Protection for Office 365

Microsoft provides the most complete set of capabilities to protect your corporate assets. This model helps organizations take a methodical approach to information protection.

Three levels is a good starting point if your organization doesn't already have defined standards.

Some information protection capabilities apply broadly and can be used to set a higher minimum standard for protecting all data. Other capabilities can be targeted to specific data sets for protecting sensitive data and HVAs.

You can use Secure Score to learn more about capabilities recommended for your Office 365 environment.
  Links: Introducing the Office 365 Secure Score

Example

Establish information protection priorities
The first step of protecting information is identifying what to protect. Develop clear, simple, and well-communicated guidelines to identify, protect, and monitor the most important data assets anywhere they reside.

Level 1   Level 2   Level 3

Capability grid
Use this grid of information protection capabilities to plan your strategy for protecting data. Capabilities are categorized by protect scenario (row). Capabilities increase in control and protection as you move to the right.

Start here -> More control & protection
Product key: Office 365 Enterprise E3 Plan; Office 365 Enterprise E5 Plan or standalone add-on

Disable identities in Azure Active Directory that are not active
  …active. For example, you can identify Exchange Online mailboxes that have not been accessed for at least the last 30 days and then disable these accounts in Azure Active Directory.
  Links: Manage inactive mailboxes in Exchange Online; Blog: Office 365 How to Handle Departed Users

Enable self-service password reset in Azure Active Directory
  Enable users to reset their Azure AD passwords.
  Links: Whitepaper: Microsoft Password Guidance

Use Group-based Licensing to assign licenses to users
  Links: Group-based licensing basics in Azure Active Directory; Big Updates to Office 365 Identity (licensing and how to try group-based licensing)

Configure Multi-Factor Authentication (MFA)
  Links: Multi-Factor Authentication documentation; Compare MFA features: Office 365 vs. Azure AD Premium

Configure single sign-on to other SaaS apps in your environment
  Office 365 plans include up to 10 SaaS apps per user. Azure Active Directory Premium is not limited.
  Links: Configure your favorite SaaS cloud application on Azure Active Directory for single sign-on and easier user account management

Use Intune to protect data on mobile devices, desktop computers, and in applications
  …Business. Configure secure access with certificates, Wi-Fi, VPN and email profiles.
  Links: Microsoft Intune Overview

Configure Azure AD risk-based conditional access for greater protection
  Administrators can set policies that trigger specific controls based on various levels of risk. Actions can include block, enforce MFA, or password reset for the user.
  Links: Azure Active Directory risk events

Configure Azure AD conditional access to configure rules for access to applications
  …require multi-factor authentication per application or only when users are not at work. Or you can block access to specific applications when users are not at work.
  Links: Working with conditional access

Enable Windows Hello for Business on all Windows 10 PCs
  …is tied to a device and uses a biometric or PIN.
  Links: Windows Hello for Business

Use device health attestation features with Windows 10 devices
  …Microsoft that reports what security features are enabled on the device.
  Links: Control the health of Windows 10-based devices

Enable Azure AD Identity Protection Policies for your users
  …have enabled it for some time, we recommend you activate Identity Protection policies. For example, require MFA on sign in when the risk of a login is medium or higher. Or, reset a user's password if the user's risk is marked as high.
  Links: Azure Active Directory Identity Protection

Migrate your external accounts to Azure AD B2B collaboration
  Azure AD B2B Collaboration enables secure collaboration between business-to-business partners. Any accounts that are needed for SaaS application access or SharePoint Online collaboration can be moved to Azure AD B2B.
  Links: Azure Active Directory B2B collaboration
…and prevent leaks

Product key: Windows 10; …(EMS) E5 Plan (EMS plans include Azure AD Premium, Intune, and Azure Rights Management)
…Microsoft Office 365 subscription.

Configure permissions for SharePoint and OneDrive for Business libraries and documents
  …permissions. These are not related to Office 365 groups. Encourage users to apply permissions to documents in their OneDrive for Business libraries.
  Links: Understanding permission levels in SharePoint; Understanding SharePoint groups

Configure external sharing policies to support your collaboration and file protection objectives
  External sharing policies apply to both SharePoint Online and OneDrive for Business.
  Links: Manage external sharing for your SharePoint Online environment; Share sites or documents with people outside your organization

Configure device access policies for SharePoint Online and OneDrive for Business
  Control access from unmanaged devices (coming soon).
  Links: File Protection Solutions in Office 365

Use labels to implement classification-based protection
  …classified and labeled, protection can be applied automatically on that basis.
  Links: What is Azure Information Protection?; Blog

