the sign-up process, download the clients for the different devices that you are using (see Figure 4-34). This way you will have a 360-degree view of all documents and be able to track and revoke rights from users.
../images/429219_1_En_4_Chapter/429219_1_En_4_Fig34_HTML.jpg
Figure 4-34

Application availability for reading protected documents

Step 6: Test the Document Classification Service

Testing the service is easy. Search the Web for a demo credit card number. The best way to test this is to create a Word document with the information. The AIP systems will prompt you for permission to send the document (see Figure 4-35). If you drop the e-mail into a document, the e-mail will be sent but will be encrypted per company policies.
../images/429219_1_En_4_Chapter/429219_1_En_4_Fig35_HTML.jpg
Figure 4-35

Documents are auto-encrypted before being sent

The e-mail encryption is automatically handled, but what about a user trying to send a Word document with protected information (Figure 4-36)? The service works the same way. The e-mail in Figure 4-37 is the document as received by the end user.
../images/429219_1_En_4_Chapter/429219_1_En_4_Fig36_HTML.jpg
Figure 4-36

Sample Word document used in our test with protected information

I sent the Word document using the share function, and when Outlook finished loading, I was prompted to sign in to the Azure information service. If my system was Azure, then there would be no login prompt. If I was an external user and not permitted to read the document, I would be blocked from document access.
../images/429219_1_En_4_Chapter/429219_1_En_4_Fig37_HTML.jpg
Figure 4-37

Document protection with a credit card number

Step 7: Configure the Data Loss Prevention Rules

The DLP rules allow you to automatically classify e-mail based on content and leverage AIP client for special features (such as Do Not Forward and other actions). In the use of AIP, we customize our e-mail portal and define labels for our document classes. AIP will process the document and recommend a classification based on the document content (see Figure 4-38). Define the document class, and the users will help you with the document classification. Keep the document classification and types to a minimum number for the best results.
../images/429219_1_En_4_Chapter/429219_1_En_4_Fig38_HTML.jpg
Figure 4-38

AIP automatically classifying documents

Additional Configuration

There are many ways to configure Enterprise Mobility & Security (EMS) for your environment. In this section, I have detailed some of the additional customization that you can do. I wanted to provide you with the information on the service customization but handle that in a different section so you would not be distracted from deploying the service. Once you have the service in place, you can change the service to match your business needs.

Password Smart Lock Protection

A password lock box is an easy configuration to complete. The EMS licenses provide you with access to Azure Active Directory. To configure smart lock passwords, all that is needed is for the systems to be trusted (azure AD joined or hybrid joined) and to have the service enable the features in Azure Active Directory. As an example (see Figure 4-39), we logged into https://portal.azure.com and selected Azure Active Directory. Once we selected Azure Active Directory, we clicked “Authentication methods” and enabled the service. In our example, we blocked some common password that users often use.
../images/429219_1_En_4_Chapter/429219_1_En_4_Fig39_HTML.jpg
Figure 4-39

Enabling smart lock in Azure Active Directory

Looking at Figure 4-39, you will notice that there are some additional configuration options such as the number of failed attempts (called lockout threshold) and the lockout duration. In our example, we allow up to ten attempts, and then we lock the user access for 60 seconds. Every business is different, and the lockouts will be shorter depending on the organization risk and compliance regulation.

Adding Applications to the Favorites List on the Azure Dashboard

In Figure 4-40, I have highlighted two areas to look at: favorites and all resources. To add an application (or blade) to the favorites, all that is needed is to select the application and add the element. The process is simple; select All Services from the sidebar. Find the service you are looking for (in this case, the Azure Information Protection application is located under Identity); then click the star (and turn it yellow).

