Microsoft Partner Confidential – SMB LIVE 2016
Module 2: How to setup and configure Microsoft Cloud Security and Management Solutions
SMB LIVE
Today’s Agenda
9:00 – 9:30am: Welcome to SMB Live, Intro and Foundation
9:30 – 10:00am: Overview of the Microsoft Cloud Security
10:30am – 1:30pm: How to setup and configure Microsoft Cloud Security and Management Solutions
11:45am – 12:30pm: Lunch
1:30 – 2:00pm: SaaS, IaaS, PaaS? What is Azure all about and why should I care?
2:00 – 4:30pm: How to setup and configure solutions in Azure
4:30 – 5:00pm: Closing & Next Steps
EMPOWER ENTERPRISE MOBILITY
Identity driven security
Comprehensive solution
Managed mobile productivity
Key Scenarios
Mobile Device Management
• Self Service Password Management
• Mobile Device Settings Management
• Device Certificate Management
• Surface & Windows Phone Enterprise Deployment & Integration
• Selective Wipe
• Conditional Access
Mobile App Management
• App Creation, Deployment and Updating
• Self Service Provisioning
• Onboarding and Offboarding
• Cloud App Discovery
• Delegated App Management
• Remote Access to Legacy Apps
Identity as a Service
• Cloud Services Federation
• Single sign-on
• Multi-Factor Authentication
• Identity Authentication and Integration
• Windows 10 Azure AD Join
• AD App Proxy
Information Protection
• Secure Information Sharing – inside and outside the organization
• Message Encryption
• Enlightened Apps
• Document Tracking
• Rights Revocation
Foundational EMS scenarios
Scenarios: Single sign-on, Information Protection, Persona Management, Device management
Products: Azure Active Directory Premium, Azure Rights Management, Mobile Application Management, Intune
Attach Enterprise Mobility + Security with Microsoft Office 365
Help your customers enhance their Office 365 experience with a secure and integrated solution which addresses their need to keep employees productive and company data secure, wherever their users choose to work. This step by step journey is structured to help guide you and your customers towards the best managed services solution.

Journey 1) Single sign-on
Customer Pain: Users have multiple username/passwords to remember for SaaS and on-premises apps.
Solution: Provide a single sign-on experience to on-premises & 2,500+ SaaS apps including: Salesforce, Workday, Concur, DocuSign & DropBox.
Attach Motion: Upgrade O365 to Azure Active Directory Premium.
Compete: Okta, Ping, Centrify, IBM
Pitch: One login to access thousands of SaaS applications with secure IT controls in place.

Journey 2) Document Protection
Customer Pain: The company needs to make sure sensitive information stays protected, wherever it goes.
Solution: Protect information and documents by restricting editing, copying and sharing. Remain in control of your data even when it is shared outside your organization.
Attach Motion: Upsell Azure Rights Management Service.
Compete: Adobe, Good
Pitch: Know with certainty that your valuable company data is not falling into the wrong hands.

Journey 3) Multi-Factor Authentication
Customer Pain: IT needs to provide multiple layers of security to apps and resources across their on-premises and cloud environments.
Solution: Multi-Factor Authentication provides two keys to the front door via strong authentication with multi-platform verification options: phone call, text message, or mobile app.
Attach Motion: Upgrade O365 to Azure Active Directory Premium.
Compete: Okta, Ping, Centrify, IBM, RSA
Pitch: Increase security and access to your company information with multiple verification options.

Journey 4) Persona Management
Customer Pain: IT wants to manage company data when accessed on employees’ personal devices (BYOD) but doesn’t want to risk intruding on their personal life.
Solution: Utilize Mobile Application Management (MAM) without requiring the device to be enrolled for management and risk intruding on users’ personal devices.
Attach Motion: Upsell mobile application mgmt. with Microsoft Intune.
Compete: AirWatch, MobileIron, MaaS360, Kaseya
Pitch: Deliver, protect & manage apps without enrolling employees’ personal devices for management.