Configure Data Loss Prevention (DLP) across Office 365 services and applications
  …that they are about to violate a policy. Set up policies for SharePoint Online and OneDrive for Business that automatically apply to Word, Excel, and PowerPoint 2016 applications.
  Links: Overview of data loss prevention policies; Data loss prevention in Exchange Online

Use Intune to manage applications on mobile devices
  …cut, paste, and save as, to only apps managed by Intune. Enable secure web browsing using the Intune Managed Browser App. Enforce PIN and encryption requirements, offline access time, and other policy settings.
  Links: Configure and deploy mobile application management policies

Use Windows 10 BitLocker and Windows Information Protection (WIP)
  …helps prevent accidental data leaks to non-business documents, unauthorized apps, and unapproved locations.
  Links: Bitlocker overview; Protect your enterprise data using Windows Information Protection (WIP)

Use the Intune App Wrapping Tool to apply policies to line-of-business applications
  Configure and deploy mobile application management policies in the Microsoft Intune console.
  Links: Intune application partners

Configure Office 365 service encryption with Customer Key (coming soon)
  …level offers an added layer of encryption protection for files in SharePoint Online and OneDrive for Business and for Exchange Online mailboxes. Customer Key is applied tenant-wide for all files in SharePoint Online and OneDrive for Business.

For trade-secret or classified files, implement BYOK or HYOK encryption and protection
  …solution.
  Links: File Protection Solutions in Office 365 (coming soon)

Use Azure Key Vault for line of business solutions that interact with Office 365
  …that your keys stay within the HSM and boundary. Microsoft does not see or extract your keys. Monitor and audit key use. Use Azure Key Vault for workloads both on premises and cloud hosted.
  Links: Azure Key Vault

Use SQL Server Always Encrypted for partner solutions using a SQL database
  …never reveal the encryption keys to the Database Engine (SQL Database or SQL Server). This provides separation between those who own the data (and can view it) and those who manage the data (but should have no access).
  Links: Always Encrypted (Database Engine); Blog: SQL Server 2016 includes new advances that keep data safer
Test lab environments
You can create your own dev/test environment with Office 365 Enterprise E5, EMS, and Azure trial subscriptions. Look for the test lab guide (TLG) icon in the grid for capabilities that can be tested within these environments. Here's the current set:
  Base configuration dev/test environment: Simplified intranet in Azure IaaS to simulate an enterprise configuration
  Office 365 dev/test environment: Create an Office 365 E5 trial subscription

3 Stop external threats

Add Exchange Online Advanced Threat Protection for your organization
  Protect your environment against advanced threats, including malicious links, unsafe attachments, and malware campaigns. Gain insights with reporting and URL trace capabilities. Configure settings for your organization's objectives.
  Links: Exchange Online Advanced Threat Protection (Features); Service Description (TechNet); How it works (TechNet)

Use Office 365 Advanced Security Management or Microsoft Cloud App Security
  Use Office 365 Advanced Security Management to evaluate risk, to alert on suspicious activity, and to automatically take action. Requires Office 365 E5 plan. Or, use Microsoft Cloud App Security to obtain deeper visibility even after access is granted, comprehensive controls, and improved protection for all your cloud applications, including Office 365. Requires EMS E5 plan.
  Links: Overview of Advanced Security Management in Office 365; Microsoft Cloud App Security

Use Microsoft Edge for browsing
  Use Microsoft Edge when browsing the Internet. It helps block known support scam sites using Windows Defender SmartScreen. Microsoft Edge also helps stop pop-up dialogue loops used by these sites.
  Links: Microsoft Edge Deployment Guide for IT Pros (TechNet); Blog: Evolving Microsoft SmartScreen to protect you from drive-by attacks; Blog: Mitigating arbitrary native code execution in Microsoft Edge

Keep Windows Defender enabled on Windows 10 computers
  Ask Cortana or type Windows Defender in the task bar search box. If you see a PC status: Protected message, you're good to go. If Windows Defender is turned off, uninstall other antivirus solutions and check again. Windows 10 will enable Windows Defender automatically.
  Links: Windows Defender in Windows 10 (TechNet); Keep your PC safe with Windows Defender

Use Device Guard to ensure only trusted software is run on Windows 10 Enterprise
  Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. Device Guard prevents tampering by users or malware that are running with administrative privileges.
  Links: Device Guard overview (TechNet); Blog: What is Windows 10 Device Guard?

