Migrating to Office 365 is just the beginning

Date of issue

22. 2. 2021


As a Digital Workspace service provider, System4u helps companies from any industry address this issue.

System4u, as a Microsoft Gold Partner, has trained technicians and licensing specialists for Microsoft tools and can professionally help companies with this issue.

Microsoft 365 tools are quite intricately interconnected, and to make everything work as it should, it is necessary to think carefully at the very beginning about what we expect from properly functioning IT.

Office 365 tools (mail, contacts, calendar, data sharing) are the core Microsoft tools and the main reason customers start with Microsoft 365 services. As end users work with these tools, additional Microsoft functionality is layered on top of them, opening up a very important area: the security of all user access, devices and corporate data.

The first step is to switch from your existing e-mail solution (usually an Exchange server) to Microsoft 365 “mail in the cloud”. The most common method is the so-called hybrid migration, where the existing Exchange server in the internal network is integrated with Microsoft 365, followed by a gradual migration of users’ mailboxes.

The move of mail to Microsoft 365 goes hand in hand with the use of other cloud tools, such as the Microsoft Teams communication tool, to which the SharePoint and OneDrive data stores are connected. Using the office applications in the Microsoft cloud environment, such as Word, Excel and PowerPoint, then goes without saying.

For integration between Microsoft 365 cloud services and the company’s on-premises Active Directory, Azure Active Directory (now Entra ID) is used. It is a cloud-based directory service from which all user information (name, password, permissions, and the devices users work on and access corporate data from) can then be drawn. To connect it to the on-premises Active Directory, the so-called Azure AD Connect is used: a tool installed on the internal network that synchronizes users to Microsoft 365.

There are two possible settings for this integration:

  • Synchronize all user information, including domain password hashes, and authenticate users directly against Microsoft’s sign-in service (so-called user validation).
  • Federated authentication, where the user is not authenticated on Microsoft servers but, after entering their e-mail address, is redirected to a so-called Identity Provider (ADFS or a third-party solution such as Okta), where the user’s identity is verified.

After the integration, selected company data (user mailboxes, shared files) are placed in the Microsoft 365 cloud environment and the end user can log in from anywhere on any device.

That’s where Enterprise Mobility & Security comes in: it addresses access to Microsoft 365 services and the security of data stored in Microsoft 365.

It is important to note that the long-established model, in which company systems sit in a private data centre accessible only from the local network, so that employees have to be at their workplace in the company’s building to do their work, no longer holds. Employees can now access company data from anywhere, at any time and from any device, and it is important to control this access and ensure that users reach Microsoft 365 services, and therefore company data, only under specified security conditions.

Azure Active Directory Conditional Access is used for this purpose. It checks who is logging in to the services, from which device and from where, and evaluates other parameters at the same time.

It can be likened to a smart firewall in which we define which users may access which applications, and only under defined conditions. For example: which device is the user logging in from, and do we know that device? Do the login time and location match the user’s usual behaviour?

So, with Azure Active Directory Conditional Access, it is possible to assess risk. It is visible where the user is logging in from: the internal network, Prague, Brno or a completely different continent. If the user logs in from another continent or at a completely unusual time, this unusual situation indicates a possible attack, which can be prevented at this stage. An additional authentication factor (e.g. SMS) can be enforced, and if the access is assessed as risky, and therefore possibly a stolen identity, the password is reset and access blocked.

Another tool, Microsoft Intune, Microsoft’s Mobile Device Management solution now called Microsoft Endpoint Manager, is used to identify the device from which the user enters the Microsoft environment.

This tool is used to manage and secure either whole devices (Mobile Device Management, MDM) or individual applications on devices (Mobile Application Management, MAM). All common operating systems on the market are supported (iOS, Android, Windows 10, macOS).

All the information collected from the device by Microsoft Intune (Microsoft Endpoint Manager) is then condensed into one crucial parameter, the so-called Compliance Flag. Each device has a defined security level to meet; if it meets it, Microsoft Intune writes the flag to Azure Active Directory, where Azure AD Conditional Access rules can then check it. This ensures that the user only logs in from a secure device.
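To make the evaluation described above concrete, here is an added Python model (not System4u’s code and not Microsoft’s implementation) of how a Conditional Access rule combines the Intune Compliance Flag, sign-in location, time and risk level into a grant, MFA or block decision; the trusted locations, working hours and three-step risk scale are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed assumptions: the named locations a tenant trusts and the hours
# that count as normal working time. In a real tenant these come from
# Azure AD named locations and Identity Protection, not from constants.
TRUSTED_LOCATIONS = {"Internal network", "Prague", "Brno"}
WORK_HOURS = range(6, 20)   # 06:00-19:59


@dataclass
class SignIn:
    user: str
    device_compliant: bool  # Compliance Flag written by Intune/MDM into Azure AD
    location: str           # named location or country of the source IP
    time: datetime
    risk: str               # "none" | "medium" | "high" (assumed risk scale)


def evaluate(s: SignIn) -> tuple[str, str]:
    """Decide one sign-in as the article describes Conditional Access doing it.
    Returns (outcome, reason); outcome is 'block', 'mfa' or 'grant'.
    Order matters: risky identity first, then device flag, then behaviour."""
    if s.risk == "high":
        # Likely stolen identity: block and force a password reset.
        return "block", "high sign-in risk: password reset required"
    if not s.device_compliant:
        # No Compliance Flag, so Azure AD cannot vouch for the device.
        return "block", "device not compliant"
    unusual_place = s.location not in TRUSTED_LOCATIONS
    unusual_time = s.time.hour not in WORK_HOURS
    if unusual_place or unusual_time or s.risk == "medium":
        # Deviates from the user's normal pattern: require a second factor.
        return "mfa", "unusual location/time or elevated risk"
    return "grant", "known device, usual location and time"


def evaluate_all(signins: list[SignIn]) -> dict[str, str]:
    """Map each user to the outcome of their sign-in attempt."""
    return {s.user: evaluate(s)[0] for s in signins}


# Constructed sample sign-ins, one per branch of the policy.
SAMPLE = [
    SignIn("alice", True, "Brno", datetime(2021, 2, 22, 9), "none"),
    SignIn("bob", True, "Sydney", datetime(2021, 2, 22, 10), "none"),
    SignIn("carol", True, "Prague", datetime(2021, 2, 22, 3), "none"),
    SignIn("dave", False, "Prague", datetime(2021, 2, 22, 9), "none"),
    SignIn("eve", True, "Prague", datetime(2021, 2, 22, 9), "high"),
]
```

Running `evaluate_all(SAMPLE)` yields grant for alice, mfa for bob (unknown location) and carol (3 a.m. login), and block for dave (no Compliance Flag) and eve (high risk).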

Another security feature is protection at the level of the Microsoft applications themselves (Word, Excel, etc.), to which security policies can be pushed. For example, the user cannot copy data out of the app and forward it via private e-mail, or a PIN is required to open the app. This works even on devices that are not enrolled in Microsoft Intune.

Third-party MDMs (MobileIron, VMware Workspace ONE) are also able to write the above-mentioned Compliance Flag, but an Azure Active Directory P1 licence is a prerequisite.

If a company is using one of the above-mentioned MDM technologies and wants to migrate fully to Microsoft Intune, whether for licensing or other reasons, this migration can be handled elegantly with the IDOT application from System4u.

This app helps you migrate from your existing MDM solution to Microsoft Intune, and the end user can do everything from their mobile device. The IDOT app guides them through the whole process step by step; everything happens automatically, and the user just has to “click”.

The administrator has an overview of the ongoing migration in the console: who has already migrated, who is yet to migrate and who needs help.

Once all company data is in the Microsoft 365 cloud, all company devices are secured using Microsoft Intune (or another MDM technology) and everything is integrated with Azure Active Directory, it is also necessary to secure specific company documents containing sensitive data.

Microsoft Azure Information Protection has two basic functions.

  • It allows documents containing sensitive data (e.g. bank card numbers, birth numbers) to be marked automatically, and when a user wants to send such a document by e-mail, it can block the sending or display a notification: “do you really want to send a document containing sensitive data?”
  • If such a document really has to leave the company, it can be encrypted so that only the recipient can read it; the document remains protected during transmission and afterwards. A complication can arise if the recipient does not have Microsoft 365 services, but that has been thought of too: all they have to do is register their e-mail address in the Microsoft 365 environment (a so-called free account) and they can then access the document. Even documents sent this way can still be controlled, e.g. “invalidated” after a specified period of time.

So this article describes secure access to Microsoft 365, device protection and document protection. We’ll talk about the next steps and security options using Microsoft 365 tools in our webinar.

Roman Přikryl and Petra Holubcová