Journey 5) Device Management
Customer Pain: IT wants to manage BYOD or Corporate Devices that are accessing and connecting to company resources.
Solution: Manage employees’ iOS, Android and Windows devices by providing employees with the ability to register, enroll, and manage their devices as well as install corporate apps from the self-service Company Portal.
Attach Motion: Upsell mobile device mgmt. with Microsoft Intune.
Compete: AirWatch, MobileIron, MaaS360, Kaseya
Pitch: Use iOS, Android & Windows at work providing IT the ability to provide governance, management & control.
Identity and access management in the cloud
Manage access at scale
• Advanced user lifecycle management
• Low IT overhead
• Monitor your identity bridge
1000s of apps, 1 identity
• Cloud connected seamless authentication experience
• Single sign-on
• Bring your own apps
• Secure remote access to on-premises apps
• Support for lift and shift to the cloud
Cloud powered protection
• Control access to resources
• Safeguard user authentication
• Respond to advanced threats with risk based policies and monitoring
• Mitigate administrative risks
• Governance of on-premises and cloud identities
Enable business without borders
• Ease of use for end users
• Cross organization collaboration
• Any time, any place, productivity with Windows 10
• Support for consumer facing applications
What is Azure Active Directory?
A comprehensive identity and access management cloud solution for your employees, partners and customers.
It combines directory services, advanced identity governance, application access management and a rich standards based platform for developers.
B2E B2B B2C
Identity as the core of Enterprise Mobility
[Diagram labels: Self-service; Single sign-on; Simple connection; Cloud; SaaS; Azure; Office 365; Public cloud; Other Directories; Windows Server Active Directory (on-premises); Microsoft Azure Active Directory]
IDENTITY DRIVEN SECURITY
1000s of apps, 1 identity
Provide one persona to the modern workforce for SSO to 1000s of cloud and on-premises applications
• Connect your on-premises identities to the cloud for a seamless authentication experience
• Single sign-on to thousands of pre-integrated and custom SaaS apps
• Bring your own apps: templates for SSO to any SaaS app
• Secure remote access to on-premises apps
• SSO from mobile apps
• Support for lift and shift of traditional apps to the cloud
Pre-integrated SaaS apps in the application gallery
Making a hybrid identity simple
Azure Active Directory Connect: consolidated deployment assistant for your identity bridge components.
All currently available sync engines will be replaced by the sync engine included in the Connect tool. Assisted deployment of ADFS (Active Directory Federation Services) will be available through Azure Active Directory Connect.
ADFS is an optional component for authentication in hybrid implementation. Password sync can replace ADFS for more scenarios.
[Diagram labels: Azure Active Directory Connect; Sync engine; ADFS; DirSync; Azure Active Directory Sync; FIM (Forefront Identity Manager) + Azure Active Directory Connector]
Delivering a seamless user authentication experience
Identity synchronization with password (hash) sync: User attributes are synchronized using identity synchronization services, including a password hash; authentication is completed against Azure Active Directory.
Identity synchronization: User attributes are synchronized using identity synchronization tools; authentication is passed back through federation and completed against Windows Server Active Directory.
[Diagram labels: ADFS; Microsoft Azure Active Directory]
Enable business without borders
Stay productive everywhere with easy access to every application and powerful collaboration capabilities across location, application, and device borders
Ease of use for end users
Any time, any place productivity with Windows 10
Connect better with your consumers
Enable cross-organization collaboration
Microsoft Azure Active Directory Cloud app discovery
Source: Help Net Security 2014
as many Cloud apps are in use than IT estimates
Reveal shadow IT
Discover all SaaS apps in use within your organization
Comprehensive reporting
• SaaS app category
• Number of users
• Utilization volume
CLOUD POWERED PROTECTION
What is Azure Multi-Factor Authentication?
