Managing People, Devices &

Information in Office 365

Welcome

What do you hope to learn today?

Please take a moment to fill out the yellow cards.

Our presenters will review the cards to ensure that we cover

the topics/areas of interest.

We will collect them before we get started.

Thanks!

Collect ‘Learn Today’ Cards

What do you hope to learn today?

Please take a moment to fill out the yellow cards.

Our presenters will review the cards to ensure

that we cover the topics/areas of interest.

We will collect them before we get started

Thanks!

System Source & Microsoft: Microsoft Certified Partner…since 1980’s

Silver – Learning Solutions

Train 6,000 students/year

Our Instructors rate 20% higher than Microsoft National

Average Customer Satisfaction Scores.

Silver – Infrastructure

1,000’s of Microsoft implementations

Small Business to Enterprise

Non-profit

Education

System Source & Microsoft:

Agenda (Dave’s portion)

What is Office 365

Identity Management

Azure AD

Cloud, Synchronized, Federated accounts

Azure AD Features Examples

Multi-Factor Authentication / Self Serve Password Reset

Single Sign On – Using Azure AD for SaaS SSO

Native Office 365 Mobile Device Management

What is Office 365?

What is Office 365? Office 365 is mostly a SaaS solution

Your connectivity to and use of Office 365 and other Microsoft Cloud

services are flexible. Subscribe to one service only or a suite of services

Subscription plans offer various levels of features

You can use only the Cloud for login and data

Synchronize directories and/or Federate to control accounts locally

Integrate the Cloud services with on-premises services (Hybrid) so data and services

can span both locations

What is Office 365?

•SharePoint Online

•OneDrive

•Yammer

•Rich client

•Web client

•Apps

•Skype for Business

•Exchange Online

•Archiving

•Encryption

EmailReal-time

Communication

CollaborationOffice

Plans

Plans

Plans

Plans

World-Class Data Centers

Office 365 Trust Center

Clear messaging with plain English

Details for security experts

Links videos, whitepapers

http://trust.office365.com

Identity ManagementHow does Office 365 (and Azure) integrate with my environment?

How does Office 365 integrate with my environment?

Office 365 services (Exchange, SharePoint, Skype for Business) can be

on-premises, in the cloud or a combination (hybrid)

Microsoft offers hybrid configurations for Skype for Business, SharePoint and

Exchange. Available features vary with service and subscription plans.

Interoperability between Exchange, SharePoint and Skype for Business has some limitations but

integration is improving.

DirSync and ADFS is a requirement* for hybrid deployments

User accounts can be in the cloud or on-premises

User accounts can be managed in the cloud or on-premises

Where are your Office 365 Accounts?

Microsoft Azure Active Directory Azure Active Directory (Azure AD) is Microsoft’s

multi-tenant cloud based directory and identity

management service.

Azure AD also includes a full suite of identity

management capabilities including multi-factor

authentication, device registration, self-service

password management, self-service group

management, privileged account management,

role based access control, application usage

monitoring, rich auditing and security monitoring

and alerting. Active Directory

Azure

Active Directory

What is Azure Active Directory? The Azure Active Directory service comes in three editions:

Free

Basic

Premium

The Free edition is included with an Azure or Office 365 subscription.

The Basic and Premium editions are available through a Microsoft Enterprise

Agreement, the Open Volume License Program, and the Cloud Solution

Providers program.

Every paid subscription to Office 365

comes with a free subscription to Azure

Active Directory.

You can use Azure AD to manage your

apps and to create and manage user

and group accounts independent of

Office 365.

To activate this subscription and access

the Azure management portal, you

have to complete a one-time

registration process.

Office 365 Subscription – Domains The default domain when opening a subscription is

<DomainName>.onmicrosoft.com

This domain is fully functional and can be used for

login and email.

This domain will be used for internal routing in co-

existence scenarios.

Your production domains are added to the

subscription for login and email.

Login IDs are in UPN format

Note – When using Directory Synchronization you

would match your local Active Directory UPNs to a

domain(s) configured in your subscription.

Local AD Integration with Office 365

Cloud identity

Single identity in the cloud Suitable

for small organizations with no

integration to on-premises

directories

Cloud identity with directory synchronization

Single identity

suitable for medium

and large organizations without

federation*

Federated identity

Single federated identity

and credentials suitable

for medium and large

organizations

On-Premises ADFS Implementation

Multiple ADFS Servers and Proxy (Web Application

Proxy)

WID Replication and NLB for redundancy

On-Premises ADFS Implementation Users are redirected to the ADFS server for authentication

portal.microsoftonline.com“example.com” is recognized as a

Federated Domain. User will be

redirected to local ADFS server.

