Professional Documents
Culture Documents
Microsoft Cloud Architecture and Identify Mnagement
Microsoft Cloud Architecture and Identify Mnagement
for Office 365 capabilities to help you secure your data, identities, and
devices.
capabilities to meet their baseline requirements.
2 Increased protection
All customers
Capabilities are recommended in three tiers — baseline
protection, sensitive protection, and protection for Some customers have a subset of data that must be protected at higher levels.
environments with highly regulated or classified data. You can apply increased protection to specific data sets in your Office 365
environment. Microsoft recommends protecting identities and devices that
It’s important to use consistent levels of protection access sensitive data with comparable levels of security.
across your data, identities, and devices. For example, if Some customers
you protect sensitive data at a higher level, be sure to 3 Protection for highly regulated environments
protect the identities and devices that access this data A few customers
Some organizations may have a very small amount of data that is highly classified,
at a comparable level. This document shows you which
trade secret, or regulated data. Microsoft provides capabilities to help organizations
capabilities are comparable.
Recommended meet these requirements, including added protection for identities and devices.
with Azure AD Baseline protection Sensitive data protection Highly regulated or classified data
Intune device management of PCs Intune device management of PCs and phones/tablets
Identity and device capabilities
work together to secure access
to your data. This document Azure Active Directory multi-factor authentication
includes more information
More architecture resources about these capabilities plus Azure Active Directory conditional access
like this additional recommendations.
aka.ms/cloudarch Azure Active Directory Identity Protection
Microsoft Cloud App Security -or- Office 365 Cloud App Security
Protection Device type Azure AD conditional access policies Azure AD Identity Protection Intune device compliance Intune app protection
user risk policy policy policies
level
Baseline Require multi-factor Block clients that don’t Require compliant PCs High risk users must Define compliance policies
authentication (MFA) when support modern change password
(One policy for each
sign-in risk is medium or authentication
platform)
high (Forces users to change
(Clients that do not use their password when
modern authentication can signing in if high risk
Require approved apps bypass conditional access activity is detected for their Define app protection
rules, so it’s important to account) policies
(Enforces mobile app
protection for phones and block these) (One policy per platform —
tablets) iOS, Android)
(Enforces Intune
management for PCs and
phone/tablets)
regulated
Start by implementing Azure Multi-Factor authentication (MFA). First, For other SaaS apps in your For all conditional access Enroll devices for Device compliance policies define the requirements devices App policies define which
use an Identity Protection MFA registration policy to register users for environment, configure rules in Azure AD, configure management with must meet. Intune let’s Azure AD know if devices pass and apps are allowed and what
MFA. After users are registered you can enforce MFA for sign-in. single sign-on with Azure an Azure AD group for Intune before are compliant. Recommended requirements include: actions these apps can take
Using multi-factor authentication is recommended before enrolling AD and apply these rules or ‘Exclusion’ and add this implementing device • Use passwords with strong parameters (alphanumeric, with your organization
devices into Intune for assurance that the device is in the possession create new conditional group to these rules. This compliance policies. at least six characters, expiration of no more than 90 content.
of the intended user. access rules. gives you a way allow days).
access to a critical user
Be sure to start using the pre-configured MFA policy for Admins — while you troubleshoot • Be patched, have anti-virus, and firewalls enabled.
Baseline policy: Require MFA for admins. access issues. • Use encryption, lock on inactivity, and wipe on multiple
sign-in failures.
Product key All Office 365 Enterprise plans • Not be jailbroken or rooted.
Configure basic password policies for Manage applications on mobile devices Azure AD offers a simplified joining BitLocker — Use this on all PCs to encrypt Windows Hello for Business replaces
Outlook Web Access (OWA). regardless of whether the devices are experience, efficient device management, all data at rest and protect it against passwords with strong two-factor
If you implement password policies using enrolled for mobile device management. automatic mobile device management offline attacks. authentication on PCs and mobile devices.
Intune later, these settings are Deploy apps, including LOB apps. Restrict enrollment, and single sign-on capability Credential Guard — Prevents attacks by This authentication consists of a new type
disregarded. Intune password policies actions like copy, cut, paste, and save as, for Azure AD and on-premises resources. protecting NTLM password hashes and of user credential that is tied to a device
require device enrollment. to only apps managed by Intune. Enable An incremental step in this direction is to Kerberos Ticket Granting tickets. and uses a biometric or PIN.
secure web browsing using the Intune auto-Azure-AD join your on-premises Device Guard — Prevents tampering by Windows Hello for Business
Mobile device mailbox policies in joined Windows 10 devices.
Managed Browser App. Enforce PIN and users or malware, only allows trusted
Exchange Online
encryption requirements, offline access applications. AppLocker can also be used.
Extending cloud capabilities to Windows
time, and other policy settings.
10 devices through Azure Active Directory
What are app protection policies? Join
Windows 10 PCs
November 2018 © 2018 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com.
Additional capabilities for sensitive and classified data You can greatly increase protection with capabilities on this page. Choose the capabilities that are best
for your environment.
devices
apps on Windows 10 devices non-Windows devices
If you choose to enable “Windows The Health Attestation Service is a Windows Information Protection Microsoft provides Lookout
Device Health Attestation” in a trusted cloud service operated by allows you to protect data within Mobile Endpoint Security
device compliance policy, create a Microsoft that reports what Microsoft Intune-managed integration with Microsoft
separate policy. When you create security features are enabled on applications. Enterprise Mobility + Security
the corresponding conditional the device. (EMS). Lookout provides real-time
Create a Windows Information
access policy in Azure AD, application, OS, and network-level
Device Health Attestation Protection (WIP) policy using
configure the policy to apply only protection for devices.
to the Windows platform. Use Microsoft Intune
caution with this policy because it Microsoft and Lookout: Securing
will deny access to Windows all your endpoints begins today
devices that do not support Device
Health Attestation.
Windows 10 PCs
November 2018 © 2018 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com.