Once the resource has been selected, it will show up at the bottom of the sidebar. You can drag and drop the resource on the sidebar to the position that makes sense to you. You can easily build a dashboard. Likewise, you can use the same process to remove the dashboard icons.
../images/429219_1_En_4_Chapter/429219_1_En_4_Fig40_HTML.jpg
Figure 4-40

Adding three applications to the Azure favorites in the sidebar

Adding Office 365 E-mail Encryption

Adding e-mail encryption is easy to do in Office 365. This is a requirement for any type of compliance management. In this section, we will show how to add e-mail encryption and customize the e-mail portal that is presented to clients. Customization is key to ensure that secured e-mail messages that you send to your client are easily recognizable as coming from your organization. In our example, we customized our e-mail encryption with our contact information, logo, and description of who to contact about the e-mail in case there are any questions. This is important because phishing attacks target a large number of different Office 365 users. If you want to reduce your threat level, you need to customize your e-mail encryption portal when you add e-mail encryption.

In Figure 4-41, the e-mail message has two interesting properties. First, we include the organization logo in the e-mail, and since we are requiring that the user click an e-mail, we also include information about the e-mail contents. The objective is to customize the e-mail communications so that third parties can easily see that the e-mail message is from your organization. The areas that you can customize are outlined in the user’s Outlook client and later after they click the encrypted e-mail message.
../images/429219_1_En_4_Chapter/429219_1_En_4_Fig41_HTML.jpg
Figure 4-41

Sample encrypted e-mail

When a user clicks a secure e-mail that has been configured, they see the configured e-mail portal (see Figure 4-42). The user can enter their ID, or they can request a passcode to be e-mailed to them. Either approach works and is simple to use.

E-mail encryption is a good way to exchange information between users. Once you have sent and encrypted e-mail to the other user, the user can edit the e-mail and return the information to you. The encryption on the e-mail is unique and is maintained in isolation from other encrypted e-mail.
../images/429219_1_En_4_Chapter/429219_1_En_4_Fig42_HTML.jpg
Figure 4-42

Configured e-mail portal with additional contact information

To start, you need to purchase an Office 365 plan that includes e-mail encryption. This is included in all Office E3/E5 subscriptions and in the Microsoft 365 E3/E5 suites. We are using the Microsoft E5 suite. To set up e-mail encryption service, follow these steps:
  1. 1.

    Activate the Office 365 Rights Management service (should already be completed).

     
  2. 2.

    Enable the encryption service in Azure Active Directory (should already be completed).

     
  3. 3.

    Configure the Automatic Encryption transport rules (optional).

     
  4. 4.

    Customize the e-mail encryption service for your business.

     
  5. 5.

    Download the AIP client to allow users to classify and encrypt e-mails.

     

Let’s walk through the steps to configure e-mail encryption.

Step 1: Setting Up the Office 365 Rights Management Service

Office 365 encryption is easy to set up and configure. The first step to use encryption is to enable the Office 365 Rights Management service. Once you have enabled the Rights Management service, you select the various rules that you want the Rights Management service to use in automatic processing communications external to your organization, as well as manual configuration of a confidential service.

Log on to Office 365 and enable the Rights Management service (only global administrators can activate this). Click Settings, click “Services & add-ins,” and then click Azure Information Protection (see Figure 4-43).
../images/429219_1_En_4_Chapter/429219_1_En_4_Fig43_HTML.jpg
Figure 4-43

Enabling Azure Information Protection

After you click Azure Information Protection, select “Manage Microsoft Azure Information Protection settings.” This will redirect you to an admin screen that shows the settings of the service. This will show you the status (see Figure 4-44). If the service is not activated, then activate the services. Keep in mind it will take 30 minutes to fully activate the services.
../images/429219_1_En_4_Chapter/429219_1_En_4_Fig44_HTML.jpg
Figure 4-44

Verifying that the service is activated

Step 2: Enable Azure Information Protection

Next, click “advanced features.” This will take you to the Azure Information Protection application; then select “Protection activation.” This will enable the encryption service. This should be already enabled from the earlier steps (see Figure 4-45).
../images/429219_1_En_4_Chapter/429219_1_En_4_Fig45_HTML.jpg
Figure 4-45

