Collaborate on Invoice Microsoft for Security with Ease Using airSlate SignNow

Invoice microsoft for Security

a quick bank check will be looking to start our web securing Microsoft 365 in one minute you okay hello everyone thank you for joining our event securing Microsoft 365 I'm Hugh Valentine from Val so Microsoft 365 specialists and today we're going to be looking to cover off the following key areas so the first thing we're going to cover is around the Microsoft 365 licensing there's been a few changes to this recently and we're just going to cover off how those changes work and what that means for the security aspects we're then going to jump into a section around baseline security so the baseline security is what we're able to do with office 365 without any additional security add-ons we'll then on move on how we can control access so Microsoft 365 will discuss classifying encrypting and protecting key data that sits in the Microsoft 365 platform we'll go over the device management tools that are available we'll cover off advanced protection so some of the additional add-ons that are available and we'll also cover off something new called as your sentinel the technologies that we're looking to explore around the Microsoft 365 licensing the security and compliance Azure ad premium engine as your information protection Windows Defender ATP and as your sentinel so we'll be covering off all of those today as we go through our presentation so the licensing that's available for Microsoft 365 there's been a few name changes recently and as you'll see at the balm we have a blog post that details these changes on our webpage so we've done a detailed blog post and a nice table an Excel document that clearly outlines the features and functionalities that are available so if you want to get more information on this go on to our blog and we can cover that off there now the first license has now been called Microsoft Research for business basic this is formally the license that was called office 365 business essentials so effectively this license includes all of the office365 tools such as SharePoint exchange power-ups teams but it doesn't include the ability to Microsoft Office we then have the Microsoft 365 business standard license this is the one that was formerly called Office 365 business premium and this is the same includes all of the tools for SharePoint exchange onedrive but it also includes the capability to office on any device so you can that office client on up to five devices and mobiles and tablets the newest license which was formerly called Microsoft 365 business has now been renamed to Microsoft 365 business premium so if you are an organization that's less than 300 users and you're currently on the Microsoft 365 standard plan you'll almost certainly want to look at upgrading to the Microsoft 365 business premium now the reason for this is it includes everything the business standard includes the ability to an office client the actual tools available but it has some key improvements so the first one of those improvements is the actual office client can be installed on remote desktop environments and it also supports Windows virtual desktop so this is really key because a lot of organizations in the past have used office 365 III because that included the office client that allowed them to use it on remote environments like RDS now we've got this in business premium you could actually make a cost saving of about to pound a user a month and get the additional security tools that you don't get with office 365 III the other thing we get is the security tools themselves so we're going to be covering those off in details a day as your ADP one as your information protection in June and a few other products that we'll go through and we also have an upgrade to Windows 10 business so this provides some more enhanced security features and functionality that you can deploy and it allows you to upgrade from Windows 7 or 8 Pro to Windows 10 business so if you currently on on the legacy version of Windows you can upgrade for that with this plan as well off note is if anybody who isn't using office 365 currently you can actually get the office 365 P 1 license free for six months so it doesn't include the security tools but it might be useful if you're looking to try and get on board with that if you're over 300 users we've then got the Microsoft 365 III plan and the Microsoft 365 v5 plan so these basically include the same security tools but they include some more enhanced functionality and basically the Microsoft 365 e 5 includes absolutely everything that's available so the first thing that I wanted to cover off is what is available to us out of the box so if I don't have a security add-on such as EMS or Microsoft 365 business premium what can I do to secure my environment and what we're going to do is we're just going to go into a live demonstration and show exactly how these tools work and where you can find them so the very first thing that we can do with Microsoft 365 without a security add-on is we can come into the administration section here and we can actually jump into a section here that's called multi-factor authentication so what you can do on every office 365 environment completely free is switch on multi-factor authentication and what this does basically is allows us to to simply toggle that this user should have MFI switched on or off now mfa can have a relatively big impact for users so what mfa basically means is when a user signs in to office 365 with their username and password they will receive a secondary prompt usually on their mobile phone so when I sign in with my username and password as an example I will receive an additional prompt that then asks me to confirm my identity so I'll just show you this very briefly so effectively I can get my password and put that into the platform and what will happen is as I then sign into this platform it'll then ask for my password and I can put into gear and you'll see now that it's asking me to approve my request so on my mobile phone now I've got a pop-up notification using something called the Microsoft Authenticator app and I can actually approve that sign in and say trust me for 30 days so by trusting this device for 30 days I won't get an additional prompt so effectively MFA is very very powerful and it can stop 99.9% of attacks so by switching this on you're very much hardening your environment as a classic example if someone was to accidentally a phishing email address and put they username and password in without MFA that phishing attack would be successful and they would be able to log