A SAML token is generated

and used to authenticate the

user to Office 365 resources.

Managing Cloud Identities Accounts are independent of your local AD

Managed through the Office 365 portal

DEMO

Synchronizing Identities Azure AD Connector (DirSync) tool.

Installed on 64-bit domain controller.

Builds a connector between Azure

AD and your local AD.

Synchronizes selected objects

every three hours by default.

Managing Synchronized Identities Accounts are managed in local

AD and synchronized Every three hours by default

Password changes immediately

Account disabled on normal cycle

Passwords synchronized one-

way unless the Azure AD

subscription is upgraded.

Exchange attributes need to be

managed using an on-

premises Exchange Server /

Console or through ADSIEdit

(not recommended).

Managing Federated Identities Federated IDs are managed

on-premises. There is no

synchronization delay since

users are directed to the local

AD for authentication.

Disabling an account or

changing a password is

immediate.

Access to Office 365

resources is dependent on

your AD and ADFS being

available!

Multi-Factor Authentication and Self Serve Features

(Samples of Azure AD features)

Multi-Factor Authentication (MFA) Office 365 offers two-factor authentication.

Office 365 MFA covers…

Exchange Online

SharePoint Online

Lync Online

Dynamics CRM Online

Project Online

Office 2013 Pro Plus on-premises

App Passwords are used for Office applications

App Password – A 16-character randomly generated password used with Office

applications in lieu of the second authentication factor.

Note – The roadmap is to add true MFA to Office applications

Multi-Factor Authentication (MFA)

Demonstration – User setup and administration, user controls

Self Serve Password Reset Azure AD Free - cloud-only administrators can reset their own passwords

Azure AD Basic or Basic with a Paid O365 Subscription - cloud-only users and

cloud-only administrators can reset their own passwords

Azure AD Premium - any user or administrator, including cloud-only, federated, or

password synced users, can reset their own passwords (requires password writeback

to be enabled)

Self Serve Setup Setup through Azure AD

Enable service for the

users

Setup required parameters

Self Serve Use Part of portal login

process

Single Sign On – Using Azure AD for SaaS SSO

SaaS Authentication Challenge

Azure AD as the control point

2500+ Pre-integrated SaaS Solutions

The On-Premises SSO Portion (ADFS)

Azure AD – SaaS SSOhttps://azure.microsoft.com/en-us/documentation/articles/active-directory-saas-salesforce-tutorial/

We need to discuss if this should

be in my portion of the

presentation or a part of Steve’s

EMS (InTune) presentation.

I have about an hour’s worth of

material without MDM.

Office 365 MDM – Device Types You can use MDM for Office 365 to secure and manage the following types

of devices.

Windows Phone 8.1

iOS 7.1 or later versions

Android 4 or later versions

Windows 8.1*

Windows 8.1 RT*

* Access control for Windows 8.1 and Windows 8.1 RT devices is limited to Exchange ActiveSync.

Office 365 MDM – Enrollment and Polices These apps will prompt

users to enroll if there is a

policy applied to the user.

Exchange

Exchange ActiveSync includes native email

and third-party apps, like TouchDown, that

use Exchange ActiveSync.

Office and OneDrive for Business

Office 365 MDM – Enrollment and Policies The following diagram shows what

happens when a user with a new device

signs in to an app that supports access

control with MDM for Office 365.

The user is blocked from accessing

Office 365 resources in the app until

they enroll their device.

Office 365 MDM – Enrollment and Polices User logs in with an enrolled device that

isn’t compliant with a security setting in a

mobile device management policy that

applies to their device.

They are blocked from accessing Office

365 resources in the app until their device

complies with the security setting.

Setting up MDM in Office 365 Set up MDM for Office 365—Activate the feature and configure the

environment.

Configure MDM policies—Configure Security Groups and Device

policies.

Enroll devices—When users access Exchange, SharePoint or

OneDrive using the MDM-enabled applications, they are required to

enroll their devices.

Manage devices—You can wipe enrolled devices and run reports.

