Fast Track to Office 365:

Controlling Access and Protecting Data

Liam ClearyCEO / Owner & Microsoft MVPSharePlicity

Bob CordiscoSystems EngineerNetwrix Corporation

Housekeeping

Type your question

here

Click “Send”

All attendees are on mute.

Ask your questions!

Questions will be answered during the session or in the Q&A at the end.

You will receive the slides and webinar recording in a follow-up email.

The webinar should take about 60 minutes.

Let’s get started!

Agenda

Office 365 Authentication and Authorisation

Office 365 Permissionso SharePoint Online

o OneDrive for Business

Controlling Data Flow within Office 365

Protecting Data using Office 365 Serviceso Information Rights Management (IRM)

o Advanced Information Protection (AIP)

Getting accurate classification results using Netwrix Data Classification for Office 365

Office 365 Authentication and Authorisation

Office 365 Authentication

Cloud Only

Password hash sync with seamless single sign-on (On-premises Sync)

Pass-through authentication with seamless single sign-on

Federated identity with Active Directory Federation Services

Third-party authentication and identity providers

Office 365 Authentication

User navigates to Office 365 site or service

Cloud Account

External Account

On-premises Account

Access Granted

Authenticateon-premises

Authenticateexternally

Office 365 Authorisation

Conditional Access Policy

Has Assigned License

Is Member of Security Group

Is Member of Service specific

Group / Role

Validate user or device is allowed

to connectCheck IP address

to ensure is allowed

Validate user has service assigned license if needed

Is user assigned to the corresponding

security group required to access

the service or location

Is user a member of a security group

or role for the content location or content itself

Office 365 Permissions

Office 365 Permissions: Administration

• Administration Groups

– Global Administrator

– Billing Administrator

– Dynamics 365 Service Administrator

– Customer Lockbox Access Approver

– Exchange Administrator

– Helpdesk Administrator

– License Administrator

– Skype for Business Administrator

– Power BI Service Administrator

– Service Administrator

– SharePoint Administrator

– Teams Communication Administrator

– Teams Service Administrator

– User Management Administrator

• Administration Groups

– Message Center Reader

– Reports Reader

– Teams Communications Support Engineer

– Teams Communications Support Specialist

Office 365 Permissions: SharePoint / OneDrive

SharePoint Administrator

o Access SharePoint Administration Center

o Manage specific configuration and services

Site Collection Administrator

o Manage the entire Site Collection

Site Owner

o Manage a specific sub site within a Site Collection

User Account

o Can access the site collection, sub sites and content where access is granted

Office 365 Permissions

User (No Admin Access) Role

Active Directory Group Assignment

Application Role Assignment

Location / Item Permission Assignment

Controlling Data Flow within Office 365

Data Flow within Office 365: SharePoint

Libraries and Lists

Upload and Download

Internal Sharing

External Sharing

Search Workflows

Data Flow within Office 365: OneDrive

Libraries and Lists

Upload and Download

Internal Sharing

External Sharing

Search

Data Flow within Office 365: Teams

Libraries and Lists

Upload and Download

Internal Sharing

External Sharing

Search Chat Sharing

Protecting Data Using

Office 365 Services

Protecting Data: Encryption

Two types of Encryptiono Volume-level encryption, used for all services

o Service Encryption, used within Exchange Online, Skype for Business, SharePoint Online, and OneDrive for Business to encrypt customer data

Encryption in Transito Client machine communicates with an Office 365 server

o Office 365 server communicates with another Office 365 server

o Office 365 server communicates with a non-Office 365 server

Encryption for contento Information Rights Management

o Advanced Information Protection

o Office Message Encryption (OME)

o Secure/Multipurpose Internet Mail Extensions (S/MIME)

Protecting Data: Information Management Policies (IRM)

Enabled in SharePoint Admin Center

Policies applied within document librarieso Library level settings

o Controls and permissions defined for access rights

o Apply group restrictions

Office Client support ad-hoc policy creation and applying

Exchange Emailo Manually apply templates from Outlook Client

o Applied using Mail Transport Rules

o Older versions of the Outlook Client can use Protection Rules

Protecting Data: Advanced Information Protection (AIP)

Encryption Identity Authorisation

Labels

Labels that are applied force protection using Rights Management policies

Policy stays with the documents and emails, independently of the location

Protections keeps control of the data, even when it is shared with other people

Protecting Data: Advanced Information Protection (AIP)

No server infrastructure required: Azure Information Protection doesn't require the additional servers and PKI certificates that Active Directory Rights Management Services requires

Cloud-based authentication: Azure Information Protection uses Azure AD for authentication - for both internal users and users from other organizations

Built-in support for mobile devices: No deployment changes are needed for Azure RMS to support mobile devices and Mac computers

Document tracking and revocation: Azure Information Protection supports these features with the Azure Information Protection client, whereas Active Directory Rights Management Services does not

Classification and labeling: Azure Information Protection supports these features with the Azure Information Protection client that integrates with Office applications and File Explorer, whereas Active Directory Rights Management Services does not

Protecting Data: Data Loss Prevention Policies

Content Created or Changed

Search Crawls New or Changed Content

Search Index Updated

DLP Policy Query

DLP Policy Action

Blocking Policy Applied

Protecting Data: Conditional Access Policies

User navigates to Office 365 site or service

Access Granted

Access Denied

Is Member

Is Member

Approved Device

Approved Location

Protecting Data: Cloud App Security Policies

Policies defined to capture specific actions

Multiple types of policies

Protecting Data: Cloud App Security Policies

Policies can contain multiple properties and checks

Standard Account Governance can protect once problem

is identified

Alerts can utilize Email, SMS and Microsoft Flow Playbooks

Netwrix Auditor

Know Your Data. Protect What Matters.

Email:

Bob.Cordisco@netwrix.com

Bob CordiscoSystems Engineer

About Netwrix Corporation

Year of foundation: 2006

Headquarters location: Irvine, California

Global user base: over 300,000

Recognition:

7 years among the fastest growing

software companies in the US

More than 140 industry awards

What’s Next?

Visit our next sessions:

‘Q&A session’ on April 2 @ 2 PM BST / 3 PM CEST

Virtual Appliance: get Netwrix Auditor up and running in minutes

netwrix.com/go/appliance

Online Demo: explore Netwrix Auditor right from your browser, without having to install the product

netwrix.com/browser_demo

Contact Sales: obtain more information about Netwrix Auditor

netwrix.com/contactsales

www. .com

Thank you!

Liam ClearyCEO / Owner & Microsoft MVPSharePlicity

Bob CordiscoSystems EngineerNetwrix Corporation