in to your account and then make changes on your behalf with MFA enabled they would still have the password but they wouldn't be able to sign in without that secondary prompt so it's very very powerful what we can do with us now while it does have is a bit of an administration overhead so as an example if I have users that don't have mobile phones so you might have a lot of deaths class workers perhaps cleaners or volunteers in your organization and switching the MFI on can be a bit of an onerous task they might not want to use their personal phone and they might have basically concerns about enabling this functionality so as we go through some of the enhanced functions and tools that are available later today we'll cover off how that works and what we can do from that perspective within the service settings we can also basically enable the settings for multi-factor authentication so as an example here I can choose trusted IPS this is great because it just literally locks down your environment to be able to say only you can access it from this environment I can also choose the methods available to users so I can choose whether to enable calling text message applique Asians and I can also choose the how long they can trust that device for so you can enable up from 1 to 60 days the stone sides again of this I have to remember to switch it on for each user so if I forget to do that you potentially have a security hole so it's a bit of an administration task from that perspective another tool that we have available to us is the within the admin Center we have a security and a compliance section so within the security section there's a range of tools that are available and one of those key tools that we have here is something called Microsoft secure score so you'll see here we've got a ranking of why our score is that's been improving over time and then we've got some metrics about what we're actually improving the arm if we click on the Microsoft secure school that takes me to a page where I'm able to sign up and I can see all of the recommendations that this makes so by having this switched on it basically you can determine what actions you should be looking to do so turning MFI on for each user do not expire passwords an able self-service password reset so it's basically Romo making recommendations of where we should be enabling features and functions and then it's giving us a score of how we rank with by doing those changes so this is a very key tool and it will also identify when you've got additional add-ons so some of these add-ons are only available when you have an azure ad p2 so perhaps not all of the features that you would have available are in your current license plan you might need to look to purchase additional want but the secure score basically provides an overview of where you're currently up a list of improvement actions so basically where you can improve and what you need to do you can see the history of those changes and when your scores improved or regressed and we can then see some metrics where other organizations fit so you can see we're above the rank were not perfect in this demo environment or we're certainly not where other organizations are sitting so the secure score is a free tool that's available in all three office 365 environments and it will give you a good overview of the features and functionality that are available so that can be found in protection office comm another really fantastic tool that we have is called the audit log search so by default this is now switched on but if you have an older office 365 environment you might find that this isn't currently enabled so you need to click on audit log search and then this will switch that functionality on and make it available now what it does is if I hit the search button here it's basically tracking all of the changes that has happened to office 365 so pretty much every single change that's occurred takes a minute to load up as it get all the data and now we can see here all of the actions that the employees at the organization have been doing so for example Karen's been creating a lot of folders and we can actually then break down and search on specific activities so perhaps if I wanted to check if someone had recently changed their permissions to an exchange mailbox I can see all of the exchange mailbox activities and then I can do another search on there so this is a very very powerful tool that basically is keeping track of absolutely everything that's going on in the environment and we can then go back and see what's been done this is capped for 90 days so it perhaps as an organization you need to keep this data for longer there is some tools like as your sentinel which we'll talk about at the end that this log will only keep things that are 90 days and older so you might need to if you've had a breach as an example it's a good idea to try and gather that information as quickly as you possibly can we've then got some additional tools around that are available in the Microsoft 365 tools so the baseline security that I've covered off we basically have three key areas that are useful for organizations to look at the multi-factor authentication which can be switched on or off for all the users but the side effects of that are it can be a bit of an administration nightmare because we can only switch on or off we don't have any other controls around that we then had secured school which basically gives you a ranking of where your office 365 environment currently sits and what points you've got for that environment we've also then got the audit log itself which is tracking all of the changes and it's very handy perhaps if you've had a breach and you want to see what's happened you can go back and look at that the next thing that we want to look at is how can we control access to Microsoft 365 so by default Office 365 can be accessed on any PC or any location and any device so what that means is it's fantastic from a usability perspective it means you users can simply log on to any device and they can start to get access to things but actually from a IT standpoint that isn't actually all that great because you have no control if they're logging in my home PC you don't know if they have malware on that home PC you don't know if they're logging in on the home PC to steal your information so what we actually really want to do is look at controlling how people can access office 365 and the way we do that isn't using something that's included in the Microsoft 365 business premium license a product called as your ad p1 so you can see if you're at what level your Active Directory