Set up MDM

EnterpriseEnrollment CNAMEEnterpriseEnrollment.manage.m

icrosoft.com3600

EnterpriseRegistration CNAMEEnterpriseRegistration.windows.

net3600

Setup DNS

iOS – APN Certificate Create a CSR

Generate certificate as Apple’s site

Download and upload the certificate to Office 365

Policies – Security Settings

Policies – Other Settings

https://technet.microsoft.com/en-us/library/ms.o365.cc.devicepolicysupporteddevice.aspx

ActiveSync Policies

ActiveSync polices are in

the Exchange admin center

You can create multiple

policies and apply different

settings to different users

Wiping a device Full wipe: Deletes all data on a user's mobile device, including installed

applications, photos, and personal information. When the wipe is complete,

the device is restored to its factory settings.

Selective wipe: Removes only organization data and leaves installed

applications, photos, and personal information on a user's mobile device.

When a device is wiped (full wipe or selective wipe), the device is removed

from the list of managed devices.

You can set up a mobile device management policy that automatically wipes

a device after the user unsuccessfully tries to enter the device’s password a

specific number of times.

Break

Enterprise Mobility Suite for SMB

Steve Deming – Technology Strategist

Agenda What PAINS does EMS solve for?

Overview and Key Points

Technical Components of EMS

Getting Started

Are organizations prepared?

59

50% 90%

93% 80%50% of employers by 2017 will

require employees to supply their

own devices for work purposes *

90% of enterprises will have two

or more mobile operating systems

to support in 2017**

93% of employees admit

to violating information

security polices ***

80% of employees admit using non-

approved software-as-a –service applications in their jobs ****

*Gartner Press Release link** CEB Survey of 165,000 employees***CEB Executive Guidance - http://www.executiveboard.com/exbd/executive-guidance/index.page?cid=70180000000anZM**** http://www.computing.co.uk/ctg/news/2321750/more-than-80-per-cent-of-employees-use-non-approved-saas-apps-report

Cross Platform Device ManagementMicrosoft Enterprise Mobility Suite

Microsoft Partner Confidential – SMB LIVE 2015

Enterprise Mobility Suite (EMS)

Hybrid and Cloud Identity • Single sign-on across multiple SaaS applications• Self Service Password Reset & Group management• Security audit reports & Multi Factor Authentication• Watch the hybrid identity demo

Enabled via Azure Active Directory Premium:

Mobile Device Management• Mobile device settings management• Mobile app management• Selective wipe• Watch the mobile device management demo

Enabled via Microsoft Intune

Data Protection• Information protection• Connection to on-premises assets• Watch the information protection demo

Enabled via Azure Rights Management Service:

Device Management, Access Control, Information Protection

A comprehensive identity and access management cloud solution.

It combines directory services, advanced identity governance, application access management and a rich standards-based platform for developers

It is available in 3 editions: Free, Basic and Premium (Premium in

EMS)

What is Azure Active Directory?

Identity as the control plane

Preintegrated SaaS apps in the application gallery

A holiday resort is using

multiple social media and

online travel sites to

promote their offers and

stay in touch with travelers.

Due to the seasonality of

their business, their staff

changes a lot during a year,

including many interns

during high season. All of

them require easy access

to these websites.

67

Using the management

portal in Azure Active

Directory Premium, the

company easily enables

new staff members to

access all of the required

social media and travel

sites.

1

With single sign-on, the team

members access any of the sites

quickly and easily with their same,

consistent company login.

The team is able to be more

productive, eliminating time spent

managing multiple passwords.

2

Example:

Then when the off-season begins, the temporary employees’ logins

are deactivated and their access to the sites is immediately shut

off.

If they had been using their own separate logins, they could access

and make unauthorized posts to these sites. Instead, the company

is protected and easily able to manage access for seasonal staff.

3

Mobile application management

PC managementMobile device management

Intune helps organizations provide their employees with access to corporate applications, data, and

resources from virtually anywhere on almost any device, while helping to keep corporate information secure.

User IT

Enroll• Provide a self-service Company

Portal for users to enroll devices

• Deliver custom terms and

conditions at enrollment

• Bulk enroll devices using Apple

Configurator or service account

• Restrict access to Exchange

email if a device is not enrolled

Retire• Revoke access to corporate

resources

• Perform selective wipe

• Audit lost and stolen devices

Provision• Deploy certificates, email, VPN,

and WiFi profiles

• Deploy device security policy

settings

• Install mandatory apps

• Deploy app restriction policies

• Deploy data protection policies

Manage and Protect• Restrict access to corporate

resources if policies are violated

(e.g., jailbroken device)

• Protect corporate data by

restricting actions such as

copy/cut/paste/save outside of

managed app ecosystem

• Report on device and app

compliance

User IT

Maximize mobile productivity and protect corporate

resources with Office mobile apps

Extend these capabilities to existing line-of-business

apps using the Intune app wrapper

Enable secure viewing of content using the Managed

Browser, PDF Viewer, AV Player, and Image Viewer apps

Managed apps

Personal appsPersonal apps

Managed apps

ITUser

Personal apps

Managed apps

Maximize productivity while preventing leakage of company

data by restricting actions such as copy/cut/paste/save in

your managed app ecosystem

User

Personal apps

Managed apps Company Portal

Are you sure you want to wipe

corporate data and applications

from the user’s device?

