Module 3 & 6: Security Fundamentals & Advanced Security & Compliance

This document contains summaries of two Microsoft 365 security modules: Module 3 covers Microsoft 365 powered device security, protecting Office 365 from threats, multi-factor authentication, conditional access, Microsoft Intune, and where to start with security. Module 6 discusses secure score, Office 365 compliance and security features like data loss prevention, archive mailboxes, and Azure Information Protection. It also outlines Microsoft 365 security areas like identity management, information protection, threat protection, and security management.

Uploaded by

EzequiasSilva

Microsoft 365 SMB

Technical Fundamentals
Module 3: Security Fundamentals
Module 6: Advanced Security & Compliance
Pedro F. Pereira
[email protected]
Revision date: 22/11/2019
Module 3: After this module you should know and understand:
Introduction
• Microsoft 365 Powered Device Security
• Protect against threats in Office 365
• Multi-Factor Authentication
• Conditional Access
• Microsoft Intune
• Where to Start

Module 6: After this module you should know and understand:
Introduction
• Secure Score
• Compliance and security features in Office 365
• Data Loss Prevention
• Configuring archive mailboxes
• Azure Information Protection (Azure Rights Management)
Microsoft 365 security pillars (slide diagram): Device protection; Threat resistance; Identity protection; Information protection; Breach detection, investigation & response
Microsoft 365 security areas

Identity and access management
• Azure Active Directory
• Conditional Access
• Windows Hello for Enterprise
• Credential Guard

Information protection
• Azure Information Protection
• Office 365 Data Loss Prevention
• Windows Information Protection
• Microsoft Cloud App Security

Threat protection
• Azure Advanced Threat Analytics
• Windows Defender Advanced Threat Protection
• Office 365 Advanced Threat Protection
• Office 365 Threat Intelligence

Security management
• Azure Security Center
• Office 365 Security & Compliance Center
• Windows Defender Advanced Security Center
• Office 365 Advanced Security Management
Security features by layer (slide diagram; columns Device, Identity, Data, Application):

Cloud
• Windows Defender Advanced Threat Protection
• Azure Active Directory
• Azure RMS / Azure Information Protection

Windows 10 Enterprise
• Device Guard, SmartScreen, Windows Defender, KMCI, Device Health Attestation
• Windows Hello for Business, Credential Guard, Conditional Access
• Bitlocker, EFS, Windows Information Protection
• User Account Control, Windows Defender Application Guard, UMCI, AppLocker

Windows Server 2016 / On-Premises
• Advanced Threat Analytics
• Microsoft Bitlocker Administration & Management
• Security Baseline
• Active Directory, Active Directory Federation Services
• AD RMS, FCI
Protect / Detect / Respond (slide matrix for Windows 10; items shown): BitLocker; UEFI & TPM 2.0; Trusted Boot; Early Launched Antimalware; Windows Hello for Business; Armored Kerberos; Compound Authentication; Device Guard; Credential Guard; Standard User Right with UAC enabled; MBAM; Windows Defender; Windows Defender Application Guard; Windows Device Health Registration; Configuration Manager Software Updates; Password Brute Force Protection; ConfigMgr Desired Configuration Manager; Windows Defender ATP; BitLocker recovery; Account Lockout; TPM Lockout; Microsoft Edge; Micro Virtualization; Windows Firewall; Windows Networking; Windows Defender cloud based protection; BitLocker To Go; Dynamic Access Control; Windows SmartScreen; Windows Information Protection; Device Restriction GPOs; Exchange Online ATP; Advanced Threat Analysis

Identity Protection
▪ An easy-to-use and easy-to-deploy, multi-factor, password alternative
▪ Easy and cost effective multi-factor authentication that uses biometrics to provide a more secure way of accessing your device, apps, data, and online resources
▪ Prevents Pass the Hash attacks
https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello

• Windows Hello replaces passwords.

Goal
• Align with goals to deliver solution to both consumer and business users, and to provide a solution that works in all scenarios and industries

Problems with Passwords
• Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites.
• Server breaches can expose symmetric network credentials (passwords).
• Passwords are subject to replay attacks.
• Users can inadvertently expose their passwords due to phishing attacks.

Authentication is performed to
• Microsoft account
• Active Directory account
• Microsoft Azure Active Directory (Azure AD) account
• Identity Provider Services or Relying Party Services that support Fast ID Online (FIDO) v2.0 authentication (in progress)

Biometric sign-in
• Facial recognition
• Fingerprint recognition
https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-identity-verification

Goals
• Replace passwords with a private key made available solely through a “user gesture” (PIN, Biometric, remote device, etc.).
• Can use certificate-based architecture instead of a private key.
• Support both local and remote credentials (phone, USB dongle, etc.).
• Introduce Hello for Business because of its convenience and security first, and that its UX is at least as good as with passwords.
• Align with goal to mainstream two-factor authentication.

Credential
• To IT, it’s familiar as it’s based on certificate or asymmetrical key pair.
• To the user it’s familiar, as a Biometric or PIN user gesture.
• AD/AAD validates and proofs user by OTP, Code, Phone.
• AD/AAD maps the public key of Windows Hello for Business to the user account.

Usage
• Keys are ideally generated in hardware (TPM) first, with software as a last resort.
• Hardware-bound keys can be attested.
• Single “unlock gesture” provides access to multiple credentials and the origin is isolated.
• Browser support is available through JS/W3C WebAuthn APIs.
https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-requirements

Goal
• Protects secrets from bad guys.
• Align with goal to make credentials theft resistant and breach and phish proof.

Why keep secrets?
• Single Sign-on (SSO)
  • Users enter credentials once
  • Signing on provides credentials to Windows
  • Authentication protocols (Security support providers (SSPs)) receive a copy of the credentials
  • SSPs cache the credential or derived credentials
  • Applications authenticate transparently
  • Authenticated connections to resources using SSP
  • Since SSPs have credentials, user connects without prompting

What are credentials?
• Usernames & passwords
• Certificates or public/private key pairs (Smart cards, Windows Hello, TLS certificates)
• Derived keys (NT one way function (NTOWF), Kerberos DES, RC4, AES long-lived keys)
• Session keys (Kerberos TGT session keys, Kerberos Service ticket session keys)
• Bearer tokens
Credential Guard uses VBS to isolate Windows authentication from the Windows operating system.
• Protects LSA Service (LSASS) and derived credentials (Kerberos Ticket; NTLM Hash).
• Fundamentally breaks delivered credential theft using MimiKatz.

Architecture diagram (slide): Apps, Trustlet #2, Trustlet #3, Credential Guard, Windows Platform Services, Kernel, System Container, Device Hardware, Hypervisor
Overview
• Credential Guard helps to mitigate threats by using Hyper-V powered secure execution environment to protect NTLM tokens.
• Prevents pass-the-hash attacks and enterprise credential theft that happens by reading and dumping the content of LSASS memory.
• You can place items under Credential Guard, but they cannot be removed.
• Decouples NTLM hash from logon secret.
• Fully randomizes and manages full length NTLM hash to prevent brute force attack.

Improvements
• Credential Manager support.
• TPM 1.2 and 2.0 provides protection for encryption keys that are stored in the firmware and are used by Credential Guard.

Configuration Options
• Enabled without lock (if you want to turn off remotely by using Group Policy).
• Enabled with UEFI lock (Administrator must be physically present at a machine and disable Credential Guard).
Requirements
• Windows 10 x64 Edition
• UEFI 2.3.1 or higher firmware and Secure Boot
• TPM 2.0 (Note: TPM 1.2 can be used but is not recommended.)
• Virtualization capable hardware
• Physical device
• The firmware is updated for Secure MOR implementation.
• Optionally, a VT-d or AMD-Vi IOMMU (Input/output memory management unit)

Impacts
• Credential Guard does not allow:
  • Unconstrained Kerberos delegation
  • NTLMv1, MS-CHAPv2, Digest, CredSSP, Kerberos DES encryption
  • Saved password in remote desktop
• Some hardware and drivers may not work; investigation and testing should be conducted.

Deployment
• Credential Guard policies are ignored on incompatible hardware.
• GPO
• Registry
• System Information
• LsaIso
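An added verification script (this example's own code, not part of the deck and not Microsoft tooling) that checks the Requirements and Deployment items above on a Windows 10 device: it reads the Win32_DeviceGuard WMI class, the LsaCfgFlags value under the LSA registry key (the "Registry" item), Secure Boot and TPM state, the OS architecture, and whether the LsaIso process is running. The function name is this example's; the meaning of the numeric codes is stated in the comments and should be cross-checked against the Credential Guard documentation linked in the deck. Run it from an elevated PowerShell session.

```powershell
# Added example: report Credential Guard prerequisites and state on a Windows 10 device.
# Requires an elevated session; Confirm-SecureBootUEFI and Win32_DeviceGuard need admin rights.

function Get-CredentialGuardReport {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue

    # Win32_DeviceGuard: value 1 in SecurityServicesConfigured/Running denotes Credential Guard;
    # VirtualizationBasedSecurityStatus 2 means VBS is running (0 = disabled, 1 = enabled, not running).
    $cgConfigured = $dg.SecurityServicesConfigured -contains 1
    $cgRunning    = $dg.SecurityServicesRunning    -contains 1
    $vbsRunning   = $dg.VirtualizationBasedSecurityStatus -eq 2

    # Registry deployment item: LsaCfgFlags 1 = enabled with UEFI lock, 2 = enabled without lock, 0/absent = off.
    $lsaCfg = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                                -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags
    $lockMode = switch ($lsaCfg) {
        1       { 'Enabled with UEFI lock' }
        2       { 'Enabled without lock' }
        default { 'Not configured / disabled' }
    }

    # Secure Boot: the cmdlet throws on machines without UEFI, which is treated here as "not enabled".
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { }

    # TPM spec version string looks like "2.0, 0, 1.38"; keep the leading "2.0".
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmVersion = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }

    # System Information / LsaIso deployment items: the isolated LSA process only exists while CG runs.
    $lsaIso = Get-Process -Name LsaIso -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        Is64BitOS                 = [Environment]::Is64BitOperatingSystem
        SecureBoot                = $secureBoot
        TpmSpecVersion            = $tpmVersion
        VbsRunning                = $vbsRunning
        CredentialGuardConfigured = $cgConfigured
        CredentialGuardRunning    = $cgRunning
        LsaCfgFlags               = $lockMode
        LsaIsoProcessPresent      = [bool]$lsaIso
    }
}

Get-CredentialGuardReport | Format-List
```

A device that meets the Requirements list shows Is64BitOS and SecureBoot true with a 2.0 TPM; a successfully deployed policy shows LsaCfgFlags set, CredentialGuardRunning true and the LsaIso process present. Because policies are silently ignored on incompatible hardware, the combination "configured true, running false" is the case this report is meant to surface.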
https://docs.microsoft.com/en-us/windows/security/identity-protection/remote-credential-guard

Overview
• Remote Credential Guard helps to mitigate threats by blocking NTLM, allowing only Kerberos, preventing Pass the Hash and previous usage of a credential after disconnection.
Protects the device from advanced attacks launched against Microsoft Edge
• Malware and vulnerability exploits targeting the browser, including zero days, are unable to impact the operating system, apps, data and network
• Application Guard uses virtualization based security to hardware isolate Microsoft Edge from the rest of the system
• Closing Microsoft Edge wipes all traces of attacks that may have been encountered while online
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview
Device Guard / code integrity (slide outline only): Overview; Requirements; Benefits; Application Signing Options; Code Integrity Policy; Overview of KMCI; KMCI vs UMCI
Microsoft Defender consistently rated top AV
1. AV-TEST: Protection score of 6.0/6.0 in the latest test
2. AV-Comparatives: Protection rating of 99.9% in the latest test
3. SE Labs: AAA award in the latest test

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests
Protect your PCs against advanced malware with Windows Defender

The problem:
Bad actors can avoid traditional AV by executing ransomware attacks without ever needing to write anything to the disk. These fileless attacks, which compose over 50% of all threats, are extremely dangerous and constantly changing.

The solution:
Windows Defender Exploit Guard helps protect users against advanced forms of ransomware.

Microsoft Defender Exploit Guard

What it is:
Microsoft Defender Exploit Guard extends Defender to protect Windows devices from a broad range of cyber threats.

How it works:
Microsoft Defender Exploit Guard utilizes the capabilities of the Microsoft Intelligent Security Graph and the security research team at Microsoft to identify & block active exploits and common behaviors:
• Controlled folder access – Prevents untrusted processes from crawling into protected folders like My Documents
• Attack Surface Reduction – Blocks executable payloads in Office macros, email, downloaded js/vbs etc.
• Network protection – Blocks outbound connections to low reputation IP (command & control)

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection
Enforce Microsoft Defender on all your PCs

With Microsoft 365 Business, you can easily enforce the protections of Microsoft Defender on all your Windows 10 devices, via the Setup Wizard.
Protect against threats in Office 365
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/protect-against-threats
https://docs.microsoft.com/en-us/office365/servicedescriptions/exchange-online-protection-service-description/exchange-online-protection-service-description?redirectedfrom=MSDN
Feature availability across Exchange Online Protection (EOP) plans
https://docs.microsoft.com/en-us/office365/servicedescriptions/exchange-online-protection-service-description/exchange-online-protection-service-description?redirectedfrom=MSDN#feature-availability-across-exchange-online-protection-eop-plans
Set up your EOP service
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-your-eop-service
EOP features
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/eop-features
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/atp-safe-attachments
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/view-reports-for-atp

• MSFT - https://www.microsoft.com/en-us/wdsi/filesubmission
• VirusTotal - https://www.virustotal.com/gui/home

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/enable-the-report-message-add-in
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/view-reports-for-atp

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/how-atp-safe-attachments-works
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/atp-for-spo-odb-and-teams
Turn on Office 365 ATP for SharePoint, OneDrive, and Microsoft Teams
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/turn-on-atp-for-spo-odb-and-teams
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/atp-for-spo-odb-and-teams#keep-these-points-in-mind
Quarantine in ATP for SharePoint Online, OneDrive for Business, and Microsoft Teams
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/atp-for-spo-odb-and-teams#quarantine-in-atp-for-sharepoint-online-onedrive-for-business-and-microsoft-teams
Set up Office 365 ATP Safe Attachments policies
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-atp-safe-attachments-policies
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/atp-safe-links
Set up Office 365 ATP Safe Links policies
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-atp-safe-links-policies
Set up a custom blocked URLs list using Office 365 ATP Safe Links
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-a-custom-blocked-urls-list-wtih-atp
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/atp-safe-links#example-scenarios
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/how-atp-safe-links-works#how-atp-safe-links-works-with-urls-in-email
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/how-atp-safe-links-works#how-atp-safe-links-works-with-urls-in-office-documents
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/atp-anti-phishing
Set up Office 365 ATP anti-phishing and anti-phishing policies
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-anti-phishing-policies
How to get ATP anti-phishing
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/atp-anti-phishing
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-hour-auto-purge
Additional reports to view
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/view-reports-for-atp#additional-reports-to-view
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/automated-investigation-response-office
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/threat-trackers#what-are-threat-trackers
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulator
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/automated-investigation-response-office
For more investigations
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/automated-investigation-response-office#investigation-graph
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/office-365-atp#get-office-365-atp
https://docs.microsoft.com/pt-pt/office365/servicedescriptions/office-365-advanced-threat-protection-service-description#feature-availability-across-advanced-threat-protection-atp-plans
Multi-Factor Authentication
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfaserver-deploy
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview
Conditional Access
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/plan-conditional-access
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-baseline-protection
What are baseline policies?
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-baseline-protection
Quickstart: Require MFA for specific apps with Azure Active Directory Conditional Access
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/app-based-mfa
How to: Require MFA for access from untrusted networks with Conditional Access
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/untrusted-networks
Quickstart: Block access when a session risk is detected with Azure Active Directory Conditional Access
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/app-sign-in-risk
Require managed devices
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/require-managed-devices
Require approved client apps
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/plan-conditional-access#test-your-policy
Block legacy authentication
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/block-legacy-authentication
Test your policy
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/plan-conditional-access#test-your-policy
Microsoft Intune is an MDM and
MAM provider for your devices
https://docs.microsoft.com/en-us/intune/fundamentals/what-is-intune
https://docs.microsoft.com/en-us/intune/fundamentals/media/what-is-intune/intunearchitecture.svg
QuickStart: Create a user in Intune and assign them a license
https://docs.microsoft.com/en-us/intune/fundamentals/quickstart-create-user

QuickStart: Create a group to manage users
https://docs.microsoft.com/en-us/intune/fundamentals/quickstart-create-group
QuickStart: Create and assign a custom role
https://docs.microsoft.com/en-us/intune/fundamentals/quickstart-create-custom-role
Create a device profile in Microsoft Intune
https://docs.microsoft.com/en-us/intune/configuration/device-profile-create
Create a compliance policy in Microsoft Intune
https://docs.microsoft.com/en-us/intune/protect/create-compliance-policy
How To: Require managed devices for cloud app access with Conditional Access
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/require-managed-devices
Use security baselines to configure Windows 10 devices in Intune
https://docs.microsoft.com/en-us/intune/protect/security-baselines
Manage Windows 10 software updates in Intune
https://docs.microsoft.com/en-us/intune/protect/windows-update-for-business-configure
Set enrollment restrictions
https://docs.microsoft.com/en-us/intune/enrollment/enrollment-restrictions-set
Identify devices as corporate-owned
https://docs.microsoft.com/en-us/intune/enrollment/corporate-identifiers-add
Configure eSIM cellular profiles in Intune - Public preview
https://docs.microsoft.com/en-us/intune/configuration/esim-device-configuration
Use policy sets to group collections of management objects
https://docs.microsoft.com/en-us/intune/fundamentals/policy-sets
How-to Guides
https://docs.microsoft.com/en-us/intune/configuration/
Create a profile with custom settings in Intune - Open Mobile Alliance Uniform Resource Identifier (OMA-URI) values.
https://docs.microsoft.com/en-us/intune/configuration/custom-settings-configure
App protection policies overview
https://docs.microsoft.com/en-us/intune/apps/app-protection-policy

App configuration policies for Microsoft Intune
https://docs.microsoft.com/en-us/intune/apps/app-configuration-policies-overview
What is device enrollment?
https://docs.microsoft.com/en-us/intune/enrollment/device-enrollment
Set the mobile device management authority
https://docs.microsoft.com/en-us/intune/fundamentals/mdm-authority-set
Enroll devices in Microsoft Intune
https://docs.microsoft.com/en-us/intune/enrollment/
Supported operating systems and browsers in Intune
https://docs.microsoft.com/en-us/intune/fundamentals/supported-devices-browsers
Technology decisions for enabling BYOD with Microsoft Enterprise Mobility + Security (EMS)
https://docs.microsoft.com/en-us/intune/fundamentals/byod-technology-decisions
What is co-management?
https://docs.microsoft.com/en-us/configmgr/comanage/overview
Tutorial: Enable co-management for existing Configuration Manager clients
https://docs.microsoft.com/en-us/configmgr/comanage/tutorial-co-manage-clients
What are common ways to use Conditional Access with Intune?
https://docs.microsoft.com/en-us/intune/protect/conditional-access-intune-common-ways-use
Hybrid Azure AD joined devices
https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-join-hybrid
How To: Plan your hybrid Azure Active Directory join implementation
https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan
How to: Plan your Azure AD join implementation
https://docs.microsoft.com/en-us/azure/active-directory/devices/azureadjoin-plan
Set up Mobile Device Management (MDM) in Office 365
https://support.office.com/en-us/article/set-up-mobile-device-management-mdm-in-office-365-dd892318-bc44-4eb1-af00-9db5430be3cd
Capabilities of built-in Mobile Device Management for Office 365
https://support.office.com/en-us/article/capabilities-of-built-in-mobile-device-management-for-office-365-a1da44e5-7475-4992-be91-9ccec25905b0
Microsoft Intune Co-existence with MDM for Office 365
https://blogs.technet.microsoft.com/configmgrdogs/2016/01/04/microsoft-intune-co-existence-with-mdm-for-office-365/
HOW TO ENABLE CO-MANAGEMENT IN SCCM 1902
https://www.systemcenterdudes.com/co-management-sccm-1902/
Where to Start

Where to Start: Security features built into Office 365

Office 365 includes built-in security protections:
✓ Encryption of data at rest and in transit
✓ Continuous data backup via replication to geo-redundant servers
✓ Robust spam and virus filtering, including capabilities such as zero-hour auto purge (ZAP)
✓ “Red team” that tries to break in to our servers
✓ Microsoft invests $1bn per year on security

These and other protections are on by default; you don’t have to take any action to activate them
First steps to increase the security of your business
1. Set up multi-factor authentication
2. Train your users
3. Use dedicated admin accounts
4. Raise the level of protection against malware in mail
5. Protect against ransomware
6. Stop auto-forwarding for email
7. Use Office Message Encryption
8. Protect your email from phishing, malware, and malicious links

https://docs.microsoft.com/en-us/office365/admin/security-and-compliance/secure-your-business-data
1. Set up multifactor authentication

The problem: Passwords are vulnerable
• 90% of passwords can be cracked in less than six hours [1]
• Two-thirds of people use the same password everywhere [1]
• Criminals are getting more effective in stealing passwords through phishing and social engineering

The solution: Multi-factor authentication (MFA)
Microsoft 365 Business includes MFA capabilities, which are off by default. When activated, employees can choose to authenticate using:
• Phone call. Voice call to the user’s phone; they enter PIN at prompt
• Text message. Text containing code sent to user’s phone
• App on phone. Microsoft Authenticator app for iOS and Android devices
• Windows Hello. PC can act as the second factor.

[1] https://secureswissdata.com/two-factor-authentication-importance/
Enable MFA w/Baseline Policies
To set up Conditional Access Baseline Policies:
1. In the Microsoft Admin Center, choose Azure Active Directory in the left-hand navigation under Admin Centers. This will open the Azure Active Directory admin center in a new tab
2. In the Azure Active Directory admin center, click Azure Active Directory in the left-hand navigation
3. Click Security near the top of the left menu in the Azure Active Directory blade.
4. Click Conditional Access under the Protect heading near the top of the left menu.
5. Select Baseline policy: Require MFA for admins (Preview)
6. Under Enable Policy select the radio button next to Use policy immediately and then click Save
7. Select Baseline policy: Block legacy authentication (Preview)
8. Set Enable Policy to On and then click Save

To learn more, see Baseline policy: Require MFA for admins (preview) & Baseline policy: Block legacy authentication (preview)
Enable MFA for users by using Conditional Access
To set up MFA for a subset of users:
1. In the Microsoft Admin Center, choose Azure Active Directory in the left-hand navigation under Admin Centers. This will open the Azure Active Directory admin center in a new tab
2. In the Azure Active Directory admin center, click Azure Active Directory -> Security -> Conditional Access in the left-hand navigation
3. Click +New Policy and name the policy Require MFA for Marketing Users
4. Assignments | Users and Groups: Include the Marketing group, exclude your admin account
5. Assignments | Cloud apps or actions: Office 365 Exchange Online and Office 365 SharePoint Online, and Microsoft Teams
6. Access Controls | Grant | Require multi-factor authentication: Checked

To learn more, see Quickstart: Require MFA for specific apps with Azure Active Directory Conditional Access
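The same policy expressed as a Microsoft Graph conditionalAccessPolicy object, as an added example that is not part of the deck (the Microsoft Graph PowerShell SDK it uses postdates this 2019 material). Assumptions: the Microsoft.Graph module is installed, a group named Marketing exists, $BreakGlassAdminUpn is replaced with the admin account you want excluded, and the three first-party application IDs are the well-known values for Exchange Online, SharePoint Online and Teams (verify them against the Cloud apps picker in your own tenant).

```powershell
# Added example: create "Require MFA for Marketing Users" with the Microsoft Graph PowerShell SDK.
# Install-Module Microsoft.Graph   (once, if not present)
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Group.Read.All', 'User.Read.All'

$BreakGlassAdminUpn = 'admin@contoso.example'   # placeholder: the admin account to exclude (step 4)

# Resolve the assignment targets to object IDs, which is what the policy object stores.
$marketing = Get-MgGroup -Filter "displayName eq 'Marketing'" | Select-Object -First 1
$admin     = Get-MgUser  -UserId $BreakGlassAdminUpn
if (-not $marketing -or -not $admin) { throw 'Marketing group or excluded admin account not found' }

# Well-known first-party app IDs for the cloud apps in step 5 (assumed; verify in your tenant).
$exchangeOnline   = '00000002-0000-0ff1-ce00-000000000000'
$sharePointOnline = '00000003-0000-0ff1-ce00-000000000000'
$microsoftTeams   = 'cc15fd57-2c6c-4117-a88c-83b1d56b4bbe'

$policy = @{
    displayName = 'Require MFA for Marketing Users'
    # Report-only first, so the sign-in logs show who would be affected before enforcing.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeGroups = @($marketing.Id)     # step 4: include the Marketing group
            excludeUsers  = @($admin.Id)         # step 4: exclude your admin account
        }
        applications = @{
            includeApplications = @($exchangeOnline, $sharePointOnline, $microsoftTeams)  # step 5
        }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')               # step 6: Grant -> Require multi-factor authentication
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Switch the state to 'enabled' (for example with Update-MgIdentityConditionalAccessPolicy) once the report-only sign-in logs confirm the intended scope; the excluded admin account plays the same lock-out safeguard role as in the portal procedure.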
2. Train your users

The problem:
Cybersecurity is fundamentally a human problem, not a technical one.

The solution:
User training to help establish a culture of security awareness

“Our users are the biggest threat to this network, bar none”
—Aaron S. IT director at 65 person law firm in Portland

2. Train your users

Phishing:
Watch for signs of phishing attacks. If you receive an email that looks even slightly suspicious, do the following:
• Hover over the link and look for the name of the actual website the link is sending you to
• Search for the legitimate website instead of clicking a link

Spoofing:
A message from someone you know that looks a bit unusual could mean the sender's email account was compromised. Contact the sender and ask if it was legitimate.

Passwords:
Use strong passwords; or better yet, a password manager.
Don’t reuse passwords or share accounts with coworkers.

”My employees are pretty good at not clicking on anything that looks weird. There is a culture of not clicking on anything where there's doubt.”
—Jonas R. IT manager at 70 employee manufacturing firm in Los Angeles
3. Use dedicated admin accounts
The problem:
Admin accounts include elevated privileges and are
valuable targets for hackers and cyber criminals.
The solution:
Admins use separate account for regular use and
only use their administrative account when necessary

Tips:
• Admin only accounts do not require a license in
Microsoft 365 Business
• Configure all admin accounts for MFA
• Before using admin accounts, close all unrelated
browser sessions and apps, including personal
email accounts.
• After completing admin tasks, log out of the
browser session.
4. Raise the level of protection
against malware in email by
blocking risky attachments

The problem:
Malware is often introduced to a computer via
macros or other executables.

The solution:
Block attachments containing filetypes that are
commonly used for malware.
4. Raise the level of protection
against malware in mail by
blocking risky file types

• Go to https://protection.office.com and sign in with your admin account credentials
• In the Office 365 Security & Compliance Center,
in the left navigation pane, under Threat
management, choose Policy > Anti-Malware
• Double-click the default policy to edit this
company-wide policy
• Click Settings
• Under Common Attachment Types Filter,
select On. The file types that are blocked are
listed in the window directly below this control.
You can add or delete file types later, if needed
• Click Save
5. Protect against ransomware

The problem:
Ransomware is a type of malware that takes a computer hostage and demands payment to revert it back to its original state.
The solution:
Warn users before opening attachments with macros
Encourage employees to use OneDrive for Business for file storage
Use OneDrive for Business to recover from a successful attack

“Even if it’s not an extreme case, it takes time away from running my business.”
—Doug, owner at 25 employee manufacturing firm in Chicago
5. Protect against ransomware
Warn users before opening attachments with macros, by
creating a mail transport rule:
• In the Microsoft 365 admin center, click Admin
centers > Exchange
• In the mail flow category, click rules
• Click +, and then click Create a new rule
• Click More options at the bottom of the dialog box to see the full
set of options
• Apply the settings in the following table for each rule. Leave the
rest of the settings at the default, unless you want to change these

Name: Anti-ransomware rule: warn users
Apply this rule if . . .: Any attachment . . . file extension matches . . .
Specify words or phrases: Add these file types: dotm, docm, xlsm, sltm, xla, xlam, xll, pptm, potm, ppam, ppsm, sldm
Do the following . . .: Notify the recipient with a message
Provide message text: Do not open these type of files from people you do not know because they might contain macros with malicious code.

• Click Save
5. Protect against ransomware
Restore files using OneDrive ransomware recovery:
• Go to the user’s Onedrive For Business
• If you're signed in with a work or school account, select
Settings > Restore your OneDrive.
• On the Restore page, select a date from the dropdown list,
such as Yesterday, or you can select Custom date and time.
If you're restoring your files after automatic ransomware
detection, a suggested restore date will be filled in for you
• If you're selecting a custom date and time, select the earliest
activity that you want to undo. When you select an activity,
all other activities that occurred after that are selected
automatically.
• When you’re ready to restore your OneDrive, click Restore to
undo all the activities you selected.
6. Stop auto-forwarding for email

The problem:
Hackers can access an email account and configure the
mailbox to automatically forward to another email account,
giving the hacker access to all info in these emails

The solution:
Turn off auto-forwarding for email; by creating a mail
transport rule
6. Stop auto-forwarding for email
Stop auto-forwarding for email, by creating a mail
transport rule:
• In the Microsoft 365 admin center, click Admin
centers > Exchange
• In the mail flow category, click rules
• Click +, and then click Create a new rule
• Click More options at the bottom of the dialog box to see
the full set of options
• Apply the settings in the following table for each rule. Leave
the rest of the settings at the default, unless you want to
change these
Name: Prevent auto forwarding of email to external domains
Apply this rule if . . .: The sender . . . is external/internal . . . Inside the organization
Add condition: The message properties . . . include the message type . . . Auto-forward
Do the following . . .: Block the message . . . reject the message and include an explanation
Provide message text: Auto-forwarding email outside this organization is prevented for security reasons

• Click Save
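The two mail flow rules from sections 5 and 6 modelled in code, so the conditions and actions in the two tables can be checked against sample messages before they are configured in Exchange. This is an added example, not code from the module or from Microsoft: the Message record, the tenant domain and the sample messages are constructed, and real evaluation happens inside Exchange Online. The same extension match is what the Common Attachment Types Filter in section 4 relies on, except that filter blocks the message rather than warning the recipient.

```python
"""Model of the anti-ransomware and anti-auto-forward mail flow rules.

Added example (not from the slide deck or Microsoft). Domain, addresses and
messages are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# File extensions from the anti-ransomware rule table, as listed on the slide.
MACRO_EXTENSIONS = {"dotm", "docm", "xlsm", "sltm", "xla", "xlam", "xll",
                    "pptm", "potm", "ppam", "ppsm", "sldm"}

INTERNAL_DOMAIN = "contoso.example"  # constructed tenant domain

ANTI_RANSOMWARE_TEXT = ("Do not open these type of files from people you do not "
                        "know because they might contain macros with malicious code.")
AUTO_FORWARD_TEXT = ("Auto-forwarding email outside this organization is "
                     "prevented for security reasons")


@dataclass
class Message:
    sender: str
    recipient: str
    attachments: List[str] = field(default_factory=list)
    auto_forward: bool = False  # Exchange's "Auto-forward" message type


@dataclass
class Verdict:
    action: str  # "deliver", "notify_recipient" or "reject"
    text: Optional[str] = None


def is_internal(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() == INTERNAL_DOMAIN


def attachment_extension(name: str) -> str:
    """Lower-cased extension, or '' when the file name has none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def anti_ransomware_rule(msg: Message) -> Optional[Verdict]:
    """'Any attachment ... file extension matches' -> notify the recipient."""
    hits = [a for a in msg.attachments if attachment_extension(a) in MACRO_EXTENSIONS]
    if not hits:
        return None
    return Verdict("notify_recipient", ANTI_RANSOMWARE_TEXT)


def block_auto_forward_rule(msg: Message) -> Optional[Verdict]:
    """'Sender is inside the organization' AND message type 'Auto-forward'
    -> reject with an explanation.

    Note: the table lists no recipient condition, so as written the rule
    rejects internal auto-forwards to any destination, not only external ones.
    """
    if is_internal(msg.sender) and msg.auto_forward:
        return Verdict("reject", AUTO_FORWARD_TEXT)
    return None


def evaluate(msg: Message) -> Verdict:
    """A reject stops processing; a notify still delivers the message."""
    rejected = block_auto_forward_rule(msg)
    if rejected:
        return rejected
    return anti_ransomware_rule(msg) or Verdict("deliver")


# Constructed sample messages.
SAMPLES = {
    "macro_doc": Message("alice@contoso.example", "bob@contoso.example", ["invoice.docm"]),
    "plain_doc": Message("alice@contoso.example", "bob@contoso.example", ["invoice.docx"]),
    "forward": Message("bob@contoso.example", "mailbox@outside.example", auto_forward=True),
    "inbound": Message("vendor@outside.example", "bob@contoso.example", ["quote.pdf"]),
}


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, evaluate(msg))
```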
Secure Score
Compliance and security features in
Office 365
Data Loss Prevention
Configuring archive mailboxes
Azure Information Protection (Azure
Rights Management)
Introducing the Office 365 Secure Score

https://securescore.office.com
https://support.office.com/en-us/article/Introducing-the-Office-
365-Secure-Score-c9e7160f-2c34-4bd0-a548-5ddcc862eaef
Introducing the Office 365 Secure Score
Office 365 provides features to comply with the following compliance
standards:
• HIPAA
• Data processing agreements
• FISMA
• ISO/IEC 27001:2013
• EU Model Clauses
• The U.S.‒EU Safe Harbor Framework
• FERPA
• SSAE 16
• PIPEDA
• GLBA
• GDPR
The Protection Center features:
• Home
• Permissions
• Security policies
• Data management
• Search & Investigation
• Reports
• Service Assurance
Introducing the Office 365 Security & Compliance
Data Loss Prevention

• Detect

• Protect

• Monitor

• https://support.office.com/en-us/article/Overview-
of-data-loss-prevention-policies-1966b2a7-d1e2-
4d92-ab61-42efbb137f5e
• https://support.office.com/en-ie/article/Prevent-
data-loss-in-Office-365-6a888faa-c114-4395-b20d-
a5b8ebd1ac0c
Introducing the Office 365 Secure Score Security & Compliance
Data Loss Prevention
You can use the Exchange Online admin center to manage DLP policies:
• Create a DLP policy
• Create a custom DLP policy
• View DLP policy detection reports
You use the Security & Compliance Center to create DLP policies for content
on Exchange, SharePoint, and OneDrive
Enable a DLP policy
To enable a DLP policy
• Go to https://protection.office.com.
• Sign in to Office 365. You're now in the Office 365 Security & Compliance Center.

In the Security & Compliance Center > left navigation > Data loss prevention > Policy > + Create a policy.
• Choose the DLP policy template that protects the types of sensitive information that you need > Next.

In this example, you'll select Financial>PCI Data Security Standard (PCI DSS).
• Name the policy > Next.
• On the Choose locations page:
• Choose All locations in Office 365 > Next.
• On the Customize the type of content you want to protect page:
• Click Find content that contains: Credit Card Number, and select Detect
when this content is shared … with people outside my organization
• Click Next
On the What do you want to do if we detect sensitive info page:
• Select Show policy tips…
• Select Detect when content that’s being shared contains: … change to 1
instance
• Select Send incident reports…
• Click Next
On the Do you want to turn on the policy… page:
• Select Yes, turn it on right away
• Click Next
On the Review your setting page, click Create
Send sensitive data in an email
To send an email to see DLP policies from user perspective
• Go to http://outlook.office365.com (or access Outlook on the web via the app launcher if
already logged in)
• Compose an email:
• To: [any external email address]
• Subject: Info you asked for
• Body:

Here you go.

4147202170724445 CVV 872 2/2023

[the credit card number above is cancelled, but valid from a digit-count and checksum perspective]
• Wait a few moments. A DLP Policy Tip will appear
• Click the DLP Policy tip to learn more about why it appeared
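What the policy configured above has to do to raise that tip, as an added example that is not Microsoft's detector and not part of the module: a candidate credit card number is found in the body, checked for length and the Luhn checksum (the "checksum perspective" the note above refers to), and the policy fires when the recipient is external and at least the configured number of instances (1 in this walkthrough) is present. The real Office 365 sensitive information type also weighs nearby keywords and formatting; this model reproduces only the number check. The email body is the constructed one from the steps above.

```python
"""Model of the 'Credit Card Number' DLP detection used in the walkthrough.

Added example (not from the slide deck or Microsoft). Only the digit-count and
Luhn checksum part of the detection is reproduced.
"""
import re
from typing import Dict, List

# 13 to 19 digits, optionally separated by single spaces or dashes.
CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample body, as in the walkthrough (the number is cancelled).
SAMPLE_BODY = """Here you go.

4147202170724445 CVV 872 2/2023
"""


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of d
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Digit strings in text that have a card-like length and pass Luhn."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def evaluate_dlp(body: str, external_recipient: bool,
                 min_instances: int = 1) -> Dict:
    """Apply the policy's conditions: shared outside the organisation and at
    least min_instances matches. Both the policy tip and the incident report
    are tied to the same trigger, as configured in the walkthrough."""
    hits = find_card_numbers(body)
    triggered = external_recipient and len(hits) >= min_instances
    return {"matches": hits, "policy_tip": triggered, "incident_report": triggered}


if __name__ == "__main__":
    print(evaluate_dlp(SAMPLE_BODY, external_recipient=True))
    print(evaluate_dlp(SAMPLE_BODY, external_recipient=False))
```

Changing the instance count in the policy corresponds to `min_instances` here; a number that fails the checksum (for example the sample number with its last digit changed) is not reported, which is why a random 16-digit string in a test message usually does not trigger the tip.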
Configuring archive mailboxes
Use Archive Management in the Protection Center to:
• Enable an In-Place Archive
• Disable an In-Place Archive
Configuring retention tags and policies in Exchange Online
Configuring retention in Security & Compliance Center
You use a retention policy to preserve or delete content on various
locations
AZURE INFORMATION PROTECTION (AZURE RMS)

• A cloud-based solution that helps an organization to classify, label, and protect its documents and emails
• Classification can be done:
• Automatically, by administrators who define rules and conditions
• Manually by users, or a combination where users are given recommendations
• Compare Azure Information Protection plans
• https://www.microsoft.com/en-us/cloud-platform/azure-information-protection-features
AZURE INFORMATION PROTECTION (AZURE RMS)
An example of Azure Information Protection in action

1. The administrator has configured rules to detect sensitive data (in this case, credit card information)
2. When a user saves a Word document that contains credit card information
3. The user sees a custom tooltip that recommends to apply a specific label that the administrator
configured
4. Which classifies and optionally protects the document

1. After your content is classified (and optionally protected)


2. You can then track and control how it is used
3. You can analyze data flows to gain insight into your business
4. Detect risky behaviors and take corrective measures - Track access to documents or prevent data
leakage or misuse
AZURE INFORMATION PROTECTION (AZURE RMS)

Azure Information Protection labels

• You use labels to apply classification to documents and emails
• The classification is identifiable at all times, regardless of where the data is stored or with whom it’s
shared
AZURE INFORMATION PROTECTION (AZURE RMS)

Rights management templates

• These templates can be part of a label's configuration
• When a specific label is applied to a document (or email message), the data is both classified
and automatically protected

Azure Rights Management

• Designed to minimize the possibility of data leakage - unauthorized transmission of information
• Integrates with Azure AD/Windows Server FS/Exchange Server & ExO/SharePoint Server &
SpO/Office Suite/Windows Clients
AZURE INFORMATION PROTECTION (AZURE RMS)
Rights management templates
For example:
• How you might select a template for a label when you configure the Azure Information Protection
policy from the Azure portal:

• Exchange Admin Center


AZURE INFORMATION PROTECTION (AZURE RMS)

Azure Rights Management - Exchange Online and Exchange Server

Exchange ActiveSync IRM (Information Rights Management):


• Mobile devices can protect and consume protected email messages

RMS support for the Outlook Web App:


• Implemented similarly to the Outlook client
• Users can protect email messages by templates

Protection rules:
• Outlook clients that an administrator configures to automatically apply Rights Management
templates to email messages for specified recipients
• For example:
• When internal emails are sent to your legal department
• They can only be read by members of the legal department and cannot be forwarded
• Users see the protection applied to the email message before sending it
• Emails are encrypted before they are sent
AZURE INFORMATION PROTECTION (AZURE RMS)
Azure Rights Management - Exchange Online and Exchange Server
Transport rules:
• Configured by an administrator to automatically apply Rights Management templates to email messages based on
properties - Sender/ Recipient/ Message Subject/ Content
• Can be applied to Outlook Web Access and emails sent by mobile devices
• Do not let users remove the protection
Data loss prevention (DLP) policies:
• Contain sets of conditions to filter email messages
• Take actions to help prevent data loss for confidential or sensitive content (for example, personal information or
credit card information)
• Policy Tips can be used when sensitive data is detected
• To alert users that they might need to apply Information Protection
• Based on the information in the email message
AZURE INFORMATION PROTECTION (AZURE RMS)

How Azure RMS works


End of Module

Thank you

Next up: Hands on Lab


Lab Activity