tenant is that by going to the administration Center and picking the Azure Active Directory option here and you'll see here that I'll our tenant is currently enabled for spare with me as your ad p2 so that means we've got the highest level we can the business premium includes Azure ad p1 and there's some minor features there in than this I'd recommend you look at our blog post I mentioned if you want to see exactly what's included in each one now within here as your ad we have a security section and one of the key tools that we have is this one here called conditional access so conditional access beta basically that's us define exactly how an environment can be accessed on office 365 so you can see here we've got a number of our vault o policies that we've enabled the first one we have here is called a trusted location MFA so what this policy basically does is as I go into the statins here you can see we've got different ways of assigning this so we can assign it to users and groups we can assign it to specific cloud apps so it could build a policy that only applies to SharePoint or a policy that only applies to exchange and we can then define conditions so our trusted location MFA is basically saying for all users regardless of who they are what they do exclude in specific uses in here like a break glass account and my admin account and also excluding guest accounts as well so this policy is basically gonna apply to everyone that isn't in that exclusion we then got all cloud apps so this will apply to absolutely everybody every application Exchange SharePoint teams and we then have conditions a year so the conditions are basically saying we're gonna basically block any location or we're going to require MFA for any location excluding our trusted locations so in effect what this policy is doing is it saying if someone is logging in from a non trusted location so it's not the head office or any of our other sites that we have then they will require an MFA prompt so this means that we have a blanket enable of MFA and it can help reduce the administration that I mentioned earlier and what it does that means if a cleaner who should only really need to access your exchange emails and SharePoint while they're actually at your site that would mean that they don't need to MFA because they're are accessing it from a trusted location so moves a lot of the administration overheads the MFA can impose and it also means that we don't have to worry about switching MFA on manually anymore because we've got this blanket enabled for MFA so regardless of what i sat in the other admin center regardless of what this says here with this account yes as dead disabled this conditional access policy is over right in that and saying this is applying to all users and then at the bottom we've got the ability to say grunt so what we can actually do is say we can actually require them for multi-factor authentication or we can require the device to be marked as compliant I could require both if I wanted at the bottom but what this means is as we go through later we can use something called engine to actually identify a word PC and ensure it meets our policies so for this policy in summary what we're saying as if they're coming into a trusted location they don't have to MFA if they're at a non trusted location such as home they have to MFA or they have to have a work issued compliant device so this policy basically is enabling MFA across our environment and then exclude in those scenarios we can also do different things of these policies so we can do for example block legacy authentication so recently Microsoft enabled something called modern authentication which is when you're signing into Outlook and teams each supports MFA so it basically enables you to have an MFA prompt legacy authentication you may have seen something called app passwords which allows you to create they're basically like a back door where the MFA prompt doesn't work so you can create an app password that likes and allows an app to just access it on a one-time basis so they're not really a great method of security so we can actually block those we've got a couple of other policies here restrict risky countries so if you guys don't operate in countries like China and Brazil and India then we might as well block those risky countries because we see a lot of environments that are constantly getting sign-in attempts from those countries so we might as well block them all altogether it doesn't doesn't stop them from using a VPN and stuff but it might stop at a big portion of people that are trying to sign in with them got two year block non-compliant devices so this basically is a policy that can block home PCs so if we don't want that salesperson logging in on a home PC we can block it and then we know that they're secure or we don't want somebody just generally doesn't need to access their data on a home PC we can just use this block restrict non-compliant devices is similar but it basically allows us to restrict what they can do so they could still sign in they would require an mfa prompt but what this then actually enables them to do is say I'm going to put it into a limited mode so they could say I'm not able to download any documents are not allowed to connect the outlet client but I could edit documents in the web browser and I can do that kind of thing so effectively what that means is I'm able to do anything around that and restrict them if they are needing to log in on a home PC and of course all of these policies are then able to just sign in and apply to different groups so you might have a management group where they they can sign in our home PC and you might have a office bound user group which can only sign in on their work issued device so the conditional access tool is very very powerful and some of the cool things that we've got for an example we only enforce the outlook app so we don't allow users to use the mail application on their phone so that just basically means it limits it gives us some more security controls which I'll show later on and we enforce the outlet client on devices as well so if they're using things like a Mac enable client or Windows Mail we block that just because they don't have as much security controls as we'd like and the other thing that we can actually do now which is kind of a new feature is we can enable policies for report only so this basically can do absolutely nothing but we can then track whether that policy is working as intended or not so the conditional access side of things is a very very powerful feature and it gives us a lot of controls around what we can do from