Security "Bits"

O365 Native Security - Wanna get away?

By Rich Campagna | May 5, 2017 at 8:48 AM

In a previous blog post, I demystified Office 365 security licensing, illustrating that it is incredibly expensive and that you get only a small subset of what a real Cloud Access Security Broker (CASB) provides. But let’s say you decide to go down the path of using Microsoft’s built-in security functions for Office 365. All of the features are from the same platform, so it should be a snap to get up and running, correct? Not! Get ready for a dizzying array of PowerShell modules, consoles, configuration guides, policies and confusion. Here are the steps required to get a basic set of Office 365 security settings in place if you decide to go that route.

Spoiler alert: there’s a simpler route.

  1. Configure Azure AD
    1. Download and install the Azure AD Connect MSI
    2. Choose user sign-in method (password sync, pass-through, AD FS federation)
    3. Connect directories
    4. Set up domain, OU, user filtering and mapping
    5. Choose attributes to sync
    6. Sign in to the Azure classic portal
    7. Complete the “Add Domain” wizard
    8. Sign in to your domain name registrar
    9. Update the DNS zone file
    10. Verify the domain name in Azure AD
    11. Sign in to the Azure AD portal
    12. Select users to assign Azure AD Premium and/or Enterprise Mobility Suite licenses to
    13. Configure Azure AD administrator accounts
  2. Configure Intune
    1. Sign up for an Intune account (could take hours to provision, check back often)
    2. Set up Intune administrator roles and users
    3. Log in to the Office 365 portal as administrator
    4. Manually select each user account that you want to assign an Intune license to and select either Intune or Enterprise Mobility Suite
    5. Log in to Intune as administrator
    6. Create device group(s)
    7. Add device(s) to device group(s)
    8. Create user group(s)
    9. Add user(s) to user group(s)
    10. Configure device policies for iOS
    11. Configure device policies for Android
    12. Configure device policies for Windows
    13. Add apps to Intune
    14. Deploy apps to devices
    15. Customize the Intune user portal
    16. Enable device enrollment
    17. Set up iOS and Mac management
      1. Generate a Certificate Signing Request
      2. Log in to the Apple Push Certificates portal
      3. Download a certificate for Third Party Servers
      4. Return to the Intune admin portal and upload the APNs certificate
    18. Set up Android management
      1. Configure Android for Work binding
      2. Log in to Google as admin
      3. Provide organization details and choose Intune as MDM provider
      4. Set up Android for Work enrollment settings
    19. Set up Windows 10 and Windows 10 Mobile management
      1. Log in to the Azure portal
      2. Configure automatic MDM enrollment
      3. Create CNAMEs for the Autodiscover service in your company DNS
    20. Notify users to enroll devices in Intune
      1. Educate your users about Intune and privacy concerns
      2. iOS device enrollment
        1. Install the Intune app and sign in
        2. Agree to enrolling your device
        3. Agree to the privacy policy
        4. Enter PIN code and install profile
        5. Agree to the installation warning
        6. “Trust” remote management control by Intune
        7. Open the company portal app
        8. Complete company access setup
        9. Repeat for all iOS devices in the organization
      3. Mac device enrollment
        1. Log in to the company portal website
        2. Navigate to device enrollment
        3. Agree to IT control over the device
        4. Install the management profile
        5. Enter Mac user credentials
        6. Verify that you are okay with management control over the device
        7. Repeat for all Mac OS X devices in the organization
  3. Azure AD Identity Protection
    1. Log in to Azure as Global Administrator
    2. Navigate to the Azure Marketplace
    3. Create the Azure AD Identity Protection blade
  4. Configure O365 DLP policies in the Security & Compliance Center
    1. Log in to O365 as admin and go to the Admin center
    2. Navigate to Security & Compliance Center permissions and add user(s) to role groups
    3. Log in to the Security & Compliance Center
    4. Create and name a DLP policy from a template (custom policies will require additional configuration)
    5. Choose which Office 365 location(s) to apply the policy to (Exchange, SharePoint, etc.)
    6. Create conditions and actions for DLP policy matches
    7. Test DLP policies
  5. Configure Exchange Online mail flow/transport (DLP) rules
    1. Log in to the Exchange Online Admin Center
    2. Go to Mail Flow > Rules and create a new rule
    3. Configure the conditions under which the new rule applies
    4. Configure the actions taken on rule match
    5. Specify how rule match data is displayed in DLP reports and transport rule reports
    6. Set the enforcement mode for the rule
    7. Configure rule exceptions
  6. Configure device access rules to limit unmanaged device access
    1. Log in to the Office 365 Security & Compliance Center
    2. Go to Security Policies > Device security policies and create a new rule
    3. Configure requirements for device access (PIN, encryption, etc.)
    4. Decide whether to allow or block non-compliant devices
    5. Apply device access rules to one or more security groups
    6. Verify the policy
    7. Block ActiveSync access from devices not managed by Intune (note that you can’t do this for other MDM platforms)
    8. Create and manage security group exception lists
  7. Take a 2 week vacation - you need it!
  8. Return from vacation
  9. Configure Cloud App Security
    1. Log in to the Cloud App Security portal
    2. Customize the Cloud App Security portal
      1. Personalize the portal
      2. Configure managed domains
      3. Add additional Cloud App Security admins
      4. Customize admin settings
      5. Set IP ranges for corporate locations
      6. Configure Single Sign-on with Azure AD (not available for more common IDaaS platforms)
    3. Import user groups from Azure AD or Office 365
    4. Configure Cloud Discovery
      1. Deploy a VMware or Hyper-V virtual machine
      2. Configure the log collector for device source(s) (firewalls, proxies, etc.)
      3. Manually compare sample data to the device log format to ensure a match. If there is no match, create a custom format
      4. Download the configured log collector to the virtual machine
      5. Install the collector on the virtual machine
      6. SSH into the machine and configure network and other settings
      7. Configure firewalls and/or proxies to export Syslog data to the log collector
      8. Check connectivity in the Cloud App Security portal
    5. Connect apps to be monitored via API
      1. Log in to each app as admin and whitelist the Cloud App Security IP addresses
      2. In Connected Apps, add Office 365
      3. Repeat for additional cloud application(s) as desired
    6. Control cloud usage via policies
      1. Create activity policies
        1. Configure activity filters
        2. Configure activity match parameters
        3. Configure actions and alerts
      2. Create anomaly detection policies
        1. Configure whether to apply to all or selected activities
        2. Configure risk factors
      3. Create file policies
        1. Configure which connected apps will trigger the policy
        2. Select folder(s) to which policy applies
        3. Use Regex engine or policy templates to configure DLP match criteria (note: these are entirely separate from Security & Compliance Center DLP policies configured earlier)
        4. Select content inspection/DLP methods
        5. Configure governance actions to take on DLP match (note: the only action you can typically take is to suspend the user’s account entirely on DLP match. This is a non-starter for most organizations)
  10. If you make it this far, Microsoft will put your name on a plaque in their HQ
  11. Configure anti-malware policies
    1. Log in to the Exchange Admin Center
    2. Create a new anti-malware policy
    3. Configure malware detection response actions
    4. Choose file types on which to apply malware detection
    5. Configure notification settings
    6. Choose users/groups for which to apply malware scanning
  12. Optional additional configurations:
    1. Integrate Azure Information Protection
    2. Integrate with an on-premises SIEM
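Several of the steps above do not have to be clicked through: the Security & Compliance Center DLP policy (step 4), the Exchange Online mail flow rule (step 5) and the anti-malware policy (step 11) can all be scripted. The PowerShell below is an added example, not code from the original post or from Microsoft; it assumes the ExchangeOnlineManagement module is installed and that the admin account can connect to both the Exchange Online and the Security & Compliance endpoints. Policy names, the admin UPN, the domain and the blocked extensions are constructed sample values.

```powershell
# Added example: script steps 4, 5 and 11 from the list above.
# Assumes the ExchangeOnlineManagement module; all names/values are constructed samples.
Import-Module ExchangeOnlineManagement

$admin = "admin@contoso.example"   # placeholder admin UPN

# --- Step 4: Security & Compliance Center DLP policy -----------------------
# This engine is separate from the Exchange mail flow rules below, and it
# needs its own session (Connect-IPPSSession, not Connect-ExchangeOnline).
Connect-IPPSSession -UserPrincipalName $admin

New-DlpCompliancePolicy -Name "Sample-PII-External" `
    -Comment "Detect US SSNs shared outside the organization" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications    # step 4.7: start in test mode, switch to Enable once tuned

New-DlpComplianceRule -Name "Sample-PII-External-Rule" -Policy "Sample-PII-External" `
    -ContentContainsSensitiveInformation @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" } `
    -AccessScope NotInOrganization `
    -BlockAccess $true -NotifyUser Owner `
    -GenerateIncidentReport "dlp-alerts@contoso.example"

# --- Step 5: Exchange Online mail flow (transport) rule --------------------
Connect-ExchangeOnline -UserPrincipalName $admin -ShowBanner:$false

New-TransportRule -Name "Sample-Block-Executable-Attachments" `
    -AttachmentExtensionMatchesWords "exe","js","vbs","scr" `
    -RejectMessageReasonText "Executable attachments are not permitted." `
    -SetAuditSeverity High `
    -Mode Enforce `
    -Comments "Step 5: reject executable attachments; audit severity feeds the transport rule reports"

# --- Step 11: anti-malware policy scoped to one recipient domain -----------
New-MalwareFilterPolicy -Name "Sample-Malware-Policy" `
    -Action DeleteMessage `
    -EnableFileFilter $true -FileTypes "exe","js","vbs","scr" `
    -EnableInternalSenderAdminNotifications $true -InternalSenderAdminAddress $admin

New-MalwareFilterRule -Name "Sample-Malware-Rule" -MalwareFilterPolicy "Sample-Malware-Policy" `
    -RecipientDomainIs "contoso.example"

# Sanity check before leaving test mode: confirm what actually exists in the tenant
Get-DlpCompliancePolicy "Sample-PII-External" | Format-List Name,Mode,ExchangeLocation
Get-TransportRule "Sample-Block-Executable-Attachments" | Format-List Name,State,Mode
Get-MalwareFilterRule "Sample-Malware-Rule" | Format-List Name,State,MalwareFilterPolicy

Disconnect-ExchangeOnline -Confirm:$false   # closes both the EXO and the compliance session
```

Run it as an account holding both the Exchange Online and Security & Compliance role groups from step 4.2; the DLP policy is created in test mode on purpose so that step 4.7 (test the policy) happens before anything is blocked.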


Wanna get away? Try Bitglass.