Verifying Azure Protection is activated

Step 3: (Optional) Configure the Automatic Encryption Rules for HIPAA and PII

You can configure DLP rules in the Office 365 Security & Compliance Center. To configure the rules, go to the Office 365 admin center, and select Security & Compliance Center. Once in the Security &Compliance Center, select Data Loss Prevention and Policy. We are going to create a new policy, so click Create Policy (see Figure 4-46). In our case, we are going to select the “Medical and health” option for our policy and US Health Insurance Act (HIPAA) .
../images/429219_1_En_4_Chapter/429219_1_En_4_Fig46_HTML.jpg
Figure 4-46

Creating the custom HIPAA policy

Click Next and name your policy (leave as default); see Figure 4-47.
../images/429219_1_En_4_Chapter/429219_1_En_4_Fig47_HTML.jpg
Figure 4-47

Naming your policy

Click Next and choose the locations (leave as default); see Figure 4-48.
../images/429219_1_En_4_Chapter/429219_1_En_4_Fig48_HTML.jpg
Figure 4-48

Selecting all locations for content management

Click Next to restrict the encryption to e-mail only (see Figure 4-49). In this example, we are only setting up HIPAAA rules for Exchange e-mails that are sent externally.
../images/429219_1_En_4_Chapter/429219_1_En_4_Fig49_HTML.jpg
Figure 4-49

Selecting Exchange only (we are using this for e-mail encryption)

Click Next to customize the content you want to protect. In this case, we are looking only at HIPAA information. In Figure 4-50, if you click Edit, you can define the accuracy of the content match. As an example, for PII information (such as Social Security numbers), you have a range that starts at 75 percent.

It is important that you check your business rules in your organization on the PII information and what risk factor you want to have. If you set it too high, then all e-mail will be encrypted. If you set too low, then you will have no e-mail encrypted. The recommended setting is the default at 75 percent, but this is really an organization decision on PII/HIPAA information distribution.
../images/429219_1_En_4_Chapter/429219_1_En_4_Fig50_HTML.jpg
Figure 4-50

Enabling the default rules

Click Next to automatically encrypt the content (see Figure 4-51). In one of the previous steps, we excluded OneDrive and SharePoint. This is the reason why. We are encrypting the e-mail that is being sent externally from the organization.
../images/429219_1_En_4_Chapter/429219_1_En_4_Fig51_HTML.jpg
Figure 4-51

Restricting access and encrypting the e-mail (or blocking if that is your business rule)

Click Next; then choose your label that is appropriate for this content (see Figure 4-52).

Labels are becoming more important to organizations. Data needs to be typed and configured. In Figure 4-52, we have different labels that we have already configured. We recommend that you look at the documents in your organization and define a tighter granularity for documents. Minimize the creation of new labels as much as possible. A lot of labels, adds complexity and confuses the end users (who will be doing most of the work on classification). Make the label classification process a simple process. This will make your job much easier to manage the document configurations.
../images/429219_1_En_4_Chapter/429219_1_En_4_Fig52_HTML.jpg
Figure 4-52

Selecting the label that reflects the type of content

Once you have configured the rules, you can test the policy or have it implemented. In this case, we will implement the policy. I recommend that you put the policy in test mode until you have the Outlook Message Encryption (OME) environment configured with your company headers and portal customization. See Figure 4-53.
../images/429219_1_En_4_Chapter/429219_1_En_4_Fig53_HTML.jpg
Figure 4-53

Enabling the policy for execution

Click Next to review your settings. If everything looks correct, then click Create. This will create the encryption rules for you in your Office 365 tenant. This process of rule creation will take a few minutes. Once the rules are completed, they will show up in the Office 365 Security & Compliance Center’s DLP portal.

Step 4: Customize the E-mail Encryption Service for Your Business

There are four customizations you can make to set up an encrypted e-mail: adding your logo, customizing the encryption message, customizing the encryption center, and adding instructions to the encrypted e-mail. These configuration changes are made in PowerShell and are described here.
  • Adding your logo

    In Figure 4-54, we branded the encrypted e-mail to use our KAMIND IT logo. To add your logo to Office 365 encryption, run the PowerShell commands shown here. Your customized logo will be displayed to the recipient.
    #Load the JPG file to the user tenant
    Set-OMEConfiguration -Identity "OME configuration" -Image (Get-Content "C:customerskamindkamind_new_2014_v3.jpg" -Encoding byte)
../images/429219_1_En_4_Chapter/429219_1_En_4_Fig54_HTML.jpg
Figure 4-54

