module 2: how to setup and configure microsoft cloud...

Microsoft Partner Confidential – SMB LIVE 2016 Module 2: How to setup and configure Microsoft Cloud Security and Management Solutions SMB LIVE

Upload: lydang

Post on 26-Apr-2018


TRANSCRIPT

Page 1: Module 2: How to setup and configure Microsoft Cloud ...greenrackservice.blob.core.windows.net/ms-partners-microsoft-com/... · configure Microsoft Cloud Security and Management Solutions

Microsoft Partner Confidential – SMB LIVE 2016

Module 2: How to setup and configure Microsoft Cloud Security and Management Solutions

SMB LIVE

Page 2

SMB LIVE

Today’s Agenda

9:00 – 9:30am: Welcome to SMB Live: Intro and Foundation

9:30 – 10:00am: Overview of the Microsoft Cloud Security

10:30am – 1:30pm: How to setup and configure Microsoft Cloud Security and Management Solutions

11:45am – 12:30pm: Lunch

1:30 – 2:00pm: SaaS, IaaS, PaaS? What is Azure all about and why should I care?

2:00 – 4:30pm: How to setup and configure solutions in Azure

4:30 – 5:00pm: Closing & Next Steps

Page 3

EMPOWER ENTERPRISE MOBILITY

Identity driven security

Comprehensive solution

Managed mobile productivity

Page 4

Key Scenarios

Mobile Device Management
• Self Service Password Management
• Mobile Device Settings Management
• Device Certificate Management
• Surface & Windows Phone Enterprise Deployment & Integration
• Selective Wipe
• Conditional Access

Mobile App Management
• App Creation, Deployment and Updating
• Self Service Provisioning
• Onboarding and Off boarding
• Cloud App Discovery
• Delegated App Management
• Remote Access to Legacy Apps

Identity as a Service
• Cloud Services Federation
• Single sign-on
• Multi-Factor Authentication
• Identity Authentication and Integration
• Windows 10 Azure AD Join
• AD App Proxy

Information Protection
• Secure Information Sharing – inside and outside the organization
• Message Encryption
• Enlightened Apps
• Document Tracking
• Rights Revocation

Page 5

Products

Information Protection

Persona Management

Device management

Single sign-on

Scenarios

Foundational EMS scenarios

Azure Active Directory Premium

Azure Rights Management

Mobile Application Management

InTune

Page 6

Attach Enterprise Mobility + Security with Microsoft Office 365

Help your customers enhance their Office 365 experience with a secure and integrated solution which addresses their need to keep employees productive and company data secure, wherever their users choose to work. This step by step journey is structured to help guide you and your customers towards the best managed services solution.

Journey
1) Single sign-on
2) Document Protection
3) Multi-Factor Authentication
4) Persona Management
5) Device Management

Customer Pain
1) Users have multiple username/passwords to remember for SaaS and on-premises apps.
2) The company needs to make sure sensitive information stays protected, wherever it goes.
3) IT needs to provide multiple layers of security to apps and resources across their on premise and cloud environments.
4) IT wants to manage company data when accessed on employee’s personal devices (BYOD) but doesn’t want to risk intruding on their personal life.
5) IT wants to manage BYOD or Corporate Devices that are accessing and connecting to company resources.

Solution
1) Provide a single sign-on experience to on premise & 2,500+ SaaS apps including: Salesforce, Workday, Concur, DocuSign & DropBox.
2) Protect information and documents by restricting editing, copying and sharing. Remain in control of your data even when it is shared outside your organization.
3) Multi-Factor Authentication provides two keys to the front door via strong authentication with multi-platform verification options: phone call, text message, or mobile app.
4) Utilize Mobile Application Management (MAM) without requiring the device to be enrolled for management and risk intruding on user’s personal devices.
5) Manage employee’s iOS, Android and Windows devices by providing employees with the ability to register, enroll, and manage their devices as well as install corporate apps from the self-service Company Portal.