OK Cancel

Perform selective wipe via self-service company portal or admin console

Remove managed apps and data

Keep personal apps and data intact

ITIT

Customer Example:

The sales team at a small

construction company is

always on the go, and they

often use personal mobile

devices for work.

The company wants

to ensure company data

and apps on employee

devices is protected—

especially when one

of their sales reps leaves

to join a competitor.

A sales rep has a cell phone

with company emails, contacts,

and Office applications

combined with personal data,

apps, and family photos.

1

Selective Data Wipe

The sales rep leaves the company

to join a competitor. Using “selective wipe”

IT can remotely remove the company

information—including customer data and

business apps—from the employee’s phone

without touching or losing his personal data.

3

With Microsoft Intune, the company

can manage and protect all of the

mobile devices and apps used at work.

Intune works with Office to prevent

the employee from copying sensitive

data from company apps and pasting

it into personal ones.

2

Copy

and

paste

7

6

Help customers protect their information, wherever it goes.

Enable information sharing, while keeping data

protected.

Help protect

information sent

in email by

preventing

viewing, editing,

and forwarding.

Restrict editing,

copying, and

printing files

to specific

people and

groups.

Microsoft Azure Rights Management Service (RMS)

Enable customers

to easily apply

rights

management

protection to

information and

files.

78

Manage rightsEncrypt data Enforce policy

Protect data to secure mobility

Azure Active Directory RMS

Share internally Share externally

Customer Example:

8

1

A mortgage company

works with customers

over phone and email to

process loan applications.

The company needs

to make sure sensitive

customer information

stays protected, wherever

it goes.

To process a loan application, a

mortgage broker requests a

social security number and credit

card details from a customer via

email. The customer emails her

personal data to the broker.

1 With Microsoft Azure Rights

Management Service (RMS), the data

in the email is protected, so editing,

copying, and printing the customer’s

information is restricted to the broker

and his immediate team.

2

The broker then sends an email containing the

customer’s personal data to the loan processing team.

Using Azure RMS, the email is restricted from

forwarding or editing.

So the broker can benefit from the convenience of

email, while knowing that data stays protected after

he clicks the “send” button.

3

ITUser

Enterprise

Mobility Suite

Identify and authorize user

Apply device policies

Apply application policies

Apply content policies

Active Directory Premium

Rights Management

EMS IT Manageability benefits for O365 customers

Cloud and hybrid identity management

Mobile device management

Information protection

Enterprise Mobility

Suite

RMS Protection via RMS for

O365

• Protection for content stored in

Office (on prem or O365)• Access to RMS SDK• Bring your own Key

RMS for O365 +

• Protection for on-premises

Windows Server file shares

• Protection for multiple file types,

such as PDF and CAD

Basic Mobile Device

Management via MDM for O365

• Device Settings Management

• Selective Wipe

• Built into O365 Mgmt Console

MDM for O365 +

• PC Management

• Mobile App Management

(prevent cut/copy/past/save as

from corporate apps to personal

apps)

• Secure content viewers

• Certificate Provisioning

• System Center integration

Basic Identity Mgmt via Azure

AD for O365:

• Single Sign on for O365

• Basic Multifactor Authentication

(MFA) for O365

Azure AD for O365 +

• Single Sign on for all cloud apps

• Advanced MFA for all workloads

• Self Service group management

and password reset with write

back to on prem directory

• Advanced security reports

• FIM (Server + CAL)

Cloud identity management

Why Microsoft?

Mobile device & app management

Information protection

Azure Active Directory Premium Microsoft Intune Azure Rights Management Service

Ping Identity

Okta

Centrify

Salesforce Identity AirWatch MobileIron

Good

KaseyaSymantec Seclore

FasooAdobe LiveCycle

EMS: One Vendor, One Contract, One SKU

Why Microsoft?