Customization of the encrypted e-mail portal

  • Adding your customized text

  • In Figure 4-54 we added customized text to display information for KAMIND IT. To add your customized text, execute the PowerShell command shown here:
    #Load the JPG file to the user tenant
    Set-OMEConfiguration -Identity "OME configuration" -DisclaimerText "This message contains confidential information and is intended for the recipient. If your e-Mail account is not set up to read encrypted e-Mail, you can add this feature by adding security credentials to your existing e-Mail using the Microsoft website at http://account.live.com. If you have any questions, please call KAMIND IT at (503) 726-5933."
  • Customizing the encrypted e-mail portal

  • In Figure 4-55, we added customized text to display the branded portal and our KAMIND message. To add your customize text, execute the PowerShell command shown here:
    #Set the Customize text and Portal Text
    Set-OMEConfiguration -Identity "OME configuration" -EmailText "Encrypted message from [email protected]" -PortalText "KAMIND IT Inc. Secure E-Mail Portal – www.kamind.com (503) 741-8922"
../images/429219_1_En_4_Chapter/429219_1_En_4_Fig55_HTML.jpg
Figure 4-55

Portal customization

The complete PowerShell customization is as follows. The customized portal content from Figure 4-55 is highlighted in bold.
Set-ExecutionPolicy RemoteSigned
$LiveCred = Get-Credential
Import-module msonline
Connect-MSOLService –Credential $LiveCred –Verbose
#Createthe PS session
$Session = New-PSSession -ConfigurationName Microsoft.Exchange-ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic –AllowRedirection
Import-PSSession $Session -AllowClobber
#Load the JPG file to the user tenant
#Set-OMEConfiguration -Identity "OME configuration" -Image (Get-Content "C:customerskamindkaminditLogo.gif" -Encoding byte)
#Set encryption text
Set-OMEConfiguration -Identity "OME configuration" -EmailText "Encrypted message from KAMIND IT Inc. via Office 365 Message Encryption Service" -PortalText "KAMIND IT Inc. Secure E-Mail Portal - www.kamind.com - (503) 726-5933"
# Sample message
#Set-OMEConfiguration -Identity "OME configuration" -DisclaimerText "This message contains confidential information and is intended for the recipient. If you are not recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited."
Set-OMEConfiguration -Identity "OME configuration" -DisclaimerText "This message contains confidential information and is intended for the recipient. If your e-Mail account is not set up to read encrypted e-Mail, you can add this feature by adding security credentials to your existing e-Mail using the Microsoft website at http://account.live.com. If you have any questions, please call KAMIND at (503) 726-5933."
#Display the configuration that was just setup
Get-OMEConfiguration
Remove-PSSession $Session

Step 5: Download the AIP Client

We have already downloaded the AIP client and installed it in Outlook. There is no additional configuration necessary. For the installation instructions, please review the previous section on Azure rights management. That is all that is required to set up Office 365 e-mail encryption and to customize the portal for our clients to use. Once you have set up the e-mail encryption portal, you can extend the service to other parts of AIP. As an example, you can set up documents with metadata policy strings that the DLP rules can process to determine the best way to control information that is being sent externally. As an example, strategic plans may have a “Company Confidential” description placed in the metadata. The DLP rules can be configured to find the information and block the distribution of documents externally from the company.

Configuring Manual Encryption for Confidential Documents (Legacy)

You should create all DLP rules in the Compliance & Security Center. However, there are times when you need to go to the Exchange admin center to create DLP rules. In this case, we will create a manual encryption rule for e-mail. The manual encryption feature allows users to manually encrypt documents that are e-mailed with a sensitivity of Confidential. In Figure 4-56, we created a new e-mail, selected the options tag, and changed the message sensitivity to Confidential. The configuration notes in this step enable the manual sending of an e-mail (and all documents attached) as Confidential.
../images/429219_1_En_4_Chapter/429219_1_En_4_Fig56_HTML.jpg
Figure 4-56

Sending the encrypted e-mail

To configure these policies, you need to be a global administrator, and the configuration will be made in the Exchange admin center of Office 365. We are going to add a custom Exchange transport mailbox rule. The mailbox rule simply states that if an e-mail has Sensitivity set to Confidential, then encrypt the e-mail. The user has the ability to manually set the document sensitivity. Likewise, you can create transport rules to disable encryption. Let’s walk through the creation of a custom transport rule in the Office 365 Exchange administration center.

