• Home
  • Blog
  • Technical
  • Protecting extra-sensitive accounts and data sets in Microsoft 365, Part 1: Identity

Protecting extra-sensitive accounts and data sets in Microsoft 365, Part 1: Identity

Back to Blog
20Aug2019

Protecting extra-sensitive accounts and data sets in Microsoft 365, Part 1: Identity

As I have previously pointed out on this blog before, all of the best security products, like Microsoft Cloud App Security or Microsoft Defender Advanced Threat Protection, are held hostage in E5 plans. But there is a really big cost delta in the SMB space between the Business plan and Enterprise E5. And in fact, it is a fairly significant delta even moving from Enterprise E3 to E5.

I have two pieces of advice for you here:

  1. Maximize what you can do within the subscription that you already have first (that’s already a lot)
  2. Realize that you only need to license specific users for the “extra” features that are most important to you after that

For example, if any of your user base deals with really sensitive or even “toxic” data–the kind that would be very damaging to have exposed in a breach event–then there are some other things we could recommend adding to your bundle to help protect these special accounts and the digital assets those users work with. But you’d only have to license those users specifically for the add-ons that they need.

Licensing

In this post I’m going to highlight the security features that are normally locked up in E5, which could be bought separately and added to other subscriptions. However, my overall favorite combo for the SMB is:

Microsoft 365 Business (20.00 USD): Add Enterprise Mobility + Security E5 (14.80 USD) = 34.80 USD total

The idea is to create the best bundle which will contain the Cadillac of security features from the E5 plan, while remaining much more affordable. And again, you only have to apply it to those precious few accounts you care most about protecting. So it’s a nice middle ground.

NOTE: For E3 plans, you might consider looking at Microsoft 365 E5 Security and Microsoft 365 E5 Compliance; these plans are technically not compatible with Microsoft 365 Business, for example MDATP is not supported for use with the Business SKU at this time.

Before you start, identify the users who most need the extra protection. Be sure these users get licensed appropriately so they have all the necessary products enabled on their account. You will also want to create a security group for the purposes of applying additional features and policies.

Identity protection

Identity protection is a feature of Azure AD Premium P2 (9.00 USD / user / month), and uses risk-based conditional access to take action against login attempts that are deemed to be “riskier” than others. To determine risk level, Microsoft leverages signals from the Intelligent Security Graph in real time, and calculates whether the login behavior is safe and recognized, or unusual and likely to be an impostor.

You may need to add the Azure AD Identity Protection app to your Azure portal, first, if you don’t have it yet. Just go to the marketplace and search for it, then click Create to get started.

There are several “value-added” policies here that you can use to enhance the typical user protections, such as MFA, which are available in other subscriptions.

Be sure you check out each of the configurable policies, as well as the alerts and digest

MFA registration policy – Require users to register for MFA, before actually issuing MFA challenges; when users are prompted to register, they can choose to bypass the registration for up to 14 days, but eventually they must complete the security info registration process. This will help ease people into the transition and let them accomplish registration at a time that is more convenient to them.

User risk policy – Probably the most important policy to configure, it can either block or require the targeted users to complete a self-service password reset whenever the user account is elevated to a certain risk level (MS recommends Medium risk as the threshold for most orgs to strike a balance between usability and security). Risk level can be elevated by risky sign-in activity, or other evidence (e.g. darkweb) that indicate the account could have been compromised.

NOTE: Similar protection is also provided now via a baseline Conditional access policy which is included with all subscriptions (however at this time it is not possible to make exceptions in that policy).

Sign-in risk policy – Stuff like impossible travel, unusual sign-in time, location or device, etc. can elevate risk level of any given sign-in attempt, and here you can choose to challenge sign-ins that are above your selected threshold with MFA; I personally don’t see as much value here and generally recommend simply requiring MFA at all times if the account is highly sensitive. Otherwise I would set this to Low risk and above.

Alerts and Weekly Digest – Get email notifications when suspicious looking stuff is happening in your tenant, right under your nose. You can also see who is being impacted by the risk policies you have in place.

Privileged Identity Management

Another Azure AD Premium P2 feature. You can find PIM under Azure AD > Identity Governance, but you may want to add a handy shortcut for it to your Azure portal view from “All services.”

What is PIM? Specifically useful for controlling access to “superuser” administrative roles, this technology will allow you to discover and then convert accounts that presently have administrative privileges, into accounts that are merely “eligible” for privileges.

