Difference between revisions of "Pluralsight"

From Max's Wiki
Latest revision as of 16:55, 21 December 2017

Getting Started with EMS

What is it?

  • Azure AD
    • SSO and identity platform for cloud and on-premises apps
  • Microsoft Intune
    • Cloud-based mobile device management platform
  • Azure Rights Management
    • Encryption and authorization policies for corporate data

Why do you care?

  • Provides users with SSO, self-service password reset and MFA
  • Manage all user devices from a single pane using MDM and MAM solutions
  • Protect corporate data outside your organization through encryption, authorization and identity policies

Benefits of EMS

  • Short Term
    • Authentication for a mobile workforce; control of data leakage; ability to scale up and down dramatically.
  • Long Term
    • Lower TCO (Total Cost of Ownership). Walled garden security approach. SSO.

In Short

  • Rise of Cloud Computing
  • BYOD!
  • Security Gaps
  • Microsoft Enterprise Mobility Suite

What's Included with Microsoft Azure AD Premium?

Single Identity with write-back integration to on-premises AD

  • Self-service password reset
    • Including on-premises users
  • Branding (Outlook on the web)
  • Multi-factor authentication
    • Including on-premises users
  • SSO for SaaS applications
  • Azure AD Application Proxy
  • Compliance reporting and auditing
  • Dynamic Groups

Self-service password reset

  • Password write-back flow: Azure AD -> DMZ -> On-premises (AADConnect and AD DS)

Branding (Outlook on the web)

  • Self-explanatory
    • Change the login page picture and add custom text to the bottom of the page

Multi-factor authentication

  • Second layer of security
  • Something you know, have or are
  • Various methods available
    • Phone call
    • SMS
    • Mobile app notification
    • Mobile app verification
    • OATH tokens

SSO for SaaS applications

  • Company SaaS application accounts (e.g. Facebook/Twitter) are managed centrally, and their passwords can be reset through the user's AD SSO

Azure AD Application Proxy

  • Securely publish on-premises applications to the cloud
  • Remote Access as a Service
  • Uses a connector installed on-premises
  • Incoming web traffic hits Azure AD

Compliance reporting and auditing

  • Reports anomalous activity and more

Dynamic Groups

  • Auto-add users to different groups/memberships (e.g. auto-add to Marketing/Sales)

Securing Devices Using Microsoft Intune

Microsoft Intune Features:

  • MDM
  • Application Deployment
    • Store/Developed
  • Wi-Fi & VPN Profiles
  • Conditional Access
  • Microsoft Mobile Application Management

Microsoft Intune Benefits:

  • Device choice
  • Management of Office mobile apps
  • Data protection
  • No on-premises infrastructure
  • Enterprise integration
  • Licensing options such as EMS

More info can be found here: https://www.microsoft.com/en-us/cloud-platform/roadmap

Taking a closer look into the Intune Architecture

Intune Architecture

  • Cloud
    • Verifiable domain name
    • Intune subscription
    • Devices to manage

Intune Hybrid with SCCM

  • Connector
    • One-way encrypted conversation to Intune
  • Extensions
    • Add new features in SCCM
  • New extensions are rolled into service packs (SPs)
    • The old extensions will disappear

Things to consider before configuring Intune

  • Check here before starting: https://docs.microsoft.com/en-us/intune/setup-steps

Configuring Client Enrollment

  • End-user: downloads the Microsoft Intune Company Portal app and signs in to their account
    • After installing the app and signing in with the company account, it adds the appropriate management profile to the device
  • Intune supports DEP (deploy.apple.com)

Azure Rights Management Service (RMS)

  • Cloud service
  • Suite of technology to protect and encrypt
  • Policies allow identity, encryption and authorization
  • Protection stays with the documents
  • Full featured logging and reporting

User Workflow

  • User logs into Azure Active Directory
  • Azure RMS template applied
  • User sends file to recipient
  • Recipient opens document
  • Rights are enforced

Benefits

  • Data is always protected and encrypted
  • Cloud-based
  • Integrated end user experience
  • Security outside corporate network
  • Centrally managed
  • Part of O365

User Roles

  • Global Administrator
  • Super User
    • Not enabled by default
    • Enable-AadrmSuperUserFeature
    • Add-AadrmSuperUser
    • Get-AadrmSuperUser
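
Added example, not from the original notes, showing how the super-user cmdlets above are used together: check and enable the feature, grant and audit the role, and remove it again, since a super user can decrypt everything the tenant protects. It assumes the AADRM PowerShell module is installed and you hold the Global Administrator role; the recovery mailbox name is a placeholder.

```powershell
# Added example (not from the original notes). The AADRM module has since been
# superseded by the AIPService module, whose cmdlets use the AipService prefix.
# Connect to Azure RMS (prompts for Global Administrator credentials).
Connect-AadrmService

# The super-user feature is disabled by default; check before changing anything.
$featureState = Get-AadrmSuperUserFeature
Write-Host "Super user feature: $featureState"

# Enable it only when a super user is actually needed (eDiscovery, data
# recovery), then grant the role to a named account.
# 'rms-recovery@contoso.example' is a placeholder account.
if ($featureState -ne 'Enabled') {
    Enable-AadrmSuperUserFeature
}
Add-AadrmSuperUser -EmailAddress 'rms-recovery@contoso.example'

# Audit: super users can open every document the tenant protects, so the list
# should stay short and be reviewed regularly.
$superUsers = Get-AadrmSuperUser
Write-Host "Current super users:"
$superUsers | ForEach-Object { Write-Host "  $_" }

# When the task is done, remove the account and disable the feature again so
# the decrypt-everything capability is not left standing.
Remove-AadrmSuperUser -EmailAddress 'rms-recovery@contoso.example'
Disable-AadrmSuperUserFeature
```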

Template Refresh

  • Templates are cached locally in %localappdata%\Microsoft\MSIPC\Templates
  • Template refresh is every 7 days; the interval is set by the registry value
    HKEY_CURRENT_USER\Software\Classes\LocalSettings\Software\Microsoft\MSIPC\TemplateUpdateFrequency
  • You can also force a refresh by deleting the Templates folder and the LastUpdateTime key from:
    HKEY_CURRENT_USER\Software\Classes\LocalSettings\Software\Microsoft\MSIPC\<Server Name>\Template
  • https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-custom-templates#BKMK_RefreshingTemplates
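
Added example, not from the original notes, that performs the forced template refresh described above on a local client. It assumes Windows PowerShell on the affected user's profile (both cache locations are per-user) and uses the LastUpdateTime value name exactly as these notes give it.

```powershell
# Added example (not from the original notes). Clears the local RMS template
# cache so the client re-downloads templates at next use. Run as the affected
# user, since both locations live under that user's profile.
$templateCache = Join-Path $env:LOCALAPPDATA 'Microsoft\MSIPC\Templates'
$msipcKey = 'HKCU:\Software\Classes\LocalSettings\Software\Microsoft\MSIPC'

# Show the configured refresh interval first (the notes give 7 days as default).
$freq = Get-ItemProperty -Path $msipcKey -Name 'TemplateUpdateFrequency' -ErrorAction SilentlyContinue
if ($freq) { Write-Host "TemplateUpdateFrequency = $($freq.TemplateUpdateFrequency)" }
else       { Write-Host "TemplateUpdateFrequency not set; client default applies" }

# 1. Remove the cached template files.
if (Test-Path $templateCache) {
    Remove-Item -Path $templateCache -Recurse -Force
    Write-Host "Removed $templateCache"
}

# 2. Remove the LastUpdateTime value under each server's Template key so the
#    client no longer treats its cache as current. <Server Name> differs per
#    tenant, so every subkey of MSIPC is visited.
Get-ChildItem -Path $msipcKey -ErrorAction SilentlyContinue | ForEach-Object {
    $templateKey = "$($_.PSPath)\Template"
    if (Test-Path $templateKey) {
        Remove-ItemProperty -Path $templateKey -Name 'LastUpdateTime' -ErrorAction SilentlyContinue
        Write-Host "Cleared LastUpdateTime under $($_.PSChildName)"
    }
}
# Templates are fetched again the next time an RMS-enabled app (e.g. Office) starts.
```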

Logging

  • Logs actions from users, administrators and Microsoft support
  • Writes logs in W3C extended format into Azure storage account
  • Log data available within 15 minutes of action

Reporting

  • Usage
  • Active users
  • Types of devices
  • Types of applications
  • portal.azure.com or manage.windowsazure.com (Old Portal)

RMS Pre-Requisites/Supported Clients

Overview: Requirements for Azure Information Protection (https://docs.microsoft.com/en-us/information-protection/get-started/requirements)

  1. RMS Application for Windows: Rights Management Sharing Application for Windows (https://docs.microsoft.com/en-us/information-protection/rms-client/sharing-app-windows)
    1. Being deprecated on Jan 31st, 2019, replaced by the Azure Information Protection client for Windows (https://docs.microsoft.com/en-us/information-protection/rms-client/aip-client)

User Guide: Classify and protect a file or email by using Azure Information Protection (https://docs.microsoft.com/en-us/information-protection/rms-client/client-classify-protect#safely-share-a-file-with-people-outside-your-organization)