Attach Motion
1) Upgrade O365 to Azure Active Directory Premium.
2) Upsell Azure Rights Management Service.
3) Upgrade O365 to Azure Active Directory Premium.
4) Upsell mobile application mgmt. with Microsoft Intune.
5) Upsell mobile device mgmt. with Microsoft Intune.

Compete
1) Okta, Ping, Centrify, IBM
2) Adobe, Good
3) Okta, Ping, Centrify, IBM, RSA
4) AirWatch, MobileIron, MaaS360, Kaseya
5) AirWatch, MobileIron, MaaS360, Kaseya

Pitch
1) One login to access thousands of SaaS applications with secure IT controls in place.
2) Know with certainty that your valuable company data is not falling into the wrong hands.
3) Increase security and access to your company information with multiple verification options.
4) Deliver, protect & manage apps without enrolling employee’s personal devices for management.
5) Use iOS, Android & Windows at work providing IT the ability to provide governance, management & control.

Page 7

Identity and access management in the cloud

Cloud powered protection

Manage access at scale

1000s of apps, 1 identity

Enable business without borders

• Advanced user lifecycle management
• Low IT overhead
• Monitor your identity bridge

• Cloud connected seamless authentication experience
• Single sign-on
• Bring your own apps
• Secure remote access to on-premises apps
• Support for lift and shift to the cloud

• Control access to resources
• Safeguard user authentication
• Respond to advanced threats with risk based policies and monitoring
• Mitigate administrative risks
• Governance of on-premises and cloud identities

• Ease of use for end users
• Cross organization collaboration
• Any time, any place, productivity with Windows 10
• Support for consumer facing applications

Page 8

What is Azure Active Directory?

A comprehensive identity and access management cloud solution for your employees, partners and customers.

It combines directory services, advanced identity governance, application access management and a rich standards based platform for developers.

B2E B2B B2C

Page 9

Identity as the core of Enterprise Mobility

IDENTITY DRIVEN SECURITY

[Diagram labels: Self-service; Single sign-on; Username; Simple connection; Cloud; SaaS; Azure; Office 365; Public cloud; Other Directories; Windows Server Active Directory; on-premises; Microsoft Azure Active Directory]

Page 10

Connect your on-premises identities to the cloud for a seamless authentication experience

Single sign-on to thousands of pre-integrated and custom SaaS apps. Bring your own apps: templates for SSO to any SaaS app

Secure remote access to on-premises apps

SSO from mobile apps

Support for lift and shift of traditional apps to the cloud

1000s of apps, 1 identity

Provide one persona to the modern workforce for SSO to 1000s of cloud and on-premises applications

Page 11

Pre-integrated SaaS apps in the application gallery

1000s OF APPS, 1 IDENTITY

Page 12

Making a hybrid identity simple

1000s OF APPS, 1 IDENTITY

Azure Active Directory Connect: Consolidated deployment assistant for your identity bridge components.

All currently available sync engines will be replaced by the sync engine included in the Connect tool. Assisted deployment of ADFS (Active Directory Federation Services) will be available through Azure Active Directory Connect.

ADFS is an optional component for authentication in hybrid implementation. Password sync can replace ADFS for more scenarios.

[Diagram labels: Azure Active Directory Connect; ADFS; Sync engine; DirSync; Azure Active Directory Sync; FIM (Forefront Identity Manager) + Azure Active Directory Connector; ADFS]

Page 13

Delivering a seamless user authentication experience

1000s OF APPS, 1 IDENTITY

Identity synchronization with password (hash) sync: User attributes are synchronized using identity synchronization services, including a password hash; authentication is completed against Azure Active Directory.

Identity synchronization: User attributes are synchronized using identity synchronization tools; authentication is passed back through federation and completed against Windows Server Active Directory.

