Pluralsight

From Max's Wiki

Getting Started with EMS

What is it?

  • Azure AD
    • SSO and identity platform for cloud and on-premises apps
  • Microsoft Intune
    • Cloud-based mobile device management platform
  • Azure Rights Management
    • Encryption and authorization policies for corporate data

Why do you care?

  • Provides users with SSO with self service password reset and MFA
  • Manage all user devices from a single pane using MDM and MAM solutions
  • Protect corporate data outside your organization through encryption, authorization and identity policies

Benefits of EMS

  • Short Term
    • Authentication for the mobile workforce, reduced data leakage, and the ability to scale up and down dramatically
  • Long Term
    • Lower TCO (Total Cost of Ownership), a walled-garden security approach, and SSO

In Short

  • Rise of Cloud Computing
  • BYOD!
  • Security Gaps
  • Microsoft Enterprise Mobility Suite

What's Included with Microsoft Azure AD Premium?

Single Identity with write-back integration to on-premises AD

  • Self-service password reset
    • Including on-premises users
  • Branding (Outlook on the web)
  • Multi-factor authentication
    • Including on-premises users
  • SSO for SaaS applications
  • Azure AD Application Proxy
  • Compliance reporting and auditing
  • Dynamic Groups

Self-service password reset

  • Azure AD -> DMZ -> On-premises (AADConnect and AD DS)

Branding (Outlook on the web)

  • Self-explanatory
    • Change login picture upon login, and add custom text to bottom of page

Multi-factor authentication

  • Second layer of security
  • Something you know, have or are
  • Various methods available
    • Phone call
    • SMS
    • Mobile app notification
    • Mobile app verification
    • OATH tokens

SSO for SaaS applications

  • Company accounts on SaaS applications (e.g. Facebook/Twitter) are managed through Azure AD, and the user signs in to them with their AD SSO credentials

Azure AD Application Proxy

  • Securely publish on-premises applications to the cloud
  • Remote Access as a Service
  • Uses a connector installed on-premises
  • Incoming web traffic hits Azure AD

Compliance reporting and auditing

  • Reports anomalous activity and more

Dynamic Groups

  • Automatically add users to groups/memberships based on attributes (e.g. auto-add to Marketing/Sales)

Securing Devices Using Microsoft Intune

Microsoft Intune Features:

  • MDM
  • Application Deployment
    • Store/Developed
  • Wi-Fi & VPN Profiles
  • Conditional Access
  • Microsoft Mobile Application Management

Microsoft Intune Benefits:

  • Device choice
  • Management of Office mobile apps
  • Data protection
  • No on-premises infrastructure
  • Enterprise integration
  • Licensing options such as EMS

More info can be found here: https://www.microsoft.com/en-us/cloud-platform/roadmap

Taking a closer look into the Intune Architecture

Intune Architecture

  • Cloud
    • Verifiable domain name
    • Intune subscription
    • Devices to manage

Intune Hybrid with SCCM

  • Connector
    • One-way encrypted conversation to Intune
  • Extensions
    • Add new features in SCCM
  • New extensions are rolled into SCCM service packs (SPs)
    • The old extensions disappear once they are included in a service pack

Things to consider before configuring Intune

Configuring Client Enrollment

  • End user: downloads the Microsoft Intune Company Portal app and signs in to their company account
    • Upon installing the app and signing in with the company account, the appropriate management profile is added to the device
  • Intune supports Apple DEP (Device Enrollment Program, deploy.apple.com)

Azure Rights Management Service (RMS)

  • Cloud service
  • Suite of technology to protect and encrypt
  • Policies combine identity, encryption and authorization
  • Protection stays with the documents
  • Full featured logging and reporting

User Workflow

  • User logs into Azure Active Directory
  • Azure RMS template applied
  • User sends file to recipient
  • Recipient opens document
  • Rights are enforced

Benefits

  • Data is always protected and encrypted
  • Cloud-based
  • Integrated end user experience
  • Security outside corporate network
  • Centrally managed
  • Part of O365

User Roles

  • Global Administrator
  • Super User
    • Not enabled by default
    • Managed with the AADRM PowerShell cmdlets:
      • Enable-AadrmSuperUserFeature
      • Add-AadrmSuperUser
      • Get-AadrmSuperUser
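The super-user procedure above, as an added example that is not from the course or the wiki. It assumes the AADRM PowerShell module is installed and the caller is a Global Administrator; the account name is a constructed placeholder, and the admin-log export at the end uses Get-AadrmAdminLog so the change is auditable afterwards.

```powershell
# Added example (not from the course or the wiki): enable the Azure RMS
# super-user feature, add an account, and verify the result.
# Assumes the AADRM module is installed and the caller is a Global Admin.
Import-Module AADRM
Connect-AadrmService   # interactive sign-in to the RMS tenant

$superUser = 'rms-recovery@contoso.example'   # constructed placeholder

# The feature is disabled by default; enable it only when it is needed
# (super users can decrypt every protected document in the tenant).
if ("$(Get-AadrmSuperUserFeature)" -ne 'Enabled') {
    Enable-AadrmSuperUserFeature
}

# Add the account, then confirm it is listed before relying on it.
Add-AadrmSuperUser -EmailAddress $superUser
$members = @(Get-AadrmSuperUser)
if ($members -notcontains $superUser) {
    throw "Super user $superUser was not added"
}
Write-Host "Current super users: $($members -join ', ')"

# Export the admin log so the feature change and membership change are
# on record for review (path is a constructed placeholder).
Get-AadrmAdminLog -Path 'C:\Temp\AadrmAdminLog.log'
```

Review the exported log and the Get-AadrmSuperUser output periodically; super-user membership should be as small as possible and disabled again when the task is done (Disable-AadrmSuperUserFeature).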

Template Refresh

  • Templates are cached under %localappdata%\Microsoft\MSIPC\Templates
  • Template refresh is every 7 days; the interval is controlled by the registry value:
    • HKEY_CURRENT_USER\Software\Classes\LocalSettings\Software\Microsoft\MSIPC\TemplateUpdateFrequency
  • You can also force a refresh by deleting the Templates folder and the LastUpdateTime value from:
    • HKEY_CURRENT_USER\Software\Classes\LocalSettings\Software\Microsoft\MSIPC\<Server Name>\Template

Logging

  • Logs actions from users, administrators and Microsoft support
  • Writes logs in W3C extended format into Azure storage account
  • Log data available within 15 minutes of action

Reporting

  • Usage
  • Active users
  • Types of devices
  • Types of applications
  • portal.azure.com or manage.windowsazure.com (Old Portal)

RMS Pre-Requisites / Supported Clients

Overview: Requirements for Azure Information Protection

  1. RMS application for Windows: Rights Management Sharing Application for Windows
    1. Deprecated on Jan 31st, 2019 and replaced by the Azure Information Protection client for Windows

User Guide: Classify and protect a file or email by using Azure Information Protection