Microsoft Security Tools You SHould HAVE EnableD
Many Microsoft customers are unaware of the tools that are included with their licensing. The following list goes through many of the security applications that you might not know exist in your plan. For a glance at what tools you could be paying for, but do not have enabled, take a look at the following charts available for download on GlitHub: Find out what subscription your organization has and what tools you are entitled to.
As you see in the charts in the link above, depending on your licensing plan with Microsoft, there are dozens of security tools to leverage from the Microsoft suite. Simply owning them will not automatically have them enabled in your tenant. There are steps to take to activate and configure them for your organization. Additionally, if you have unique requirements beyond what Microsoft’s security applications can meet, there are thousands of security products available in the Microsoft marketplace that integrate your tenant with popular third-party applications as well as custom solutions created by well-established Microsoft partners like us.
If you have any questions about what the tools are capable of or would like assistance enabling them, feel free to reach out to MDS.
MDS Complimentary Security Assessment
Single sign-on means a user doesn’t have to sign in to every application they use. The user logs in once and that credential is used for a number of other applications. You can find your apps at https://myapps.microsoft.com. Allowing users to securely log in with one single set of credentials, such as name and password can provide for greater security and convenience in your organization.
With Azure AD, end users who have been assigned access to SaaS apps can get unlimited SSO access to cloud apps. On-premises applications require Azure AD Application Proxy or secure hybrid partnerships integrations available with Azure AD P1 and P2.
With Microsoft Azure, users sign in once with one account to access domain-joined devices, company resources, software as a service (SaaS) applications, and web applications. After signing in, the user can launch applications from the Office 365 portal or My Apps. Administrators can centralize user account management, and automatically add or remove user access to applications based on group membership.
If you have any additional questions around configuring Azure AD and Single Sign-On uses the following form to ask us anything related to the topic.
Your passwords can be easily compromised. MFA immediately increases your account security by requiring multiple forms of verification to prove your identity when signing into an application.
The prevents hackers from logging into your business applications from simply obtaining a password. Many users repeat their passwords across multiple platforms, and if a company they have given their password to has been compromised (and chances are high that they have) then this password might be lurking in the dark web waiting to be exploited by a hacker. To give an idea of the scale of companies that have had their data breached you can check for yourself if any of your other accounts have been compromised using the following tool: Have I Been Pwned: Check if your email has been compromised in a data breach.
Basic multi-factor authentication features are available to Microsoft 365 and Azure Active Directory (Azure AD) administrators for no extra cost. If you want to enable multi-factor authentication to the rest of your users, you can do so by using Azure Multi-Factor Authentication in several ways. MDS can also easily assist in this process with any questions you might have. With MFA you can approve sign-ins from a mobile app using push notifications, biometrics, or one-time passcodes, and augment or replace passwords with two-step verification and boost the security of your accounts from your mobile phone
Identity Protection is an identity admins toolbox to prevent, detect, and remediate identity risk in their organization. With identity protection IT admins are able to:
- Automate the detection and remediation of identity-based risks
- Investigate risks using data in the admin portal
- Export risk detection data to third-party utilities for further analysis.
Microsoft Azure AD Identity Protection monitors every login that occurs and analyzes which logins might be risky using numerous detections. If a risky user or risky sign-in is detected, the program will challenge the sign-in and send a report to your IT admin. You can also look at all recent sign-ins and apply policies based on recommendations from Microsoft. This gives you the advantage to see when a hacker might be attempting to break into your system. After a few failed attempts identity protection could take numerous measures to alert an admin, require additional security verifications from the user, or simply lock the user out until an admin unlocks the account. There are many ways to configure identity protection, if you would like to learn more about the different configurations please don’t hesitate to reach out to one of our security experts to guide you through the process.
Speak to one of our security experts today
Privileged Access Management
When it comes to accounts with the most privileges that can access many resources and data, it is important to make sure those accounts are secured. Privileged identity management allows granular access control over privileged admin tasks by enforcing Just In Time and Just Enough Access for these accounts. Privileged Access Management can help protect your organization from breaches that use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings. Privileged access management complements other data and access feature protections within the Microsoft 365 security architecture. Including privileged access management as part of an integrated and layered approach to security provides a security model that maximizes protection of sensitive information and Microsoft 365 configuration settings.
Privileged access management builds on the protection provided with native encryption of Microsoft 365 data and the role-based access control security model of Microsoft 365 services. When used with Azure AD Privileged Identity Management, these two features provide access control with just-in-time access at different scopes.