[Diagram labels: ADFS; Microsoft Azure Active Directory]

Page 14

Enable business without borders

Stay productive everywhere with easy access to every application and powerful collaboration capabilities across location, application, and device borders

Ease of use for end users

Any time, any place productivity with Windows 10

Connect better with your consumers

Enable cross-organization collaboration

Page 15

Microsoft Azure Active Directory Cloud app discovery

CLOUD POWERED PROTECTION

Source: Help Net Security 2014

as many Cloud apps are in use than IT estimates

• SaaS app category
• Number of users
• Utilization volume

Comprehensive reporting

Reveal shadow IT

Discover all SaaS apps in use within your organization

Page 16

What is Azure Multi-Factor Authentication?

CLOUD POWERED PROTECTION

• A standalone Azure identity and access management service, also included in Azure Active Directory Premium
• Prevents unauthorized access to both on-premises and cloud applications by providing an additional level of authentication
• Trusted by thousands of enterprises to authenticate employee, customer and partner access

Page 17

How does it work?

CLOUD POWERED PROTECTION

Text messages

Phone calls

Mobile apps

Page 18

Azure MFA vs MFA for Office 365

CLOUD POWERED PROTECTION

Included in both MFA for Office 365/Azure Administrators and Azure Multi-Factor Authentication:
• Administrators can enable/enforce MFA to end users
• Use mobile app (online and OTP) as second authentication factor
• Use phone call as second authentication factor
• Use SMS as second authentication factor
• Application passwords for non browser clients (e.g., Outlook, Lync)
• Default Microsoft greetings during authentication phone calls
• Suspend MFA from known devices

Included in Azure Multi-Factor Authentication only:
• Custom greetings during authentication phone calls
• Fraud alert
• MFA SDK
• Security reports
• MFA for on-premises applications/MFA server
• One-time bypass
• Block/Unblock users
• Customizable caller ID for authentication phone calls
• Event confirmation
• Trusted IPs

Page 19

Identity Governance

CLOUD POWERED PROTECTION

Reduce risks of excessive access to your organization’s data

Dashboards with insights

Policy driven review workflows for governance decisions

Richer auditing to address compliance reporting needs

Decisions at the business level (self-service)

Apps in Azure

Third party apps & clouds

Apps on-premises

Page 20

One common identity

Simplify management

Improve security

IDENTITY DRIVEN SECURITY

Identity and access management

Page 21

One common identity

IDENTITY DRIVEN SECURITY

Self-service capabilities
• Password reset
• Group membership
• MyApps portal

Manage everything
• Dynamic groups
• Provisioning
• B2B collaboration

Single sign-on
• Easy connection to existing assets
• Unified experience across user devices


Page 23

“My users have multiple username/passwords to remember for SaaS and on-premises apps. This is not only inconvenient but a security risk as well.”

“We need a way to provide multiple layers of security to apps and resources across our on-premises and cloud environments.”

“Managing groups and forgotten user passwords increase my IT costs.”

Page 24

Demo

Identity and Access Management
• Single Sign-On, Multi-Factor Authentication, Self-service Access
• How to add SaaS applications and configure
• SSO options and Automatic User Provisioning
• How to configure MFA, custom branding, access rules, self-service, and more


Page 26

Products

Azure Rights Management

Persona Management

Device management

Single sign-on

Scenarios

Foundational EMS scenarios

Azure Active Directory Premium

Azure Rights Management

Mobile Application Management

InTune

Page 28

Manage and secure mobile productivity

MANAGED MOBILE PRODUCTIVITY

• Conditional access
• Compliance enforcement
• Multi-identity support

Access management

• Mobile app management (w & w/o a device enrollment)
• File and data encryption

Built-in security

• Office mobile apps
• Familiar and trusted

Gold standard

Page 29

Mobile app management

MANAGED MOBILE PRODUCTIVITY

[Diagram labels: Managed apps; Personal apps; Corporate data; Personal data; Multi-identity policy; Copy; Paste; Save; Save to personal storage; Paste to personal app; Email attachment]

Page 30

Collaborate securely

MANAGED MOBILE PRODUCTIVITY

Integrated use
• Works across all platforms
• Free content consumption
• Consistent user experience
• Integrate into common apps and services

Persistent protection
• Storage independent
• Permit all companies to authenticate
• Enforce authorization policies

Tracking and compliance
• Powerful logging and reporting
• Use/abuse tracking
• Kill documents remotely
• IT can reason over data

Page 31

Data level protection for secure sharing

COMPREHENSIVE SOLUTION

Any device/any platform

• Data level encryption
• All file types
• LOB app protection

Protect, Share, Track and revoke

[Diagram labels: External user; Internal user]

• Timeline view
• Map view
• Access and denials


Page 33

“My company needs to make sure that sensitive information stays protected, wherever it goes.”