By rescinding the admin rights up front, you are then able to setup an approval workflow, whereby an admin would request and be granted or denied access to privileged roles (only when necessary for making administrative changes). You should also setup email notifications so that you are alerted when these things are happening in the environment.

All that having been said, I know most of my SMB readers out there will have difficulty seeing how this applies to them. But in customer environments that are very sensitive to change and who put a big emphasis on security, this could be a very attractive offer: “Look, you will hold the keys to the kingdom–and we can only come in and flip settings around when you specifically ask for it, or approve our requests to change something in advance. And that also means attackers who gain unauthorized access will be similarly limited.

Of course, this implies that you would want at least a couple of customer-enabled accounts who could approve requests for privilege elevation.

Next time

I only have one other article in this series planned at this time–so next we’ll talk about data and app protections that are available from the world of E5, and what it would take to add them to a down-level SKU like Microsoft 365 Business or E3. See you next time!

Technical , , , , , , 0 Comments
Share:

Leave a Reply

Back to Blog

Related Posts

GDAP in M365 Lighthouse
01Apr

Reviewing the GDAP Wizard in Lighthouse

Hey folks! In today’s article, we will be taking a closer look at Granular Delegated Admin Permissions or GDAP.  You can think of this feature as providing similar functionality to Privileged Identity Management (PIM), including “Just-in-Time” (JIT) access, but specifically with regard to your partner... read more
15Jan

Tutorial: Enabling the “new” Office 365 Email Encryption

Previously we have covered Office 365 Message Encryption, as well as what used to be called Azure Rights Management (now Azure Information Protection).  The name changes weren't confusing enough for us, right? Well, awhile back they announced this big change to the email encryption experience.... read more
08Dec

Hyper-V Failover Cluster Best Practices (footnotes)

Some of you may be familiar with this handy best practices checklist, published by Microsoft. Actually it comes in three varieties currently (I haven't seen an updated one for 2016 yet): 2012 Hyper-V Best Practices and 2012 R2 Hyper-V Best Practices 2008 R2 Hyper-V Best Practices It's a... read more
28Sep

Prepare for the Upgrade from Skype for Business to Microsoft Teams

As you may or may not have heard, Microsoft is encouraging organizations to begin the upgrade path toward Teams, as they have now reached "feature parity" between the two products (they will no longer be actively developing Skype for Business Online). In fact, new customers... read more
30Aug

(Mis)Adventures with Conditional Access in Azure Active Directory Premium (P1)

I have been playing with Azure Active Directory Premium (P1) features a lot lately. And I love to try as hard as I can to break things. Turns out, it isn't that hard to do with Conditional Access. But, having brushed up against a few... read more
11May

How to change your Network type from Public to Private in Windows 10 (the easy way)

In Windows 10 (and earlier versions had this too), there is a difference between Private and Public networks (there is also a third type--Domain--for when you are connected on your corporate-owned device to your corporate network). The problem is, if your computer or tablet is on... read more
20Jun

Migrating Companyweb from SBS to Office 365 SharePoint Online

Microsoft Windows Small Business Server comes with a watered-down implementation of SharePoint called Companyweb (or WSS). Whether you are migrating from a full-blown SharePoint environment on-premises or the basic Windows Server-included Windows SharePoint Services, you are going to have to come to terms with one major migration hurdle: Microsoft... read more
14Jan

Exchange Hybrid Licensing

I have mentioned previously on this site that hybrid Exchange is the best way to migrate to Office 365. Hybrid enables rich co-existence between your on-premises Exchange server and Office 365 / Exchange Online in the cloud. Hybrid is emphatically NOT a "special" version of Exchange Server,... read more
18May

5 Tips to Help Tighten your Security Using BIOS/UEFI

In the olden days of PC's, BIOS or "Basic Input-Output System" was something only the nerdy computer geeks were aware of, and the typical user never really went in there, or ran any kind of updates for it, unless explicitly instructed to by a support... read more
20Jun

A framework for implementing device-based Conditional access with Microsoft Intune

I recently shared a set of scripts to help make deployment of Intune a bit quicker. Today I just want to cover a framework which can be used for deploying device-based conditional access in conjunction with your baseline policy set. The main crux of the... read more

Helping IT Consultants Succeed in the Microsoft Cloud

Have a Question? Contact me today.

Contact Me