control in how office 365 can be accessed within azure ad premium as well we also have a section here called enterprise application now enterprise applications basically enables us to create a new application so I can either if I'm develop developing an app and I want to use it your ad with it I can choose this option if I have some legacy on-premise applications that are using sam'l and I want to sign in with office 365 I can do that and all of the pretty much 3453 cloud applications are available in here what this basically means is if as an organization we use and I want to replace the sign in credentials for so what this will do is it'll say you no longer have a separate user name for what you will do and there's a live example of that we have a product that we use called screenconnect which we use to help provide remote connectivity screenconnect has its normal username and password here and I'm able to sign in but I've also got this new option that's a period of the bomb which is called connect with Azure ad when I click on that it's determined I've already signed in so that basically knows I've already signed in to office 365 and it's given me access if I don't have a sign in it would basically prompt me to say as another example if we do that again and I connect with Azure ad I get the standard office 365 login box so it basically gives us a way of accessing office 365 signing in with office 365 credentials so if you think from an IT administration perspective it means that we don't have to have lots of usernames and passwords scattered around all over the place and then when someone leaves the business IT don't have to remember to go shut them down in loads of areas it replaces those sign-in with them so effectively as an organization we have three groups that drive all of the permissions and based on the people being in those groups gives them access to our various applications such as Google screen connects and asked that kind of thing so that's kind of a key area which is around replacing the silence another thing that I'd like to recommend to organizations is to enable some company branding so if we're on the office 365 homepage you'll notice that we've got our logo on the sign-in page and we've also got our branded chester logo in the background as well so what that basically means is we can train our users to say if you see a phishing attack and you don't see our login information like this do not sign into that password so if actively means we can control would just train the users to understand that they need to see this and not the typical office 365 sign-in page and it just makes it a bit easier from that perspective so that's kind of the key ways that we can control access to Microsoft 365 we've got the conditional access tool which lets us build all kinds of rules on how people can access it and then we've got the single sign-on tool which enables us to then define specific rules on how people can use third-party applications like screen connects and desk and HR systems you might have the next section that we're going to look at is classify encrypt and protect so this is all about once you have your data in office 365 what tools are available to me to basically protect that data so if we go back to the admin center we've got a section here called security and compliance if we were to jump into the security section there is a few different portals floating around at the moment they're working on a new portal and it can be a bit of a fiddle but if you if you go to protection dot office com you'll get to the same poll that I'm showing now now under the classification section we've got two types of labels the first one we have is called potentially so retention labels basically allow us to define how long content that's stored in SharePoint onedrive and outlook should be kept for so it stops users from being able to permanently delete that file and it automatically allows you to automate the deletion of data when it reaches a certain age so as an example I've got a CDS area here and the Seavey's one basically is saying when a file that's classified with a cv hits two months we want to delete it and it's based on when that document was created so anything that's been applied to this label which is called CVS will automatically get deleted after the two month period we've then got one called finance so what the finance labels doing is saying protect that data for seven years so what it's saying is don't allow users to delete it preserve it after seven years we then want to go through a review process so email all of the reviewers which could be a group of people to say it's time to review this document and then after that they can decide then to delete it once it's been approved and what that looks like if I click on explore items we've got a view to show all the areas that are classified with that label so exchange one SharePoint ones we can actually see all the items that are classified with it so I can jump into a SharePoint location where this files being classified and then we've got the pending disposition so when those files do reach the seven year period it's seven years so none of them have reached that age yet what we can then do is choose dispose which will basically get rid of the file we can choose extend which will extend the label so we could say we're only keep it for another year or we could real able that so you might decide we're going to actually use it for a bit longer and we can export that out as well if you needed to move it into another system so the reviewing area allows us to basically dispose extend reel able or export that data right so the retention side of things is obviously very very key and customers generally used those for things like as I've got my CDs example I've got my finance example which is basically all of the the financial information and you could use it for personal and customer data as well so it's particularly handy if you've got like a really large project area and you need to start paging off the old projects after seven years you can do that automate some of those requirements there we've also got sensitivity labels so sensitivity labels basically allow us to decide on labels that are going to be used to protect data and protect information so you can see we've got all these labels here but what that actually means is if I jump into a word file quickly when I've got this enabled I've actually got a new sensitivity tag in Word Excel Outlook all of those kind of applications and what I can actually do is I can flag this file to say it's Finance only so if we call this document salary info and scroll