Difference between revisions of "Pluralsight"
Jump to navigation
Jump to search
| Line 122: | Line 122: | ||
*Protection stays with the documents | *Protection stays with the documents | ||
*Full featured logging and reporting | *Full featured logging and reporting | ||
| + | |||
| + | ==User Workflow== | ||
| + | *User logs into Azure Active Directory | ||
| + | *Azure RMS template applied | ||
| + | *User sends file to recipient | ||
| + | *Recipient opens document | ||
| + | *Rights are enforced | ||
| + | |||
| + | ==Benefits== | ||
| + | *Data us always protected and encrypted | ||
| + | *Cloud-based | ||
| + | *Integrated end user experience | ||
| + | *Security outside corporate network | ||
| + | *Centrally managed | ||
| + | *Part of O365 | ||
| + | |||
| + | ==User Roles== | ||
| + | *Global Administrator | ||
| + | *Super User | ||
| + | **Not Enabled by Default | ||
| + | *Enable-AadrmSuperUserFeature | ||
| + | *Add-AadrmSuperUser | ||
| + | *Get-AadrmSuperUser | ||
| + | |||
| + | ===Template Refresh=== | ||
| + | *%localappdata%\Microsoft\MSIPC\Templates | ||
| + | *Template refresh is every 7 days | ||
| + | HKEY_CURRENT_USER\Software\Classes\LocalSettings\Software\Microsoft\MSIPC\TemplateUpdateFrequency | ||
| + | *You can also force refresh through deleting the Templates folder and LastUpdateTime key from: | ||
| + | HKEY_CURRENT_USER\Software\Classes\LocalSettings\Software\Microsoft\MSIPC\<Server Name>\Template | ||
| + | *https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-custom-templates#BKMK_RefreshingTemplates | ||
| + | |||
| + | ===Logging=== | ||
| + | *Logs actions from users, administrators and Microsoft support | ||
| + | *Writes logs in W3C extended format into Azure storage account | ||
| + | *Log data available within 15 minutes of action | ||
| + | |||
| + | ===Reporting=== | ||
| + | *Usage | ||
| + | *Active users | ||
| + | *Types of devices | ||
| + | *Types of applications | ||
| + | *portal.azure.com or manage.windowsazure.com (Old Portal) | ||
| + | |||
| + | =RMS Pre-Requisites/Supported Clients)= | ||
| + | Overview: [https://docs.microsoft.com/en-us/information-protection/get-started/requirements Requirements for Azure Information Protection] | ||
| + | #RMS Application for Windows: [https://docs.microsoft.com/en-us/information-protection/rms-client/sharing-app-windows Rights Management Sharing Application for Windows] | ||
| + | ##Being deprecated on Jan 31st, 2019 with: [https://docs.microsoft.com/en-us/information-protection/rms-client/aip-client Azure Information Protection client for Windows] | ||
| + | [https://docs.microsoft.com/en-us/information-protection/rms-client/client-classify-protect#safely-share-a-file-with-people-outside-your-organization User Guide: Classify and protect a file or email by using Azure Information Protection] | ||
Revision as of 16:54, 21 December 2017
Getting Started with EMS
What is it?
- Azure AD
- SSO and identity platform for cloud and on-premises apps
- Microsoft Intune
- Cloud-based mobile device management platform
- Azure Rights Management
- Encryption and authorization polices for corporate data
Why do you care?
- Provides users with SSO with self service password reset and MFA
- Manage all user devices from a single pane using MDM and MAM solutions
- Protect corporate data outside your organization through encryption, authorization and identity policies
Benefits of EMS
- Short Term
- Authentication for mobile workforce. Data leakage. Ability to scale up and down dramatically.
- Long Term
- Lower TCO (Total Cost of Ownership). Walled garden security approach. SSO.
In Short
- Rise of Cloud Computing
- BYOD!
- Security Gaps
- Microsoft Enterprise Mobility Suite
What's Included with Microsoft Azure AD Premium?
