Using Azure Information Protection Scanner to Classify and Protect Your Data

Company data breaches are becoming more common every day.  Social engineering is an age-old practice that malicious hackers use to exploit the weakest link in an organization:  human psychology.  Social engineering attacks are an organization's biggest fear, and for good reason: once a user has been tricked into handing a file to the wrong person, the perimeter controls around that file no longer apply.  Using Azure Information Protection (AIP), organizations can employ a set of classification and protection standards for all of their data no matter where it lives.  AIP ties the classification and protection policy to the data itself, so wherever the data travels and whoever gets their hands on it, the organization's policy still governs who can open it and what they can do with it.

Azure AIP How.jpg

Azure Information Protection labeling

One of the biggest challenges with becoming data compliant is implementing a data classification and protection process that considers each individual piece of data's sensitivity, storage and distribution needs.  With the amount of data growing exponentially every day, this task feels like a huge uphill battle.  Discover, classify, label and protect your data with Azure Information Protection.  AIP is a cloud-based solution that can be used to classify, label and protect documents and emails.  AIP can protect any file type, whether the data is at rest, in use, or in motion.  AIP has tight integration with Office files and PDFs and provides the best end-user experience for those formats.  AIP can also protect emails and data stored inside and outside of the Microsoft Cloud, including in non-Microsoft cloud and SaaS apps.  AIP labels apply classification and, optionally, protection (encryption plus usage rights) to your data across workloads no matter where the files are stored.  Retention is a separate capability: Office 365 retention labels and policies can be configured alongside AIP labels to meet your organization's data compliance requirements.

Azure Information Protection can help companies in their journey to GDPR compliance by discovering sensitive data within the organization.  AIP has the capability to automatically scan, classify and protect sensitive files that are discovered throughout the scanning process.  New files that are currently being used can be manually labeled but what about the large number of files that are sitting in SharePoint or on an on-premises file share?  This is where the AIP scanner tool comes to the rescue.  The AIP scanner is a tool that can be used to discover, label and protect many files at once automatically.

Let's say for example you have a large file share in your on-premises environment.  This file share includes a plethora of different files and file types.  You can configure the AIP scanner to scan this file share and label your data according to content that matches a pre-defined condition.  The AIP scanner will label and protect your files in an automated fashion.  Labels apply classification and, optionally, apply or remove protection.  For example, if a file contains credit card numbers or employee social security numbers, the scanner will recognize the sensitive data and apply the classification and protection defined by the AIP label that gets applied.  New sensitive information types are being added all the time.  Just this week Microsoft added some additional types to help address classification needs around GDPR, as you can read here:  New GDPR sensitive information types help you manage and protect personal data

AIP labels are a classification capability provided by the AIP service which can be used to identify and classify the different types of data that exist within your organization.  These are the labels the AIP scanner applies to the files it discovers.  Labels can be categorized by sensitivity levels that range from non-business to highly confidential.  Each label defines what visual markings and what protection get applied to your files.

The labels can include visual markings such as a header, footer, or watermark. Metadata is added to files and email headers in clear text. The clear text ensures that other services, such as data loss prevention solutions, can identify the classification and take appropriate action.  This is great for companies that are moving to the cloud and want to make sure their data is classified and protected before the migration from on-premises.
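Because the classification metadata is stored in clear text, anyone with a copy of the file can read the label without the AIP client and without rights to the protected content.  The following PowerShell is an added example (not code from the original post or from Microsoft) of how a DLP rule or a forensic triage script can read that metadata from an Office document: AIP writes custom document properties named MSIP_Label_<labelGuid>_<attribute> into docProps/custom.xml inside the OOXML package.  The label GUID, SiteId and file path used below are made up for illustration.

```powershell
# Added example: read AIP's clear-text classification metadata from an Office
# document (docProps/custom.xml inside the OOXML zip). Requires no AIP client
# and no access rights to the protected content. Property names follow the
# MSIP_Label_<labelGuid>_<attribute> convention used by AIP.

Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-MsipLabelsFromCustomXml {
    param([Parameter(Mandatory)][xml]$CustomXml)

    $labels = @{}
    foreach ($prop in $CustomXml.Properties.property) {
        # Example: MSIP_Label_2096f6a2-d2f7-48be-b329-b73aaa526e5d_Name
        $name = $prop.GetAttribute('name')
        if ($name -match '^MSIP_Label_([0-9a-fA-F-]{36})_(.+)$') {
            $guid, $attr = $Matches[1], $Matches[2]
            if (-not $labels.ContainsKey($guid)) { $labels[$guid] = @{ LabelId = $guid } }
            # AIP stores each attribute as a single <vt:lpwstr> child element.
            $labels[$guid][$attr] = $prop.FirstChild.InnerText
        }
    }
    # One object per label found; the MSIP attributes become properties.
    $labels.Values | ForEach-Object { [pscustomobject]$_ }
}

function Get-MsipLabelsFromDocx {
    param([Parameter(Mandatory)][string]$Path)

    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        $entry = $zip.GetEntry('docProps/custom.xml')
        if (-not $entry) { return }   # no custom properties: the file was never labeled
        $reader = New-Object System.IO.StreamReader($entry.Open())
        try { $xml = [xml]$reader.ReadToEnd() } finally { $reader.Dispose() }
        Get-MsipLabelsFromCustomXml -CustomXml $xml
    } finally {
        $zip.Dispose()
    }
}

# Constructed sample (not taken from a real file): the shape of custom.xml
# after AIP applied a label. The label GUID and SiteId are invented.
$sample = [xml]@'
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
            xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes">
  <property fmtid="{D5CDD505-2E9C-101B-9397-08002B2CF9AE}" pid="2" name="MSIP_Label_2096f6a2-d2f7-48be-b329-b73aaa526e5d_Enabled"><vt:lpwstr>true</vt:lpwstr></property>
  <property fmtid="{D5CDD505-2E9C-101B-9397-08002B2CF9AE}" pid="3" name="MSIP_Label_2096f6a2-d2f7-48be-b329-b73aaa526e5d_Name"><vt:lpwstr>Confidential</vt:lpwstr></property>
  <property fmtid="{D5CDD505-2E9C-101B-9397-08002B2CF9AE}" pid="4" name="MSIP_Label_2096f6a2-d2f7-48be-b329-b73aaa526e5d_SiteId"><vt:lpwstr>7b4c0f7e-1111-2222-3333-444455556666</vt:lpwstr></property>
  <property fmtid="{D5CDD505-2E9C-101B-9397-08002B2CF9AE}" pid="5" name="MSIP_Label_2096f6a2-d2f7-48be-b329-b73aaa526e5d_Method"><vt:lpwstr>Standard</vt:lpwstr></property>
</Properties>
'@

Get-MsipLabelsFromCustomXml -CustomXml $sample | Format-List

# Against a real document (placeholder path):
# Get-MsipLabelsFromDocx -Path 'C:\Shared\HR\salaries.docx'
```

The same attribute names appear in the msip_labels header of labeled emails, so the regex above can be reused on mail headers.  Keep in mind that the metadata is advisory: it tells a downstream system what label was applied, but only the RMS protection, not the label metadata, prevents anyone from opening the content.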

AIP Scanner Overview

The AIP scanner runs as a service on a Windows Server that is a part of your on-premises network.  The scanner currently supports the following data stores for discovery:

  • Local folders on the Windows Server computer that runs the AIP scanner
  • UNC paths for network shares that use the Server Message Block (SMB) protocol
  • Sites and libraries for SharePoint Server 2016 and SharePoint Server 2013
  • Cloud repositories that use Cloud App Security

The AIP scanner is installed and configured locally on the Windows member server and maintains a secure connection to your Office 365 tenant.  The scanner periodically downloads the Azure Information Protection policy, including the automatic labeling conditions, that is configured in the Azure portal.  The AIP scanner can inspect any file type that Windows can index, using the installed iFilters to open the different file types.

The scanner uses the Office 365 built-in data loss prevention sensitive information types and pattern detection.  This gives AIP the ability to recognize the data inside a file and label and protect it automatically.  Additionally, the AIP scanner can be run in discovery mode.  In this mode reports are created that show the labeling changes that would be made to your data, without actually applying the labels.  This mode is especially useful when you want to see the potential impact of applying different labels across your data before anything is written back to the files.  The scanner systematically crawls the data stores that have been configured.  The scanner can be configured to run on a schedule so that as new files get added to the data stores they are labeled and protected automatically.  For the first scan cycle of a data store the scanner performs a full crawl of each file.  Subsequent scan cycles only include new and modified files.

The following file types can be automatically labelled according to the pre-defined conditions:

  • Word:  docx, docm, dotm, dotx
  • Excel:  xls, xlt, xlsx, xltx, xltm, xlsm, xlsb
  • PowerPoint:  ppt, pps, pot, pptx, ppsx, pptm, ppsm, potx, potm
  • Project:  mpp, mpt
  • PDF:  pdf

There are many use cases where labeling all your files automatically is not the best approach.  Applying labels haphazardly will only cause confusion for end users, who will undoubtedly complain and lose faith in AIP.  It is a best practice to start with the AIP "recommended classification" option when configuring your AIP labels.  This option allows the user to accept or reject the classification and protection that AIP recommends.  Labels which are configured to be applied when certain conditions are met will trigger the AIP client to recommend a label to the user as shown below:

AIP Office Toolbar.png

If the user decides to dismiss this recommendation they will be prompted for justification of the change as shown here:

AIP Office Classification.png

Recommended classification applies to Word, Excel, and PowerPoint.  When the file is saved the user will be prompted as shown in the above screenshots.  Unfortunately, the recommendation classification feature does not currently work with Outlook.

AIP Scanner Licensing

The AIP scanner is an Azure Information Protection P2/EMS E5 feature.  The AIP P2/EMS E5 license is required to enable automatic labeling based on pre-defined conditions: you create conditions for sensitive data that trigger AIP to apply a label and, optionally, protection.  With that said, AIP P1/EMS E3 licenses can currently use the AIP scanner tool as well, limited to applying a default label rather than condition-based labels.  The good news for organizations with an E3/AIP P1 license is that they can set the default label per data store (think folder in a file share or document library in SharePoint) to automatically classify their files.  Going back to the file share example above, let's say there were an HR and a Legal folder in the file share.  You can configure the AIP scanner to use a different default label for each (one for HR and another for Legal).  Yes, this process is going to be more manual than if you had a P2 license, but it's not a bad workaround if you ask me!

Hosting the AIP scanner configuration requires the use of a SQL Server instance.  Here are some of the key points when planning the SQL Server:

  • The AIP scanner installation requires a SQL Server instance to store the scanner configuration
  • SQL Server 2012 is the minimum supported version
  • The AIP scanner supports the use of SQL Server Express edition

There are two levels of AIP Premium licensing, P1 and P2; the biggest difference between them is that P2 includes the automatic and recommended classification capabilities.  Here is a link to the official breakdown of each of the different AIP pricing plans:  here.  The AIP scanner is installed as part of the Microsoft AIP client download found here.  Make sure that you download the full client in order to be able to install the AIP scanner.  Once the AIP client is downloaded and installed, the AIP scanner is configured using PowerShell.
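The following PowerShell is an added example, not code from the original post or from Microsoft's documentation, of the first-run sequence a practitioner would type on the scanner server once the full AIP client is installed.  It covers the discovery mode described earlier and the per-repository default label that a P1 tenant relies on.  The cmdlets (Install-AIPScanner, Set-AIPAuthentication, Set-AIPScannerConfiguration, Add-AIPScannerRepository, Start-AIPScan, Get-AIPScannerStatus, Get-AIPScannerRepository) are the ones shipped with the classic AIP client; the SQL instance, share paths, SharePoint URL, app registration IDs and label GUIDs are placeholders, and the status string polled in step 5 is assumed from the cmdlet's output.

```powershell
# Added example (not from the original post): first-run configuration of the
# classic AIP scanner. Run in an elevated PowerShell session on the scanner
# server. Instance names, paths, app IDs and label GUIDs are placeholders.

# 1. Install the scanner service; its configuration database is created on the
#    given SQL instance (a local SQL Server Express instance is assumed here).
Install-AIPScanner -SqlServerInstance 'SCANNER01\SQLEXPRESS'

# 2. Store a token for the scanner service account so it can run unattended.
#    Run this once as that service account. The web app and native app
#    registrations are created in Azure AD beforehand (placeholder IDs).
Set-AIPAuthentication -WebAppId '<web-app-id>' -WebAppKey '<web-app-key>' -NativeAppId '<native-app-id>'

# 3. Discovery first. Enforce Off means nothing is written back to the files;
#    the scanner only reports what it would have labeled. ReportLevel Info
#    lists every file, and DiscoverInformationTypes All records every sensitive
#    information type match, not only the ones the current policy uses.
Set-AIPScannerConfiguration -Enforce Off -ReportLevel Info -Schedule OneTime -Type Full -DiscoverInformationTypes All

# 4. Register the data stores. The per-repository default label is what an
#    AIP P1 tenant relies on: each folder gets the label of its content owner
#    (the HR and Legal folders from the file share example above).
$hrLabel    = '11111111-1111-1111-1111-111111111111'   # placeholder label ID, copied from the Azure portal
$legalLabel = '22222222-2222-2222-2222-222222222222'   # placeholder label ID

Add-AIPScannerRepository -Path '\\FS01\Shared\HR'    -SetDefaultLabel On -DefaultLabelId $hrLabel
Add-AIPScannerRepository -Path '\\FS01\Shared\Legal' -SetDefaultLabel On -DefaultLabelId $legalLabel
Add-AIPScannerRepository -Path 'http://sp2016/sites/finance'   # SharePoint Server site; policy conditions only, no default label

# 5. Run the discovery scan and poll until it finishes ('Scanning' is the
#    in-progress status string assumed here). Reports are written under
#    %LOCALAPPDATA%\Microsoft\MSIP\Scanner\Reports of the service account.
Start-AIPScan
do { Start-Sleep -Seconds 30 } while ((Get-AIPScannerStatus).Status -eq 'Scanning')
Get-AIPScannerRepository | Format-Table Path, SetDefaultLabel, DefaultLabelId

# 6. Only after the discovery report has been reviewed: turn on enforcement and
#    switch to a continuous incremental schedule so that new and modified files
#    are labeled as they appear.
Set-AIPScannerConfiguration -Enforce On -Schedule Continuous -Type Incremental
Start-AIPScan
```

Review the discovery report before step 6: a badly chosen default label on a repository is applied to every file in it on the first enforced crawl, and protected files are not transparently readable by backup, indexing or DLP tooling that lacks rights to them.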

Conclusion

Azure Information Protection provides a cloud-based solution for classifying, labeling and protecting your data.  Organizations can leverage this solution to apply a consistent classification and protection policy to files throughout the lifecycle of their data.  The AIP scanner adds value by allowing organizations with large amounts of data to automate the labeling and protection of their data.  For organizations looking to not only classify their data but also protect it no matter where the content is stored or how it is moved, I would highly recommend looking into the Azure Information Protection product.


How to Get Started with Nintex

As an active Nintex partner, we frequently work with organizations to get started using the Nintex platforms for SharePoint Server, Office 365 and the Nintex Workflow Cloud.  We help these customers through their trial period, or after the sale, so that they can make the most of their technology investment.  Our interest here is less in selling software and more in evangelizing Workflow & Content Automation concepts and practices so that people can improve their work life.  We are regularly asked "How should we get started?" so this post is our standard answer to that question.

sharepoint_Nintex_bandrsolutions.jpg

Getting Started with Nintex

 

Getting Started with Nintex 101

This section is going to be short and sweet.  The team at Nintex has done a fantastic job building relevant content through their Community site.  If you haven’t registered already and are at all interested in Nintex, please register now. 

Secondly, they provide many great sections to address the specifics such as:

Once the software is installed and configured, you really need to get your hands on it and start working through creating a solution.  There are some step-by-step guides to support you there and it is a good place to start. 

Hands-On Workshops

Depending on the number of people you want to train and what the participants hope to gain we offer a few hands-on workshop options. 

2-3 Day Quick Start Workshop

If there are only a few people that need training and the customer is focused on a specific solution, B&R will typically start with a 2-3 day Quick Start Workshop.  This workshop is used to get the team going with their first solution as we work to rough out the major areas of the form and workflow.  We focus on the foundation of the solution first and then focus on some of the more difficult problems or features so that we can pass along the wisdom of why certain decisions were made, as well as the technical details about how to address the requirements.  This is a hands-on session and upon completion of the workshop, the team should have a good start to the solution with actionable steps to take to complete the project. 

1 Day Workshop

For groups that either have more people to train, or in cases where the organization is looking to enable users outside of IT, we position a 1 Day Workshop that acts as an immersion experience introducing people to both the process concepts as well as the technology.  One of the great things about Nintex is that it really is a tool anyone can use to build solutions.  However, everyone typically needs some orientation before they can create useful solutions.  The 1 Day Workshop will orient participants and enable them to create their first end-to-end Nintex solution!

Our standard agenda for the 1 Day Workshop is below:

  • Nintex Overview:  Forms, Workflow, Mobile, Doc Gen, Hawkeye (45 minutes)
  • Process Mapping Overview (45 minutes)
  • Technical Overview (60 minutes)
    • Form Concepts
    • Workflow Concepts and Key Actions
  • Build a Form (90 minutes)
  • Build a Workflow (2.5 hours)
  • Wrap-up and Next Steps

Alternatively, for users that are either familiar with workflow tools or modern development, we can provide a tailored Workshop that supports more advanced topics such as:

  • Integrating your solution with other content platforms (Salesforce, Dynamics, Box)
  • Xtending the Nintex Platform with REST Services
  • Integrating Hawkeye for deeper insights into your process portfolio
  • Advanced scenarios for external start of workflows

Ad-Hoc Developer Support

B&R can support its customers in a variety of ways, but one that many of our customers take advantage of is a standing support agreement that covers ad-hoc or as-needed work.  Under this scenario, we can facilitate a design kickoff where B&R consultants review your form and workflow requirements and discuss approaches for implementing them.  The advantage here is that the overall project decisions should be better informed and the solution will be delivered significantly faster.  Secondly, we can provide as-needed developer support when your developers are stuck on a problem.  While the Nintex Community can also provide great support options, sometimes what you really need is to get somebody on a screen share session to talk through the hurdle and the possible solutions.

Ready to Get Started with Nintex?

Can B&R help you get more out of your Nintex investment?  Reach out today to setup a consultation to discuss how these options can help improve your team’s ability to deliver world-class solutions!


Azure Active Directory Premium Features – Why You Want It

Azure Active Directory provides a cloud-based solution for user account and identity management. While the free and basic editions may meet the requirements of organizations that only need Azure AD to maintain user accounts, most of the time, businesses need more from their account and identity management solution and as a result, turn to the Azure AD premium editions (known as Premium P1 and Premium P2).

There are a few features that both the premium and basic editions share that you can’t get with the free edition:

Service Level Agreement

The SLA guarantees a minimum amount of uptime and provides a framework for holding Microsoft accountable for any outages. It makes sense that this wouldn’t be available with the free service as you can’t refund a service cost if there isn’t one to start with. The SLA is calculated based on how many minutes of downtime occur and the number of users impacted.

Branding

The ability to use your organization's branding on logon pages and access panels. This is a nice touch because it creates a more uniform and polished look across applications, and also provides an identifiable interface for your end users. It can be confusing as an end user to see a generic logon page and wonder whether you are in the right place.

Password Self Service

One of the most useful (and heavily used) features is the self-service password reset for cloud accounts. This allows users to reset their password whenever they need to without having to contact their help desk or IT department. Depending on the business, password resets can be as much as a 50% drain on the help desk's bandwidth. Adding this feature to the available offerings could immediately provide an ROI through saved help desk time alone.

While the basic edition includes all of the features listed above and those are enough to satisfy the needs of most smaller organizations, they fall short of providing a truly seamless transition between all applications, both on-premises and cloud-based. This is because the free and basic editions limit the number of applications that have an SSO experience to 10 per user, whereas premium has no limit. Additionally, the two premium editions have the following features that provide a seamless user experience between on-premises and the cloud:

  • Self-service group and app management / Self-service application additions / Dynamic groups
  • Self-service password reset / change / unlock with write-back to the on-premises Active Directory
  • Device objects two-way synchronization between on-premises directories and Azure AD (Device write-back)
  • Multi-Factor Authentication (Cloud and on-premises (MFA Server))

With the premium editions, changes to accounts and groups only need to be made in one place because everything is automatically synchronized. For example, whether a user is trying to logon to their on-premises SharePoint environment or trying to login to their mail using mail.office365.com, if the multifactor authentication feature is enabled, the user will be presented with the same prompt. To the user, it feels like a unified system.

Another premium feature that can be very useful is the availability of dynamic groups and conditional access based on group, location, and device state. An AD administrator can end up spending a lot of time managing group memberships. Applications with complex security structures like SharePoint can have hundreds if not thousands of groups, and usually a handful of Active Directory administrators are the only ones who can add and remove users from these groups. This leads to the AD admins becoming inundated with requests to change group memberships. With conditional access and dynamic groups, administrators only need to set up rules based on user attributes. For example, all users from Germany will see folder "X", or all users in the Sales department can contribute to site "Y". This saves the admins from having to update group membership altogether; they can instead focus on making sure that users' account attributes are up to date, since those attributes now drive access.
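As an added example (not from the original article), the PowerShell below creates the kind of attribute-driven group the paragraph describes using the AzureAD module's New-AzureADMSGroup cmdlet; dynamic membership requires Azure AD Premium P1. The group name, mail nickname and attribute values are placeholders, and the rule combines the article's two examples (country and department) into one group.

```powershell
# Added example: an Azure AD dynamic security group whose membership is computed
# from user attributes instead of being edited by hand. Requires the AzureAD
# PowerShell module and an Azure AD Premium P1 license. Names are placeholders.
Connect-AzureAD

# Membership rule syntax: (user.<attribute> <operator> "<value>") joined with and/or.
# Users whose department is Sales and whose country attribute is Germany.
$rule = '(user.department -eq "Sales") and (user.country -eq "Germany")'

$group = New-AzureADMSGroup -DisplayName 'Sales-Germany (dynamic)' `
                            -Description 'Membership computed from department and country' `
                            -MailEnabled $false `
                            -MailNickname 'sales-germany-dyn' `
                            -SecurityEnabled $true `
                            -GroupTypes 'DynamicMembership' `
                            -MembershipRule $rule `
                            -MembershipRuleProcessingState 'On'

# Confirm the rule was stored and is being processed, then inspect the computed
# membership once the service has evaluated it. From here on the control is
# attribute hygiene: a wrong department or country value on a user object
# silently grants or removes access to everything this group is assigned to.
Get-AzureADMSGroup -Id $group.Id | Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState
Get-AzureADGroupMember -ObjectId $group.Id -All $true | Select-Object DisplayName, UserPrincipalName
```

Pair a dynamic group like this with a conditional access policy that targets the group, and the access decision follows the user's attributes end to end without an administrator touching the membership list.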

As security concerns keep mounting and data breaches keep occurring all too often, companies are struggling to do more to ensure all sensitive data stays protected. Multi-factor authentication, another premium feature, provides an extra layer of protection by requiring a secondary authentication method (such as a phone call, text message, or mobile app verification) when users attempt to login.

If you’re looking to take things a step further, then you will want to look at the identity protection features of the Premium P2 edition. With this edition, Azure AD uses machine learning to alert you to suspicious activities and detect events that are out of the ordinary and also provides reporting against its findings. Going even further, you can develop risk-based policies that will automatically respond when certain alerts have been triggered, ensuring that the system ‘always has your back’. These features go well above and beyond the capabilities of traditional AD running on your on-premises services. By leveraging the Microsoft Cloud’s AI and Machine Learning capabilities you have access to advanced threat protection.

While this article just scratches the surface of Azure AD and its features, Microsoft has put together the following table to help you understand all of the various features and differences between the different versions: https://azure.microsoft.com/en-us/pricing/details/active-directory/

The Azure Active Directory feature offerings can be overwhelming and can be configured in several different ways depending on business requirements. If you’re considering Azure AD Premium, let B&R Business Solutions make sure all of the features that you are paying for and care about are fully leveraged and configured correctly the first time. Contact us today by completing our contact us form.


Protecting and Classifying Your Data using Azure Information Protection

The Azure Information Protection (AIP) client is a much-welcomed improvement over the previous Azure RMS sharing application.  The AIP client can be downloaded for free and is supported on Windows 7 and later and macOS 10.8 and later.  The AIP app also supports mobile devices running iOS or Android.  The AIP app replaces the RMS sharing app on both platforms.

The AIP client provides enhanced usability for the everyday user to protect and classify files in a simple and straightforward manner.  The AIP client can protect most file types out of the box.  Users can easily protect other file types such as images, PDFs, music, and videos through the AIP client.  The user can also use the AIP client to protect sensitive emails.  In this article, I am going to explain how users can protect and classify files by using the AIP client within Microsoft Office Word, Excel and PowerPoint 2016.  We will then touch on configuring Azure Information Protection labels and policies within the Azure portal.

Azure Information Protection Requirements

Let’s use a real-world business use case as the foundation for this walkthrough.  This will provide a real example that can be replicated throughout your own organization if desired.  Here is a bulleted breakdown of the requirements:

  • All Office files and emails created by the Finance Management group must be automatically classified as confidential
  • The AIP policy should be scoped to the Azure AD group BR Management Team and should not affect all users in the organization
  • When a user that belongs to the BR Management Team group creates a new email the email should be automatically classified as confidential and protected
  • Emails that are classified as confidential cannot be forwarded
  • Users can override the recommended label classification but should be warned when doing so
  • A watermark should be applied to all files and emails classified as confidential in the footer
  • Protected data should be accessible offline

Now that we have gone through the requirements for the use case lets jump into how we can accommodate all of them in our final solution.  It is worth mentioning that there are some prerequisites for using the AIP client that I will not be covering in this article.  Please find that information in the getting started with AIP article found here.

Let's begin with what the user sees within Office 2016 when AIP has been activated and installed.  As you can see in the screenshot below from Word, the AIP client is an add-in to Office 2016.  Once installed you will see the Protect button in the ribbon.

aip-1.png

If you click on the Show Bar option you will notice the sensitivity settings bar as shown below in the screenshot.  The sensitivity labels can be manually set by an end user.  Labels can also be set automatically based on the file or email content.  Labels belong to the default AIP global policy, which includes all users within your organization's Azure AD.  The different default sensitivity labels are also shown in the screenshot below.  These labels can be customized and new labels can be created through the Azure Information Protection resource in the Azure portal.

aip-2.png

Additionally, AIP administrators have the ability in the Azure portal to create scoped policies.  Scoped policies can be created for specific groups of users and for edge cases where customized labels and protection are required.  For example, all users in a department such as finance management may require a stricter set of standards for labeling and classification because of the sensitivity of the files and emails they deal with daily.

Configuring AIP Policies

Below I have created a new scoped policy called Finance Management Confidential.  I have selected the appropriate management team group.  This is important to note because this is the group of users who will get the Finance Management Confidential AIP policy.  When we customize this policy, we are customizing what the selected group of users will see in their sensitivity bars throughout the Office 2016 applications.  Additional labels and sub-labels can be created specifically for the selected group of users.

aip-3.png

As you can see in the image above I have created a new sub-label under the Confidential label.  Sub-labels provide a further level of classification that can be scoped to a subset of users within your organization. 

In the sub-label configuration image below, I have configured the footer text to show the text "confidential".  This is also where you can set up Azure RMS protection for the specific AIP label that you are creating.

aip-4.png

Once you have selected Azure RMS under the protection heading you can begin to configure the Azure RMS permissions.  Here we make sure that data classified with this sub-label cannot be printed or forwarded.  With the protection configured we can save the sub-label.  The sub-label is now configured in AIP, and all files classified with it will be automatically protected with the permissions that were set up in the previous step.  Once you have saved the sub-label to the policy, make sure that you publish your scoped policy.

aip-5.png

Using AIP in Office 2016

Once the policy has been published it will be pushed to the users detailed in the policy.  Users who belong to this policy will see that all files they create or open will have the recommended sub-label that was created in the previous steps.  If the user hovers over the recommended labeling the tool tip description will pop up which provides valuable information to the users when they are deciding the classification of the document.  It’s important to be concise and spend some extra time on the description of your organizational labels.  These will help guide users in making the right decision when classifying new files. 

aip-6.png

Of course, you can always force the classification and labeling of files and emails instead of recommending a label.  This is useful when using conditions with your policy.  You can force the label of a document or email if, for example, the condition detects sensitive data such as social security numbers or credit card numbers.  Forcing could label a file erroneously, causing additional administrative overhead.  In most cases the better approach is to provide a recommendation and specify in the policy that the user be warned when reclassifying a file to a less restrictive label, such as reclassifying a file recommended as confidential to public.  The warning produces an auditable record that the user acknowledged they were reclassifying the file.

Once the file is labeled it will inherit all the classification and protection rules that were applied while editing the policy in the Azure portal.  This includes any protection that was setup for the labels by administrators.  The image below shows a Word document that has been classified by the sub-label Finance Management that was created earlier in this article.  Notice the classification in the left-hand corner of the image below and the footer text which was automatically applied after selecting the recommended label.

aip-7.png

Using the AIP client, the user can decide to downgrade a classification if needed.  Users who set a lower classification label will be prompted as shown in the image below.  This deters users from simply declassifying files that may be sensitive.  The user acknowledgement is an auditable action.

aip-8.png

Users can manually setup custom Azure RMS permissions if needed by selecting the AIP protect button in the ribbon within their favorite Office 2016 application. 

aip-9.png

The one disadvantage with using this method is that users can only configure a single level of rights.  To clarify, if you want to give two groups of users two different levels of permissions, for example read only and edit, you will need to use the Protect Document button within Office 2016.  To do this, first select File, then Info, then select the Protect button as shown in the image below.  You will notice that the custom confidential AIP sub-label we configured also shows up in the Restricted Access context menu.

aip-10.png

A user could easily select a label if they wanted to from here.  To get around the issue with applying multi-level custom permissions users can select the restricted access menu item.  Using the permissions dialog box that pops up users can now assign multiple levels of permissions to users and groups.

aip-11.png

Now let’s open up Outlook as a user who belongs to the finance management group.  As you can see in the image below the policy is automatically recommended on all new emails.  The behavior for classification in the Outlook 2016 client for email classification is similar to the rest of the AIP supported Office applications (Word/Excel/PowerPoint).  Once the label is selected all policies are applied to that email.

aip-12.png

Conclusion

The Azure Information Protection client provides the easiest way to classify and protect files and emails when creating or editing them from within the Office desktop applications.  The client is just one piece of the entire puzzle that is AIP.  The real key is in the planning and creation of meaningful labels and classification policies for your users.  This helps drive users to adopt these classification policies with ease.  I must say from past experience, the less the users have to think about, the better.  If the classification labels are clear and help guide the user, then users are more likely to engage.  Additionally, forcing users to classify files and emails isn't always the answer, except in specific highly sensitive scenarios.  The AIP client is constantly being improved and added to.  In fact, a new version with new capabilities was pushed out just this week and can be downloaded here.

 

Planning for Hybrid Integration with O365

This article is a continuation of Planning for Hybrid Cloud Deployments.

Working through provisioning of a new Office 365 tenant doesn't take much effort. The real effort is in the planning of the key components of your O365 tenancy. In this blog series, we are going to cover the important items to take into consideration when planning your O365 tenancy, particularly when it comes to hybrid environments. We will briefly cover hybrid O365 scenarios and the components to be aware of. Later in the series, I will dive a bit deeper into specific hybrid scenarios. As usual, along the way I will be sure to highlight the lessons learned and pitfalls to be aware of.

In most cases, it’s safe to say that organizations will not need more than one O365 tenant. There are some special cases where this is a requirement. This article will not cover multi-tenant O365 scenarios. If multiple O365 tenants are required, there will need to be some additional planning around domains, synchronizing users into multiple tenancies, and the impact on other O365 services. The TechNet article found here covers the pros and cons of single and multiple tenant O365 deployments.

The first step in planning your O365 deployment is to perform some discovery around your current IT infrastructure and enterprise applications. For example, you will want to identify all on-premises applications such as Exchange, SharePoint, and Skype for Business that may have integration points into some of the other O365 services. These integration points could potentially have an impact on the deployment of your O365 tenant. Pay special attention to the authentication approach that is selected for users. User authentication is one of those early planning decision items that needs to consider some of the integration points with other on-premises applications mentioned above. Take inventory and make sure that if you are integrating your on-premises environment with O365 that you meet the O365 requirements for each of the following:

  • Active Directory
  • Network architecture and DNS domains
  • Mail routing
  • Authentication solutions
  • Mail archiving and compliance
  • Network bandwidth
  • Certificates
  • Hardware and software for Azure AD Connect and possibly ADFS deployment

Here is a great O365 deployment checklist which adds much more detail to the inventory which should be taken of the current environment. The table in the checklist includes inventory tasks and overall questions that should be discussed prior to your organization’s deployment. This is particularly true with organizations who want to leverage on-premises investments in a hybrid scenario.

Organizations who want to continue to leverage their existing on-premises technologies alongside O365 will require a hybrid configuration. One of the single most important decisions to be made early in any hybrid configuration is the identity model used for authentication. Will users be required to enter their credentials when using any of the O365 services while connected to the internal network? Unfortunately, there isn’t a universal answer to this question. Your organizational requirements will dictate which Azure AD sign-in option is chosen.

O365 sign-in options

Choosing an identity model is the foundation for your organization’s O365 implementation. Azure AD is the underpinning directory service used by Office 365 to provide access to services. An Azure AD tenant is attached to a single Office 365 tenant. Here are a couple of questions that should be asked when planning your O365 identity implementation:

  1. Will existing users be migrated into Azure AD?
  2. If the organization is currently using Active Directory on-premises will users be synced using Azure AD Connect?
  3. Will new users be created directly in O365 or created in the local AD and synced to O365?
  4. What kind of sign-in experience do we want for users accessing O365 services?
  5. Is single sign-on (SSO) required when authenticating to O365 services?

Identity Models

Below is a list of the different identity models that are available for configuration using Azure AD Connect. Seamless SSO can be used with the password synchronization and pass-through authentication options below. Seamless SSO automatically signs users in when they are using corporate devices connected to your internal corporate network.

Password synchronization

Hashes of user passwords are synchronized from on-premises AD to Azure AD. Passwords are never sent or stored in Azure AD in clear text. Users accessing Azure AD resources (O365 services) will be able to use their corporate account to access these services.

Pass-through authentication (PTA)

User passwords are not stored in Azure AD in any form. This model uses an agent that is installed on an on-premises domain-joined machine. The agent performs all the heavy lifting and does not require any inbound ports to be open to the internet. You can enable seamless SSO on corporate domain-joined machines on the corporate network.

Federated SSO with Active Directory Federation Services (ADFS)

This option requires ADFS infrastructure for more complex environments with multiple domains authenticating to Azure AD. Users accessing O365 services from the corporate network will not have to enter passwords when switching between applications.

Each identity model has its own benefits and limitations. Pass-through authentication is a relatively new capability that gives organizations who do not want to store user passwords in the cloud another option. I am not going to cover how PTA works in depth, but a quick search on your favorite search engine will return some great resources and documentation.
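Before deciding on a model it helps to record which one a tenant is using today. The following is an added example (not from the original post) that inventories the sign-in configuration with the MSOnline module; it assumes an account with read access to the tenant, and the seamless SSO check at the end assumes you are on the Azure AD Connect server itself.

```powershell
# Added example: inventory the identity model currently configured for a tenant.
# Assumes the MSOnline module is installed and the account can read tenant settings.
Connect-MsolService

# Federated domains hand authentication to ADFS (or another STS);
# Managed domains authenticate in Azure AD using PHS or PTA.
$domains = Get-MsolDomain | Select-Object Name, Authentication, Status
$domains | Format-Table -AutoSize

# Tenant-wide sync state: is Azure AD Connect syncing, and has password hash
# sync ever run? Note that PHS can be enabled alongside PTA as a fallback,
# so PasswordSynchronizationEnabled alone does not prove PHS is the sign-in method.
$company = Get-MsolCompanyInformation
[pscustomobject]@{
    DirectorySync    = $company.DirectorySynchronizationEnabled
    LastDirSync      = $company.LastDirSyncTime
    PasswordHashSync = $company.PasswordSynchronizationEnabled
    LastPasswordSync = $company.LastPasswordSyncTime
} | Format-List

# Map each verified domain onto one of the three identity models described above.
foreach ($d in $domains | Where-Object { $_.Status -eq 'Verified' }) {
    $model = if ($d.Authentication -eq 'Federated') {
        'Federated SSO (ADFS)'
    } elseif (-not $company.DirectorySynchronizationEnabled) {
        'Cloud-only (no Azure AD Connect)'
    } elseif ($company.PasswordSynchronizationEnabled) {
        'Password hash synchronization (check Azure AD Connect for PTA as primary)'
    } else {
        'Pass-through authentication'
    }
    '{0,-40} {1}' -f $d.Name, $model
}

# Seamless SSO status. Run this part on the Azure AD Connect server, where the
# AzureADSSO module ships with the product (path assumed to be the default install).
$ssoModule = 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'
if (Test-Path $ssoModule) {
    Import-Module $ssoModule
    New-AzureADSSOAuthenticationContext   # prompts for a global admin credential
    Get-AzureADSSOStatus                  # JSON: whether SSO is enabled and for which forests
}
```

Keep the output with the rest of your discovery inventory; the domain-level result is what determines whether ADFS, Azure AD Connect, or both must be sized and planned for.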

If an organization has already invested in an ADFS infrastructure, federated SSO with ADFS is the way to go. The other two options do not require any additional, potentially redundant infrastructure. Azure AD Connect can be installed on a domain-joined server in your current on-premises environment. Once the installation has completed, the Azure AD Connect tool can be used to configure seamless SSO and user sign-in authentication. Azure AD Connect is also used to connect to Azure AD and synchronize on-premises AD directories.

Once users begin synchronizing to Azure AD and the authentication option has been chosen, the next big planning item is identifying what hybrid capabilities your organization would like to use. For example, a common question that should be asked is: “What applications will be kept and used on-premises, and which workloads and applications will be migrated to the cloud?” This blog series will focus on the hybrid SharePoint capabilities with O365 and the questions and decisions that need to be made around the hybrid implementation. In the next article in this series we will dive into the different hybrid deployment options for SharePoint 2013/2016 on-premises, including authentication topology, hybrid taxonomy, hybrid auditing, and cloud hybrid sites and search.

If you are interested in deploying a hybrid system, but do not know where to start, engage B&R's Architects to help provide a detailed analysis and design supporting your deployment requirements.

 