Cloud application development has grown to the point that enterprise mobility and security solutions are now vital for managing people, devices, apps, and data in organizations of all sizes. Additionally, the pandemic has pushed businesses to offer more remote working options that allow employees to use their personal or company-owned devices. Enterprise mobility management and security solutions will therefore have a long-term impact.

Governance and compliance regulations are the biggest challenges when choosing a suitable and sturdy solution. This is where Microsoft’s Enterprise Mobility and Security solution comes in: it transforms the workloads with identity and access management, endpoint management, information protection, and security through various Microsoft 365 policy configurations. This article explains how these policies are organized under the Enterprise Mobility and Security solution.

Microsoft 365 policies are continuously evolving to protect organization resources such as devices, apps, identities, and data. I categorize these policies into three significant blocks and refer to them as a whole as the Microsoft 365 Policies Framework (MSPC). Let us walk through the unique features of all these components.

Figure 1: MSPC

Management

The Management aspect of the Enterprise Mobility and Security solution gives users with Microsoft 365 licenses easy and secure access to devices and apps when collaborating with people inside or outside the organization, regardless of location or device type. It comes with a centralized place to secure, deploy, and manage all users, apps, and devices, called Microsoft Endpoint Manager.
Microsoft Endpoint Manager is designed to help administrators use Configuration Manager and Intune together, in a cloud-only or hybrid setup, for device and app management. This management process comes with Microsoft Intune, which includes Mobile Device Management (MDM) and Mobile Application Management (MAM) providers with different policies to configure and control devices and apps once they are enrolled. MDM controls employees’ corporate and personal devices, while MAM manages data and privacy within the apps and devices.

Figure: Microsoft Endpoint Manager

MDM Policies

  1. Device Configuration Profiles: Device profile policies let you configure settings and then push these settings to devices in your organization. These settings can be applied to both devices and users. If settings are configured for devices, they remain with the device, regardless of who is signed in. If settings are configured for users, they go with the user when signed into their devices.
  2. Device Compliance Policies: These policies define rules and settings that users and devices must meet to be compliant with organization standards, such as the OS platform or security features of the device. When a compliance policy is deployed to a user, all the user’s devices are checked for compliance. As an administrator, you can remotely lock or retire a device that is not compliant for the user, or notify them.
  3. Device Conditional Access Policies: Conditional access policies enforce access requirements on users based on specific conditions such as an unfamiliar sign-in, user or group membership, IP location, or devices of particular platforms. When these conditions are matched, conditional access policies direct users to perform certain actions such as a password change or multi-factor authentication; as an administrator, you can also block or grant access.
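As an added example (not code from the original article), the following Microsoft Graph PowerShell script creates the kind of conditional access policy described above: it requires multi-factor authentication when the sign-in risk is medium or high. It assumes the Microsoft.Graph module is installed, that the caller holds a role allowed to write conditional access policies, and that `<break-glass-object-id>` is replaced with the object ID of an emergency-access account; the policy name is constructed for this example.

```powershell
# Added example (not from the original article): create a report-only
# Conditional Access policy with Microsoft Graph PowerShell.
# Assumptions: the Microsoft.Graph module is installed, the caller can write
# Conditional Access policies, and "<break-glass-object-id>" is replaced with
# the object ID of an emergency-access account.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$policy = @{
    displayName = "Require MFA for medium or high sign-in risk"
    # Start in report-only mode so the effect can be reviewed in the sign-in
    # logs before any user is actually prompted or blocked.
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        users = @{
            includeUsers = @("All")
            # Always exclude an emergency-access account so a misconfigured
            # policy cannot lock every administrator out of the tenant.
            excludeUsers = @("<break-glass-object-id>")
        }
        applications = @{ includeApplications = @("All") }
        signInRiskLevels = @("medium", "high")
    }
    grantControls = @{
        operator = "OR"
        builtInControls = @("mfa")
    }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body ($policy | ConvertTo-Json -Depth 10) `
    -ContentType "application/json"

"Created policy $($created.id) in state $($created.state)"
```

Review the report-only results in the Azure AD sign-in logs for a few days, confirm that only the intended sign-ins would have been prompted, and only then change `state` to `enabled`. The break-glass exclusion is the check most often forgotten: without it, a policy that misfires can block the very accounts needed to fix it.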

MAM Policies

  1. App Configuration Policy: It provides the ability to publish configuration settings for iOS/iPadOS and Android apps. For example, as an administrator, you can set custom port numbers, language settings, security settings, and branding settings such as a company logo, which removes the need for users to configure the application on their own.
  2. App Protection Policy: An app protection policy is applied to an app, such as a desktop or mobile app, on managed or unmanaged devices. This policy is used to ensure the safety of an organization’s data, making the app a managed app. It provides rules that are enforced when the user attempts to access or move “corporate” data, or a set of prohibited or monitored actions when the user is inside the app. For example, as an administrator, you can restrict copy-paste between certain apps or printing of organization data.
  3. Office App Policy: These policies are meant for Office apps only; they are added in Microsoft Intune and applied to groups of end users. Examples include blocking add-ins in Excel, disabling shortcut keys in Word, clearing the cache on close, or even setting the hyperlink color in documents. Currently, there are 2093 policies to apply across multiple platforms for Office applications.


Security & Protection

“Security and Protection” is a crucial component of Microsoft 365 policies, configurable from the portals such as Microsoft Security Center, Microsoft Cloud App Security Center, Microsoft Defender Security Center, Microsoft Defender for Identity, and Azure Portal. These portals help detect, prevent, investigate, and respond across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.

Figure: Security and Protection in the M365 Framework

Microsoft Defender for Office 365

It is the place where you can see risky users, incident reports such as impossible travel activity, the security score with recommended actions, and where you can create advanced custom queries to identify security breach activity against schemas such as generated alerts, apps, identities, devices, and threat activities. It safeguards the organization against malicious threats posed by email messages, links (URLs), and collaboration tools. Moreover, you can also create the threat protection policies explained as follows:

  • Anti-malware policy: As an administrator, you can quarantine a message for your review if malware is detected in an attachment. You can also block attachment types in email that may harm the computer.
  • Anti-phishing policy: This policy allows you to configure anti-phishing protection settings for a specific group of users to avoid impersonation-based attacks that aim to steal sensitive information from messages. As an administrator, you can configure the action taken when a malicious email is found, such as redirecting the message to decision-makers, quarantining it, or deleting it.
  • Safe attachment policy: This is an extra layer of security on top of Exchange Online Protection for inbound messages as well as files residing in SharePoint, OneDrive, and Teams. Using this policy, administrators can investigate malicious attachments or files that could destroy user data or steal information.
  • DomainKeys Identified Mail (DKIM): This configuration helps protect both senders and recipients from attackers forging email in transit.

Further, you can also configure the 29 default alert policies that help identify Exchange admin permission abuse, malware activity, potential external and internal threats, and information governance risks.

Microsoft Cloud App Security (MCAS)

The Cloud App Security portal is a comprehensive solution for investigating on-premises logs and cloud content such as files and user accounts. It provides rich visibility and control over data and sophisticated analytics to identify and resolve cyber threats across all cloud services. All Office 365 usage logs are ingested into Cloud App Security for better visibility and alert configuration. Office 365 usage log activities are available based on the conditional access and app configuration in Cloud App Security. At present, there are 75 built-in configurable alert policies that generate email notifications to specified users on suspicious activities. You can also investigate all security configuration gaps across multi-cloud platforms such as AWS, Azure, and Google. In the CAS portal, you can view recommended actions to improve the identity security posture, for example, stopping clear-text credential exposure. Additionally, as an administrator, you can create policies as follows:

  1. Access policy: It generates an alert or grants access based on a match of certain devices, apps, or users.
  2. Activity policy: It helps notify the concerned user on mass downloads, multiple failed logons, or logons from a risky machine or browser. It also allows you to create an alert based on any usage activity that occurred in Microsoft 365. For example, notify decision-makers by configuring an alert in the activity policy when a DLP policy in Power Platform has changed.
  3. App discovery policy: It helps generate alerts when new apps are discovered in your organization.
  4. Cloud discovery anomaly detection policy: It creates alerts based on compliance, security, or general risk factors (such as HIPAA, ISO 27001, data center, domain, and GDPR) and on unusual increases in cloud application usage (downloaded data, uploaded data, transactions, and users), evaluated for each cloud application. For example, trigger an alert for the top three suspicious activities per 2,000 users per week.
  5. File policy: It generates an alert if a file is shared with a personal email address or an unauthorized domain. Based on this alert, the administrator can further remove a user, apply a protection label, or put the user in quarantine.
  6. OAuth app policy: This policy helps generate an alert if an app matches specific permission levels or permission requests. As an administrator, you can also revoke the app’s permissions for the user who authorized it. For example, you can be alerted automatically when apps require a high permission level and were authorized by more than 30 users.
  7. Session policy: A session policy provides real-time monitoring and control over user activity in cloud apps. For example, as an administrator, create a session policy to monitor Power BI activities.

Microsoft Defender for Endpoint (MDE)

Microsoft Defender for Endpoint is a complete solution to help enterprise networks monitor and respond to threat activity. It continuously discovers threats, detects vulnerabilities, and suggests remediation. It provides the security configuration posture of the organization’s devices across OS, applications, network, accounts, and security controls. These activities are observed via the sensor installed on the domain controller. You can view a dashboard that summarizes threat activities such as the latest and highest-impact threats, or the impact of threats across the organization.

With Microsoft Defender for Endpoint, as an administrator, you can assess your organization’s impact and review security resilience and posture, for example, with charts that provide an overview of how resilient your organization is against a given threat. It also suggests recommended actions that can help you increase your organizational resilience against the threat and, eventually, the security posture.

Microsoft Defender for Identity (MDI)

Microsoft Defender for Identity is one of the Microsoft Defender suite components, used to detect and investigate advanced threats, compromised user accounts, and malicious insider actions directed at the organization, based on on-premises Active Directory activity.

MDI monitors and analyzes user activities and information across the enterprise network. It learns about user behavior by identifying user permissions and detects suspicious activities to provide deep insights. It helps to reveal the advanced threat activities, compromised user accounts, and insider threats facing your organization. It also helps detect hybrid attacks involving AD FS.

Azure Portal for Identity Protection

The Azure portal allows configuring policies for identity protection that help automate the detection and remediation of identity-based risks such as leaked credentials, authentication by a different user, or unfamiliar activities such as sign-ins from an anonymous IP address, impossible travel, etc. These are the default policies that administrators can configure.

  1. Azure AD MFA registration policy: This policy acts as a self-remediation method for risk events within Identity Protection. It is a process where a user is prompted at sign-in for an additional form of identification. This could be entering a code from their cellphone or providing a fingerprint scan. It is also used to roll out Azure AD Multi-Factor Authentication (MFA) via a Conditional Access policy.
  2. Sign-in risk policy: This policy blocks access, allows access, or allows access but requires multi-factor authentication, based on the risk level. This risk level is analyzed from each sign-in, both in real time and offline. It is based on the sign-in activity only and analyzes the probability that the user did not perform the sign-in.
  3. User risk policy: This policy blocks access, allows access, or allows access but requires a password reset, based on the user risk level. This risk level is analyzed from each sign-in, both in real time and offline. It detects the probability that a user account has been compromised by detecting risk events that are atypical of the user’s behavior.


Compliance

Microsoft Compliance Manager helps to manage risks and protect data by aligning with industry standards. It also provides visibility into the current level of enterprise compliance posture and suggests recommended actions to improve it. It is mainly used to classify and protect sensitive information, and it generates alerts if any compliance issues are detected. You can enable auditing for all Microsoft 365 workloads. There are three central policies that you can configure from Compliance Manager, as follows:

Figure: Compliance in the M365 Policies Framework

  1. Data loss prevention policy: A DLP policy for Microsoft 365 workloads helps identify and protect the organization’s sensitive information. For example, as an administrator, you may want to prevent users from sending email messages that contain credit card numbers or sensitive information about projects or the business.
  2. Retention policy: With data increasing every day, governing data is a crucial task to comply with industry regulations and internal policies, reduce security breaches, and improve productivity. As an administrator, you can retain content forever or for a specified time, or delete content after a specified time, by creating a retention policy.
  3. Audit log alert policy: As an administrator, you can create alerts based on user activities that match the alert policy’s conditions. For example, you can create an alert when a user modifies the Power Platform’s DLP policy. There are more than 500 activities on which you can generate an alert and notify the respective users.
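As an added example (not code from the original article), the following Security & Compliance PowerShell script creates the DLP policy described in item 1 above: it stops email that contains credit card numbers from leaving the organization. It assumes the ExchangeOnlineManagement module is installed and that the caller holds a compliance administration role; the policy and rule names are constructed for this example.

```powershell
# Added example (not from the original article): create a DLP policy that
# blocks outbound email containing credit card numbers, using the Security &
# Compliance PowerShell cmdlets from the ExchangeOnlineManagement module.
# Assumptions: the module is installed and the caller has a compliance
# administration role. Policy and rule names are constructed for this example.

Connect-IPPSSession

# Policy scope: all Exchange mailboxes. Start in test mode with notifications
# so matches are logged and users are warned, but mail is not yet blocked.
New-DlpCompliancePolicy -Name "Block credit card numbers in email" `
    -ExchangeLocation All `
    -Mode TestWithNotifications

# Rule: match one or more credit card numbers using the built-in sensitive
# information type, block the message when shared outside the organization,
# and notify the sender.
New-DlpComplianceRule -Name "Credit card number - block external" `
    -Policy "Block credit card numbers in email" `
    -ContentContainsSensitiveInformation @{ Name = "Credit Card Number"; minCount = "1" } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner

# Once the DLP reports show only true positives, enforce the policy:
# Set-DlpCompliancePolicy -Identity "Block credit card numbers in email" -Mode Enable
```

Running the policy in test mode first matters because the built-in credit card detector, like any pattern-based classifier, produces false positives on numbers that happen to pass a Luhn check; reviewing the DLP match reports before switching to `Enable` avoids blocking legitimate business mail.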


In essence, Enterprise Mobility and Security is a foundation for keeping organization assets safe, whether in the cloud, on-premises, or in a hybrid setup. Properly setting up this ecosystem of policies requires a driven mindset and a strong command of different tools and features. I hope this article helps to spark more ideas and interest in building a deeper understanding of mobility and security aspects, ultimately leading to more robust security postures.

To get started with Microsoft Mobility and Security learning, I suggest subscribing to the Microsoft 365 Developer Program and building a test environment to configure various Mobility and Security scenarios via Microsoft 365 policies. This would also provide experience towards earning the “Microsoft 365 Certified: Enterprise Administrator” certification.


Microsoft has recently released a new Office 365 service called SharePoint Syntex. SharePoint Syntex adds Artificial Intelligence (AI) capabilities to SharePoint document libraries. It is the first product to be released from Microsoft Project Cortex. SharePoint Syntex provides out-of-the-box capabilities to build no-code AI models and apply them to document libraries. It is now available for Office 365 commercial customers, and you can integrate this service into your Office 365 tenant. There is also a free one-month trial available.

SharePoint contains collections of documents with hidden knowledge inside. SharePoint Syntex helps us extract the information that matters to us from these documents using built-in AI models. We can use this metadata to process the documents automatically. Since we no longer have to extract document metadata manually, it saves time and money, and there is no need to call external APIs to extract metadata from the documents in document libraries. SharePoint Syntex brings us two no-code AI models: the Document Understanding model and the Form Processing model. Below is an example whiteboard diagram giving a high-level explanation of SharePoint Syntex.

Figure: AI model diagram

Document Understanding Models:

Document understanding models work best with unstructured documents (which have more text) such as contracts, resumes, letters, email messages, and health records. You can create a document understanding model using the SharePoint Content Center site (the model creation interface) and then apply it to SharePoint document libraries in your Office 365 tenant. The document understanding model comes in two parts:

  • Classifier: Identifies and classifies the documents (for example, resumes, contracts, letters) uploaded to document libraries.
  • Extractor: Optionally add an extractor to your model to extract keywords from essential documents. For example, you may extract critical metadata from your document such as “Person Name,” “Organization Name,” and “Contract Start Date,” add them as column values in a document library, and then use this metadata to process your document further automatically. Example: if “Contract Start Date” is later than today, send an email to a group of people.

To train the classifier and extractor, documents must have common text that can be identified using phrases or patterns. Example: if we want to create a model explanation for “Resumes,” we can add phrases like “Name,” “Degree,” “Address,” “Programmer,” “Network Engineer,” and “Software Engineer” to the model explanation phrase list, which helps the model identify the document type as “Resume.” Beyond the classification and extraction of keywords, you can also apply a retention label through document understanding models; labeled documents cannot be deleted from the document library for the specified time period. The diagram below shows the key steps we can perform from the SharePoint Content Center site:

Figure 2: Document Understanding

Form Processing Model

The form processing model works best with structured documents like forms, purchase orders, and invoices. Unlike the document understanding model, a form processing model can be created directly from SharePoint document libraries, using Microsoft Power Apps AI Builder and Flow. Using the form processing model, we can extract key-value pairs and table data from structured or semi-structured documents and add them as column values in SharePoint libraries.

The below diagram shows the key steps to create and publish the Form Processing model.

Figure: Create a Form Processing Model

Figure: SharePoint Library Form Processing

Conclusion

SharePoint Syntex can help organizations automate business processes, since it automatically extracts metadata (information) from documents. We can use this metadata to process documents further, using Flow or any other workflow tool. With meaningful metadata now available on document libraries, search results improve as well. It also helps manage compliance risk, since the AI model can apply a retention label to documents so that they are not deleted from libraries for a specified period. We get all of these features with no-code AI models! This year, Microsoft Project Cortex is also bringing many new AI features (topic cards, topic pages, knowledge centers) to Office 365, which will automatically help us turn content into knowledge.


The pandemic has changed the way Microsoft has had to deliver new product enhancements, but it hasn’t slowed down the respective product teams from unveiling significant changes to Microsoft 365. Last week, the Microsoft Build conference became the showcase for several Microsoft 365 announcements, and now that it is complete, we can summarize and reflect on how these announcements will change the way we use the platform.

In this post, we will look at the highlight announcements and discuss how these changes can impact your usage of Microsoft 365, whether you’re an administrator, user, or implementer.

Microsoft Lists

There is no doubt that one of the biggest announcements last week was Microsoft Lists. This effectively continues the trend of Microsoft taking the pieces of SharePoint and building them out across Microsoft 365.

The biggest change is that Microsoft Lists is now its own application inside of Microsoft 365 with its own landing page. It takes what we already had in modern SharePoint lists and makes it available outside of just a SharePoint context. Now these lists, which are really small applications, can live outside of SharePoint or can be created inside of a Group-connected SharePoint Team Site (unfortunately, it doesn’t seem to be possible to create them in Communication sites, although you can still get much of the functionality as a SharePoint list in that site design).


These lists have the functionality we are used to, like custom formatting, integration with Power Apps and Power Automate, rich filtering and editing experiences, and more. There are some good enhancements such as a gallery (or “card”) view, a modern monthly calendar view, conditional metadata show/hide based on criteria, a conversational notification creation interface, and a lot more. Also, there are now prebuilt templates for various list types, and all of this is seamlessly available to be surfaced inside of Microsoft Teams.

The richness of Microsoft Lists will allow users to build rather complex applications with a very straightforward yet powerful interface, and when you want to do something more complex, the Power Platform will allow you to enhance them even further.


Enhancements to Microsoft Teams

While Microsoft Lists may have been the biggest single addition to Microsoft 365 last week, there remains no mystery that Microsoft Teams continues to be the darling of Microsoft 365. To that end, there are several changes that make Teams an ever more compelling product, and that is especially true as the pandemic pushes more organizations to embrace distributed work.


There have been recent changes such as a new 3×3 video grid when in a call, “raise a hand” to ask a question, and changes to the pre-join experience that make settings easier to adjust. These weren’t announced directly at Build, but they are important changes worth mentioning. To get an overview, see this video on Microsoft Mechanics: Microsoft Teams Updates | May 2020 and Beyond. One seemingly small but important change is that the search box in Teams can now default to your current context, such as a chat, which will be a very big discoverability improvement.

Regarding developer announcements at Build, several new changes were announced:

  • New interface inside of tenant administration to build Teams templates where you can set pre-defined channels and tabs/apps.
  • New Visual Studio and Visual Studio Code extensions to build apps for Teams.
  • Single-button deployment of Power Apps applications into Teams.
  • New Power Automate triggers for Teams.
  • Customizable application notifications using the Microsoft Graph.

The biggest takeaway from all these announcements is that Microsoft wants to provide as many avenues to quickly extend Teams whether that’s a more traditional programmatic solution using the Visual Studio family of products or using the Power Platform to enable a new class of power users that are familiar with those products.

Read more about these announcements at the Microsoft Teams blog: What’s New in Microsoft Teams | Build Edition 2020.

Project Cortex Release Date and Taxonomy APIs

While Project Cortex was announced at the Ignite conference last year, we now know that Project Cortex will enter general availability in early summer this year, which may be no more than a month or two away. While the impact Project Cortex will have on our Microsoft 365 implementations remains to be seen, it certainly has the promise to change the dynamics of how we do information management in Microsoft 365.

The interesting announcement for developers was the new APIs to complete CRUD operations on the Term Store through the Microsoft Graph. This has never been possible before, and it will be interesting to see how customers integrate this functionality. What is clear is that if you have been ignoring either the Microsoft Graph or Managed Metadata, now is the time to investigate how these opportunities can maximize your Microsoft 365 investment.

Microsoft Graph Connectors Entering Targeted Release

Like Project Cortex, this is not a new announcement, but the fact that these are now going to be more broadly available in the targeted release channel in the near future is an exciting development. Essentially, these connectors allow your organization to surface external data sources into search using the Microsoft Graph. If you’re interested in seeing the range of connectors available, check out the Microsoft Graph Connectors gallery.

Implement Today

If you are interested in more Microsoft 365 Announcements, Microsoft has released its Build conference book of news that summarizes all the announcements across all their product lines.

There were great announcements last week, but digesting them can be daunting. Let AIS help you understand their impact on your organization and help ensure your investment in Microsoft 365 is being maximized. Contact us today to start the conversation.

ACA Compliance Group needed help streamlining the communications landscape and its fast-growing workforce to collaborate more effectively. AIS recommended starting small with Microsoft Teams adoption and utilizing Microsoft Planner to gain advocates, realize quick wins, and gather insights to guide the larger rollout.

Starting Their Cloud Transformation Journey

The cloud brings many advantages to both companies and their employees, including unlimited access and seamless collaboration. However, to unleash the full power of cloud-based collaboration, a company must select the right collaboration technology that fits their business needs and ensures employees adopt the technology and changes in practices and processes. This ultimately benefits the business through increased productivity and satisfaction.

In early 2019, an international compliance firm with around 800 employees contacted AIS to help migrate multiple email accounts into a single Office 365 (O365) Exchange account. They invited AIS to continue their cloud journey and help them:

  • Understand their existing business processes and pain points across multiple time zones, countries, departments, and teams.
  • Provide their employees with a secure, reliable, and integrated solution to effective communication and collaboration.
  • Increase employee productivity by improving file and knowledge sharing and problem-solving.
  • Reduce cost from licensing fees for products duplicating features already available through the company’s enterprise O365 license.

Kicking Off a Customer Immersion Experience

First, AIS provided a Microsoft Customer Immersion Experience (CIE) demonstration, which served as the foundational step to introduce all O365 tools. After receiving stakeholder feedback, needs, and concerns, we collaboratively determined the best order for rolling out the O365 applications. The client selected to move forward with Microsoft Teams adoption as the first step to implementing collaboration software in the organization.

Pilots for Microsoft Teams Adoption

Next, we conducted a pilot with two departments to quickly bring benefits to the organization without a large cost investment and to gather insights that would inform the overall Teams adoption plan and strategy for the entire organization. We confirmed with pilot study employees that they saw and welcomed the benefits that Microsoft Teams provides, including:

  • Reduced internal emails.
  • Seamless communication and collaboration among (remote) teams/departments.
  • Increased productivity, efficiency, and transparency.
  • Centralized and accessible location for files, documents, and resources in Teams.

The pilot study also found that adopting Microsoft Teams in the organization would require a paradigm shift. Many employees were used to email communication, including sending attachments back and forth that was hard to track. In addition, while some departments had sophisticated collaboration tools, a common collaboration tool across the company did not exist. For web conferencing, for example, different departments preferred different tools, such as GoToMeeting and WebEx, and most of them incurred subscription fees. Employees had to install multiple tools on their computers to collaborate across departmental boundaries.


Embracing Benefits of Microsoft Teams with Organizational Change Management (OCM)

To help employees understand the benefits of Teams, embrace the new tool, and willingly navigate the associated changes, we formed a project team with different roles for the organization-wide deployment and Microsoft Teams adoption, including a Project Manager, Change Manager, UX Researcher, Business Analyst, and Cloud Engineer. Organizational Change Management (OCM), User Experience (UX), and business analysis were as critical as the technical aspects of the cloud implementation.

Building on each other’s expertise, the project team worked collaboratively and closely with technical and business leaders at the company to:

  • Guide communication efforts to drive awareness of the project and support it.
  • Identify levers that would drive or hinder adoption and plan ways to promote or mitigate.
  • Equip department leaders with champions and facilitate end-user Teams adoption best practices.
  • Guide end users on how to thrive using Teams through best practices and relevant business processes.
  • Provide data analytics and insights to support target adoption rates and customize training.
  • Use an agile approach to resolve both technical issues and people’s pain points, including using Teams for private chats, channel messages, and meetings.
  • Develop a governance plan that addressed technical and business evolution, accounting for the employee experience.

Cutting Costs & Boosting Collaboration

At the end of the 16-week engagement, AIS helped the client achieve its goals of enhanced collaboration, cost savings, and 90% Teams use with positive employee feedback. The company was well-positioned to achieve 100% by the agreed-upon target date.

Our OCM approach, which is grounded in the Prosci ADKAR® framework, a leading framework for change management based on 20 years of research, significantly contributed to the project’s success. As Prosci describes on their website, “ADKAR is an acronym that represents the five tangible and concrete outcomes that people need to achieve for lasting change”:

  • Awareness of the need for change
  • Desire to support the change
  • Knowledge of how to change
  • Ability to demonstrate skills and behaviors
  • Reinforcement to make the change stick

The OCM was designed to provide busy executives, leaders, and end users with key support and insights for action, to achieve each outcome necessary for Teams adoption efficiently and effectively.

If you would like to participate in a CIE demonstration or learn more about adopting cloud-based collaboration tools and practices in your company, we are here to help!