then because this file has been tagged is finance our only it's got a water mark that says finance and it's also can have a footer as well so if I change this to internal we've got an internal only or again I can change it to highly confidential and you could put a footer on there as well now the whole idea of these labels that we can put rules around them so with a traditional file server if you have permission to the finance salary folder you could copy those files to USB stick or you could email them to somebody and that protection wouldn't live with the document it would as soon as you've got access and copied them that generally means that other people can have access to them with this this document now will always check in the office 365 is your information protection service and what the internal label basically will do is check if if I have a vault or email address so if I was to send this externally to somebody because its internal only they will not be able to open that document and it will say it's an internal only document I could do the same as internal documents as well so I could have a group of people in finance and I could say this salary information is financed only so nobody else would be able to access that to can protect X still face and information and also internal face and information now I always use an example of where this could be really powerful is if you have a company that has to come employees with the same name we might have Dave Jung's that had director the managing director and we might have Dave Jones who's recently joined and they're the cleaner so what can happen is as finance are gonna send this salary information over they accidentally email it so the new Dave Jones because that's a very easy mistake that can happen now what this document will do is it will say write the Dave Jones the cleaner isn't in the finance only group so I'll bounce his permissions back and he won't be able to access that document and therefore protect that data similarly if I had a really sensitive internal email on me that was like our secret way of working then I could flag this as internal only and if someone then decided to send it off to somebody else they would not be able to access that file so there is your information protection side of things is very very powerful and it gives us the capability of classifying labels and building basically policies around that most organizations only end up with less than 10 labels they don't have thousands of them they're generally things like internal only public management that kind of thing is where the policies really since we can automatically apply label different labels to different people so obviously if there was a directors only label a normal employee that wouldn't even be able to see the directors information wouldn't need to see the directors label so we can publish different groups of labels to different people we can also do also labeling so something we'll talk about shortly is data loss prevention but in essence if we identified someone with sending a credit card number we might want to automatically flag that as internal only so they can't and send that to someone outside of the organisation's so the also labeling basically can build rules to say if I detect this string like a credit card number or perhaps a project reference or a customer reference then we'll basically protect that information we've also got kind of back end to this portal so there is your information protection portal that exists in the azure section there's a really powerful tool that's called the as your scanning tool and what that can do is it can scan a file server that's Windows Server 2012 and above and it can go scan all of your documents and it can classify those documents on the file server so if you've got a lot of documents and you're looking to try and classify them based on keywords and protect them we can use the scanning tool to be able to do that also within the admin Center we've got kind of usage reports and activity logs as well so we can actually track who's been opening these documents and that kind of thing so the other thing that we have in the data laps in the security and compliance function is the basically the data loss prevention so what we can do in here is we can apply different types of policies to our areas so we can apply this to exchange point Microsoft Teams and effectively if I create a new policy in here you can see I can look for different types of data so Microsoft have built some automatic detection templates where we could look for UK financial data so if someone answers a credit card number or a EU debit number or it could be if we click on privacy we could look for UK data protection act and we can find national insurance numbers and passport numbers that kind of thing so there's lots of stuff in here where we can identify that information if we stick with UK financial data in here we can call that UK financial data we can apply this everything exchange teams channels onedrive SharePoint and then what we can do is if a if we find the calm term credit card number and it's being shared outside of the organization we can then build some rules so we can say if someone's sending ten instances so if someone's trying to send ten credit card numbers we can then send an incident report to a group of people to check the batch should it be happening we can lower this to one or we can increase it to one hundred and we can also then restrict access or encrypt the content so what this means is we could block them from share it so you shouldn't be sending even one credit card number externally so we'll block that or we can encrypt it and that will then use the labels that I showed you in is your information protection so when that user does receive the credit card number they will have to go through some additional security measures to actually be able to open that file so the DLP is very good it's good for if we're sending emails out and they can stop people from maybe make them think whether they should be sending the credit card number but also in Microsoft Teams if you have a team that shared externally with external parties and someone then decides to put a credit card number in for one of their co-workers not realizing there's external people in there it can also prevent that kind of data loss as well so it's very handy across the whole of Microsoft 365 to prevent those data loss attacks so there was a kind of their key areas that we have for classifying encrypting and protecting data as your information protection which really secures the data and stops people from sharing