Step 1: Create a New Rule in the Exchange Admin Center

To create a new rule in Exchange admin center, select the plus sign (See Figure 4-57 ) to create the rule. The next step is to configure the rules characteristics.
../images/429219_1_En_4_Chapter/429219_1_En_4_Fig57_HTML.jpg
Figure 4-57

Setting a manual encryption rule to set encryption on an e-mail

Step 2: Enter the Name for the Rule ManualEncryptEmail, and Select the Conditions of the Rule

The exchange steps for the legacy configuration are easy to set up and configure. Follow these steps:
  1. 1.

    Click the blue link “More options” to expand the encryption options (see Figure 4-58).

     
../images/429219_1_En_4_Chapter/429219_1_En_4_Fig58_HTML.jpg
Figure 4-58

Creating the rule in the Exchange admin center

Step 3: Add the Encryption Rule Actions

Define where the recipient is located (outside of the organization) and set the message header sensitivity to include Confidential. In “Do the following,” select “Apply Office 365 Message Encryption to message” (see Figure 4-59).
../images/429219_1_En_4_Chapter/429219_1_En_4_Fig59_HTML.jpg
Figure 4-59

Setting overrides

The final rule should look like Figure 4-60.
../images/429219_1_En_4_Chapter/429219_1_En_4_Fig60_HTML.jpg
Figure 4-60

Fully configured rule to Manually Encrypt email based on message sensitivity

Step 4: Test the E-mail, and Use Outlook to Send an E-mail

Open Outlook and send a test encrypted message. Select the optional options on the message (icon below Low Importance), change Sensitivity to Confidential, and send the message as shown in Figure 4-61.
../images/429219_1_En_4_Chapter/429219_1_En_4_Fig61_HTML.jpg
Figure 4-61

Creating a secure e-mail with a custom transport rule

The e-mail received by the client will look like Figure 4-62. Click the e-mail to read it and unencode it. In our example, we sent the e-mail with the option “Do Not Forward” (see red “do not enter” icon).
../images/429219_1_En_4_Chapter/429219_1_En_4_Fig62_HTML.jpg
Figure 4-62

Outlook client receiving encrypted e-mail

The secret on using encrypted email is to make sure your portal is branded with your business logo. You need to train your customers visually on what is an accepted email from your organization. The customized portal helps your customer recognize messages that come from your organization.

Summary

This chapter focused on Identity Management and Information Protection. These tools are powerful and provide you with the necessary flexibility to configure your Office 365 services. As a bonus, I walked you through the configuration of Exchange encryption. We spent some time setting up e-mail encryptions and customizing the service portal. As Microsoft develops the Security & Compliance Center, these capabilities will be upgraded and enhanced. At this point our baseline is completed and data is being logged for security analysis. 

Next Steps

This chapter was focusing on completing the basic configuration for security with Office 365 and Azure. In Chapter 2, we built out the necessary data collection repositories in Azure under Log Analytics. In Chapter 3, we expand the capabilities and added data from Windows device endpoints (Windows 10, Windows servers and Linux devices) to give us the 360 view of activities in our tenant. In this chapter, we built out the remaining identity services for EMS. The next step is to leverage all of the services we enabled in our MAM and MDM deployment. Once this is completed, we have a secure environment where our corporate data and devices are protected. Our next stop - Mobile Device Management!

References

We covered a lot of information in this chapter. My goal was to give you an overview of the various components to give you a head start on the configuration of protection management and security. If you follow the steps, you will be able extend the capabilities of your security deployment. The following are good reference links that will assist you in reaching the next level of securing your Office 365 and Azure environment.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
3.135.249.37