In today’s digital world, passwords have become a universal language to access applications and devices. Now, many organizations are looking to employ a password-less strategy.

As I wrote in a previous blog about protecting the user identity and data with Zero Trust and Microsoft Security, let us start with the basics and recognize the number one asset under attack: the identity. Today, as organizations continue to plan and strategize the adoption of multi-factor authentication, users continue to authenticate with single-factor authentication via passwords. For some organizations, password policies remain relaxed for the sake of user experience, especially when logging in to a Windows 10/11 device, Microsoft 365, a third-party cloud app, or a legacy/line-of-business app that leverages Azure Active Directory or Active Directory Domain Services. While a relaxed policy makes for a more accessible user experience, it also gives malicious actors an opportunity to deploy simple attack strategies for compromising identities, including but not limited to brute-force attacks and dictionary attacks.

While some systems have built-in security capabilities to prevent simple attacks, let us not forget the more sophisticated method for compromising an identity: social engineering. With social engineering, malicious actors use psychological techniques to draw the necessary data out of the user and generate likely passwords with moderate to high accuracy; this includes baiting, spear phishing, scareware, and pretexting. Of course, a simple password only scratches the surface. Consider organizations whose end-users complain about complex password requirements and refuse to use the systems or apps, or users who reuse the same password across all systems and apps. The question becomes, “How do you protect the identity with a strengthened security foundation and an optimal user experience?” The answer? Eliminate passwords by defining a password-less strategy.

Password-less login makes it easier for users to sign in securely. It also supports a Zero Trust security model, in which every access request is authenticated independently of any device state or network location. In addition to simplifying the user experience and supporting a Zero Trust approach to security, password-less login makes it easier for IT teams to implement modern identity solutions such as Azure Active Directory (Azure AD).

How do you define a password-less strategy?

As implied, “password-less” indicates methods by which users can log in to respective systems and apps without needing a password. While a password-less strategy may sound impossible, culture and adoption are the primary factors. Imagine the typical user in your organization logging into their Windows 10/11 device with biometrics and/or PIN, already establishing two-factor authentication, and seamlessly logging in to Outlook and Microsoft Teams. Also, imagine the same user using a personal device to log in to Microsoft 365 with only the Microsoft Authenticator app. Finally, consider the field user who needs to log in to an enterprise app that leverages Azure AD as an identity provider and requires two-factor authentication; see the previous example with Microsoft 365!

With that, here are some questions to consider when defining a password-less strategy:

  1. What is the business culture when it comes to leveraging passwords?
  2. How many passwords does a user need to remember?
  3. What is the average number of enterprise apps the typical end-user logs in to daily?
  4. Does our organization already leverage devices with biometrics and/or PIN to log in?
  5. How many incidents and requests does our help desk receive for resetting passwords or unlocking accounts?
  6. How many incidents does our cybersecurity team receive for compromised identities due to passwords?

How You Can Build a Better Security Strategy with Password-less Authentication

In brief, Microsoft defined a password-less strategy for organizations of all sizes, from small and medium businesses to enterprises, summarized in four (4) steps:

  1. Developing password-replacement offerings
  2. Reducing the user-visible password surface area
  3. Transitioning into your password-less deployment
  4. Eliminating passwords from your directory services, such as Active Directory Domain Services

[Figure: Password Less Strategy]

Developing password-replacement offerings

The first step in your password-less strategy journey is determining the best replacement offerings for your organization. Next, consider the technologies your end-users are leveraging today: Windows 10 and 11, Microsoft 365, Azure Virtual Desktop, cloud apps (e.g., Box), and any enterprise apps deployed on-premises. Also, consider what will be convenient to your end-users when logging in to systems and apps leveraging Azure AD or Active Directory for authentication purposes and forms-based passwords.

Let us take Windows 10 and 11 as an example. A replacement for a password-less strategy is Windows Hello for Business, utilizing biometrics (e.g., facial recognition or fingerprint scanning) or PIN. In addition, you can couple these features with a Bluetooth device for two-factor authentication.

Now, let us consider Microsoft 365. Suppose your organization already adopted multi-factor authentication via Microsoft Authenticator. You are just one step closer to enabling password-less authentication and logging into Microsoft 365 from a personal device without a password!

While developing your password-replacement offerings, this is the best opportunity for your organization to structure the journey by identifying the different personas throughout your organizational departments, including IT. Another factor is identifying all applications and services that leverage a password. The number of personas, departments, and apps in your organization will determine how long it will take to establish a solid foundation for your password-less journey. Still, the best idea is to begin with a pilot!

Reducing the user-visible password surface area

As you progress through the pilot and confirm the feasibility of the password-less technologies, the next step is a deep engagement with the personas and departments on their usage of passwords and their comfort level with eliminating passwords for their apps and services. Once the deep dive is complete and you understand the overall use and frequency of passwords for each app and service, the journey continues with developing a mitigation plan. While the easy part is the apps and services already leveraging Active Directory and Azure AD for authentication, the challenge is determining the effort level for applications that require custom development or vendor support for additional authentication methods. However, once your mitigation plan is in place for all apps and services, engage with the pilot and remove all password capabilities, such as enforcing Windows Hello for Business or removing the password credential provider.
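Identifying which apps still depend on a password, as the two steps above describe, is easiest to do from sign-in telemetry. The script below is an added example (not AIS's or Microsoft's code) that inventories the user-visible password surface from sign-in records. The records are constructed to resemble Azure AD sign-in log entries (the `appDisplayName`, `userPrincipalName` and `authenticationDetails[].authenticationMethod` fields of the Microsoft Graph `signIn` resource); the method names and user names are assumptions, not exported tenant data. A sign-in that presented a password and then an Authenticator push is still counted as a password sign-in, because the password remains user-visible.

```python
from collections import defaultdict

# Methods treated as password-less for this inventory. The strings are assumed
# (modelled on Azure AD sign-in log values); adjust to match your tenant's exports.
PASSWORDLESS_METHODS = {
    "Windows Hello for Business",
    "FIDO2 security key",
    "Passwordless phone sign-in",
}

# Constructed sample sign-in records (not real tenant data).
SAMPLE_SIGNINS = [
    {"appDisplayName": "Office 365 Exchange Online", "userPrincipalName": "alice@contoso.example",
     "authenticationDetails": [{"authenticationMethod": "Windows Hello for Business", "succeeded": True}]},
    {"appDisplayName": "Office 365 Exchange Online", "userPrincipalName": "bob@contoso.example",
     "authenticationDetails": [{"authenticationMethod": "Password", "succeeded": True},
                               {"authenticationMethod": "Mobile app notification", "succeeded": True}]},
    {"appDisplayName": "Legacy Timesheet App", "userPrincipalName": "bob@contoso.example",
     "authenticationDetails": [{"authenticationMethod": "Password", "succeeded": True}]},
    {"appDisplayName": "Legacy Timesheet App", "userPrincipalName": "carol@contoso.example",
     "authenticationDetails": [{"authenticationMethod": "Password", "succeeded": False}]},
    {"appDisplayName": "Microsoft Teams", "userPrincipalName": "carol@contoso.example",
     "authenticationDetails": [{"authenticationMethod": "FIDO2 security key", "succeeded": True}]},
]


def classify_signin(record):
    """'password' if a password was presented at any step (even with MFA after it),
    'passwordless' if only password-less methods were used, else 'other'."""
    methods = {d["authenticationMethod"] for d in record.get("authenticationDetails", [])}
    if "Password" in methods:
        return "password"
    if methods & PASSWORDLESS_METHODS:
        return "passwordless"
    return "other"


def password_surface(records):
    """Per app: sign-in counts by class and the users who still presented a password."""
    summary = defaultdict(lambda: {"password": 0, "passwordless": 0, "other": 0, "password_users": set()})
    for r in records:
        cls = classify_signin(r)
        entry = summary[r["appDisplayName"]]
        entry[cls] += 1
        if cls == "password":
            entry["password_users"].add(r["userPrincipalName"])
    return dict(summary)


def apps_to_migrate(records):
    """Apps where every recorded sign-in used a password: first candidates for the mitigation plan."""
    surface = password_surface(records)
    return sorted(app for app, c in surface.items() if c["password"] > 0 and c["passwordless"] == 0)


if __name__ == "__main__":
    for app, c in sorted(password_surface(SAMPLE_SIGNINS).items()):
        print(f"{app}: password={c['password']} passwordless={c['passwordless']} "
              f"users_on_password={sorted(c['password_users'])}")
    print("Apps with no password-less sign-ins yet:", apps_to_migrate(SAMPLE_SIGNINS))
```

Run against a real export, the `password_users` sets give the persona-level view the pilot needs (who still types a password, and where), while `apps_to_migrate` lists the applications that need custom development or vendor support before passwords can be removed.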

Transitioning into your password-less deployment

If all went well with the pilot and user acceptance testing was successful, the next milestone is taking the remaining personas and departments, deploying the password-less technologies, and eliminating the password surface area. Of course, aside from technology, this milestone requires extensive organizational change management and end-user adoption. 

As you transition the personas and departments into the password-less space, there are essential items to consider: 

  • Organizational change management
  • End-user adoption
  • Awareness campaigns
  • Training sessions
  • Education material

The purpose is to establish a positive atmosphere for promoting the password-less journey and the benefits it brings.

During the transition, the IT organization will report and track all issues related to the password-less deployment, ensuring that no gaps exist in the deployment and that every issue is resolved. After resolving issues and remediating gaps, the final step is configuring identities to disallow passwords and enforce the use of password-less technology.

Eliminating passwords from your directory services

As the transition to a password-less deployment nears completion, the final milestone is eliminating passwords from your directory services, such as Active Directory. Today, organizations can accomplish this by removing the remaining password surface area, enforcing the use of password-less technology, and randomizing passwords for all identities, where possible.

Schedule your Free Cloud Security Assessment

Let our certified security experts help with your password-less journey. AIS is a Microsoft Gold Partner with mission-critical competencies and Advanced Specializations, including Cloud Security, Identity and Access Management, and Cloud Productivity. Begin your password-less journey today with an AIS Cloud Security Assessment to help identify and determine your roadmap for a password-less journey, and accomplish your objectives in a reasonable, cost-effective, and secured timeframe.

Whether you start with a Cloud Security Assessment, or if you’re ready to engage a partner to begin your journey to a password-less space, contact us to learn more about how AIS experts can help you.

Microsoft 365 is the best-in-class enterprise communication and collaboration solution, allowing your organization to become highly productive within and outside of the organization. In brief, Microsoft 365 is comprised of various products and workloads, from Exchange for email and Microsoft Teams for instant messaging and telephony to SharePoint Online for developing your intranet and Yammer for inter-organizational social interaction. So, now that your organization utilizes Microsoft 365, what is your next step?

The Challenge

Microsoft 365 provides a broad set of products, such as Exchange, Microsoft Teams, SharePoint Online, and Power Apps. Your organization may want to give the end-user community the best solution and user experience so that it becomes productive and competitive in your respective industry. However, as your organization continues to adopt and incorporate change by rolling out the features available in Microsoft 365, the end-user community will begin utilizing these features as soon as possible.

So, what’s going to happen now? For example, I give my child a brand-new toy or video game, and they are ecstatic. However, after a few days, once my child is done playing with the toy or video game, they toss it in a nearby spot and completely forget about it. However, as a parent, I teach my child to put the new toy or video game in a specific location each time they are done, properly dispose of it if they don’t want the toy or video game, or write their name on it, in case they lose it. Overall, there is an essential factor that organizations tend to forget or lack before communicating new features and products available in Microsoft 365: governance.


The Solution

In brief, Microsoft 365 governance revolves around planning the protection of your assets, ensuring proper asset lifecycle management, and minimizing risk to your organization from data leakage, improper role and permission assignment, and ownerless content. Examples of Microsoft 365 governance controls include access reviews for certain assets, such as Microsoft 365 groups, teams, or SharePoint communication sites; leveraging Microsoft Information Protection to assign sensitivity labels to Microsoft 365 groups for protection and classification; leveraging Azure AD PIM (Privileged Identity Management) for permanent or temporary role assignments and just-in-time access for specific tasks or objectives; and establishing the required controls and permissions for Azure AD app registration and consent.

The Objective

As you continue to adopt Microsoft 365 in your organization, begin planning and establishing a Microsoft 365 governance framework for all workloads utilized, such as Exchange, Microsoft Teams, Azure AD, Yammer, SharePoint, and more. As you establish the framework, collaborate with key members from adoption & change management, business stakeholders, and inter-organizational Microsoft 365 champions, and ensure the overall end-user community is aware of the governance controls set for Microsoft 365. Also, keep in mind that your Microsoft 365 governance framework is a living, ever-evolving concept. Therefore, as you continue to utilize Microsoft 365 in your organization, keep your governance framework up to date and inform the same key members and stakeholders.


As your organization continues the digital transformation journey, Microsoft offers a highly beneficial service for protecting and containerizing corporate data and assets for the remote workforce, such as employees, consultants, or contractors: Desktop-as-a-Service. In brief, Desktop-as-a-Service provides a virtual desktop infrastructure, eliminating the need to manage the actual infrastructure! Specifically, the customer is responsible for app deployments, custom images, virtual machine sizing and deployment, directory services integration, and data center network connectivity (e.g., site-to-site VPN, SD-WAN, ExpressRoute, etc.). Today, Microsoft offers two solutions for Desktop-as-a-Service: Azure Virtual Desktop (formerly Windows Virtual Desktop) and Windows 365. Now comes the business decision: which one?

Azure Virtual Desktop

Azure Virtual Desktop allows your organization to deploy persistent and non-persistent virtual desktops, whether direct or automatic assignment, along with complete compute elasticity. Also, Azure Virtual Desktop enables your organization to deploy multi-session hosts and publish RemoteApps, depending on organizational requirements.
Consider several configuration steps:

  • Host pool settings (e.g., allow USB redirecting, RDP settings)
  • Out-of-the-box or custom images
  • Application groups
  • User profile storage
  • Load-balancing between non-persistent virtual desktops
  • Device management

Also, there are key decisions to consider when utilizing Azure Virtual Desktop, such as disaster recovery and business continuity. Finally, while your organization must understand the consumed compute operational costs in Azure, keep in mind the licensing costs for the Windows desktop OS (e.g., perpetual or subscription-based). Overall, the proper planning and execution make Azure Virtual Desktop a beneficial and flexible solution for your organization.


Windows 365

Windows 365 offers an end-to-end solution for persistent virtual desktops, deployed and managed via Microsoft Endpoint Manager (formerly Microsoft Intune). In brief, some of the prerequisites include network connectivity to Active Directory on-premises (Azure AD Join coming soon!), identity and device synchronization via Azure AD Connect, an Azure subscription, an Azure virtual network, and DNS resolution to Active Directory on-premises. In addition, there are some configuration steps to consider, such as custom or out-of-the-box images, provisioning policies, and user settings. Finally, a pivotal decision to consider and understand is the licensing types for Windows 365, which depend on the compute resource size requirement (e.g., vCPU, RAM, and storage). Overall, while there may be a lack of compute elasticity and disaster recovery flexibility, Windows 365 is a perfect solution to quickly deploy virtual desktops to the remote workforce at a fixed cost, regardless of actual compute resource usage.

How Do You Decide?

Azure Virtual Desktop and Windows 365 provide various options to meet specific organizational needs.

Ultimately, deciding between Azure Virtual Desktop and Windows 365 depends on several factors:

  • Operational versus fixed costs
  • Disaster recovery and business continuity expectations
  • Compute elasticity and auto-scaling
  • Device management roadmap
  • IT administration functions

Below are common scenarios and possible solutions between Azure Virtual Desktop, Windows 365, or both!

[Table: Scenario and Solution]

Conclusion

I hope this blog has been helpful when choosing between Azure Virtual Desktop and Windows 365 for Desktop-as-a-Service.

Did you know Microsoft Teams Admin Center is not the only place to configure Teams security? Since Microsoft Teams is strongly wired to SharePoint, OneDrive, and Exchange, Teams takes advantage of Microsoft 365 security, protection, and compliance policies. As a customer of Microsoft 365, we own the data residing in our Microsoft 365 tenant; therefore, as an Enterprise Administrator, configuring advanced security and compliance capabilities is an essential part of the planning phase of any Microsoft 365 workload deployment, which includes Microsoft Teams. How these security offerings are inter-related with Microsoft Teams and other services is depicted in the following screen:

[Figure: Microsoft 365 Tenant]

Now, let us take a light dive into the nine Teams-specific Microsoft 365 policies (at the time this article was written) meant to secure and protect Teams and its content, apart from the policies available in the Microsoft Teams Admin Center:

  1. Safe attachment policy – Protects users from opening or sharing a malicious file in Teams, including SharePoint and OneDrive.
  2. Safe links policy – Safeguards users from accessing malicious links in emails, documents, and Teams conversations.
  3. Conditional access policy – Provides users access control based on group membership, users, locations, devices, and applications.
  4. Data encryption policy – Provides an additional security layer for encrypting the content at the application level to align with organization compliance obligations.
  5. Information barrier policy – Helps to control communication in Teams between specific users for compliance reasons.
  6. Communication compliance policy – Helps detect and act upon unprofessional messages within Microsoft Teams that may put your organization at risk.
  7. Sensitivity label policy – Allows users to apply sensitivity labels when creating or editing teams to secure the Teams’ content.
  8. Data loss prevention policy – Draws a boundary between internal and external users to protect sensitive information relevant to your business.
  9. Retention policy – Helps to retain or delete a Teams chat as per the organization policies, legal requirements, or industry standards.

This was a quick glance at Microsoft Teams’ security, protection, and compliance capabilities through Microsoft 365 policies. For more information, please look at the Microsoft Technical Community blog here, where I have added further details on each of the above policies.

Cloud application development has grown to the point that it has increased the vital need for enterprise mobility and security solutions to manage people, devices, apps, and data for organizations of all sizes. Additionally, the pandemic has led businesses to increasingly offer remote working options that let employees use their personal or company-owned devices. Therefore, enterprise mobility management and security solutions will have a long-term impact in the future.

Governance and compliance regulations are the biggest challenges when choosing a suitable and sturdy solution. This is where Microsoft’s Enterprise Mobility and Security solution provides a more significant transformation of workloads, with identity and access management, endpoint management, information protection, and security delivered through various Microsoft 365 policy configurations. This article explains how these policies are distributed across the Enterprise Mobility and Security solution.

Microsoft 365 policies are continuously evolving to protect organization resources such as devices, apps, identities, and data. I categorize these policies into three significant blocks and refer to them as a whole as Microsoft 365 Policies Framework – MSPC. Let us walk through the unique features of all these components.

[Figure 1: MSPC]

Management

The Management aspect of the Enterprise Mobility and Security solution gives users with Microsoft 365 licenses easy and secure access to devices and apps when collaborating with people inside or outside the organization, regardless of location or device type. It comes with a centralized place to secure, deploy, and manage all users, apps, and devices: Microsoft Endpoint Manager.
Microsoft Endpoint Manager is designed to help administrators use Configuration Manager and Intune together, in a cloud-only or hybrid setup, for device and app management. This management process comes with Microsoft Intune, which includes Mobile Device Management (MDM) and Mobile Application Management (MAM) providers with different policies to configure and control devices and apps once they are enrolled, as described below. MDM controls employees’ corporate and personal devices, while MAM manages data and privacy within the apps on those devices.

[Figure: Microsoft Endpoint Manager]

MDM Policies

  1. Device configuration profiles: Device profile policies let you configure settings and then push those settings to devices in your organization. The settings can be applied to either devices or users. If settings are configured for devices, they remain with the device, regardless of who is signed in. If settings are configured for users, they go with the user when signed in to their devices.
  2. Device compliance policies: These policies provide rules and settings that users and devices must meet to be compliant with the organization’s standards for devices, such as the OS platform or a security feature on the device. When a compliance policy is deployed to a user, all of that user’s devices are checked for compliance. As an administrator, you can notify the user or remotely lock or retire a device that is not compliant.
  3. Device conditional access policies: Conditional access policies enforce access requirements on users based on specific conditions, such as an unfamiliar sign-in, the user or group, IP location, or devices of particular platforms. When these conditions are matched, conditional access policies direct users to perform certain actions, such as a password change or multi-factor authentication, or, as an administrator, you can block or grant access.

MAM Policies

  1. App configuration policy: Provides the ability to publish configuration settings for iOS/iPadOS and Android apps. For example, as an administrator, you can set custom port numbers, language settings, security settings, and branding settings such as a company logo, which removes the need for users to configure the application on their own.
  2. App protection policy: An app protection policy is applied to an app, such as a desktop or mobile app, on any managed or unmanaged device. This policy is used to ensure the organization’s data safety by making the app a managed app. It provides rules that are enforced when the user attempts to access or move “corporate” data, or a set of prohibited or monitored actions when the user is inside the app. For example, as an administrator, you can restrict copy-paste between certain apps or printing of organization data.
  3. Office app policy: Many policies are meant for Office apps only; they are added to Microsoft Intune and applied to groups of end-users. Examples include blocking add-ins in Excel, disabling shortcut keys in Word, clearing the cache on close, or even the hyperlink color in documents. Currently, there are 2093 policies to apply across multiple platforms for Office applications.


Security & Protection

“Security and Protection” is a crucial component of Microsoft 365 policies, configurable from the portals such as Microsoft Security Center, Microsoft Cloud App Security Center, Microsoft Defender Security Center, Microsoft Defender for Identity, and Azure Portal. These portals help detect, prevent, investigate, and respond across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.

[Figure: Security and Protection M365 Framework]

Microsoft Defender for Office 365

It is the place where you can see risky users, incident reports such as impossible travel activity, and a security score with recommended actions, and where you can create advanced custom queries to identify breach activity against schemas such as generated alerts, apps, identities, devices, and threat activities. It safeguards the organization against malicious threats posed by email messages, links (URLs), and collaboration tools. Moreover, you can also create threat protection policies, explained as follows:

  • Anti-malware policy: As an administrator, you can quarantine a message for your review if malware is detected in an attachment. You can also block attachment types in email that may harm the computer.
  • Anti-phishing policy: This policy allows you to configure anti-phishing protection settings for a specific group of users over email, to avoid impersonation-based attacks that steal sensitive information from messages. As an administrator, you can configure an action if a malicious email is found, such as redirecting the message to decision-makers, quarantining it, or deleting it.
  • Safe attachment policy: An extra layer of security on top of Exchange Online Protection for inbound messages as well as files residing in SharePoint, OneDrive, and Teams. Using this policy, administrators can investigate malicious attachments or files that could destroy user data or steal information.
  • DomainKeys Identified Mail (DKIM): This policy configuration helps protect both senders and recipients from attackers forging email in transit.

Further, you can also configure 29 default alert policies that help identify Exchange admin permissions abuse, malware activity, potential external and internal threats, and information governance risks.

Microsoft Cloud App Security (MCAS)

The Cloud App Security portal is a comprehensive solution for investigating on-premises logs and cloud content such as files and user accounts. It provides rich visibility and control over data and sophisticated analytics to identify and resolve cyber threats across all cloud services. All Office 365 usage logs are ingested into Cloud App Security for better visibility and alert configuration. Office 365 usage log activities are available based on conditional access and app configuration in Cloud App Security. At present, there are 75 built-in configurable alert policies to generate email notifications to specified users on suspicious activities. You can also investigate security configuration gaps across multi-cloud platforms such as AWS, Azure, and Google. In the CAS portal, you can view recommended actions to improve the identity security posture, for example, stopping clear-text credential exposure. Additionally, as an administrator, you can create the following policies:

  1. Access policy: Generates an alert or grants access based on a match of certain devices, apps, or users.
  2. Activity policy: Helps notify the concerned user on mass downloads, multiple failed user log-ons, or log-ons from a risky machine or browser. It also allows you to create an alert based on any usage activity that occurred in Microsoft 365. For example, notify decision-makers by configuring an alert in the activity policy for when a DLP policy in Power Platform has changed.
  3. App discovery policy: Helps generate alerts when new apps are discovered in your organization.
  4. Cloud discovery anomaly detection policy: Creates an alert based on compliance, security, or general risk factors such as HIPAA, ISO 27001, data center, domain, GDPR, etc.; unusual increases in cloud application usage, such as downloaded data, uploaded data, transactions, and users, are considered for each cloud application. For example, trigger an alert for the top three suspicious activities per 2,000 users per week.
  5. File policy: Generates an alert if a file is shared with a personal email or an unauthorized domain. Based on this alert, the administrator can further remove a user, apply a protection label, or put the user in quarantine.
  6. OAuth app policy: Helps generate an alert if an app matches specific permission levels or permission requests. As an administrator, you can also revoke permissions for the app and the user who authorized it. For example, you can automatically be alerted when apps require a high permission level and were authorized by more than 30 users.
  7. Session policy: Provides real-time monitoring and control over user activity in cloud apps. For example, as an administrator, create a session policy to monitor Power BI activities.
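The OAuth app policy example above (alert when an app that holds a high permission level has been authorized by more than 30 users) is the kind of rule that is worth understanding before you rely on the portal to evaluate it. The script below is an added illustration, not code from AIS or from Microsoft Cloud App Security, of that rule applied to consent-grant records. The records are constructed; the permission names are real Microsoft Graph delegated scopes, but the `HIGH_PERMISSIONS` classification and the record shape (`appId`, `appDisplayName`, `userPrincipalName`, `scopes`) are assumptions of this example, not the product's own permission-level scoring.

```python
# Scopes this example treats as "high" permission. This classification is an assumption;
# Cloud App Security computes its own permission level for each app.
HIGH_PERMISSIONS = {
    "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
    "Directory.ReadWrite.All", "User.ReadWrite.All",
}
CONSENT_THRESHOLD = 30  # "more than 30 users", as in the policy example


def build_sample_consents():
    """Constructed consent-grant records (one row per user consent); not real tenant data."""
    grants = []
    for i in range(31):  # high permission, authorized by 31 distinct users
        grants.append({"appId": "app-mailsync", "appDisplayName": "Bulk Mail Sync",
                       "userPrincipalName": f"user{i}@contoso.example",
                       "scopes": ["User.Read", "Mail.ReadWrite"]})
    for i in range(40):  # many users, but only low-risk scopes
        grants.append({"appId": "app-calwidget", "appDisplayName": "Calendar Widget",
                       "userPrincipalName": f"user{i}@contoso.example",
                       "scopes": ["User.Read", "Calendars.Read"]})
    for i in range(2):  # high permission, but far below the user threshold
        grants.append({"appId": "app-diradmin", "appDisplayName": "Directory Admin Tool",
                       "userPrincipalName": f"admin{i}@contoso.example",
                       "scopes": ["Directory.ReadWrite.All"]})
    # A repeated consent by the same user must not be counted as a second user.
    grants.append(dict(grants[0]))
    return grants


def summarize_consents(grants):
    """Collapse per-user grants into one entry per app: distinct users and the union of scopes."""
    apps = {}
    for g in grants:
        entry = apps.setdefault(g["appId"], {"name": g["appDisplayName"], "users": set(), "scopes": set()})
        entry["users"].add(g["userPrincipalName"])
        entry["scopes"].update(g["scopes"])
    return apps


def evaluate_oauth_policy(grants, threshold=CONSENT_THRESHOLD):
    """Alert on apps holding at least one high permission that more than `threshold` distinct users authorized."""
    alerts = []
    for app_id, info in summarize_consents(grants).items():
        high = sorted(info["scopes"] & HIGH_PERMISSIONS)
        if high and len(info["users"]) > threshold:
            alerts.append({"appId": app_id, "appDisplayName": info["name"],
                           "userCount": len(info["users"]), "highPermissions": high})
    return sorted(alerts, key=lambda a: a["appId"])


if __name__ == "__main__":
    for alert in evaluate_oauth_policy(build_sample_consents()):
        print(f"ALERT {alert['appDisplayName']} ({alert['appId']}): "
              f"{alert['userCount']} users, high permissions {alert['highPermissions']}")
```

Counting distinct users rather than consent events is the detail that matters: a single enthusiastic user re-consenting after a token reset should not push an app over the threshold, and an app with a dangerous scope but two consenting admins is a different (review-worthy, but not bulk) finding than one with broad adoption.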

Microsoft Defender for Endpoint (MDE)

Microsoft Defender for Endpoint is a complete solution that helps enterprise networks monitor and respond to threat activity. It continuously discovers threats, detects vulnerabilities, and suggests remediation. It provides the security configuration posture of the organization’s devices across OS, application, network, accounts, and security controls. These activities are observed via the sensor installed in the domain controller. You can view a dashboard that summarizes threat activities, such as the latest and most impactful threats, or the impact of threats across the organization.

With Microsoft Defender for Endpoint, as an administrator, you can assess your organization’s impact and review security resilience and posture – for example, charts that provide an overview of how resilient your organization is against a given threat. It also suggests recommended actions that can help you increase your organizational resilience against the threat and, eventually, the security posture.

Microsoft Defender for Identity (MDI)

Microsoft Defender for Identity is one of the Microsoft Defender suite components, used to detect and investigate advanced threats, compromised user accounts, and malicious insider actions directed at the organization, based on on-premises Active Directory activity.

MDI monitors and analyzes user activities and information across the enterprise network. It learns about user behavior by identifying user permissions and detects suspicious activities to provide deep insights. It helps to reveal the advanced threat activities, compromised user accounts, and insider threats facing your organization. It also helps detect hybrid attacks involving AD FS.

Azure Portal for Identity Protection

The Azure portal allows configuring Identity Protection policies that help automate the detection and remediation of identity-based risks, such as leaked credentials, sign-ins by a different user, or unfamiliar activities such as sign-ins from anonymous IP addresses, impossible travel, etc. These are the default policies that administrators can configure.

  1. Azure AD MFA registration policy: This policy acts as a self-remediation method for risk events within Identity Protection. It is a process where a user is prompted at sign-in for an additional form of identification. This could be entering a code from their cellphone or providing a fingerprint scan. It is also used to roll out Azure AD Multi-Factor Authentication (MFA) via a Conditional Access policy.
  2. Sign-in risk policy: This policy blocks access, allows access, or allows access but requires multi-factor authentication, based on the risk level. This risk level is analyzed for each sign-in, both in real time and offline. It is based on the sign-in activity only and analyzes the probability that the sign-in was not performed by the user.
  3. User risk policy: This policy blocks access, allows access, or allows access but requires a password reset, based on the user risk level. This risk level is analyzed from each sign-in, both in real time and offline. It detects the probability that a user account has been compromised by detecting risk events that are atypical of the user's behavior.
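The sign-in risk and user risk policies above are, under the hood, Conditional Access policies with risk conditions. The following is an added example (not code from the original article) that creates both through the Microsoft Graph PowerShell SDK; it assumes the Microsoft.Graph module is installed, that the account running it holds the Conditional Access Administrator role, and uses a constructed placeholder break-glass account UPN. Both policies are created in report-only mode so the effect can be reviewed in the sign-in logs before enforcement.

```powershell
# Added example: risk-based Conditional Access policies via Microsoft Graph.
# Requires: Install-Module Microsoft.Graph (Identity.SignIns + Users submodules).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All"

# Placeholder: an emergency-access account that must never be locked out by risk policies.
$breakGlassUpn = "breakglass@contoso.example"
$breakGlassId  = (Get-MgUser -UserId $breakGlassUpn).Id

# 2. Sign-in risk policy: medium or high sign-in risk -> require MFA.
$signInRiskPolicy = @{
    displayName = "IdP - Require MFA for medium/high sign-in risk"
    state       = "enabledForReportingButNotEnforced"   # report-only first
    conditions  = @{
        signInRiskLevels = @("high", "medium")
        applications     = @{ includeApplications = @("All") }
        users            = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassId)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

# 3. User risk policy: high user risk -> require MFA AND a secure password change.
# "AND" is what turns this into the self-remediation flow (prove identity, then reset).
$userRiskPolicy = @{
    displayName = "IdP - Require password change for high user risk"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        userRiskLevels = @("high")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassId)
        }
    }
    grantControls = @{
        operator        = "AND"
        builtInControls = @("mfa", "passwordChange")
    }
}

$created = foreach ($body in @($signInRiskPolicy, $userRiskPolicy)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Verify what was actually stored and that both are still report-only.
foreach ($p in $created) {
    $stored = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $p.Id
    "{0} | state={1} | signInRisk={2} | userRisk={3}" -f $stored.DisplayName,
        $stored.State,
        ($stored.Conditions.SignInRiskLevels -join ","),
        ($stored.Conditions.UserRiskLevels -join ",")
}
```

After reviewing the report-only results, switch `state` to `enabled` for each policy with `Update-MgIdentityConditionalAccessPolicy`.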


Compliance

Microsoft Compliance Manager helps to manage risks and protect data by aligning with industry standards. It also provides visibility into the current level of enterprise compliance posture and suggests recommended actions to improve it. It is mainly used to classify and protect sensitive information, and it generates alerts if any compliance issues are detected. You can enable auditing for all Microsoft 365 workloads. There are three central policies that you can configure from Compliance Manager, explained as follows:

M365 Policies Framework Compliance

  1. Data loss prevention policy: A DLP policy for Microsoft 365 workloads helps identify and protect the organization's sensitive information. For example, as an administrator, you may want to prevent users from sending email messages that contain credit card numbers or sensitive information about projects or the business.
  2. Retention policy: With data increasing every day, governing data is a crucial task to comply with industry regulations and internal policies, reduce the impact of a security breach, and improve productivity. As an administrator, you can retain content forever or for a specified time, or delete content after a specified time, by creating a retention policy.
  3. Audit log alert policy: As an administrator, you can create alerts based on user activities that match the alert policy's conditions. For example, you can create an alert when a user modifies the Power Platform's DLP policy. There are 500+ activities on which you can base an alert and notify the respective users.
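As an added example (not from the original article), the DLP and retention policies described above can be created with the Security & Compliance PowerShell cmdlets from the ExchangeOnlineManagement module. It assumes an account with the Compliance Administrator role and uses a constructed admin UPN; the DLP policy starts in test mode so that matches are logged without yet blocking anyone.

```powershell
# Added example: DLP + retention policies via Security & Compliance PowerShell.
# Requires: Install-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName "admin@contoso.example"   # placeholder UPN

# 1. DLP: stop email that carries a credit card number.
#    Mode TestWithNotifications = audit + user tips, no enforcement yet.
New-DlpCompliancePolicy -Name "Block credit card numbers in email" `
    -ExchangeLocation All `
    -Mode TestWithNotifications

New-DlpComplianceRule -Name "Credit card - block send" `
    -Policy "Block credit card numbers in email" `
    -ContentContainsSensitiveInformation @{ Name = "Credit Card Number"; minCount = "1" } `
    -BlockAccess $true `
    -NotifyUser LastModifier

# 2. Retention: keep project records for 7 years after last modification, then delete.
New-RetentionCompliancePolicy -Name "Project records - 7 years" `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All

New-RetentionComplianceRule -Name "Project records - keep 7y then delete" `
    -Policy "Project records - 7 years" `
    -RetentionDuration 2555 `
    -ExpirationDateOption ModificationAgeInDays `
    -RetentionComplianceAction KeepAndDelete

# Review what was created before moving the DLP policy to -Mode Enable.
Get-DlpCompliancePolicy -Identity "Block credit card numbers in email" |
    Select-Object Name, Mode, ExchangeLocation
Get-RetentionComplianceRule -Policy "Project records - 7 years" |
    Select-Object Name, RetentionDuration, RetentionComplianceAction
```

Once the DLP match reports look right, enforce with `Set-DlpCompliancePolicy -Identity "Block credit card numbers in email" -Mode Enable`.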


In essence, Enterprise Mobility and Security is a foundation for keeping organization assets safe, whether in the cloud, on-premises, or in a hybrid setup. Properly setting up this ecosystem of policies requires a driven mindset and a strong command of the different tools and features. I hope this article helps to spark more ideas and interest in building a deeper understanding of mobility and security aspects, ultimately leading to more robust security postures.

To get started with Microsoft Mobility and Security learning, I suggest subscribing to the Microsoft 365 Development program and building the test environment to configure various Mobility and Security scenarios via Microsoft 365 policies. This would also provide experience towards earning “Microsoft 365 Certified Enterprise Administrator” certification. See the links below to get started:


Microsoft has recently released a new Office 365 service called SharePoint Syntex. SharePoint Syntex adds Artificial Intelligence (AI) capabilities to SharePoint document libraries. SharePoint Syntex is the first product to be released from Microsoft Project Cortex. SharePoint Syntex provides us with out-of-the-box capabilities to build no-code AI models and apply them to document libraries. SharePoint Syntex is now available for Office 365 commercial customers. You can integrate this service into your Office 365 tenant. There is also a free trial available for one month.

SharePoint contains collections of documents with hidden knowledge inside. SharePoint Syntex helps us extract the information from these documents that is important to us, using built-in AI models. We can use this metadata to process the documents automatically. Since we no longer have to extract the documents' metadata manually, it saves time and money. There is no need to call external APIs to extract metadata from documents in document libraries anymore; SharePoint Syntex brings us two no-code AI models: the Document Understanding model and the Form Processing model. Below is an example whiteboard diagram giving a high-level explanation of SharePoint Syntex.

AI model Diagram

Document Understanding Models:

Document understanding models work best with unstructured documents (which have more text) such as contracts, resumes, letters, email messages, and health records. You can create a document understanding model using the SharePoint Content Center site (the model creation interface) and then apply it to SharePoint document libraries in your Office 365 tenant. The document understanding model consists of two parts:

  • Classifier: Identifies and classifies the documents (for example: resumes, contracts, letters) uploaded to document libraries.
  • Extractor: Optionally add an extractor to your model to extract keywords from the classified documents. For example, you may extract critical metadata from your document like "Person Name," "Organization Name," and "Contract Start Date" and add them as column values in a document library, and you can use this metadata to process your document further automatically. Example: if "Contract Start Date" is later than today, send an email to a group of people.

To train the Classifier and Extractor, documents must have common text that can be identified using phrases or patterns. Example: if we want to create a model explanation for "Resumes," we can add phrases like "Name," "Degree," "Address," "Programmer," "Network Engineer," and "Software Engineer" to the model's explanation phrase list, which helps the model identify the document type as "Resume." Beyond the classification and extraction of keywords, you can also apply a retention label through document understanding models; documents carrying that label cannot be deleted from the document library for the specified time period. The diagram below shows the key steps we can perform from the SharePoint Content Center site:

Figure 2 Document Understanding

Form Processing Model

The form processing model works best with structured documents like forms, purchase orders, and invoices. Unlike the document understanding model, a form processing model can be created directly from SharePoint document libraries, using Microsoft Power Apps AI Builder and Flow. Using the Form Processing model, we can extract key-value pairs and table data from structured or semi-structured documents and add them as column values in SharePoint libraries.

The below diagram shows the key steps to create and publish the Form Processing model.

Create a Form Processing Model

SharePoint Library Form Processing

Conclusion

SharePoint Syntex can help organizations automate business processes, since it automatically extracts metadata (information) from documents. We can use that metadata to process documents further, using Flow or any other workflow tool. Now we have meaningful metadata available on document libraries, which improves search results. It also helps manage compliance risk, since the AI model can apply a retention label to documents so that they are not deleted from libraries for a specific period. We are getting these features with no-code AI models! This year, Microsoft Project Cortex is also coming up with many new AI features (Topic cards, Topic Pages, Knowledge Centers) in Office 365, which will automatically help us turn content into knowledge.


The pandemic has changed the way Microsoft has had to deliver new product enhancements, but it hasn't slowed down the respective product teams from unveiling significant changes to Microsoft 365. Last week, the Microsoft Build conference became the showcase for several Microsoft 365 announcements, and now that it is complete, we can summarize and reflect on how these announcements will change the way we use the platform.

In this post we will look at the highlight announcements and discuss how these changes can impact your usage of Microsoft 365, whether you’re an administrator, user, or implementer.

Microsoft Lists

There is no doubt that one of the biggest announcements last week was Microsoft Lists. What this effectively continues is the trend of Microsoft taking the pieces of SharePoint and building them out across Microsoft 365.

The biggest change is that Microsoft Lists is now its own application inside of Microsoft 365 with its own landing page. It takes what we already had in modern SharePoint lists and makes it available outside of just a SharePoint context. Now these lists, which are really small applications, can live outside of SharePoint or can be created inside of a Group-connected SharePoint Team Site (unfortunately, it doesn't seem to be possible to create them in Communication sites, although you can still get much of the functionality as a SharePoint list in that site design).

Microsoft Lists

These lists have the functionality we are used to, like custom formatting, integration with Power Apps/Power Automate, rich filtering and editing experiences, and more. There are some good enhancements such as a gallery (or "card") view, a modern monthly calendar view, conditional metadata show/hide based on criteria, a conversational notification creation interface, and a lot more. Also, there are now prebuilt templates for various list types, and all of this is seamlessly available to be surfaced inside of Microsoft Teams.

The richness of Microsoft Lists will allow users to build rather complex applications with a very straightforward yet powerful interface, and when you want to do something more complex, the Power Platform will allow you to enhance them even further.

Here are Microsoft resources explaining the announcement in greater detail:

Enhancements to Microsoft Teams

While Microsoft Lists may have been the biggest single addition to Microsoft 365 last week, there remains no mystery that Microsoft Teams continues to be the darling of Microsoft 365. To that end, there are several changes that make Teams an ever more compelling product, and that is especially true as the pandemic pushes more organizations to embrace distributed work.


There have been recent changes such as a new 3×3 video grid when in a call, "raise a hand" to ask a question, and changes to the pre-join experience that let you adjust settings more easily. These weren't announced directly at Build, but they are important changes worth mentioning. To get an overview, see this video on Microsoft Mechanics: Microsoft Teams Updates | May 2020 and Beyond. One seemingly small but important change is that the search box in Teams can now default to your current context, such as a chat, which will be a very big discoverability improvement.

Regarding developer announcements at Build, several new changes were announced:

  • New interface inside of tenant administration to build Teams templates where you can set pre-defined channels and tabs/apps.
  • New Visual Studio and Visual Studio Code extensions to build apps for Teams.
  • Single-button deployment of Power Apps applications into Teams.
  • New Power Automate triggers for Teams.
  • Customizable application notifications using the Microsoft Graph.

The biggest takeaway from all these announcements is that Microsoft wants to provide as many avenues as possible to quickly extend Teams, whether that's a more traditional programmatic solution using the Visual Studio family of products or using the Power Platform to enable a new class of power users who are familiar with those products.

Read more about these announcements at the Microsoft Teams blog: What’s New in Microsoft Teams | Build Edition 2020.

Project Cortex Release Date and Taxonomy APIs

While Project Cortex was announced at the Ignite conference last year, we now know that Project Cortex will enter general availability in early summer this year, which may be no more than a month or two away. While the impact Project Cortex will have on our Microsoft 365 implementations remains to be seen, it certainly has the promise to change the dynamic of how we do information management in Microsoft 365.

The interesting announcement for developers was the new APIs to complete CRUD operations on the Term Store through the Microsoft Graph. This has never been possible before, and it will be interesting to see how customers integrate this functionality. What is clear is that if you have been ignoring either the Microsoft Graph or Managed Metadata, now is the time to investigate how these opportunities can maximize your Microsoft 365 investment.

Microsoft Graph Connectors Entering Targeted Release

Like Project Cortex, this is not a new announcement, but the fact that these are now going to be more broadly available in the targeted release channel in the near future is an exciting development. Essentially, these connectors allow your organization to surface external data sources into search using the Microsoft Graph. If you’re interested in seeing the range of connectors available, check out the Microsoft Graph Connectors gallery.

Implement Today

If you are interested in more Microsoft 365 Announcements, Microsoft has released its Build conference book of news that summarizes all the announcements across all their product lines.

There were great announcements last week, but digesting them can be daunting. Let AIS help you understand their impact on your organization and help ensure your investment in Microsoft 365 is being maximized. Contact us today to start the conversation.

ACA Compliance Group needed help streamlining the communications landscape and its fast-growing workforce to collaborate more effectively. AIS recommended starting small with Microsoft Teams adoption and utilizing Microsoft Planner to gain advocates, realize quick wins, and gather insights to guide the larger rollout.

Starting Their Cloud Transformation Journey

The cloud brings many advantages to both companies and their employees, including unlimited access and seamless collaboration. However, to unleash the full power of cloud-based collaboration, a company must select the right collaboration technology that fits their business needs and ensures employees adopt the technology and changes in practices and processes. This ultimately benefits the business through increased productivity and satisfaction.

In early 2019, an international compliance firm with around 800 employees contacted AIS to help migrate multiple email accounts into a single Office 365 (O365) Exchange account. They invited AIS to continue their cloud journey and help them:

  • Understand their existing business processes and pain points across multiple time zones, countries, departments, and teams.
  • Provide their employees with a secure, reliable, and integrated solution to effective communication and collaboration.
  • Increase employee productivity by improving file and knowledge sharing and problem-solving.
  • Reduce cost from licensing fees for products duplicating features already available through the company’s enterprise O365 license.

Kicking Off a Customer Immersion Experience

First, AIS provided a Microsoft Customer Immersion Experience (CIE) demonstration, which served as the foundational step to introduce all O365 tools. After receiving stakeholder feedback, needs, and concerns, we collaboratively determined the best order for rolling out the O365 applications. The client selected to move forward with Microsoft Teams adoption as the first step to implementing collaboration software in the organization.

Pilots for Microsoft Teams Adoption

Next, we conducted a pilot with two departments to quickly bring benefits to the organization without a large cost investment and to gather insights that would inform the overall Teams adoption plan and strategy for the entire organization. We confirmed with pilot study employees that they saw and welcomed the benefits that Microsoft Teams provides, including:

  • Reduced internal emails.
  • Seamless communication and collaboration among (remote) teams/departments.
  • Increased productivity, efficiency, and transparency.
  • Centralized and accessible location for files, documents, and resources in Teams.

The pilot study also found that adopting Microsoft Teams in the organization would require a paradigm shift. Many employees were used to email communication, including sending attachments back and forth that were hard to track. In addition, while some departments had sophisticated collaboration tools, a common collaboration tool across the company did not exist. For web conferencing, for example, different departments preferred different tools, such as GoToMeeting and WebEx, and most of them incurred subscription fees. Employees had to install multiple tools on their computers to collaborate across departmental boundaries.


Embracing Benefits of Microsoft Teams with Organizational Change Management (OCM)

To help employees understand the benefits of Teams, embrace the new tool, and willingly navigate the associated changes, we formed a project team for the organization-wide deployment and Microsoft Teams adoption with different roles, including a Project Manager, Change Manager, UX Researcher, Business Analyst, and Cloud Engineer. Organizational Change Management (OCM), User Experience (UX), and business analysis were as critical as the technical aspects of the cloud implementation.

Building on each other’s expertise, the project team worked collaboratively and closely with technical and business leaders at the company to:

  • Guide communication efforts to drive awareness of the project and support it.
  • Identify levers that would drive or hinder adoption and plan ways to promote or mitigate.
  • Equip department leaders with champions and facilitate end-user Teams adoption best practices.
  • Guide end users on how to thrive using Teams through best practices and relevant business processes.
  • Provide data analytics and insights to support target adoption rates and customize training.
  • Use an agile approach to resolve both technical issues and people’s pain points, including using Teams for private chats, channel messages, and meetings.
  • Develop a governance plan that addressed technical and business evolution, accounting for the employee experience.

Cutting Costs & Boosting Collaboration

At the end of the 16-week engagement, AIS helped the client achieve its goals of enhanced collaboration, cost savings, and 90% Teams use with positive employee feedback. The company was well-positioned to achieve 100% by the agreed-upon target date.

Our OCM approach, which is grounded in the Prosci ADKAR® framework, a leading framework for change management based on 20 years of research, significantly contributed to our project success. As Prosci describes on their website, "ADKAR is an acronym that represents the five tangible and concrete outcomes that people need to achieve for lasting change":

  • Awareness of the need for change
  • Desire to support the change
  • Knowledge of how to change
  • Ability to demonstrate skills and behaviors
  • Reinforcement to make the change stick

The OCM was designed to provide busy executives, leaders, and end users with key support and actionable insights to achieve each outcome necessary for Teams adoption efficiently and effectively.

If you would like to participate in a CIE demonstration or learn more about adopting cloud-based collaboration tools and practices in your company, we are here to help!