Data Loss Prevention
Microsoft DLP helps to discover and protect sensitive information across many locations, such as Exchange Online, SharePoint Online, OneDrive for Business, and Microsoft Teams. The key to Microsoft’s approach is to provide this protection without impacting your productivity. For example, on the right you can see that DLP was able to block sensitive information from being shared via chat, the credit card number was blocked using DLP. The sensitive content was detected before it was shared or transferred, and you as an admin can determine the actions to be taken to prevent data loss. The DLP policies prevent the accidental sharing of sensitive information, Monitor and protect sensitive information in the desktop versions of applications as well as cloud applications.
Recently Microsoft has extended DLP to devices outside of the office to help people that are using their personal devices more and more, especially with the increased work remote lifestyle. With Windows devices and the new Edge browser, you can detect sensitive data as it is being transferred.
You can also block files from being shared with unapproved third-party applications. If a user is trying to upload a file to a third-party website (such as Dropbox or Gmail) you can block these uploads from taking place using DLP, or set a policy that requires them to receive approval from an admin. You can even apply these policies at a file system level to prevent documents from being uploaded to a USB drive or another drive located on the desktop.
Protect your sensitive information by speaking to DLP expert
Microsoft uses encryption to safeguard customer data and help you maintain control over it.
Encryption is an integral part of your file protection and information protection strategy. There are several encryption management options that can help meet your business needs and compliance obligations.
BitLocker can be used on client machines, such as Windows computers and tablets, it offers volume-level encryption by encrypting the physical disk containing customer data incase the physical disk is stolen or lost.
Microsoft managed keys is a service that manages the keys and removes the burden of provisioning and managing the keys for the customer. Customer managed keys are for when the customer generates and imports keys and stores them in a customer-owned Azure key vault to be used by Office 365 services. The root keys never leave their azure vault boundary. These are used to encrypt files and mailboxes in office 365. If the customer chooses to leave/purge their data they can revoke the key and remove all access to the data.
Office 365 Message Encryption with Azure Rights Management, S/MIME, and TLS for an email in transit
Teams use TLS and MTLS to encrypt instant messages. You can prevent users from forwarding confidential emails externally. You can even send encrypted emails to users that use Gmail or Yahoo once they are authenticated.
Enable Microsoft Encryption
Microsoft Information Protection (MIP) to help you discover, classify and protect sensitive information wherever it lives or travels. MIP capabilities are included with Microsoft 365 Compliance and give you the tools to know your data, protect your data, and prevent data loss across devices, apps, cloud services, and on-premises.
Azure Information Protection (AIP) is a cloud-based solution that enables organizations to discover, classify, and protect documents and emails by applying labels to content.
AIP is part of the Microsoft Information Protection (MIP) solution and extends the labeling and classification functionality provided by Microsoft 365.
MIP and AIP allows you to utilize many of the tools discussed in this article to protect sensitive information such as
Encryption of documents and email messages and prevention of sharing this information to outside applications or even internally to unauthorized users.
Prevention of sensitive data within documents or conversations such as social security numbers or password/login credentials. and much more, for a full overview of all the protections included you can speak with an expert on any of the features included in MIP and AIP by contacting us.
Cloud Access Security Broker
Moving to the cloud increases flexibility for employees and IT teams. However, it also introduces new challenges and complexities for keeping your organization secure. To get the full benefit of cloud apps and services, an IT team must find the right balance of supporting access while protecting critical data.
Microsoft Cloud App Security adds safeguards to your organization’s use of cloud services by enforcing security policies acting as a gatekeeper to broker access in real time between your enterprise users and cloud resources they use, wherever your users are located and regardless of the device they are using.
Microsoft’s CASB helps to discover and provide visibility into Shadow IT and app use, monitoring user activities for anomalous behaviors, controlling access to your resources, providing the ability to classify and prevent sensitive information leak, protecting against malicious actors, and assessing the compliance of cloud services.
CASBs address security gaps in an organization’s use of cloud services by providing granular visibility into and control over user activities and sensitive data. CASB coverage scope applies broadly across SaaS, PaaS, and IaaS. For SaaS coverage, CASBs commonly work with the most popular content collaboration platforms (CCP), CRM systems, HR systems, Enterprise resource planning (ERP) solutions, service desks, office productivity suites, and enterprise social networking sites. For IaaS and PaaS coverage, several CASBs govern the API-based usage of popular cloud service providers (CSP) and extend visibility and governance to applications running in these clouds.