• A standalone Azure identity and access management service, also included in Azure Active Directory Premium
• Prevents unauthorized access to both on-premises and cloud applications by providing an additional level of authentication
• Trusted by thousands of enterprises to authenticate employee, customer and partner access
How does it work?
• Text messages
• Phone calls
• Mobile apps
Azure MFA vs MFA for Office 365
Available in both MFA for Office 365/Azure Administrators and Azure Multi-Factor Authentication:
• Administrators can enable/enforce MFA to end users
• Use mobile app (online and OTP) as second authentication factor
• Use phone call as second authentication factor
• Use SMS as second authentication factor
• Application passwords for non browser clients (e.g., Outlook, Lync)
• Default Microsoft greetings during authentication phone calls
• Suspend MFA from known devices
Available in Azure Multi-Factor Authentication only:
• Custom greetings during authentication phone calls
• Fraud alert
• MFA SDK
• Security reports
• MFA for on-premises applications/MFA server
• One-time bypass
• Block/Unblock users
• Customizable caller ID for authentication phone calls
• Event confirmation
• Trusted IPs
Identity Governance
Reduce risks of excessive access to your organization’s data
Dashboards with insights
Policy driven review workflows for governance decisions
Richer auditing to address compliance reporting needs
Decisions at the business level (self-service)
Apps in Azure
Third party apps & clouds
Apps on-premises
One common identity
Simplify management
Improve security
IDENTITY DRIVEN SECURITY
Identity and access management
One common identity
Self-service capabilities
• Password reset
• Group membership
• MyApps portal
Manage everything
• Dynamic groups
• Provisioning
• B2B collaboration
Single sign-on
• Easy connection to existing assets
• Unified experience across user devices
“My users have multiple username/passwords to remember for SaaS and on-premises apps. This is not only inconvenient but a security risk as well.”
“We need a way to provide multiple layers of security to apps and resources across our on-premises and cloud environments.”
“Managing groups and forgotten user passwords increase my IT costs.”
Demo: Identity and Access Management
• Single Sign-On, Multi-Factor Authentication, Self-service Access
• How to add SaaS applications and configure
• SSO options and Automatic User Provisioning
• How to configure MFA, custom branding, access rules, self-service, and more
MANAGED MOBILE PRODUCTIVITY
Manage and secure mobile productivity
Access management
• Conditional access
• Compliance enforcement
• Multi-identity support
Built-in security
• Mobile app management (with and without device enrollment)
• File and data encryption
Gold standard
• Office mobile apps
• Familiar and trusted
Mobile app management
[Diagram labels: Managed apps; Personal apps; Corporate data; Personal data; Multi-identity policy; Copy, Paste, Save; Save to personal storage; Paste to personal app; Email attachment]
Collaborate securely
Integrated use
• Works across all platforms
• Free content consumption
• Consistent user experience
• Integrate into common apps and services
Persistent protection
• Storage independent
• Permit all companies to authenticate
• Enforce authorization policies
Tracking and compliance
• Powerful logging and reporting
• Use/abuse tracking
• Kill documents remotely
• IT can reason over data
COMPREHENSIVE SOLUTION
Data level protection for secure sharing
Protect, Share, Track and revoke
• Data level encryption
• All file types
• LOB app protection
• Any device / any platform
• External user, internal user
• Timeline view
• Map view
• Access and denials
“My company needs to make sure that sensitive information stays protected, wherever it goes.”
“I need a way for users to securely share, track and remove access to sensitive documents and information.”
Demo: Information Protection
• Sharing, Tracking, and Revoking Protected Documents
• Defining departmental RMS policy templates
Maximize mobile productivity and protect corporate resources with Office mobile apps – including multi-identity support
Extend these capabilities to your existing line of business apps using the Intune App Wrapping Tool
Enable secure viewing of content using the Managed Browser, PDF Viewer, AV Player and Image Viewer apps
• Enforce corporate data access requirements
• Prevent data leakage on the device
• Enforce encryption of app data at rest
• App level selective wipe
[Diagram labels: Personal apps; Corporate apps; Azure Rights Management; MDM policies; MAM policies; File policies; MDM – optional (Intune or 3rd party)]
Prevent data leakage for Office mobile and other apps on unmanaged devices or devices managed by a third-party MDM (Mobile Device Management).