things they shouldn't DLP which is has the built in rules to detect credit-card numbers and you can build your own queries and then retention which can automate the deletion retention of files and that kind of thing the next section that we want to look at is device management so built into the Microsoft 365 business premium licenses we have a section within here called Microsoft Intune so what engine basically allows us to do is to basically protect pretty much any kind of device so the first section we have here is device enrollment so enrollment basically as if you have work issued devices like Apple devices Android or Windows and you answer them policies on them and protect them this is exactly what that's for so Windows enrollment we've got something called autopilot and this basically means we can automatically set up and configure a device so instead of you having to receive the device at I T and then set that up and send it over to the user we can actually ship that device straight to the user they can sign in with their work credentials and also pilot then kicked in and configures the rest of the device the kind of use cases for enroll in Apple and Android devices are you might issue an apple device to people out in the field you might have truck drivers and you want to basically prevent them from using all of the data or you want them to stop them in their own custom applications so we can enroll those kind of mobile and tablet devices to stop them from doing that kind of thing it's not necessary if you quite lacks in terms of you give someone their own phone but you want them the capability to their own apps you might not necessarily have to go through the full enrollment so this is handy where you have specific requirements and you really want to lock the device down but we'll cover something else off which is easier to configure called application management as well so enrollment basically says right we're going to enroll these devices and then we have control of them so for our Windows 10 devices we can have then a compliance policy so a compliance policy basically says right here is Val toes internal compliance policy and we can see that all the devices apart from one are currently compliant with the policy so I can go into the properties and our policies basically saying we require a bet locker we inquire a firewall to be enabled we inquire we require a antivirus and anti-spyware to be switched on and if for some reason those devices do not adhere to this standard we mark them as non-compliant immediately and if we think back to the conditional access policies I mentioned before we could actually block devices from accessing office365 if they don't meet this policy so what that means is we can then adhere to certain standards and this would require if the firewall our antivirus is switched off we should manually intervene and actually see what's cause that is there a malware that's doing them we've then got device configuration so public compliance is checking the device whereas configuration is actually making changes to the device so with the autopilot I mentioned before we've got a load of policies here where we're deploying policies to our users laptops so for example we're deploying Chrome we're deploying onedrive to a specific standard we're enabling Microsoft edge as the default browser because that's a much more secure browser now they brought the new version out we're deploying extensions that we want them to have even we've got favorites for our staff in the top left-hand corner within the browser we're enabling the antivirus we even do things like sync Microsoft teamed areas automatically for people and control the lock screen and that kind of thing so these policies basically give us full control of those devices knowing that they're set up to the standards that you require so the configuration basically is make changes to help automatically deploy we can also do things like software updates so if I wanted to automatically deploy software updates to everybody in the organization we can do that from here you can see all the devices are currently up to date and finally we've got this client app section so the client app section basically allows us to deploy applications to different devices so if we've got an iPhone enrolled we could deploy these apps automatically if we've got Android device we want to roll out to use as we can do that and we can also deploy applications to users devices as well so if we want to deploy an anti-virus or screenconnect and automatically roll that out to everybody we've got office 365 enrolled here we can configure that policy to do that we've also got a protection policies so I've mentioned these before not in you don't have to in all cases enroll devices so we work with organizations who were perhaps issue in iPhones to their users but they're not too bothered whether they their own applications or what they do with those firms they just want to protect their company data so what a protection policies allow us to do is basically say right here's an iPhone app protection policy now this is very handy for bringing your own devices as well so if a user that installs any of these apps on that phone on their personal phone or their work phone we can say as soon as they sign in to Microsoft SharePoint on Microsoft onedrive with a work email address and password we're going to protect only the app so we have no control over their phone we couldn't wipe their phone or change their pictures or anything but for the app specifically we can stop them from backing it up into their personal area we can encrypt the data so third-party apps can't access that data we can stop them even from copying and pasting between apps so if we didn't want them to be able to copy out of SharePoint into Dropbox we can lock that down and we can even then set a pin for access so we can say you know you have to have a pin when you open the app or you can use your face ID or touch ID as well so it basically gives us a very high level of control of the apps on purse people's personal phones and also work phones if you want to do that and if they then leave the business we can then choose app selective wipe so this can then wipe their apps off their phone and not touch any of their other personal information so that's a very quick overview of in tune it basically can manage pretty much any kind of device and it gives us the capability then of controlling both in rolling it putting compliance policies on there to check it's up to standard and then put in configuration policies and deploying applications so it's a dear into your company