“I need a way for user to securely share, track and remove access to sensitive documents and information.”

Page 34

Demo

Information Protection
• Sharing, Tracking, and Revoking Protected Documents
• Defining departmental RMS policy templates


Page 38

Maximize mobile productivity and protect corporate resources with Office mobile apps – including multi-identity support

Extend these capabilities to your existing line of business apps using the Intune App Wrapping Tool

Enable secure viewing of content using the Managed Browser, PDF Viewer, AV Player and Image Viewer apps

[Diagram labels: Managed apps, Personal apps, Corporate data, Personal data, Multi-identity policy, IT, User]


Enforce corporate data access requirements

Prevent data leakage on the device

Enforce encryption of app data at rest

App level selective wipe


[Diagram labels: Personal apps, Corporate apps, Azure Rights Management, MDM policies, MAM policies, File policies, MDM – optional (Intune or 3rd party)]

Prevent data leakage for Office mobile and other apps on unmanaged devices or devices managed by a third-party MDM (Mobile Device Management).

Protect data at the file level for Office documents and more with Azure Rights Management.

Enable familiar Office experiences for employees. No enrollment.


[Diagram labels: Personal apps, Managed apps, IT]

Perform selective wipe via self-service company portal or admin console

Remove managed apps and data

Keep personal apps and data intact


Data protection at the file layer

Document tracking

Access control

Data encryption

Share internally

Share externally

On any device

Authentication and collaboration


Identity

Application

Device

Data


Journey

1) Single sign-on 2) Document Protection 3) Multi-Factor Authentication 4) Persona Management 5) Device Management

Customer Pain

Users have multiple username/passwords to remember for SaaS and on-premises apps

The company needs to make sure sensitive information stays protected, wherever it goes.

IT needs to provide multiple layers of security to apps and resources across their on-premises and cloud environments.

IT wants to manage company data when accessed on employees’ personal devices (BYOD) but doesn’t want to risk intruding on their personal life.

IT wants to manage BYOD or Corporate Devices that are accessing and connecting to company resources.

Solution

Provide a single sign-on experience to on-premises & 2,500+ SaaS apps including: Salesforce, Workday, Concur, DocuSign & Dropbox.

Protect information and documents by restricting editing, copying and sharing. Remain in control of your data even when it is shared outside your organization.

Multi-Factor Authentication provides two keys to the front door via strong authentication with multi-platform verification options: phone call, text message, or mobile app.

Utilize Mobile Application Management (MAM) without requiring the device to be enrolled for management and risking intrusion on users’ personal devices.

Manage employees’ iOS, Android and Windows devices by providing employees with the ability to register, enroll, and manage their devices as well as install corporate apps from the self-service Company Portal.

Attach Motion

Upgrade O365 to Azure Active Directory Premium.

Upsell Azure Rights Management Service.

Upgrade O365 to Azure Active Directory Premium.

Upsell mobile application mgmt. with Microsoft Intune.

Upsell mobile device mgmt. with Microsoft Intune.

Compete

Okta, Ping, Centrify, IBM

Adobe, Good

Okta, Ping, Centrify, IBM, RSA

AirWatch, MobileIron, MaaS360, Kaseya

AirWatch, MobileIron, MaaS360, Kaseya

Pitch

One login to access thousands of SaaS applications with secure IT controls in place.

Know with certainty that your valuable company data is not falling into the wrong hands.

Increase security and access to your company information with multiple verification options.

Deliver, protect & manage apps without enrolling employee’s personal devices for management.

Use iOS, Android & Windows at work providing IT the ability to provide governance, management & control.