Single Identity with write-back integration to on-premises AD
- Self-service password reset
- Including on-premises users
- Branding (Outlook on the web)
- Multi-factor authentication
- Including on-premises users
- SSO for SaaS applications
- Azure AD Application Proxy
- Compliance reporting and auditing
- Dynamic Groups
Self-service password reset
- Azure AD -> DMZ -> On-premises (AADConnect and AD DS)
Branding (Outlook on the web)
- Self-explanatory
- Change login picture upon login, and add custom text to bottom of page
Multi-factor authentication
- Second layer of security
- Something you know, have or are
- Various methods available
- Phone call
- SMS
- Mobile app notification
- Mobile app verification
- OATH tokens
SSO for SaaS applications
- Company application (Facebook/Twitter) is managed through SaaS, and can be reset using user's AD SSO
Azure AD Application Proxy
- Securely publish on-premises applications to the cloud
- Remote Access as a Service
- Uses a connector installed on-premises
- Incoming web traffic hits Azure AD
Compliance reporting and auditing
- Reports anomalous activity and more
Dynamic Groups
- Auto add users to different groups/memberships (I.E. Auto-add to Marketing/Sales)
Securing Devices Using Microsoft Intune
Microsoft Intune Features:
- MDM
- Application Deployment
- Store/Developed
- Wi-Fi * VPN Profiles
- Conditional Access
- Microsoft Mobile Application Management
Microsoft Intune Benefits:
- Device choice
- Management of Office mobile apps
- Data protection
- No on-premises infrastructure
- Enterprise integration
- Licensing options such as EMS
More info can be found here: https://www.microsoft.com/en-us/cloud-platform/roadmap
Taking a closer look into the Intune Architecture
Intune Architecture
- Cloud
- Verifiable domain name
- Intune subscription
- Devices to manage
Intune Hybrid with SCCM
- Connector
- One-way encrypted conversation to Intune
- Extensions
- Add new features in SCCM
- New extensions are rolled into SP's
- The old extensions will disappear
Things to consider before configuring Intune
- Check here before starting: https://docs.microsoft.com/en-us/intune/setup-steps
Configuring Client Enrollment
- End-User: Downloads Microsoft Intune Company Portal app and sign-in to account
- Upon downloading/installing, signing into your company account, it'll add the appropriate profile to the device
- Intune supports DEP (deploy.apple.com)
Azure Rights Management Service (RMS)
- Cloud service
- Suite of technology to protect and encrypt
- Polices allow identity, encryption and authorization
- Protection stays with the documents
- Full featured logging and reporting
User Workflow
- User logs into Azure Active Directory
- Azure RMS template applied
- User sends file to recipient
- Recipient opens document
- Rights are enforced
Benefits
- Data us always protected and encrypted
- Cloud-based
- Integrated end user experience
- Security outside corporate network
- Centrally managed
- Part of O365
User Roles
- Global Administrator
- Super User
- Not Enabled by Default
- Enable-AadrmSuperUserFeature
- Add-AadrmSuperUser
- Get-AadrmSuperUser
Template Refresh
- %localappdata%\Microsoft\MSIPC\Templates
- Template refresh is every 7 days
HKEY_CURRENT_USER\Software\Classes\LocalSettings\Software\Microsoft\MSIPC\TemplateUpdateFrequency
- You can also force refresh through deleting the Templates folder and LastUpdateTime key from:
HKEY_CURRENT_USER\Software\Classes\LocalSettings\Software\Microsoft\MSIPC\<Server Name>\Template
Logging
- Logs actions from users, administrators and Microsoft support
- Writes logs in W3C extended format into Azure storage account
- Log data available within 15 minutes of action
Reporting
- Usage
- Active users
- Types of devices
- Types of applications
- portal.azure.com or manage.windowsazure.com (Old Portal)
RMS Pre-Requisites/Supported Clients)
Overview: Requirements for Azure Information Protection
- RMS Application for Windows: Rights Management Sharing Application for Windows
- Being deprecated on Jan 31st, 2019 with: Azure Information Protection client for Windows
User Guide: Classify and protect a file or email by using Azure Information Protection