standards the next piece that we're going to cover off is around advanced protection so there's a couple of things that are available as advanced add-ons so if you go for the Microsoft 365 business premium option within the protection darphus comm we actually have a section in here which is called policy so under threat management I've got one called policy and this adds something called office 365 a tipi plan 1 so what office 365 a tipi plan 1 does is it basically provides three new types of policies the first one is an anti phishing policy so this can be enabled and it basically will identify phishing emails based on machine learning that Microsoft's developed and then automatically quarantine those messages so that users can't even see them well we can also do is we can put safety tips on so if someone's using a cat and a weird character so quite often we might see that instead of using an eye they're using like this this symbol here we can actually identify that but a safety tip on to the user to say there's some unusual characters in here and some other anti-spoofing technology around here so this basically gives us some tools that stop us from receiving phishing emails and if they do manage to get through alerting the user so that they might be phishing attempts we've also got safe attachments so safe attachments basically scans every attachment that comes in to SharePoint in emails and it basically there opens it in Microsoft data center and says which scans that file and then make sure that it is not doing anything malicious like trying to access the registry if it passes at Jack it then presents it to the user and they can open the attachment and safe links basically prevent you from opening malicious links in a similar way to ATP safe attachments so those are kind of key tools that are available for office365 advanced threat protection we also then have a product called Microsoft Pen privileged Identity Management so what that basically means is we have a tool that's called just-in-time administration so again with office 365 has many roles I'm able to have a global admin role which basically gives me full control of absolutely everything in office 365 just-in-time Administration basically I can still have that role so I'm still able to have the role global administration request but what I can actually do in this platform is I can go into my roles I can see here that I've got the global administration role and I have to actually activate it on the far right-hand side here and I can then basically give it some time of how long I need it for I've currently got it enabled for this demo for everything but I can basically say I need the global admin role enabling for one hour two hours I can put a reason in there and I can even enable an approval process so perhaps as head of IT you want to get the final stamp on those changes before an engineer goes ahead we can use this to basically manage that kind of aspect and enable those features we can review the access so that basically will allow us to go into there and I can click on the I'm just the portals changed a little bit so and just jump into the correct section so if I jump into that manage azure ad roll section I can come into this view here and I can see all of my roles that I currently have access to I can activate those as required I'm able to approve requests so if my co-workers have approved those and I can actually even do an access review so an access review will check a group of users and determine whether they should have those roles this kind of an automated way of saying we want to have a report that checks use a global administrator every 60 days so there's a lot of things perhaps in cyber essentials where you have to do these kind of access reviews and this can automate that aspect for your organization as well so privileged Identity Management basically allows us to I can still have my global administration role but when I actually want to use it I have to actually request that and then approve that request before I'm able to make any changes the last thing we want to cover from the development perspective is a product called as your Sentinel so I mentioned earlier that the audit logs for sure are only capped for 90 days so what we're actually able to do is we're able to use a third-party add-on which is called as your son son it's part of a bill and it's a pay-as-you-go use model and what I can actually do within here is I can export all of the audit logs into a database that I can then access so it basically means that if you need to have your data for much longer than 90 days perhaps you have a legal obligation that you need to be able to trace things for 3 years 7 years which a lot of banks have to do we can actually track all of those and keep the logs in this section so if I go into the data connectors here I can actually track loads of different kinds of services in here so I can for example track is your ID and Active Directory logs I can track as your activity I can track Citrix information I can track office 365 events and this basically then stores all of the information into the database that we can then access so I can use the incidence log which basically you can build an incidence or perhaps an incident might be if someone escalates their permission I want to log that as an incident so we can review it some people are creating workbook templates as well so these the people that are basically building automatic alerts and dashboards for you so this is kind of a new tool but I think it's very interesting for organizations to basically start keeping track of all the logs that are going into the system so I can see kind of all the data and I can start the report and that information it used to be a platform that was called operations management suite but it's now moved into this platform and it basically gives us a full track of all the changes and it's in a database type format where you can build reports and that kind of thing so it's a very powerful tool for tracking the logs and keeping those longer than 90 days and I perhaps bringing them in centrally so if you've got logs in Cisco you've got logs in as your AWS and you just want one login platform you can bring this in and then build your dashboards that way so that kind of concludes an overview of the tools that are available from Microsoft 365 security perspective a few of the things so we do a remote workshops so if you're interested in doing a remote workshop perhaps some of the security tools that we've been through today are of interest we do a security workshop in which we go through all of the tools that I've