Attach Enterprise Mobility + Security with Microsoft Office 365

Help your customers enhance their Office 365 experience with a secure and integrated solution which addresses their need to keep employees productive and company data secure, wherever their users choose to work. This step-by-step journey is structured to help guide you and your customers towards the best managed services solution.


“I want my users to be able to access company email and documents from their personal devices (BYOD), but only if I can do it in a way that keeps my company data protected.”


Demo

Manage Mobile Productivity
• Mobile Application Management without Device Enrollment
• How to configure Mobile Application Management – review options and settings
• Conditional access and device enrollment with MDM


Go mobile. Stay in control.
• New Enterprise Mobility + Security packaging
• EM+S Benefits for Office 365 and Windows 10


Enterprise Mobility + Security

Information protection

Identity driven security

Managed mobile productivity

Identity and access management

Azure Information Protection Premium P2

Intelligent classification, labeling and protection for email and files shared inside and outside your organization

(includes all capabilities in P1)

Azure Information Protection Premium P1

Protection for files and emails across all storage locations

Cloud based file tracking and revocation

Microsoft Cloud App Security

Enterprise grade visibility, control and protection for your cloud applications

Microsoft Advanced Threat Analytics

Protection from advanced targeted attacks leveraging user and entity behavioral analytics

Microsoft Intune

Mobile device and app management to protect corporate apps and data on any device

Azure Active Directory Premium P2

Identity and access management with advanced protection for users and privileged identities

(includes all capabilities in P1)

Azure Active Directory Premium P1

Secure single sign-on to cloud and on-premises apps

MFA, conditional access, and advanced security reporting


Enterprise Mobility + Security

Information protection

Identity driven security

Managed mobile productivity

Identity and access management

Azure Information Protection Premium P2 (includes P1 features)

Azure Information Protection Premium P1

Microsoft Cloud App Security

Microsoft Advanced Threat Analytics

Microsoft Intune

Azure Active Directory Premium P2 (includes P1 features)

Azure Active Directory Premium P1

E3

E5


Enterprise Mobility + Security Pricing

Information protection

Identity driven security

Managed mobile productivity

Identity and access management

Azure Information Protection Premium P2

Azure Information Protection Premium P1

Microsoft Cloud App Security

Microsoft Advanced Threat Analytics

Microsoft Intune

Azure Active Directory Premium P2

Azure Active Directory Premium P1

E3: $8.75

E5: $15

Windows Server CAL (Client Access License) rights: $1.75


Common features

Directory as a service | 500,000 object limit | No object limit | No object limit | No object limit

User/group management (add/update/delete)/user based provisioning, device registration | Yes | Yes | Yes | Yes

Single sign-on | 10 apps per user (pre-integrated SaaS and developer-integrated apps) | 10 apps per user (free tier + Application proxy apps) | No limit (free, Basic tiers + Self-Service App Integration templates) | No limit (free, Basic tiers + Self-Service App Integration templates)

User based access management/provisioning | Yes | Yes | Yes | Yes

Self-service password change for cloud users | Yes | Yes | Yes | Yes

Azure AD Connect | Yes | Yes | Yes | Yes

Security reports/audit | 3 basic reports | 3 basic reports | Advanced security reports | Advanced security reports

Basic features

Group based access management/provisioning | Yes | Yes | Yes

Self-service password reset for cloud users | Yes | Yes | Yes

Company branding (logon pages/access panel customization) | Yes | Yes | Yes

Application Proxy | Yes | Yes | Yes

SLA | Yes | Yes | Yes

Premium features

Self-Service Group and app Management/Self-Service application additions/Dynamic Groups | Yes | Yes

Self-service password reset/change/account unlock with on-premises write back | Yes | Yes

Advanced usage reporting | Yes | Yes

Multi-factor authentication (cloud and on-premises (MFA server)) | Yes | Yes

MIM CAL + MIM server | Yes | Yes

Automated password rollover | Yes | Yes

Connect Health | Yes | Yes

Conditional Access based on group and location (Preview) | Yes | Yes

Conditional Access based on device state (Allow access from managed device) | Yes + Intune license | Yes + Intune license

