We believe that the product needs to be smart about delivering the right level of security
without compromising user productivity.
Use case: differentiated access based on user, device, location and sensitivity of the data.
Ex. If a user is trying to access a document that contains critical intellectual property of the organization,
it makes sense to ask them for an additional form of authentication, or even to block access from an
unmanaged device.
On the other hand, if a user is trying to access low-sensitivity data, maybe a personal itinerary, it makes no
sense to block the access.
Security should be real time and enforced at the point of access, depending upon: Who are you, and what is
your level of access?
How are you trying to access - are you using a managed device or an unmanaged device? Maybe managed
apps, or a browser, or a kiosk?
Where are you coming from – a trusted network, the corporate network, an expected location or an unexpected
location?
Security for SharePoint, OneDrive and Teams needs to be smart enough to understand all of these aspects.
Use case
1. A user at home uses a personal iPhone, which is not managed by the organization, to access data stored in
OneDrive for Business. Even though the device is not managed by the organization, the app can be managed by
the organization by applying an app protection policy.
Intune Admin Portal - App policy (Android/iOS policy) - we can set the user groups to which the policy
is assigned, the targeted apps and the settings:
Restrict cut, copy/paste with other apps
Require a simple PIN for access: Yes/No
Recheck the access requirements - timeout every one minute
When the user logs in to the OneDrive for Business app from mobile, it prompts the user with the message “Your IT
department protects company data in this app”.
The user can only share files from the OneDrive app by using the Invite People option, and only within the
organization.
Q – How do we set up a differentiated policy based on the sensitivity of the data within OneDrive and SharePoint?
Solution – we can protect it using the Office 365 admin portal (protection.office.com) – click Security – Security
Policies – Data loss prevention.
At a work location, using a fully managed work device, i.e. a laptop:
The user opens OneDrive; if a document is marked with a sensitivity label, it is restricted from being sent to
external collaborators.
In another scenario, a user tries to send a mail with a document attached, and the user does not know
whether it is sensitive or not. When the user hits Send, if the document is sensitive, the user will not be able to
send the document because of organization policy.
You can filter to check the activity that happens on sensitive data and which users performed it.
A user reported that she lost her laptop; she left it in a taxi. As an admin you can terminate all of the active
sessions on her laptop.
Guest Access
Make Private Call
External Access
Recommendation
Behavioral analytics (UEBA) - Detect, investigate, and remediate advanced threats such as
compromised users, insider threats, exfiltration, and ransomware using best-of-class machine
learning algorithms
Productivity app discovery - Identify Shadow IT and gain instant visibility into Office 365 and
OAuth apps - Detect malicious apps, identify overprivileged apps, investigate and control
Conditional Access App Control - Get real-time session monitoring and control for your Office
365 apps
Advanced Threat Protection (ATP) — This feature detects and blocks user access to malicious
content in Teams. ATP also wards off malicious files in SharePoint and OneDrive for Business, the
platforms that power the file-storage and file-sharing services in Teams. Make sure that you turn on ATP
for SharePoint, OneDrive and Teams.
Automated information labeling — To ensure that your DLP policy actions are applied correctly, you
need to accurately classify and label the data shared in Teams, which requires an automated data
discovery and classification solution that ensures high precision in classification.
Yes. You can use the following out-of-the-box features to monitor activity and usage in
Teams:
Supervision policies
Analytics & reports in the Microsoft Teams admin center
Reports > Usage in the Microsoft 365 admin center
Microsoft 365 usage analytics in Power BI
MS Teams, OneDrive and SharePoint store critical data; corporate devices, i.e. Windows users, should get full
access. But from unmanaged devices, like a mobile or a personal laptop, users should be able to use these apps
without hurting their productivity, so we should provide access while limiting it: restrict actions such as
copy/paste, and the user should not be able to download the data. This way we can prevent data
exfiltration.
In this way we will be securing your corporate devices, i.e. Windows machines, and we will be restricting
access to the resources from personally owned devices without hurting user productivity,
because we let users access the resources through the browser but limit the copy/paste and
download actions.
Office 365
Windows endpoint
EMS
A guest is any external user who has been granted permission by the owner of a
Microsoft 365 group to participate in group conversations, calendar invitations, file
sharing and notebook activities. Microsoft 365 guest users are the same as Office 365
guest users.
External sharing refers to the ability of SharePoint Online and OneDrive users to share
access links to files and folders with external users. SharePoint site owners can also share
site access with external users.
Yes, you can turn off external sharing completely for your organization. There are also
ways to limit external sharing. For example, you can:
Only share to Azure AD guests who provide valid authentication credentials
Configure file-sharing links with view-only permissions
Block users in specific network domains from receiving sharing invitations
How do I manage external sharing in Microsoft 365?
As a global admin or SharePoint admin, you can manage external sharing using
PowerShell or any of the following portals:
Privileged Identity Management and Identity Protection come under Azure AD P2 licenses.
Use Cases
Retail employees work on an hourly basis. The requirement is that when users leave work or are off work
they should not be able to access MS Teams or its data. When the employee is back at work they should be able to
access data in MS Teams. This requirement applies to all platforms – Windows, mobile, Mac and web
browsers.
Based on the requirement and an understanding of the capabilities of conditional access, they came up with the
following design and configuration.
Design Note
- All employees are part of a security group, and conditional access will be applied to that security group
- The policy will apply only to the MS Teams app and will include all platforms
- The policy will apply to any location (IP address), but locations with trusted IPs will be excluded
- The policy will apply to browser, mobile apps, and desktop clients
- Sign-in risk will not be configured
- Access control will be set to Block. Require MFA, device compliance etc. will not be
configured
- Session control will not be configured
- Employees will connect to the guest Wi-Fi network while in the store
Solution –
5. Cloud apps - Search for and select the MS Teams app and click Done
6. Conditions – Click Device platforms > Select All platforms
7. Conditions blade – Click Locations > Click Configure: Yes > In the Include tab click Any location, and in the
Exclude tab check All trusted IPs
Note - You should configure an IP subnet as a trusted location to allow access to the MS Teams app. By adding the
subnet, you tell conditional access to exclude any authentication attempts coming from that subnet.