showed today and we come up with a specification and design of how these can be configured and a roadmap of how they will be delivered so obviously everything I showed today would be fantastic but you couldn't just push a button hand and have them on day one so the aim of this workshop is to go through a road map approach to understand the tools in more detail and then configure them in a way that you would need as part of our webinar of the remote working series we're doing a building app our platform strategy which is being run on the 11th of June with my colleague dougie Wood we're doing a new blog post today which is a live case study of medicine so that's one of our clients that's been through this security process and you'll be able to find that video on our YouTube channel we breathe I've just distressed we've got this Microsoft 360 licensing overview blog post so if you want to find out more about the licensing go to our webpage and you can find out exactly what's included in each feature and license one there's some useful links so all the videos we've been doing are available on our youtube channel which you can access here we've got the office 365 roadmap which shows all of the upcoming changes and tools that are available and we've got the Microsoft Security Center which has a lot of useful information about these tools that you can dig into as well we'll also be issuing a recording of this video so anybody that wasn't able to attend well we'll send a link to those and for you guys if you've got colleagues that you want to share this with you'll definitely be able to do that as well so when I move on to Q&A s so I can see that we've had quite a few questions that have popped in throughout the presentation if people will have more questions it feel free to post those now and we'll go will answer those and go through those so the first question we have from Marcin is can a sensitivity labels apply to PDFs also so yeah they can apply to everything pretty much so you can apply them from a Windows Explorer view and you can actually post though put the sensitivity labels on pretty much any type of file format another question is can we use Phaedo to pass wordless authentication in azure ad all right so the answer to that is definitely yes so I've I was to log into our office 365 environment and put my email address in we have a option here sign in with a security key and that will then ask me to put my security key into the US people and then authenticate me so that feature is definitely available and that's something that we've been using and testing and it works really well I've heard my Microsoft will enable MFA by default for any new tenancy I think there is some funds around that in the roadmap so that link I mentioned about the roadmap would be useful do you recommend the passwords shouldn't expire or would you say every 365 days is fine I think it's kind of Microsoft's guidance now is to not have passwords expire at all because it encourages users to basically change passwords to things that they don't remember and then they write them down so having the password set to never expire will prevent that but also having it set to something very high like 365 days I believe is also fine and would be a good policy we can also enable self-service Password Reset so if the users do forget their password they can then reset their own passwords and go through that authentication process lots of questions coming in can MFA be applied to certain user groups only so that's from Jason so yet with conditional access we can apply those policies to only a specific group or the entire organization so it doesn't have to be limited to everybody you're able to very much tailor that to specific people do compliance policies recognize non Microsoft security apps from Steve no no they don't but there is something called cloud app security which is a tool that can integrate with your existing UTM on site and that can be used for tracking and measuring things like DLP and shadow IT so there is some options around that the keys that I'd recommend I'm going to send you an email so just get in touch and I'll send you a link back on those for the Phaedo security keys so just get in touch and I'll send you those over is customer lockbox available on business premium unfortunately not you have to have an e5 license for that but you can have an e5 license for one user so some of the features you might want to enable just for one or two users that need it rather than everybody just trying to go through the questions there's some quite big ones and there people do have questions are not able to answer then please get in touch if the document classified is financed only can finance users download it and send it externally so what I showed earlier is we can have a classification called finance only and we can have multiple users within that that label for finance so you could have finance that are able to change and reclassify the label and we could have a different group of people that could only read only so we can for each label you can have administrators of the label and you could then have normal users and you can really define the permissions so finance might be able to reclassify that before they need to send it out to somebody else so that would definitely be possible can i you the user and admin logins by location in Microsoft 365 business basic yeah so in the Azure ad there's an actual admin log that you can go to and that will show all of the sign ins so I'll just show that very quickly I can actually go into the azure ad I can click on users I could find a user like myself and I can then choose and jump into the sign-in section here and I can see all of the silence that are available and where I signed it and what conditional access policies were applied so that's definitely possible I think we've got time for one more question so when using sam'l does the third-party application also have every users user ID and password and does a breach on 3rd PI affect sam'l so now the user wouldn't he will not pass through the user identity to the other query you build basically still hosting office 365 and you're still using that as the logon place you're not we're not passing any username and passwords to the third PI we're simply pointing to that new service from your third party application okay so that's I can see there is a lot of questions so if anybody wants to get in touch email me Hugh Valtor code at UK and I can definitely help you out and answer those questions and thank you very much for attending and we'll be sending the video link out to there shortly thank you all bye