Use Windows Defender Advanced Threat Protection (ATP) to protect your network
  Use Windows Defender ATP service to help detect, investigate, and respond to advanced and targeted attacks on your networks.
  Links: Windows Defender ATP User Guide (TechNet)

Implement Azure AD Connect Health
  Monitor and gain insights into your on-premises identity infrastructure with the Azure AD Connect tool used with Office 365.
  Links: Monitor your on-premises identity infrastructure and synchronization services in the cloud

Implement Advanced Threat Analytics (ATA) on premises to monitor your network
  Identify suspicious user and device activity. Build an Organizational Security Graph and detect advanced attacks in near real time.
  Links: Microsoft Advanced Threat Analytics (TechNet); Blog: Microsoft Advanced Threat Analytics

Use Intune to keep client software up to date
  Keep managed computers secure by ensuring the latest patches and software updates are quickly installed.
  Links: Keep Windows PCs up to date with software updates in Microsoft Intune
Test lab environments (continued from the list above):
  Multi-factor authentication for your Office 365 dev/test environment: Demonstrate MFA with a verification code sent to your smart phone
  Advanced Security Management for your Office 365 dev/test environment: Create policies and monitor your environment
  Advanced Threat Protection for your Office 365 dev/test environment: Keep malware out of your email
  Advanced eDiscovery for your Office 365 dev/test environment: Add example data and demonstrate these capabilities

4 Stay compliant

Use Message records management (MRM) in Exchange Online to manage email lifecycle and reduce legal risk
  Keep messages needed to comply with company policy, government regulations, or legal needs, and remove content that has no legal or business value.
  Links: Message records management

Use retention policies in SharePoint and OneDrive for sites and documents
  Compliance officers can apply policies that define when sites or documents are retained, expire, close, or are deleted.
  Links: Retention in the Office 365 Compliance Center

Apply security restrictions in Exchange Online to protect messages
  Require encryption, digitally sign messages, and monitor or restrict forwarding. Create partner connectors to apply a set of restrictions to messages exchanged with a partner organization or service provider.
  Links: Encryption in Office 365; Set up connectors for secure mail flow with a partner organization; Set-RemoteDomain

Use Office 365 Advanced Data Governance to classify, retain, and take action on your data
  Meet your organizational compliance requirements by leveraging machine assisted insights to help you import, find, classify, set policies, and take action on the data that is most important to your organization. High-value content across Exchange Online, SharePoint Online, OneDrive for Business, and Skype for Business is efficiently protected for as long as you need it to be.
  Links: Blog: New Office 365 capabilities to manage security and compliance risk

Conduct eDiscovery in Office 365
  Identify, preserve, search, analyze, and export email, documents, messages, and other types of content to investigate and meet legal obligations.
  Links: eDiscovery in Office 365; Compliance Search in the Office 365 Compliance Center

Use Advanced eDiscovery to speed up the document review process in Office 365
  Perform analysis on discovered data by applying the text analytics, machine learning, and Relevance/predictive coding capabilities of Advanced eDiscovery. These capabilities help organizations quickly reduce the data set of items that are most likely relevant to a specific case.
  Links: Office 365 Advanced eDiscovery

Use data spillage features in Office 365
  Search and remove leaked data in mailboxes, SharePoint Online sites, and OneDrive for Business.

Audit user and administrator actions for compliance
  Use the Office 365 Security & Compliance Center to search the unified audit log to view user and administrator activity in your Office 365 organization.
  Links: Search the audit log in the Office 365 Security & Compliance Center

Retain inactive mailboxes in Exchange Online
  Preserve former employees' email after they leave your organization. A mailbox becomes inactive when a Litigation Hold or an In-Place Hold is placed on the mailbox before the corresponding Office 365 user account is deleted. The contents of an inactive mailbox are preserved for the duration of the hold that was placed on the mailbox before it was made inactive.
  Links: Manage inactive mailboxes in Exchange Online

Capabilities vary by plan
Test lab environments (continued from the list above):
  Office 365 and EMS dev/test environment: Add an EMS trial subscription to your Office 365 trial environment

Secure privileged access

Validate and monitor your security configuration

Use dedicated administrative workstations and accounts for managing cloud services

Create pure online administration accounts

Separate duties of administrators by role

…SharePoint Online, Exchange Online, and Skype for Business Online

Use Azure AD Privileged Identity Management to control and monitor your privileged identities

Use Exchange Online auditing capabilities to search administrator audit logs

Review the Office 365 administrator audit logs

Use Customer Lockbox for Office 365 to require mandatory approval for service engineer work

March 2017 © 2017 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com.