
Security and privacy of data is the top priority of every organization.

We believe the product needs to be smart about delivering the right level of security
without compromising users' productivity.

Use case: differentiated access based on the user, the device, the location and the sensitivity of the data.

Security, usability and data sensitivity

Example: if a user is trying to access a document that contains critical intellectual property of the organization,
it makes sense to ask for an additional form of authentication, or even to block access from an
unmanaged device.

On the other hand, if the user is trying to access low-sensitivity data, say a personal itinerary, it makes no sense
to block the access.

Security should be evaluated in real time, at the point of access, depending on:

- Who you are, and what your level of access is
- How you are accessing: a managed device or an unmanaged device? A managed app, a browser, or a kiosk?
- Where you are coming from: a trusted network, the corporate network, an expected location or an unexpected
location?
- What the sensitivity of the data you are trying to access is

The security of SharePoint, OneDrive and Teams needs to be smart enough to understand all of these aspects.

Use case

1. A user at home uses a personal iPhone, not managed by the organization, to access data stored in
OneDrive for Business. Even though the device is not managed by the organization, the app can be managed by
the organization by applying app-level security.

Q - How to manage the OneDrive, SharePoint and Teams mobile apps?

Solution - this can be protected using a MAM (app protection) policy:

 Intune admin portal > Apps > App protection policies (Android/iOS policy): choose the user groups the policy
is assigned to, the targeted apps and the settings
 Restrict cut, copy and paste with other apps
 Require a simple PIN for access: Yes/No
 Recheck the access requirements: timeout after one minute

When the user logs in to the OneDrive for Business app on the mobile, it prompts the message "Your IT department
protects company data in this app".

It then asks for the PIN to access the data.

2. A user tries to copy content from files and paste it into an email: this is restricted.

The user can only share files from the OneDrive app by using the "invite people" option, within the
organization.

3. If the user tries to send a sensitive document using the share option, it is prevented.

Q - How to set up differentiated policy based on the sensitivity of the data within OneDrive and SharePoint?

Solution - we can protect it using the Office 365 Security & Compliance portal (protection.office.com): click Data loss
prevention > Policy.

At the work location, using a fully managed work device (a laptop):

The user opens OneDrive; if a document is marked as sensitive, it is restricted from being sent for
external collaboration.

In another scenario, the user attaches a document to an email without knowing whether it is sensitive or not.
When the user hits send, if the document is sensitive the user will not be able to send it, because of the
organization's policy.

Users are prevented from sending sensitive information.

External email addresses are prevented from receiving data shared through OneDrive.


To view the audit log and see all the activity that happened on the tenant, use the audit log search.

You can filter to check activity on sensitive data and which users performed it.
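The DLP policy described above, plus the audit-log check, written in Security & Compliance PowerShell as an added example that is not part of the original notes. It assumes the ExchangeOnlineManagement module, uses the built-in "Credit Card Number" sensitive information type as a stand-in for the organization's own IP classifier, and the policy name is a placeholder; the AuditData field names used in the verification step are an assumption to check against a real record.

```powershell
# Added example: DLP policy for SharePoint, OneDrive and Exchange that blocks sharing of
# sensitive content with anyone outside the organization, then lists rule matches from the audit log.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession        # Security & Compliance PowerShell (New-DlpCompliancePolicy/Rule)
Connect-ExchangeOnline     # needed for Search-UnifiedAuditLog

$policyName = "Block external sharing of sensitive IP"   # assumed name

# Policy scope: all SharePoint sites, all OneDrive accounts, all mailboxes. Start in
# TestWithNotifications if you want policy tips without blocking during rollout.
New-DlpCompliancePolicy -Name $policyName `
    -SharePointLocation All -OneDriveLocation All -ExchangeLocation All `
    -Mode Enable

# Rule: content contains the sensitive information type AND is shared with people outside
# the organization -> block access and tell the owner/last modifier why.
New-DlpComplianceRule -Name "$policyName - rule" -Policy $policyName `
    -ContentContainsSensitiveInformation @(@{ Name = "Credit Card Number"; minCount = "1" }) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText "This item contains sensitive data and cannot be shared outside the organization."

# Verification: DLP rule matches in SharePoint/OneDrive over the last 7 days.
$dlpHits = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -RecordType ComplianceDLPSharePoint -Operations DlpRuleMatch -ResultSize 500

$dlpHits | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time   = $_.CreationDate
        User   = $_.UserIds
        Policy = ($d.PolicyDetails | Select-Object -First 1).PolicyName   # assumed field names
        Item   = $d.SharePointMetaData.FilePathUrl
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize
```

`-AccessScope NotInOrganization` is what makes the rule differentiated: the same document can still be shared internally, and only the external share is blocked. If the requirement is to block internal sharing of the most sensitive class as well, create a second rule on a stricter classifier with `-AccessScope None` omitted and `-BlockAccess $true`.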

Another use case - remotely terminate the sessions of a user

A user reports that she lost her laptop, which she left in a taxi. As an admin you can terminate all of her active
SharePoint and OneDrive sessions.

Solution - start the SharePoint Online Management Shell and run a single command:

Revoke-SPOUserSession -User sara@sharepoint.onmicrosoft.com
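Revoking the SharePoint session on its own leaves the user's Azure AD refresh tokens valid, so the laptop can quietly reacquire tokens for Teams, Exchange and everything else. The following is an added example, not part of the original notes, of the fuller lost-device response; it assumes the SharePoint Online Management Shell and Microsoft.Graph modules, and the tenant name, user principal name and the Intune wipe request body are placeholders/assumptions.

```powershell
# Added example: lost-laptop response. Order matters: cut SharePoint sessions, reset the
# password (the thief may know it), revoke every refresh token, then wipe the device if enrolled.
$tenant = "contoso"                          # assumed tenant name
$user   = "sara@contoso.onmicrosoft.com"     # assumed UPN

# 1. SharePoint/OneDrive: sign the user out of every browser/app session (takes effect within minutes)
Connect-SPOService -Url "https://$tenant-admin.sharepoint.com"
Revoke-SPOUserSession -User $user -Confirm:$false

Connect-MgGraph -Scopes "User.ReadWrite.All", "DeviceManagementManagedDevices.PrivilegedOperations.All",
                        "DeviceManagementManagedDevices.Read.All"

# 2. Reset the password and force a change at next sign-in (random temporary value)
Update-MgUser -UserId $user -PasswordProfile @{
    ForceChangePasswordNextSignIn = $true
    Password                      = [guid]::NewGuid().ToString()
}

# 3. Azure AD: invalidate all refresh tokens and session cookies so every client must re-authenticate
Revoke-MgUserSignInSession -UserId $user | Out-Null

# 4. Intune: remote wipe any enrolled Windows device belonging to the user
$devices = Get-MgDeviceManagementManagedDevice -Filter "userPrincipalName eq '$user' and operatingSystem eq 'Windows'"
foreach ($d in $devices) {
    Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$($d.Id)/wipe" `
        -Body '{"keepEnrollmentData": false, "keepUserData": false}' -ContentType "application/json"
    "Wipe issued for $($d.DeviceName) ($($d.Id))"
}
if (-not $devices) { "No enrolled Windows device found for $user; rely on steps 1-3 and BitLocker" }
```

Access tokens already issued stay valid until they expire (typically up to an hour) unless the app supports Continuous Access Evaluation, so the wipe and the disk encryption on the device are what actually protect data already synced to it.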

Security recommendations for the MS Teams, SharePoint and OneDrive apps


Teams settings

Guest access - calling

Guest access
Make private calls

External access

Recommendation

1. Disable the guest access service for MS Teams, which is ON by default, unless there is a business need; if guests are kept, restrict what they can do (private calling) and limit external access to named partner domains.
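The Teams recommendation applied with the MicrosoftTeams PowerShell module, as an added example that is not part of the original notes. The partner domain is a placeholder; the cmdlets and parameter names are the documented ones for tenant-wide Teams client, guest calling and federation settings.

```powershell
# Added example: lock down Teams guest and external access tenant-wide, then read back the result.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# Guest access: the recommendation is to turn it off entirely...
Set-CsTeamsClientConfiguration -Identity Global -AllowGuestUser $false

# ...or, if guests must stay, at least stop them making private calls.
Set-CsTeamsGuestCallingConfiguration -Identity Global -AllowPrivateCalling $false

# External access (federation): replace open federation with an allow-list of partner domains
# and block chats from consumer Teams and Skype accounts.
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
    -AllowedDomainsAsAList @("partner.example.com") `
    -AllowTeamsConsumer $false -AllowPublicUsers $false

# Verify the effective settings
Get-CsTeamsClientConfiguration -Identity Global | Select-Object AllowGuestUser
Get-CsTeamsGuestCallingConfiguration -Identity Global | Select-Object AllowPrivateCalling
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer, AllowPublicUsers
```

Note that `AllowGuestUser $false` only stops guests using Teams; the Azure AD B2B invitation settings and SharePoint external sharing settings govern whether guests can be invited and can open files at all, so all three need to agree.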

Office 365 Cloud App Security

Take advantage of features such as:

 Behavioral analytics (UEBA) - detect, investigate, and remediate advanced threats such as compromised users, insider threats, exfiltration, and ransomware using machine learning
 Productivity app discovery - identify shadow IT and gain visibility into how Office 365 and other productivity cloud services are used in your organization
 OAuth apps - detect malicious apps, identify over-privileged apps, investigate and control suspicious apps in your Office 365 environment
 Conditional Access App Control - real-time session monitoring and control for your Office 365 apps

Advanced Threat Protection (ATP, now Microsoft Defender for Office 365) - detects and blocks user access to malicious
content in Teams. ATP also wards off malicious files in SharePoint and OneDrive for Business, the
platforms that power the file-storage and file-sharing services in Teams. Make sure that you turn on ATP (Safe Attachments)
for SharePoint, OneDrive and Teams.
Automated information labeling - to ensure that your DLP policy actions are applied correctly, you
need to accurately classify and label the data shared in Teams, which requires an automated data
discovery and classification solution with high precision.

Can activity in Microsoft Teams be monitored?

Yes. You can use the following out-of-the-box features to monitor activity and usage in
Teams:

 Supervision policies
 Analytics & reports in the Microsoft Teams admin center
 Reports > Usage in the Microsoft 365 admin center
 Microsoft 365 usage analytics in Power BI

MS Teams, OneDrive and SharePoint store critical data. Corporate devices, i.e. managed Windows machines,
should get full access. From unmanaged devices, such as a personal mobile or personal laptop, users should still
be able to reach these apps without hurting their productivity, but with limited access: restrict copy/paste
and do not allow the user to download the data. This way we prevent data
exfiltration.

Defender for Endpoint / MCAS

These are the points that need to be made:

Differentiate between corporate-owned and personal devices.

This way we secure the corporate device, i.e. the Windows machine, and restrict access to resources from
personally owned devices without hurting user productivity, because users can still access the resources
through the browser, while copy, paste and download of content are limited.
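The "limited, web-only access from unmanaged devices" control for SharePoint and OneDrive has two halves, and the following added example (not part of the original notes) shows both: the SharePoint tenant setting that turns on the no-download browser experience, and the Conditional Access policy that makes Azure AD pass app-enforced restrictions to SharePoint. It assumes the SharePoint Online Management Shell and Microsoft.Graph modules, a placeholder tenant and group name, and the well-known Office 365 SharePoint Online first-party application ID (verify it against the service principals in your tenant).

```powershell
# Added example: full access from managed (compliant or hybrid-joined) devices, browser-only
# access with no download/print/sync from everything else.
$tenant = "contoso"   # assumed
Connect-SPOService -Url "https://$tenant-admin.sharepoint.com"

# AllowLimitedAccess = web-only experience on unmanaged devices.
# Alternatives: AllowFullAccess (default) or BlockAccess.
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess

# Optional: restrict which file types even get a web preview on unmanaged devices
# (OfficeOnlineFilesOnly | WebPreviewableFiles | OtherFiles).
Set-SPOTenant -LimitedAccessFileType OfficeOnlineFilesOnly

# The matching Conditional Access policy: for browser sign-ins to SharePoint Online, tell the
# app to enforce its own restrictions. SharePoint reads the device state claims in the token
# and only relaxes the restrictions for compliant / hybrid Azure AD joined devices.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Group.Read.All"
$group = Get-MgGroup -Filter "displayName eq 'All-Employees'"   # assumed group
if (-not $group) { throw "Group All-Employees not found" }

$policy = @{
    displayName = "App-enforced restrictions for SharePoint/OneDrive from unmanaged devices"
    state       = "enabled"
    conditions  = @{
        users          = @{ includeGroups = @($group.Id) }
        applications   = @{ includeApplications = @("00000003-0000-0ff1-ce00-000000000000") }  # Office 365 SharePoint Online
        clientAppTypes = @("browser")
    }
    sessionControls = @{
        applicationEnforcedRestrictions = @{ isEnabled = $true }
    }
}
$ca = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created $($ca.DisplayName) ($($ca.Id))"

# Read back the SharePoint side
Get-SPOTenant | Select-Object ConditionalAccessPolicy, LimitedAccessFileType
```

Setting the same option through the SharePoint admin center creates the Conditional Access policy automatically; doing it in PowerShell means creating the policy explicitly, as above. Rich clients (the sync client, Office desktop) on unmanaged devices are blocked outright by this mode rather than limited, which is usually the intent.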

Microsoft 365 = Office 365 + Windows endpoint + EMS

MCAS is not included in Office 365 E5 (it comes with Microsoft 365 E5 / EMS E5 or as a standalone license); OCAS (Office 365 Cloud App Security) is the Office 365-only subset and comes with Office 365 E5.


OCAS is limited to Office 365.

E3 - Conditional Access (Azure AD Premium P1 is included in Microsoft 365 E3); OCAS is not included in E3.


Assessment of the customer's environment to find the loopholes

On-prem environment - Azure ATP / Defender for Identity to protect the domain controllers


Cloud environment - Azure AD Identity Protection and MCAS
Defender for Office 365 - Safe Attachments / Safe Links, anti-phishing

Probing comes first, before proposing a solution.

Who are guest users in Microsoft 365?

A guest is any external user who has been granted permission by the owner of a
Microsoft 365 group to participate in group conversations, calendar invitations, file
sharing and notebook activities. Microsoft 365 guest users are the same as Office 365
guest users.

What is external sharing in Microsoft 365?

External sharing refers to the ability of SharePoint Online and OneDrive users to share
access links to files and folders with external users. SharePoint site owners can also share
site access with external users.

How do I get a list of guest users in my Microsoft 365 tenant?

You can either:

 Visit the Guests page in the Microsoft 365 admin center.


 Use PowerShell and run a script that systematically uses the Get-AzureADUser cmdlet (or its Microsoft Graph equivalent, Get-MgUser) and outputs the list of guest users to a CSV file.
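The guest-export script the answer refers to, as an added example that is not part of the original notes. It uses Microsoft Graph PowerShell because the AzureAD module has been retired; it assumes the Microsoft.Graph module and an Azure AD P1 license (required for the sign-in activity property), and the output path and the 90-day staleness threshold are placeholders.

```powershell
# Added example: export every guest user to CSV and flag stale guests for review.
Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All"

# -ConsistencyLevel eventual is required when combining a filter with -CountVariable.
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property Id, DisplayName, UserPrincipalName, Mail, CreatedDateTime, ExternalUserState, SignInActivity `
    -ConsistencyLevel eventual -CountVariable guestCount

$report = $guests | Select-Object DisplayName, UserPrincipalName, Mail, CreatedDateTime, ExternalUserState,
    @{ Name = "LastSignIn"; Expression = { $_.SignInActivity.LastSignInDateTime } },
    @{ Name = "HomeTenantDomain"; Expression = { ($_.Mail -split "@")[-1] } }

$report | Sort-Object CreatedDateTime | Export-Csv -Path ".\guest-users.csv" -NoTypeInformation
"Exported $guestCount guest accounts to guest-users.csv"

# Stale guests: invite never redeemed, never signed in, or no sign-in for 90 days.
# These are removal candidates; each one is a standing external identity with access to shared content.
$stale = $report | Where-Object {
    $_.ExternalUserState -eq "PendingAcceptance" -or
    (-not $_.LastSignIn) -or
    $_.LastSignIn -lt (Get-Date).AddDays(-90)
}
"$($stale.Count) of $guestCount guests look stale:"
$stale | Format-Table DisplayName, UserPrincipalName, ExternalUserState, LastSignIn -AutoSize
```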
How do I find out which external users have access to SharePoint Online?

Download the SharePoint Search Query Tool and follow the process described in
this Microsoft support article to get a list of all the resources external users have access
to.

Can I limit external sharing of files in Microsoft 365?

Yes, you can turn off external sharing completely for your organization. There are also
ways to limit external sharing. For example, you can:
 Only share to Azure AD guests who provide valid authentication credentials
 Configure file-sharing links with view-only permissions
 Block users in specific network domains from receiving sharing invitations
How do I manage external sharing in Microsoft 365?

As a global admin or SharePoint admin, you can manage external sharing using
PowerShell or any of the following portals:

 SharePoint admin center


 Microsoft 365 admin center
 OneDrive admin center
 Azure Portal

A minimum of an Azure AD Premium P1 license is required for Conditional Access.

Privileged Identity Management and Identity Protection come under Azure AD Premium P2 licenses.

Use Cases

Retail employees working on an hourly basis. The requirement is that when employees are off work
they should not be able to access MS Teams or its data; when they are back at work they should be able to
access the data in MS Teams again. This requirement applies to all platforms: Windows, mobile, Mac and web
browsers.

Based on the requirement and an understanding of the capabilities of Conditional Access, they came up with the
following design and configuration.

Design Notes

- All employees are part of a security group, and the Conditional Access policy is applied to that security group
- The policy applies only to the MS Teams app and includes all platforms
- The policy applies to any location (IP address), but locations with trusted IPs are excluded
- The policy applies to browser, mobile apps and desktop clients
- Sign-in risk is not configured
- The access control is set to Block; require MFA, device compliance etc. are not configured
- Session controls are not configured
- Employees connect to the guest Wi-Fi network while in the store, so the guest Wi-Fi egress IP range is what must be marked as the trusted location

Solution -

Let's deploy this solution:


1. First assign licenses to the users and add them to the security group
2. Launch the Azure AD admin center (aad.portal.azure.com) and click Azure AD > Azure Active
Directory
3. Next, find the Security category and click Conditional Access to create a Conditional Access policy
4. Give the policy a name, then click Users and groups. Under the Include tab select the "Select users and groups"
radio button and choose the security group. If any user should be exempted, click Exclude and add the users
5. Cloud apps - search for and select the Microsoft Teams app and click Done
6. Conditions - click Device platforms and select All platforms
7. Still in the Conditions blade, click Locations > Configure: Yes. In the Include tab click Any location, and in the
Exclude tab check All trusted IPs

Note - you must configure the store's IP subnet as a trusted named location for MS Teams to remain reachable in the store. Adding the
subnet tells Conditional Access to exclude any authentication attempt coming from that subnet.

8. Client apps - select Browser, and Mobile apps and desktop clients


9. Access controls - click Grant, select the Block access radio button, and at the bottom click
Select
10. Set Enable policy to On (or Report-only first, to review the sign-ins it would block) and click Create
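The same policy built with Microsoft Graph PowerShell instead of the portal steps above, as an added example that is not part of the original notes. It assumes the Microsoft.Graph module; the group name, store subnet and policy name are placeholders, and the Microsoft Teams application ID used below is the well-known first-party ID, which should be checked against the Teams service principal in your tenant.

```powershell
# Added example: trusted named location for the store egress IPs, then a Conditional Access
# policy that blocks Teams (all platforms, browser + rich clients) for the retail group from
# anywhere except trusted locations. Created in report-only mode first.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

$group = Get-MgGroup -Filter "displayName eq 'Retail-Hourly-Employees'"   # assumed group
if (-not $group) { throw "Group not found" }

# The guest Wi-Fi NAT range the employees' devices egress from while in the store (assumed value).
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Store guest Wi-Fi egress"
    isTrusted     = $true          # makes it part of "All trusted locations"
    ipRanges      = @(@{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/28" })
}
"Trusted location $($location.DisplayName) = $($location.Id)"

$policy = @{
    displayName = "Block Teams outside the store network"
    state       = "enabledForReportingButNotEnforced"   # switch to "enabled" after reviewing report-only results
    conditions  = @{
        users          = @{ includeGroups = @($group.Id); excludeUsers = @() }   # put exempted user IDs here
        applications   = @{ includeApplications = @("cc15fd57-2c6c-4117-a88c-83b1d56b4bbe") }  # Microsoft Teams
        platforms      = @{ includePlatforms = @("all") }
        locations      = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
$ca = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($ca.DisplayName) ($($ca.Id)) in state $($ca.State)"

# Read back the policy to confirm the location exclusion landed
(Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $ca.Id).Conditions.Locations
```

Two caveats a practitioner should know before calling this "done": a location-based block is only evaluated at sign-in and token refresh, so an employee who leaves the store with a fresh Teams session keeps working until the token expires unless Continuous Access Evaluation catches the network change; and the guest Wi-Fi range must be stable and not shared with locations where the block should apply, otherwise the exclusion is wider than intended.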