Risk based conditional access with Azure AD Identity Protection | Yes

Privileged Identity management | Yes


Azure Information Protection edition comparison

Protection for all file types and emails | Yes | Yes

Protection for data stored in on-premises Office servers | Yes | Yes

Protection for data stored in O365 services | Yes | Yes

Protection for data stored in on-premises Windows Server File Shares | Yes | Yes

Automated file classification, labeling and protection | Yes


Enterprise Mobility + Security

Basic identity mgmt. via Azure AD for O365

• Single sign-on for O365

• Basic multi-factor authentication (MFA) for O365

Basic mobile device management via MDM for O365

• Device settings management

• Selective wipe

• Built into O365 management console

RMS protection via RMS for O365

• Protection for content stored in Office (on-premises or O365)

• Access to RMS (Rights Management Services) and SDK (Software Development Kit)

• Bring your own key

Azure AD for O365+

• Advanced security reports

• Single sign-on for all apps

• Advanced MFA

• Self-service group management & password reset & write back to on-premises

• Dynamic groups, group based licensing assignment

MDM for O365+

• PC management

• Mobile app management (prevent cut/copy/paste/save as from corporate apps to personal apps)

• Secure content viewers

• Certificate provisioning

• System Center integration

RMS for O365+

• Automated intelligent classification, labeling and protection of data

• Tracking and notifications for shared documents

• Protection for on-premises Windows Server file shares

Advanced Security Management

• Insights into suspicious activity in Office 365

Cloud App Security

• Visibility and control for all cloud apps

Advanced Threat Analytics

• Identify advanced threats in on-premises identities

Azure AD Premium P2

• Risk based conditional access

Information protection

Identity driven security

Managed mobile productivity

Identity and access management

EMS benefits for Office 365 customers


Windows 10

Enterprise Mobility + Security

• Single sign-on for business cloud apps

• Device setup and registration for Windows devices

• Windows Store for Business

• Traditional domain join manageability

• Manageability via MDM and MAM

• Encryption for data at rest and generated on device

• Encryption for data included in roaming settings

• Conditional access policies for secure single sign-on

• MDM auto-enrollment

• Self-Service BitLocker recovery

• Password reset with write back to on-premises

• Cloud based advanced security reports and monitoring

• Enterprise-state Roaming

• Mobile device management

• Mobile app management

• Secure content viewer

• Certificate, Wi-Fi, VPN, email profile provisioning

• Agent based management of Windows devices (domain joined via ConfigMgr and internet based via Intune)

• Automated intelligent classification, labeling and protection of data

• Tracking and notifications for shared documents

• Protection for content stored in Office and Office 365 & Windows Server on-premises

Windows Defender Advanced Threat Protection

• Identify advanced threats focused on Windows 10 behavioral sensors

Cloud App Security

• Visibility and control for all cloud apps

Advanced Threat Analytics

• Behavioral analytics for advanced threat detection

Azure AD Premium

• Risk based conditional access

Information protection

Identity driven security

Managed mobile productivity

Identity and access management

EMS benefits for Windows 10 customers


Getting Started with EMS Demo Provisioning

demos.microsoft.com


What to expect from this guide

Setting up your EMS-enabled demo tenant requires you to provide a pre-configured Azure subscription. This process is more involved than creating a standard Office 365 demo tenant.

This guide will help you:
• Gain an understanding of the Microsoft Security policy
• Properly create and configure your Azure Subscription
• Perform the pre-requisite steps for creating your EMS tenant
• Navigate the new Microsoft Demos portal (https://demos.Microsoft.com)
• Leverage current demo guides and other EMS resources


What is Included with an EMS Tenant

Each EMS demo tenant provisioned will include:

a. An Office 365 “E5” environment, with trial license, and demo-ready sample content (document libraries, emails, OneDrive contents, Yammer posts, etc.)
b. A 100-user Azure AD with EMS trial license and key features pre-configured
c. An Intune environment pre-populated with apps, policies, and “fake” pre-enrolled devices
d. Azure Rights Management activated and pre-configured for key demo scenarios
e. Azure RemoteApp collection trial (expires in 30 days)

What to know going in:

a. Your demo tenant will use 90-day subscriptions of O365 and EMS.
b. These are demo trial tenants, to be used for demo purposes only. These tenants should not be handed to customers or prospects. Please visit the FastTrack program site on how you can provision PoC tenants that may be handed to customers.