Protect data at the file level for Office documents and more with Azure Rights Management.
Enable familiar Office experiences for employees. No enrollment.
• Perform selective wipe via self-service company portal or admin console
• Remove managed apps and data
• Keep personal apps and data intact
Data protection at the file layer
Document tracking
Access control
Data encryption
Share internally Share externally
On any device
Authentication and collaboration
Identity
Application
Device
Data
“I want my users to be able to access company email and documents from their personal devices (BYOD), but only if I can do it in a way that keeps my company data protected.”
Demo: Manage Mobile Productivity
• Mobile Application Management without Device Enrollment
• How to configure Mobile Application Management – review options and settings
• Conditional access and device enrollment with MDM
Go mobile. Stay in control.
• New Enterprise Mobility + Security packaging
• EM+S Benefits for Office 365 and Windows 10
Enterprise Mobility + Security
Information protection
• Azure Information Protection Premium P2: Intelligent classification, labeling and protection for email and files shared inside and outside your organization (includes all capabilities in P1)
• Azure Information Protection Premium P1: Protection for files and emails across all storage locations; cloud based file tracking and revocation
Identity driven security
• Microsoft Cloud App Security: Enterprise grade visibility, control and protection for your cloud applications
• Microsoft Advanced Threat Analytics: Protection from advanced targeted attacks leveraging user and entity behavioral analytics
Managed mobile productivity
• Microsoft Intune: Mobile device and app management to protect corporate apps and data on any device
Identity and access management
• Azure Active Directory Premium P2: Identity and access management with advanced protection for users and privileged identities (includes all capabilities in P1)
• Azure Active Directory Premium P1: Secure single sign-on to cloud and on-premises apps; MFA, conditional access, and advanced security reporting
Enterprise Mobility + Security plans: E3 and E5
Enterprise Mobility + Security Pricing
E3: $8.75
E5: $15
Windows Server CAL (Client Access License) rights: $1.75
Common features
Directory as a service: 500,000 object limit; No object limit; No object limit; No object limit
User/group management (add/update/delete)/user based provisioning, device registration: Yes; Yes; Yes; Yes
Single sign-on: 10 apps per user (pre-integrated SaaS and developer-integrated apps); 10 apps per user (free tier + Application proxy apps); No limit (free, Basic tiers + Self-Service App Integration templates); No limit (free, Basic tiers + Self-Service App Integration templates)
User based access management/provisioning: Yes; Yes; Yes; Yes
Self-service password change for cloud users: Yes; Yes; Yes; Yes
Azure AD Connect: Yes; Yes; Yes; Yes
Security reports/audit: 3 basic reports; 3 basic reports; Advanced security reports; Advanced security reports
Basic features
Group based access management/provisioning: Yes; Yes; Yes
Self-service password reset for cloud users: Yes; Yes; Yes
Company branding (logon pages/access panel customization): Yes; Yes; Yes
Application Proxy: Yes; Yes; Yes
SLA: Yes; Yes; Yes
Premium features
Self-Service Group and app Management/Self-Service application additions/Dynamic Groups: Yes; Yes
Self-service password reset/change/account unlock with on-premises write back: Yes; Yes
Advanced usage reporting: Yes; Yes
Multi-factor authentication (cloud and on-premises (MFA server)): Yes; Yes
MIM CAL + MIM server: Yes; Yes
Automated password rollover: Yes; Yes
Connect Health: Yes; Yes
Conditional Access based on group and location (Preview): Yes; Yes
Conditional Access based on device state (Allow access from managed device): Yes + Intune license; Yes + Intune license
Risk based conditional access with Azure AD Identity Protection: Yes
Privileged Identity management: Yes
Protection for all file types and emails: Yes | Yes
Protection for data stored in on-premises Office servers: Yes | Yes
Protection for data stored in O365 services: Yes | Yes
Protection for data stored in on-premises Windows Server File Shares: Yes | Yes
Automated file classification, labeling and protection: Yes
Azure Information Protection edition comparison
