Enhancing the Office 365 Multi-Factor Authentication and RM Online October 2013


Agenda

• Multi-Factor Authentication: why Multi-Factor is important; securing Cloud resources
• Windows Azure AD Multi-Factor Authentication (WAAD MFA)
• Rich Client Support with App Password
• Information Protection and Control using Windows Azure AD Rights Management

Windows Azure AD – Multi-Factor Authentication

Why MFA is important

• Passwords are no longer enough. Customers want a higher level of security than standard authentication with user name and password.
• Growing need for stronger security measures for identities
• Cloud services are perceived as higher risk, requiring MFA
• Increased use of mobile access demands stronger, seamless security measures
• Competition is driving the expectation for Strong Authentication
• Compliance drives increasingly rigorous authentication scenarios, and is showing up as a sales blocker (e.g. FISMA, NIST)
• Windows Azure AD is used for multiple online services

What is Azure AD MFA?

• Secure resources accessed by Azure AD, with phone-based Multi-Factor Authentication.
• Applicable for Cloud Identities and Federated Identities
• Ease of configuration and low maintenance – no server installation required, end-users configure 2FA.

Azure AD MFA for Cloud Identities – Securing Cloud resources

Flow between the Customer and Azure AD & Office 365:

1. Logon with Username / Password
2. MFA challenge
3. Reply to MFA challenge
   - 1-way or 2-way SMS
   - Phone call
   - Mobile Application

Enabling MFA on your tenant

• Through Azure portal only

First logon experience with MFA

User Security Verification Options

Further web logon experience

Setting up App Password for rich client support

App Password maintenance

App Password – Rich client support with MFA

Flow between the Customer and Azure AD & Office 365:

1. One-time setup: the user creates an App Password (1 per application) through MOP or AAD
2. Rich client logon with the App Password

App Password features

• Admin must: create a Windows Azure Authentication Provider; enable Multi-Factor Authentication for the users
• App Password available to end-users only; not available for Administrative accounts
• Password is automatically generated, 16 characters
• A limit of 40 passwords per user
• Passwords never expire; a Set Expiration feature is scheduled for a future release

Azure AD MFA offering

• Free for Administrators; must pay for Users
• Purchase as a Multi-Factor Authentication Provider through Windows Azure AD; per-user or per-authentication licensing models
• Web application support by default: Outlook Web Access (OWA), SharePoint, etc.
• Must enable Application Passwords for use with rich clients: Outlook, Lync, PowerShell, Lync IP phone
• Application passwords cannot be enabled for administrator accounts
• Does not support Lync phones
• Not supported with Office 365 Pre-Upgrade (Wave 14 customers)

Windows Azure AD Rights Management

Information Protection and Control (IPC) – Industry trends

• The traditional perimeter is rapidly eroding: IT needs continuous data protection that works across 'classic' boundaries
• Consumerization of IT: users need access, from any device
• Externalization of IT: applications are on-premises and in the cloud
• More data, stored in more places: dispersed enterprise data needs protection
• Social enterprise: data is shared between people and applications

Internal sharing of sensitive data

• Organizations of all sizes have sensitive data; the numbers vary from ~3% to "far more" when customer data contain PII
• Data is increasingly rarely in a state of permanent rest: mobile devices; data sync'd for use at home; SQL/SAP reporting to Excel; etc.
• RMS is used / reasoned over by users / software
• RMS protects sensitive data at rest and in motion: RMS, and enlightened applications, offer native support for file protection; Outlook and Exchange add RMS support for email; vertical offers are now adding RMS too: SharePoint, DAC, DLP, and now SAP…

Rights Management deployment options

• Use Windows Azure AD Rights Management out of the box: integrates natively with Exchange Online and SharePoint Online
• Integrate Office 365 with existing on-premises AD RMS infrastructure

What is Windows Azure AD Rights Management

Windows Azure AD Rights Management enables organizations that subscribe to Microsoft online services to encrypt content and assign usage restrictions to it. Rights Management helps protect content created and exchanged using Microsoft Office, as well as other applications or services that have been updated to integrate with the Rights Management service. By implementing a cloud-based rights management service, Rights Management provides an alternative for organizations seeking information protection capabilities within Microsoft Office 365.

Rights Management provides the following:

• Safeguards sensitive information
• Provides persistent protection
• Supports closer management of usage rights and conditions
• Integrates rights management with Office 365

Rights Management deployment options – IRM features

Windows Azure AD Rights Management information rights management (IRM) features available in Microsoft Office 365 Enterprise E3 and Microsoft Office 365 ProPlus:

• Office IRM Integration
• Exchange Online IRM Integration
• SharePoint Online IRM Integration

Office integration with Rights Management

When creating or consuming information rights management (IRM) protected content, only the following versions of Microsoft Office are supported:

For this Office product family…            …these restrictions apply for Rights Management use
Microsoft Office Professional Plus 2013    Supported for this release.
Microsoft Office 2010                      Supported for this release. Publishing rights-protected content requires Office Professional Plus; consuming rights-protected content requires Office Standard.
Microsoft Office 2007                      Not supported for this release.

Configuring RMO for Exchange Online

Step 1: Use the Office 365 Admin Center to activate Windows Azure Active Directory Rights Management (see next slide).

Step 2: Use the Shell to configure the RMS Online key sharing location in Exchange Online. Note: use the RMS key sharing URL corresponding to your location (using Set-IRMConfiguration -RMSOnlineKeySharingLocation ….).

Step 3: Use the Shell to import the Trusted Publishing Domain (TPD) from RMS Online, using Import-RMSTrustedPublishingDomain -RMSOnline -Name "RMS Online".

Step 4: Use the Shell to enable IRM in Exchange Online, using Set-IRMConfiguration -InternalLicensingEnabled.

Check RMS capability using OWA. Note: this can take some additional hours to propagate. Open OWA, click on New Message, and in the "…" menu you should see a "Set Permission" option.
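Steps 2 to 4 above as one Exchange Online PowerShell session, followed by read-back checks so an administrator does not have to wait for the OWA menu to confirm the change. This is an added example, not from the original deck; it assumes a remote PowerShell session to Exchange Online is already open, uses a placeholder for the region-specific key sharing URL, and adds Get-IRMConfiguration, Get-RMSTrustedPublishingDomain and Test-IRMConfiguration, which the slide does not mention.

```powershell
# Added example (not from the original deck). Assumes an Exchange Online
# remote PowerShell session is already established.

# Step 2: RMS Online key sharing location for your region.
# <RMS-KEY-SHARING-URL> is a placeholder; take the real URL for your
# tenant's location from the Office 365 documentation.
Set-IRMConfiguration -RMSOnlineKeySharingLocation "https://<RMS-KEY-SHARING-URL>"

# Step 3: import the Trusted Publishing Domain (TPD) from RMS Online.
Import-RMSTrustedPublishingDomain -RMSOnline -Name "RMS Online"

# Step 4: enable IRM (internal licensing) in Exchange Online.
Set-IRMConfiguration -InternalLicensingEnabled $true

# Read back the two settings just changed and the imported TPD.
Get-IRMConfiguration | Format-List InternalLicensingEnabled, RMSOnlineKeySharingLocation
Get-RMSTrustedPublishingDomain | Format-List Name, Default

# End-to-end check from a mailbox in the tenant (assumption: any
# licensed user mailbox; the address below is a constructed example).
Test-IRMConfiguration -Sender "user@contoso.com"
```

If Test-IRMConfiguration reports a failure, re-check the key sharing URL against your tenant's region before waiting for OWA propagation.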

Activating Rights Management

RMO with Exchange Online capabilities

After it's enabled, IRM protection can be applied to messages as follows:

• Users can manually apply a template using Outlook and Outlook Web App. Users apply an AD RMS rights policy template to an email message by selecting the template from the Set permissions list. When users send an IRM-protected message, any attached files that use a supported format also receive the same IRM protection as the message. IRM protection is applied to files associated with Word, Excel, and PowerPoint, as well as .xps files and attached email messages.

• Administrators can use transport protection rules to apply IRM protection automatically to both Outlook and Outlook Web App. You create transport protection rules to IRM-protect messages, and configure the transport protection rule action to apply an AD RMS rights policy template to messages that meet the rule condition. After you enable IRM, your organization's AD RMS rights policy templates are available to use with the transport protection rule action called "Apply rights protection to the message with".

• Administrators can create Outlook protection rules. Outlook protection rules automatically apply IRM protection to messages in Outlook 2010 (not Outlook Web App) based on message conditions that include the sender's department, who the message is sent to, and whether recipients are inside or outside your organization. For details, see Create an Outlook Protection Rule.

Configuring RMO for SharePoint Online

You need to be a SharePoint Online administrator.

Step 1: Go to the SharePoint Online Admin center / Settings.

Step 2: Check IRM usage and click on Refresh IRM settings.

Step 3: IRM-enable SharePoint document libraries and lists:

• Go to the list or library for which you want to configure IRM. On the ribbon, click the Library tab, and then click Library Settings (if you are working in a list, click the List tab, and then click List Settings).
• Under Permissions and Management, click Information Rights Management.
• On the Information Rights Management Settings page, select the "Restrict permission to documents in this library on download" check box to apply restricted permission to documents that are downloaded from this list or library.
• In the "Create a permission policy title" box, type a descriptive name for the policy that you can use later to differentiate this policy from other policies (example: Company Confidential).
• In the "Add a permission policy description" box, type a description that will appear to people who use this list or library and that explains how they should handle its documents (example: Discuss the contents of this document only with other employees).
• To apply additional restrictions to the documents in this list or library, click Show Options, and select the ones you want to apply.
• After you finish selecting the options you want, click OK.

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.