Other Options in the Market

Manufacturer Authorized Training Insures

Learning Content Matches Software

Offering the most Microsoft Official courses in Maryland –

Accepting Software Assurance Training Vouchers!

100% of Baltimore area VMware training in our classrooms

100% of Baltimore area Oracle training in our classrooms

All courses offered locally and online

eLearning

Expert InstructorsConsistently 19 percentage points higher than

national average for Microsoft Certified Trainers

Tailored Curriculum

Combine chapters from multiple courses

Add company specific content

Develop hands-on labs using your data

Organizational Focus

and Insight Specific to your culture and objectives

Convenient Training Small or large groups, in one location or many

Your Teams – Local and Remote

Offsite Locations Distraction-free learning

Flexible Scheduling

and Delivery

Formats

Instructor Led Training (ILT)

Live Virtual Training (LVT)Attend our ILT sessions from home or work.

Project Based Training (PBT)

Informal Coaching

Dual monitors display digital curriculum and labs

simultaneously

Mobile Curriculum and Classrooms

Integration of Video

Your Teams – Local and Remote

Our ProcessAccount Manager

• Understand your needs

Tools• Assess skill levels

Instructor• Develop content

Register• Easy registration

Attend• Your site, our site and live virtually from your home or office

Evaluate• Give course feedback using independent evaluation tool

Report• Attendance and evaluation reports

Reinforce• Post-class support

Our Process

Customized Training Curriculum

ManagementCorporate/

DevelopmentAccounting Topics

3.5 6.17 5 Teaching Time in Hours

5 5 5 Introduction to SharePoint 2010

Navigating a SharePoint Site

5 5 5 Navigating the Home Page and the SharePoint Site

Navigating the Site Content Tree

Navigating the Ribbon Interface

Browsing Lists on a SharePoint Site

Browsing Document Libraries

5 5 5 Using the Recycle Bin

Working with Lists

30 40 40 Discovering Default Lists in a Site

Adding and Editing List Items

Deleting and Restoring a List Item

Attaching Files to List Items

Sorting and Filtering a List

X Setting up Alerts

Working with Libraries

35 45 35 Creating a New Document

SCAN Documents

S: DRIVE

Editing Documents

Adding Documents

X X Co-authoring

5 5 5 Creating a Picture Library and Adding Pictures

10 15 15 Checking Documents In and Out

10 10 Working with Version History - Major

10 Working with Version History - Major/Minor

X 10 10 Using Alerts

5 5 5 Deleting and Restoring Documents

Working with List Settings

X 15 X Configuring Content Approval and Versioning

Training plans

customized for

each audience in

your organization

0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

Jan

uary

-12

Fe

bru

ary

-12

Ma

rch-1

2

Ap

ril-12

Ma

y-1

2

Jun

e-1

2

July

-12

Au

gust-

12

Se

pte

mb

er-

12

Octo

ber-

12

Novem

ber-

12

Decem

ber-

12

Jan

uary

-13

Fe

bru

ary

-13

Ma

rch-1

3

Ap

ril-13

Ma

y-1

3

Jun

e-1

3

July

-13

Au

gust-

13

Se

pte

mb

er-

13

Octo

ber-

13

Novem

ber-

13

Decem

ber-

13

Jan

uary

-14

Fe

bru

ary

-14

Ma

rch-1

4

Ap

ril-14

Ma

y-1

4

Jun

e-1

4

July

-14

Au

gust-

14

Se

pte

mb

er-

14

Octo

ber-

14

Novem

ber-

14

Decem

ber-

14

Jan

uary

-15

Fe

bru

ary

-15

Ma

rch-1

5

Ap

ril-15

Ma

y-1

5

Jun

e-1

5

July

-15

Au

gust-

15

Se

pte

mb

er-

15

Octo

ber-

15

Novem

ber-

15

System Source Learning Center Instructor Top Box Graph

System Source MS Overall CPLS Overall 3 per. Mov. Avg. (System Source MS Overall) 3 per. Mov. Avg. (CPLS Overall)

Consistently

19 points

higher!

Course Name Length

MS20346C Managing Office 365 Identities and Services 5 Days

Microsoft Office 365: Web Apps (with Skype for Business) 1 Day

Microsoft Office 2016 and 365 Private Courses

Any one-day Access, Excel, Word, PowerPoint, Outlook or Office 365

Web Apps course:

Only $143 per student for a class of 10

Save $153-$258 per student

Reserve your dates by 2/29 to secure discounted pricing!

Learning Center Offer

Evaluations

Door Prizes

Lunch!

THANK YOU!