Enterprise Mobility + Security
Basic identity mgmt. via Azure AD for O365
• Single sign-on for O365
• Basic multi-factor authentication (MFA) for O365
Basic mobile device management via MDM for O365
• Device settings management
• Selective wipe
• Built into O365 management console
RMS protection via RMS for O365
• Protection for content stored in Office (on-premises or O365)
• Access to RMS (Rights Management Services) and SDK (Software Development Kit)
• Bring your own key
Azure AD for O365+
• Advanced security reports
• Single sign-on for all apps
• Advanced MFA
• Self-service group management & password reset & write back to on-premises
• Dynamic groups, group based licensing assignment
MDM for O365+
• PC management
• Mobile app management (prevent cut/copy/paste/save as from corporate apps to personal apps)
• Secure content viewers
• Certificate provisioning
• System Center integration
RMS for O365+
• Automated intelligent classification, labeling and protection of data
• Tracking and notifications for shared documents
• Protection for on-premises Windows Server file shares
Advanced Security Management
• Insights into suspicious activity in Office 365
Cloud App Security
• Visibility and control for all cloud apps
Advanced Threat Analytics
• Identify advanced threats in on-premises identities
Azure AD Premium P2
• Risk based conditional access
Information protection
Identity driven security
Managed mobile productivity
Identity and access management
EMS benefits for Office 365 customers
Windows 10
Enterprise Mobility + Security
• Single sign-on for business cloud apps
• Device setup and registration for Windows devices
• Windows Store for Business
• Traditional domain join manageability
• Manageability via MDM and MAM
• Encryption for data at rest and generated on device
• Encryption for data included in roaming settings
• Conditional access policies for secure single sign-on
• MDM auto-enrollment
• Self-Service BitLocker recovery
• Password reset with write back to on-premises
• Cloud based advanced security reports and monitoring
• Enterprise State Roaming
• Mobile device management
• Mobile app management
• Secure content viewer
• Certificate, Wi-Fi, VPN, email profile provisioning
• Agent based management of Windows devices (domain joined via ConfigMgr and internet based via Intune)
• Automated intelligent classification, labeling and protection of data
• Tracking and notifications for shared documents
• Protection for content stored in Office and Office 365 & Windows Server on-premises
Windows Defender Advanced Threat Protection
• Identify advanced threats focused on Windows 10 behavioral sensors
Cloud App Security
• Visibility and control for all cloud apps
Advanced Threat Analytics
• Behavioral analytics for advanced threat detection
Azure AD Premium
• Risk based conditional access
Information protection
Identity driven security
Managed mobile productivity
Identity and access management
EMS benefits for Windows 10 customers
What to expect from this guide
Setting up your EMS-enabled demo tenant requires you to provide a pre-configured Azure subscription. This process is more involved than creating a standard Office 365 demo tenant.
This guide will help you:
• Gain an understanding of the Microsoft Security policy
• Properly create and configure your Azure Subscription
• Perform the pre-requisite steps for creating your EMS tenant
• Navigate the new Microsoft Demos portal (https://demos.Microsoft.com)
• Leverage current demo guides and other EMS resources
What is Included with an EMS Tenant
Each EMS demo tenant provisioned will include:
a. An Office 365 “E5” environment, with trial license, and demo-ready sample content (document libraries, emails, OneDrive contents, Yammer posts, etc.)
b. A 100-user Azure AD with EMS trial license and key features pre-configured
c. An Intune environment pre-populated with apps, policies, and “fake” pre-enrolled devices
d. Azure Rights Management activated and pre-configured for key demo scenarios
e. Azure RemoteApp collection trial (expires in 30 days)
What to know going in:
a. Your demo tenant will use 90-day subscriptions of O365 and EMS.
b. These are demo trial tenants, to be used for demo purposes only. These tenants should not be handed to customers or prospects. Please visit the FastTrack program site on how you can provision PoC tenants that may be handed to customers.