How to Use Your EMS Tenant

Once you have a tenant, you will need to:

• Reference/download the demo guides (available in the “Demos” tab of demos.microsoft.com portal) for detailed instructions. These include:
  • One-time manual setup for your tenant
  • Preparation of your demo devices

• Perform pre-demo checklist steps listed at the beginning of each demo scenario.

• Walk through your demo scenarios. Suggested scenarios are presented in the demo guides with detailed click steps and talking points.

• Perform post-demo reset steps to ensure you’re able to repeat the demo scenario.


Step 1: Sign up for a NEW Demo Live ID Account

Working with a new Live ID will streamline both your EMS provisioning experience, and any demos that you conduct. We recommend you NOT use your everyday Live ID.

a. Go to https://signup.live.com.
b. Create a new account (e.g. [email protected]).
c. Save login credentials for use later.

Partner Instructions


Step 2: Create a New Azure Subscription

a. Go to the Azure Account Management portal at https://account.windowsazure.com/
b. Log in with your work or Microsoft account (this is your Azure Account ID).

If no previous subscriptions exist:
c. Change URL to https://account.windowsazure.com/signup?offer=MS-AZR-0003P to sign up for a Pay-As-You-Go subscription
d. Complete the phone verification and payment info.
e. Accept Agreement, then Sign up.

If you have previous subscriptions: You may choose to use it for your Demo (proceed to next slide), OR create new:
c. Click Subscriptions
d. Click + add subscription
e. Select offer: Pay-As-You-Go
f. Verify Payment info and Agreement
g. Click Purchase.

NOTE: your credit card will NOT be charged for any services provisioned on your behalf.


Step 3: Change Service Administrator to Live ID

a. Browse your list of Azure subscriptions, at https://account.windowsazure.com/subscriptions
b. Locate your Azure subscription and click for details.
c. Click Edit subscription details.
d. Change the Subscription Name.
e. Change Service Administrator to the Live ID you created in Step #1.
   a. Click Save.
   b. Copy the SUBSCRIPTION ID – you’ll need it later.

Partner Instructions

Important: The Service Administrator of your Azure subscription must be changed to a Live ID/Microsoft Account for EMS demos to provision successfully.

Note: Granting your Live ID user Co-Administrators role is NOT sufficient – it must be granted Service Administrator.


Step 4: Request your Quick Tenant with EMS Add-On

a. Go to http://demos.microsoft.com.
b. Log in as a Microsoft Partner (using your Partner ID; not your new Live ID)
   a. If you experience issues signing in, go to Slide 21
c. Go to Tenants tab.
d. Click + Create on one of six available “slots”.
e. Click Quick Tenant.
f. Select Standard Office 365 Content with options.
g. Check Enterprise Mobility Add On.
h. Enter in your Azure Subscription ID, Service Administrator user ID and password, then Validate.
i. Once your info has been validated, click Next.
j. Your EMS tenant will be ready in approx. 2 hours.


Step 5: Build your Demo Guides

The Demos tab of the site allows you to build out your own demo guides by combining one or more published demo documents and videos.

a. Go to Demos.
b. Type a name for your demo (e.g. EMS Demos for Customer ABC)
c. Under Select a Tenant, select the demo tenant you just created.
d. Select one or more of the EMS demo modules that you would like to include:
   a. Enterprise Mobility Hero Guide
   b. Mobile Device and Application Development Guide
   c. Identity and Access Management Guide
   d. Information Protection Guide
   e. Desktop Virtualization Guide