In a previous blog post, I demystified Office 365 security licensing, showing that it is incredibly expensive and that you get only a small subset of what a real Cloud Access Security Broker (CASB) provides. But let’s say you decide to go down the path of using Microsoft’s built-in security functions for Office 365. All of the features come from the same platform, so it should be a snap to get up and running, correct? Not! Get ready for a dizzying array of PowerShell scripts, consoles, configuration guides, policies and confusion. Here are the steps required to get a basic set of Office 365 security settings in place if you decide to go that route.
Spoiler alert: there’s a simpler route.
- Configure Azure AD
  - Download and install the Azure AD Connect MSI
    - Choose the user sign-in method (password sync, pass-through authentication, or AD FS federation)
    - Connect directories
    - Set up domain, OU, and user filtering and mapping
    - Choose attributes to sync
  - Sign in to the Azure classic portal
    - Complete the “Add Domain” wizard
  - Sign in to your domain name registrar
    - Update the DNS zone file
  - Verify the domain name in Azure AD
  - Sign in to the Azure AD portal
    - Select the users to assign Azure AD Premium and/or Enterprise Mobility Suite licenses to
    - Configure Azure AD administrator accounts
- Configure Intune
  - Sign up for an Intune account (provisioning can take hours; check back often)
  - Set up Intune administrator roles and users
  - Log in to the Office 365 portal as an administrator
    - Manually select each user account you want to assign an Intune license to and choose either Intune or Enterprise Mobility Suite
  - Log in to Intune as an administrator
    - Create device group(s)
    - Add device(s) to device group(s)
    - Create user group(s)
    - Add user(s) to user group(s)
    - Configure device policies for iOS
    - Configure device policies for Android
    - Configure device policies for Windows
    - Add apps to Intune
    - Deploy apps to devices
    - Customize the Intune user portal
    - Enable device enrollment
  - Set up iOS and Mac management
    - Generate a certificate signing request
    - Log in to the Apple Push Certificates portal
    - Download a certificate for third-party servers
    - Return to the Intune admin portal and upload the APNs certificate
  - Set up Android management
    - Configure the Android for Work binding
      - Log in to Google as an admin
      - Provide organization details and choose Intune as the MDM provider
    - Set up Android for Work enrollment settings
  - Set up Windows 10 and Windows 10 Mobile management
    - Log in to the Azure portal
    - Configure automatic MDM enrollment
    - Create CNAME records for the Autodiscover service in your company DNS
  - Notify users to enroll their devices in Intune
  - Educate your users about Intune and privacy concerns
  - iOS device enrollment
    - Install the Intune app and sign in
    - Agree to enrolling the device
    - Agree to the privacy policy
    - Enter the PIN code and install the profile
    - Agree to the installation warning
    - “Trust” remote management control by Intune
    - Open the Company Portal app
    - Complete company access setup
    - Repeat for all iOS devices in the organization
  - Mac device enrollment
    - Log in to the Company Portal website
    - Navigate to device enrollment
    - Agree to IT control over the device
    - Install the management profile
    - Enter Mac user credentials
    - Verify that you are okay with management control over the device
    - Repeat for all Mac OS X devices in the organization
- Azure AD Identity Protection
  - Log in to Azure as a Global Administrator
  - Navigate to the Azure Marketplace
  - Create the Azure AD Identity Protection blade
- Configure O365 DLP policies in the Security & Compliance Center
  - Log in to O365 as an admin and go to the Admin center
  - Navigate to Security & Compliance Center permissions and add user(s) to role groups
  - Log in to the Security & Compliance Center
  - Create and name a DLP policy from a template (custom policies require additional configuration)
  - Choose which Office 365 location(s) the policy applies to (Exchange, SharePoint, etc.)
  - Create conditions and actions for DLP policy matches
  - Test the DLP policies
- Configure Exchange Online mail flow/transport (DLP) rules
  - Log in to the Exchange Online Admin Center
  - Go to Mail Flow > Rules and create a new rule
  - Configure the conditions under which the new rule applies
  - Configure the actions taken on a rule match
  - Specify how rule match data is displayed in DLP reports and transport rule reports
  - Set the enforcement mode for the rule
  - Configure rule exceptions
- Configure device access rules to limit unmanaged device access
  - Log in to the Office 365 Security & Compliance Center
  - Go to Security Policies > Device security policies and create a new rule
  - Configure requirements for device access (PIN, encryption, etc.)
  - Decide whether to allow or block non-compliant devices
  - Apply the device access rules to one or more security groups
  - Verify the policy
  - Block ActiveSync access from devices not managed by Intune (note that you can’t do this for other MDM platforms)
  - Create and manage security group exception lists
- Take a two-week vacation - you need it!
- Return from vacation
- Configure Cloud App Security
  - Log in to the Cloud App Security portal
  - Customize the Cloud App Security portal
    - Personalize the portal
    - Configure managed domains
    - Add additional Cloud App Security admins
    - Customize admin settings
    - Set IP ranges for corporate locations
    - Configure single sign-on with Azure AD (not available for more common IDaaS platforms)
    - Import user groups from Azure AD or Office 365
  - Configure Cloud Discovery
    - Deploy a VMware or Hyper-V virtual machine
    - Configure the log collector for your device source(s) (firewalls, proxies, etc.)
    - Manually compare sample data to the device log format to ensure a match; if there is no match, create a custom format
    - Download the configured log collector to the virtual machine
    - Install the collector on the virtual machine
    - SSH into the machine and configure network and other settings
    - Configure firewalls and/or proxies to export syslog data to the log collector
    - Check connectivity in the Cloud App Security portal
  - Connect apps to be monitored via API
    - Log in to each app as an admin and whitelist the Cloud App Security IP addresses
    - In Connected Apps, add Office 365
    - Repeat for additional cloud application(s) as desired
  - Control cloud usage via policies
    - Create activity policies
    - Create anomaly detection policies
    - Create file policies
      - Configure which connected apps will trigger the policy
      - Select the folder(s) to which the policy applies
      - Use the regex engine or policy templates to configure DLP match criteria (note: these are entirely separate from the Security & Compliance Center DLP policies configured earlier)
      - Select content inspection/DLP methods
      - Configure governance actions to take on a DLP match (note: the only action you can typically take is to suspend the user’s account entirely on a DLP match, which is a non-starter for most organizations)
  - If you make it this far, Microsoft will put your name on a plaque in their HQ
- Configure anti-malware policies
  - Log in to the Exchange Admin Center
  - Create a new anti-malware policy
  - Configure malware detection response actions
  - Choose the file types on which to apply malware detection
  - Configure notification settings
  - Choose the users/groups for which to apply malware scanning
  - Optional additional configurations:
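Two of the procedures above, the Exchange Online mail flow (DLP) rule and the anti-malware policy, can be scripted instead of clicked through. This is an added example and not code from the original post or from Microsoft; it assumes the ExchangeOnlineManagement module, and the tenant domain contoso.com, the compliance mailbox, the admin UPN and the exception group are placeholders to replace with your own.

```powershell
# Added example (not from the original post). Placeholders: contoso.com,
# admin@contoso.com, compliance@contoso.com, legal-dlp-exceptions@contoso.com.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# Mail flow (transport) rule, mapping the steps above:
#   condition  = outbound mail containing a credit card number
#   action     = reject with a reason text
#   reporting  = incident report to the compliance mailbox, audit severity High
#   exception  = members of a named group
#   mode       = Audit first, so the rule logs matches without blocking anything
New-TransportRule -Name "DLP - Block outbound credit card numbers" `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @{ Name = "Credit Card Number"; minCount = "1" } `
    -RejectMessageReasonText "Message blocked: it appears to contain payment card data." `
    -GenerateIncidentReport compliance@contoso.com `
    -IncidentReportContent Sender, Recipients, Subject, Severity `
    -SetAuditSeverity High `
    -ExceptIfFromMemberOf legal-dlp-exceptions@contoso.com `
    -Mode Audit `
    -Comments "Created $(Get-Date -Format s); review incident reports before enforcing"

# Check the rule state, then flip the enforcement mode once the audit period is over.
Get-TransportRule | Format-Table Name, Priority, Mode, State
Set-TransportRule -Identity "DLP - Block outbound credit card numbers" -Mode Enforce

# Anti-malware policy: delete infected messages, block a list of executable
# attachment types (this list replaces the default one), notify the compliance
# mailbox when an internal sender is blocked, and scope the policy to the tenant.
New-MalwareFilterPolicy -Name "Tenant anti-malware" `
    -Action DeleteMessage `
    -EnableFileFilter $true `
    -FileTypes exe, scr, js, vbs, hta, ps1 `
    -EnableInternalSenderAdminNotifications $true `
    -InternalSenderAdminAddress compliance@contoso.com

# A policy does nothing until a rule binds it to recipients.
New-MalwareFilterRule -Name "Tenant anti-malware" `
    -MalwareFilterPolicy "Tenant anti-malware" `
    -RecipientDomainIs contoso.com `
    -Priority 0

Disconnect-ExchangeOnline -Confirm:$false
```

Both objects are tenant-wide settings, so run this from an account that holds the Organization Management or Compliance Management role, and keep the transport rule in Audit mode until the incident reports show no false positives.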
Wanna get away? Try Bitglass.