How to Use Your EMS Tenant
Once you have a tenant, you will need to:
• Reference/download the demo guides (available in the “Demos” tab of demos.microsoft.com portal) for detailed instructions. These include:
    • One-time manual setup for your tenant
    • Preparation of your demo devices
• Perform pre-demo checklist steps listed at the beginning of each demo scenario.
• Walk through your demo scenarios. Suggested scenarios are presented in the demo guides with detailed click steps and talking points.
• Perform post-demo reset steps to ensure you’re able to repeat the demo scenario.
Step 1: Sign up for a NEW Demo Live ID Account
Working with a new Live ID will streamline both your EMS provisioning experience and any demos that you conduct. We recommend you NOT use your everyday Live ID.
a. Go to https://signup.live.com.
b. Create a new account (e.g. [email protected]).
c. Save login credentials for use later.
Partner Instructions
Step 2: Create a New Azure Subscription
a. Go to the Azure Account Management portal at https://account.windowsazure.com/
b. Log in with your work or Microsoft account (this is your Azure Account ID).
If no previous subscriptions exist:
c. Change URL to https://account.windowsazure.com/signup?offer=MS-AZR-0003P to sign up for a Pay-As-You-Go subscription.
d. Complete the phone verification and payment info.
e. Accept Agreement, then Sign up.
If you have previous subscriptions: You may choose to use one for your demo (proceed to next slide), OR create a new one:
c. Click Subscriptions.
d. Click + add subscription.
e. Select offer: Pay-As-You-Go.
f. Verify Payment info and Agreement.
g. Click Purchase.
NOTE: Your credit card will NOT be charged for any services provisioned on your behalf.
Step 3: Change Service Administrator to Live ID
a. Browse your list of Azure subscriptions, at https://account.windowsazure.com/subscriptions
b. Locate your Azure subscription and click for details.
c. Click Edit subscription details.
d. Change the Subscription Name.
e. Change Service Administrator to the Live ID you created in Step #1.
f. Click Save.
g. Copy the SUBSCRIPTION ID – you’ll need it later.
Important: The Service Administrator of your Azure subscription must be changed to a Live ID/Microsoft Account for EMS demos to provision successfully.
Note: Granting your Live ID user the Co-Administrator role is NOT sufficient – it must be granted Service Administrator.
Step 4: Request your Quick Tenant with EMS Add-On
a. Go to http://demos.microsoft.com.
b. Log in as a Microsoft Partner (using your Partner ID; not your new Live ID).
    a. If you experience issues signing in, go to Slide 21.
c. Go to Tenants tab.
d. Click + Create on one of six available “slots”.
e. Click Quick Tenant.
f. Select Standard Office 365 Content with options.
g. Check Enterprise Mobility Add On.
h. Enter in your Azure Subscription ID, Service Administrator user ID and password, then Validate.
i. Once your info has been validated, click Next.
j. Your EMS tenant will be ready in approx. 2 hours.
Step 5: Build your Demo Guides
The Demos tab of the site allows you to build out your own demo guides by combining one or more published demo documents and videos.
a. Go to Demos.
b. Type a name for your demo (e.g. EMS Demos for Customer ABC).
c. Under Select a Tenant, select the demo tenant you just created.
d. Select one or more of the EMS demo modules that you would like to include:
    a. Enterprise Mobility Hero Guide
    b. Mobile Device and Application Development Guide
    c. Identity and Access Management Guide
    d. Information Protection Guide
    e. Desktop Virtualization Guide