Switching to Office 365 is just the beginning
To make everything work as you want it to, you need to think about what you expect from the service at the beginning of the implementation.
Minimum Baseline – Office 365
Microsoft 365 is based on office applications that almost everyone knows – Outlook, Word, Excel, PowerPoint, OneNote, SharePoint, OneDrive or Teams. Most companies start with those.
Therefore, the first and most difficult step in implementing Microsoft 365 is to switch from an existing email solution (usually an on-premises Exchange server) to Microsoft 365 mail in the cloud. The most common method is the so-called hybrid migration, where the Exchange server in the internal network is connected to Microsoft 365 and the mailboxes are then moved to the cloud gradually, while mail flow and the global address list keep working for users on both sides.
Integration between cloud and corporate on-premises
The next step in implementing Microsoft 365 is to synchronise identities from the on-premises Active Directory directory service to the cloud directory, Azure Active Directory. Once complete, Microsoft 365 services read user information from the cloud directory: name, user principal name, group memberships, and the devices users use to access corporate data (and, depending on the option chosen below, a derived hash of the password). The synchronisation is done with Azure AD Connect, a tool you install on a server in your internal network that syncs users, groups and devices to Microsoft 365.
There are two possible solutions to this integration:
- Password hash synchronisation: synchronise all user information, including a hash of each user's domain password hash, and let users authenticate directly against Microsoft's sign-in service. Azure AD Connect never sends the cleartext password or the raw NT hash; it sends a salted, iterated hash of the NT hash, so the cloud side can verify a password but cannot be used to recover it or to authenticate to the on-premises domain.
- Federated authentication, where the user is not authenticated on Microsoft servers but, after entering their email address (user principal name), is redirected to an identity provider (Active Directory Federation Services or a third-party solution such as Okta), and identity verification is performed there. The federation server then becomes a critical component: if it is down or compromised, so is sign-in to the cloud.
After the integration, selected company data (user mailboxes, shared files) is stored in the Microsoft 365 cloud environment and the end user can log in to their account from any device.
Setting conditions for data access
This freedom, where a user can access corporate data from virtually anywhere in the world, brings another challenge: securing the data and the devices themselves. That's why Microsoft has actively entered the Enterprise Mobility + Security area, which aims to ensure that a user can only access Microsoft 365 services, and therefore corporate data, under predefined security conditions.
This is done with Azure Active Directory Conditional Access, which checks who is accessing a service, when, from what device and from where. You can think of the tool as a smart firewall for identities: you define which users may access which applications and under what conditions, for example from what device, at what time, or from what location a user can log in. Conditional Access requires an Azure AD Premium P1 licence.
Azure Active Directory Conditional Access also allows you to react to risk. You can see from which location or network the user is logging in. If a user tries to log in from another continent, from an anonymising network, or at an unusual time, this may indicate an attack. In such cases you can require an additional authentication factor (an authenticator app or FIDO2 security key is preferable to SMS, since SMS codes can be intercepted or redirected by SIM swapping), and if a sign-in or the user account is assessed as risky, you can force a password reset and block access until the situation is resolved. The risk signals themselves come from Azure AD Identity Protection, which requires the Premium P2 licence.
Mobile device management and security
You use Microsoft Endpoint Manager (the Microsoft Intune service under its later branding) to identify the device from which the user is accessing the Microsoft environment. This tool manages and secures either whole mobile devices (Mobile Device Management, MDM) or only the applications on them (Mobile Application Management, MAM). It supports all common operating systems (iOS, Android, Windows 10, macOS).
The information that Microsoft Endpoint Manager collects from devices is condensed into one crucial security parameter, the so-called compliance flag. You define a compliance policy (required OS version, PIN or password, disk encryption, no jailbreak or root, and so on); if a device meets it, Microsoft Endpoint Manager sets the flag on the corresponding device object in Azure Active Directory (the isCompliant attribute). You can then require that flag in Azure AD Conditional Access, so that users can only log in from enrolled devices that currently meet your baseline.
Third-party MDM systems (MobileIron, VMware Workspace ONE, and others) can also write the compliance flag to Azure Active Directory, so you do not necessarily have to switch to Microsoft Endpoint Manager if you are used to another MDM solution. The requirement stated here is an Azure Active Directory P1 licence, which Conditional Access needs in any case; check the partner's current prerequisites, since the integration goes through Microsoft's compliance-partner connector and its licensing has changed over time.
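As an added example for the Conditional Access section above and the compliance flag discussion in this one (this is not code from the original article or from System4u), the following script creates the two kinds of policy described with the Microsoft Graph PowerShell SDK and then lists the Azure AD device objects whose compliance flag is not set, which is what the first policy will block on. The group name "Break Glass Accounts", the named location "Corporate offices" and the policy display names are assumptions; both policies are created in report-only mode so their effect can be reviewed in the sign-in log before enforcement.

```powershell
# Added example, not from the original article. Requires the Microsoft.Graph module
# and an account with Conditional Access administrator rights.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","Group.Read.All","Device.Read.All"

# Resolve referenced objects by name so no GUIDs are hard-coded (names are assumptions).
$breakGlass = Get-MgGroup -Filter "displayName eq 'Break Glass Accounts'"
$office     = Get-MgIdentityConditionalAccessNamedLocation -All |
              Where-Object { $_.DisplayName -eq 'Corporate offices' }

# Policy 1: outside the corporate offices, Office 365 is reachable only with MFA
# AND from a device that carries the compliance flag written by the MDM.
$devicePolicy = @{
    displayName = "Require MFA and compliant device for Office 365 outside offices"
    state       = "enabledForReportingButNotEnforced"   # report-only first; set to "enabled" after review
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlass.Id)            # emergency accounts must never be locked out
        }
        applications = @{
            includeApplications = @("Office365")         # built-in group: Exchange, SharePoint, Teams, ...
        }
        locations = @{
            includeLocations = @("All")
            excludeLocations = @($office.Id)             # trusted named location defined beforehand
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "AND"                          # both controls, not either one
        builtInControls = @("mfa","compliantDevice")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $devicePolicy

# Policy 2: any sign-in that Identity Protection rates medium or high risk
# (unfamiliar location, anonymiser, impossible travel, ...) must pass MFA.
# The signInRiskLevels condition needs Azure AD Premium P2.
$riskPolicy = @{
    displayName = "Require MFA on medium or high sign-in risk"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users            = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
        applications     = @{ includeApplications = @("All") }
        signInRiskLevels = @("medium","high")
        clientAppTypes   = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $riskPolicy

# Check: which device objects lack the compliance flag that policy 1 depends on?
# TrustType shows how the device is joined (AzureAd, ServerAd = hybrid, Workplace = registered);
# IsManaged tells you whether any MDM is reporting on it at all.
Get-MgDevice -All -Property displayName,isCompliant,isManaged,trustType,operatingSystem,approximateLastSignInDateTime |
    Where-Object { -not $_.IsCompliant } |
    Sort-Object ApproximateLastSignInDateTime -Descending |
    Select-Object DisplayName, IsManaged, TrustType, OperatingSystem, ApproximateLastSignInDateTime
```

Leave both policies in report-only mode for a week or two and inspect the "Report-only" tab of the sign-in log; devices that show up in the final listing with recent sign-ins are the users who would be blocked the moment you switch state to "enabled", so fix their enrolment or compliance first.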
If you would like to migrate to Microsoft's MDM solution, this migration can be handled elegantly with the IDOT application from System4u. The app makes migrating from your existing MDM solution to Microsoft Endpoint Manager so easy that users can do it themselves from their own mobile device: it guides them through the whole process step by step, everything happens automatically, and they only have to click. At the same time, the administrator has an overview of the ongoing migration in the console: who has already migrated, who is about to, and who needs help.
Securing the applications and documents themselves
As part of its tools and services, Microsoft also addresses security at the level of the applications themselves (Word, Excel, Outlook and others) through app protection policies. For example, you can prevent users from copying data out of a managed app and pasting it into a private email client, or require a PIN to open each app. This works even on devices that are not enrolled in Microsoft Endpoint Manager (MAM without enrolment), which is the usual choice for personal devices.
In a situation where you already have all your company data in the Microsoft 365 cloud, all company devices are secured using Microsoft Endpoint Manager (or other MDM technology) and everything is connected to Azure Active Directory, you can also secure specific company documents containing sensitive data.
Microsoft Azure Information Protection (now part of Microsoft Purview Information Protection), together with Office 365 Data Loss Prevention, has two basic functions.
- It allows you to automatically classify documents containing sensitive data (e.g. payment card numbers, national identity or birth numbers), and when the user wants to send such a document by email or share it externally, it either blocks the action or displays a policy tip: "Do you really want to send a document containing sensitive data?"
- If such a document must leave the company anyway, it can be encrypted so that only the intended recipient can open it; the document then stays protected in transit and after delivery, wherever the file is copied. If the recipient does not use Microsoft 365, they can open the document by registering their email address for a free Microsoft account. Access to documents sent this way can be tracked, set to expire after a set period, and revoked by the owner at any time.
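As an added example of the first function above (detect sensitive data and warn or block), and not code from the original article or from System4u, here is an Office 365 Data Loss Prevention policy created with Security & Compliance PowerShell from the ExchangeOnlineManagement module. The policy and rule names are placeholders; "Credit Card Number" is one of the built-in sensitive information types, and further types (for example a national identity number type) can be added as extra entries in the same array. The policy starts in test mode with notifications, so users see the "do you really want to send this?" tip while nothing is blocked yet.

```powershell
# Added example, not part of the original article. Requires the
# ExchangeOnlineManagement module and a Compliance administrator role.
Connect-IPPSSession

$policyName = "Block payment card data leaving the tenant"   # placeholder name

# Scope: Exchange mail, SharePoint sites and OneDrive accounts. TestWithNotifications
# shows the policy tips the article describes without blocking anything yet.
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications

# Rule: one or more credit card numbers shared with someone outside the organisation.
# Once enforced: block the send/share, show a custom tip, allow an override only with a
# written justification (so business exceptions are recorded), and raise a high-severity
# incident report for the admins.
New-DlpComplianceRule -Name "Credit card number shared externally" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation @( @{ Name = "Credit Card Number"; minCount = "1" } ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner,LastModifier `
    -NotifyPolicyTipCustomText "This document contains payment card numbers. Do you really want to share it outside the company?" `
    -NotifyAllowOverride WithJustification `
    -GenerateIncidentReport SiteAdmin `
    -ReportSeverityLevel High

# After reviewing the DLP reports for false positives, enforce the policy:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Keep the rule scoped to NotInOrganization for the first rollout: blocking internal sharing of card numbers as well usually generates a flood of overrides from finance, and it is the external leak that the article's scenario is about. Internal rules with a lower severity can be added to the same policy later.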
In this article, we've covered secure migration to and sign-in for Microsoft 365, protecting your devices, and protecting your documents. As much as Microsoft tries to make everything intuitive, it is often difficult for companies (including those with their own IT department) to deploy and configure these services correctly.
That's why you should contact a reliable partner for the implementation; we at System4u will be happy to help you with everything.