Internal Audit, Risk, Business & Technology Consulting

OFFICE 365 GOVERNANCE:

Top FAQ’s & Best Practices


© 2017 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.

CLOUD ADOPTION


• Very latest versions of apps that enhance collaboration and productivity

• Cloud Computing Power (cloud elasticity, built-in machine learning)

• Increased Security and Compliance

• Built-in Business Continuity (backup/recovery, disaster recovery)

• More Predictable Costs (subscription based, more operational, less capital)

Business demands faster, more agile and less costly solutions to achieve digital transformation – cloud computing offers a compelling way to meet ever increasing user needs.

How does Governance change when moving to the cloud?


1. SHIFTING ROLE OF IT

I’m an IT Professional… Will I be out of a job as my company moves to the cloud?

NO… however IT Professionals need to embrace and enable moving to the cloud!

• The IT professional’s role is changing to one of service management.

• IT is becoming more strategic in their role and moving to focus on initiatives that benefit the business from a higher level.

• IT professionals are being measured on their contributions to business results.

What are the administrative roles in Office 365?


SHIFTING ROLE OF IT: Shifting From Managing Servers to Managing Services

• Old Focus: Managing Servers, Security Patches, Perpetual Upgrades…

• New Focus

  • Managing Services

  • People Focus

  • Driving Service Adoption

  • Change Management

  • Communication and Readiness Frameworks

• Shift to More Frequent Updates of Capabilities to End Users

• Consider impacts to Roles & Responsibilities in How You Govern IT Solutions


DEMONSTRATION: OFFICE 365 MESSAGE CENTER, FIRST RELEASE, CHANNEL RELEASES & ROADMAP

Features to Help Manage Change


2. SECURITY CONTROLS

Does Office 365 solve my security issues?

What security controls should I use?

How secure is my data in Office 365?

In all cloud environments, security is a shared responsibility!

• Understand the built-in security controls

• Understand which security controls are available to you

• Understand which licenses you need to access the security controls that you require

• Understand your security responsibilities in the cloud


IN THE CLOUD – SECURITY IS A SHARED RESPONSIBILITY


• Understand Cloud Provider Responsibilities

• Understand Your Responsibilities

• Understanding how your responsibilities are managed requires strong Information Governance policies & procedures

In all cloud environments, security and information protection must be a Shared Responsibility

SAAS = Office 365

PAAS = Azure Web Services, Azure Functions, etc.

IAAS = Azure VMs


OFFICE 365 SECURITY CONTROLS: Features & Capabilities

• SharePoint Permissions

• Information Rights Management/RMS

• External Sharing Controls

• OneDrive for Business Sharing Controls

• Encrypted Communication (TLS)

• Encrypted Data at Rest

• Multi-Factor Authentication

• Modern Authentication (ADAL)

• Retention Policies

• Site Classification

• Office 365 Trust Center

• Office 365 Secure Score

• Customer Lockbox

• Security and Compliance Center

• Security Roles & Permissions

• Activity Monitoring/Audit Log Search

• Automatic Alerts

• Advanced Security Management

• Classification Labels & Label Policies

• Data Loss Prevention

• eDiscovery

• Mail Filtering/Anti-Malware/DKIM

• Advanced Threat Protection

• Compliance Reports/Trust Documents

• Exchange Online Protection

• Exchange Mailbox Auditing

• Threat Intelligence

• Advanced Data Governance

• Active Directory Federation Services

• AD Pass Through Authentication

• AD Seamless Single Sign On

• Azure B2B

• Azure Information Protection

• Azure Conditional Access

• Azure Identity Protection

• Azure Privileged Identity Management

• Advanced Threat Analytics

• Microsoft Intune MDM

• Cloud App Security

• Azure Security Center

• Azure Key Vault/Bring your Own Key (BYOK)


ENTERPRISE MOBILITY + SECURITY PLANS: Upgrade to an Enterprise Mobility + Security Plan for Advanced Security Controls


3. ADMINISTRATOR ACCESS CONTROL

What about Microsoft system administrators? Can they access my data in Office 365?

Can I audit my administrators?

Understanding Microsoft Administrator access and tracking your own administrators is a key aspect of governing your cloud solutions!

• Microsoft administrators have no standing access to Office 365 tenants

• Microsoft administrators must request access to tenants, specifying the purpose & specific activities they will perform

• All end user AND administrator activities are logged in the unified audit log – log entries cannot be deleted


OFFICE 365 CUSTOMER LOCKBOX

• Microsoft Administrators/Support have zero standing access to the Office 365 servers

• To gain access to a customer’s data, Microsoft support must go through an internal process called “Lockbox”:

  • Customer administrator logs a support request

  • Microsoft engineer must submit a “Lockbox” request to access a Customer tenant

  • Microsoft IT manager must validate access request and duration (will lower duration) and approve request (max 4 hrs)

  • Customer must approve access request, before Microsoft engineer gets any access to Customer tenant

  • Microsoft support may then access the Customer tenant to investigate issue

Customers can control whether Microsoft Office 365 engineers may have access to their tenant.
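As an added example (not code from the deck or from Protiviti), the script below turns the Lockbox and auditing points above into a check an Office 365 administrator can run from Exchange Online PowerShell: it confirms Customer Lockbox is enabled, lists Lockbox requests awaiting the customer’s approval, and pulls privileged-role changes from the unified audit log. It assumes the ExchangeOnlineManagement module, an account allowed to read organization settings and the audit log, and a seven-day review window (an assumed value).

```powershell
# Added example, not from the Protiviti deck: a defender's check of the
# administrator-access controls described above, run from Exchange Online
# PowerShell. Assumed: the ExchangeOnlineManagement module is installed,
# the signed-in account may read org settings and the unified audit log,
# and unified audit logging is already enabled for the tenant.
param([int]$LookbackDays = 7)   # assumed review window, not a value from the slides

Connect-ExchangeOnline -ShowBanner:$false

# 1. Customer Lockbox. Off: a Microsoft engineer's access request is approved
#    inside Microsoft only. On: the customer must approve it as well.
$org = Get-OrganizationConfig
if (-not $org.CustomerLockBoxEnabled) {
    Write-Warning "Customer Lockbox is OFF: support access does not need customer approval."
}

# 2. Lockbox requests still waiting for the customer's decision; each is an
#    engineer asking for time-boxed (max 4 hours) access to this tenant.
Write-Host "Pending Customer Lockbox requests:"
Get-AccessToCustomerDataRequest -ApprovalStatus Pending | Format-Table -AutoSize

# 3. Your own administrators: privileged-role changes land in the unified
#    audit log as AzureActiveDirectory records. Pull the review window.
$start  = (Get-Date).AddDays(-$LookbackDays)
$events = Search-UnifiedAuditLog -StartDate $start -EndDate (Get-Date) `
    -RecordType AzureActiveDirectory `
    -Operations "Add member to role.", "Remove member from role." `
    -ResultSize 5000   # beyond 5000 hits, page with -SessionId/-SessionCommand

$roleChanges = foreach ($e in $events) {
    # AuditData is JSON: ObjectId is the account added to or removed from the
    # role, and the ModifiedProperties entry named Role.DisplayName names it.
    $d    = $e.AuditData | ConvertFrom-Json
    $role = ($d.ModifiedProperties | Where-Object { $_.Name -eq 'Role.DisplayName' }).NewValue
    $roleName = if ($role) { $role.Trim('"') } else { '(unknown)' }
    [pscustomobject]@{
        When   = $e.CreationDate
        Actor  = $e.UserIds
        Action = $e.Operations
        Target = $d.ObjectId
        Role   = $roleName
    }
}

# Global Administrator changes come first in any review (older records call
# the role "Company Administrator"). Anything not matched to an approved
# change request is a finding.
$roleChanges |
    Where-Object { $_.Role -in 'Global Administrator', 'Company Administrator' } |
    Sort-Object When -Descending | Format-Table -AutoSize

$roleChanges | Export-Csv -Path '.\role-changes.csv' -NoTypeInformation   # evidence for the audit program

Disconnect-ExchangeOnline -Confirm:$false
```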


DEMONSTRATION: OFFICE 365 SECURITY & COMPLIANCE CENTER, OFFICE 365 AUDIT LOGS

Features to Help Secure and Monitor Your Environment


4. ROADMAP YOUR JOURNEY TO OFFICE 365

Do I need to move all my IT services at once to Office 365? Which workloads do I move first?

How do I figure out which Office 365 services or plans are right for us?

Creating an Office 365 roadmap allows you to plan your journey to the cloud!

• Don’t try to move all your workloads into Office 365 at once

• Plan out and prioritize the workloads you need to migrate to Office 365

• Ensure you have business buy-in to migrate each workload to Office 365

• Plan adoption strategies as you build out your Office 365 roadmap


OFFICE 365 ROADMAP EXAMPLE


[Roadmap diagram: task boxes laid out in four phase columns; the box labels are listed below by phase]

Phase 1: Tenant

• Create Office 365 Tenant + Initial Config

• Register Domains

Phase 2: Active Directory

• AD Clean up & Prep

• Deploy AD Connect

• Sync AD + Setup Auth

• Deploy/Config SSO

• Setup Modern Auth

• Setup MFA

Phase 3: Email

• Initialize Exchange

• Free/Busy Status

• Shared Address List

• Mailbox Inventory

• Plan Exchange Migration

• Eval. 3rd Party Tools

• Licensing (pre-create mailboxes)

• Migrate Exchange Mailboxes

• Mailbox Migration

• Contacts

• Calendar

• Pre-Stage Mailboxes

• Validation + Mailbox Cutover

• Exchange Cutover (MX Record)

Phase 4: OneDrive for Business

• Initialize OD4B

• Plan OD4B Migration

• Content Inventory (file shares)

• Identify + Fix Problem Files

• Eval. 3rd Party Tools

• Licensing

• Pre-create OD4B Site

• ODFB Training

• Migrate File Shares

• Make File Share Read Only

• Migrate File Share Data

• File Share Migration

• Validation + Incremental Migration

• Re-Direct MyDocuments

• Content Cleanup

Across all phases: Security Controls Implementation; Office 365 Adoption Program…


5. INFORMATION GOVERNANCE POLICIES & TOOLS

How does moving to the cloud affect our information governance policies?

Information governance policies, procedures and tools require updating as you move workloads to the cloud!

• How do roles and responsibilities change when moving to the cloud?

• What types of sensitive data do you have, and can they live in the cloud?

• Will you permit external sharing, from SharePoint Online or from OneDrive?

• How is new hire provisioning and employee de-provisioning impacted?

• Do you have data residency requirements and what is the impact?

• Consider your regulatory compliance obligations – how are your audit programs or assessments impacted?


ADMINISTRATIVE ROLES & RESPONSIBILITIES IN OFFICE 365: Office 365 has 12 administrative roles with specific responsibilities

• Global Administrator

• Billing Administrator

• Exchange Administrator

• SharePoint Administrator

• Skype for Business Administrator

• Password Administrator

• Security & Compliance Administrator

• Service Administrator

• User Management Administrator

• Dynamics 365 Administrator

• Dynamics 365 Service Administrator

• Power BI Administrator

*Other administrative roles can be configured within Permissions in the Security & Compliance center – for example: eDiscovery Manager


COMPLIANCE IN THE MICROSOFT CLOUD


Microsoft has the deepest and most comprehensive compliance coverage in the industry


RESOURCES & NEXT STEPS

YOUR JOURNEY TO THE CLOUD


Next Steps

• Develop an Office 365/Cloud Roadmap to begin your Digital Transformation

• Plan how IT Roles will shift in your organization as you move to the Cloud

• Understand your security responsibilities and learn about the security controls available in Office 365

• Ensure your governance policies & tools evolve as you move to the Cloud

References

• Microsoft Whitepaper on Shifting IT Roles: https://www.microsoft.com/itshowcase/Article/Content/958/From-systems-to-people-rethinking-service-management

• Microsoft reference on Office 365 Administrative Roles: https://support.office.com/en-us/article/About-Office-365-admin-roles-da585eea-f576-4f55-a1e0-87090b6aaa9d

• Office 365 Compliance Offerings: https://www.microsoft.com/en-us/trustcenter/compliance/complianceofferings