Information Governance (MIG)
Microsoft Information Governance (MIG) helps you establish an intelligent information governance approach for your data in Microsoft 365 and beyond for compliance or regulatory purposes.
MIG helps with understanding your internal and external data in your organization, central management of policies that trigger automatic data retention and deletion. the ability to use AI through trainable classifiers to automatically find the data so that policies can be applied at scale, and how you can evolve your policies and processes.
To meet all your governance needs Microsoft designed the M365 compliance center to give you a centralized management plane for all of your data compliance needs. In this portal under the solution catalog, there is a dedicated information governance solution.
With MIG you will:
1. Find your data
2. Set policies for your data. (retention or deletion)
3. Apply labels to your files (manually or intelligently automated)
MIG helps you with data classification as well as showing you the activity of your data all from a single portal to help you better understand where your data lives and who is accessing it so that you can take appropriate actions.
MIG is also making it easier to bring in data outside your organization by using a growing number of data connectors to help view data that exists across multiple platforms. Once this data is instantly connected, it becomes discoverable and policies can now be applied to this data.
Mobile Application Management
Intune mobile application management refers to the suite of Intune management features that lets you publish, push, configure, secure, monitor, and update mobile apps for your users.
MAM allows you to manage and protects your organization’s data within an application. With MAM without enrollment (MAM-WE), a work or school-related app that contains sensitive data can be managed on almost any device, including personal devices in bring-your-own-device (BYOD) scenarios.
Intune MAM supports two configurations
1. Intune MDM + MAM: IT administrators can only manage apps using MAM and app protection policies on devices that are enrolled with Intune mobile device management (MDM). To manage apps using MDM + MAM, customers should use Intune in the Microsoft Endpoint Manager admin center.
2. MAM without device enrollment: MAM without device enrollment, or MAM-WE, allows IT administrators to manage apps using MAM and app protection policies on devices not enrolled with Intune MDM. This means apps can be managed by Intune on devices enrolled with third-party EMM providers. To manage apps using MAM-WE, customers should use Intune in the Microsoft Endpoint Manager admin center. Also, apps can be managed by Intune on devices enrolled with third-party Enterprise Mobility Management (EMM) providers or not enrolled with an MDM at all. For more information about BYOD and Microsoft’s EMS, see Technology decisions for enabling BYOD with Microsoft Enterprise Mobility + Security (EMS).
Secure Email Gateway
Email is the most prolific attack vector that we see today, from ransomware, malware, phishing attacks, and many many more it is imperative that you are always monitoring the email traffic to and from your users. The increasing sophistication of these attacks can quickly outdate the protections you have in place.
Microsoft’s Exchange Online Protection (EOP) is the cloud-based filtering service that helps protect your organization against spam and malware by scanning all incoming email attachments from all emails sent inside and outside of your organization. There are multiple policies you can set, such as blocking specific file extensions from being sent. For more information on the best practices and policies please don’t hesitate to reach out to a member of our security team. EOP is included in all Microsoft 365 organizations with Exchange Online mailboxes.
Office 365 Advanced Threat Protection (ATP) safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools. M365 ATP is designed to give you built-in proactive protections that extend to your collaboration services and email to mitigate malicious content as well as intelligent and continuously evolving threat detection so you can stay ahead of new and emerging threats. ATP has the ability to moderate activities in real-time to give the ability to respond to threats along with controls that you set to harden your environment.
Endpoint Detection and Response
Microsoft Defender ATP is a comprehensive endpoint security solution for protection, detection and response that focuses on two key areas:
Threat and Vulnerability Management provides you with real-time actionable information that can help mitigate threats and vulnerabilities in your environment to profoundly reduce your overall exposure.
Attack Surface Reduction allows you to eliminate risk by reducing the surface area of attack with hardware-based isolation, exploit and network protection, and application control.
Microsoft Defender ATP continuously monitors behaviors to protect against the latest and most dangerous threats. This includes Advanced Hunting with fine-grained access over all the data in your tenant allowing you to pivot and quickly narrow down suspicious activity. When it comes to security incidents Microsoft uses Auto Investigation and Remediation to discover complex threats and mimic the ideal steps analysts would take freeing up the time of your talented security professionals to focus on more strategic issues. Our threat experts provide your security operation team with deep knowledge, expert-level threat monitoring. You can reach out to us directly to get technical consultation on relevant detections and best practices for configuring Microsoft Defender ATP.