Azure Active Directory Premium Features – Why You Want It

Azure Active Directory provides a cloud-based solution for user account and identity management. While the free and basic editions may meet the requirements of organizations that only need Azure AD to maintain user accounts, most of the time, businesses need more from their account and identity management solution and as a result, turn to the Azure AD premium editions (known as Premium P1 and Premium P2).

There are a few features that both the premium and basic editions share that you can’t get with the free edition:

Service Level Agreement

The SLA guarantees a minimum amount of uptime and provides a framework for holding Microsoft accountable for any outages. It makes sense that this wouldn’t be available with the free service as you can’t refund a service cost if there isn’t one to start with. The SLA is calculated based on how many minutes of downtime occur and the number of users impacted.

Branding

The ability to use your organization’s branding on logon pages and access panels. This is a nice touch because it creates a more uniform and polished look across applications and gives your end users an interface they recognize. A generic logon page can leave end users wondering whether they have landed in the right place.

Password Self Service

One of the most useful (and most heavily used) features is the self-service password reset for cloud accounts. This allows users to reset their password whenever they need to without having to contact their help desk or IT department. Depending on the business, password resets can consume as much as 50% of the help desk’s bandwidth. Adding this feature to the available offerings could provide an immediate ROI through the help desk time saved alone.

While the basic edition includes all of the features listed above and those are enough to satisfy the needs of most smaller organizations, they fall short of providing a truly seamless transition between all applications, both on-premises and cloud-based. This is because the free and basic editions limit the number of applications that have an SSO experience to 10 per user, whereas premium has no limit. Additionally, the two premium editions have the following features that provide a seamless user experience between on-premises and the cloud:

  • Self-service group and app management / Self-service application additions / Dynamic groups
  • Self-service password reset / change / unlock with write-back to the on-premises Active Directory
  • Device objects two-way synchronization between on-premises directories and Azure AD (Device write-back)
  • Multi-Factor Authentication (Cloud and on-premises (MFA Server))

With the premium editions, changes to accounts and groups only need to be made in one place because everything is automatically synchronized. For example, whether a user is trying to logon to their on-premises SharePoint environment or trying to login to their mail using mail.office365.com, if the multifactor authentication feature is enabled, the user will be presented with the same prompt. To the user, it feels like a unified system.

Another premium feature that can be very useful is the availability of dynamic groups and conditional access based on group, location, and device state. An AD administrator can end up spending a lot of time managing group memberships. Applications with complex security structures, such as SharePoint, can have hundreds if not thousands of groups, and usually a handful of Active Directory administrators are the only ones who can add and remove users from these groups. This leads to the AD admins becoming inundated with requests to change group memberships. With conditional access and dynamic groups, administrators only need to set up rules based on user information. For example, all users from Germany will see the “X” folder, or all users in the Sales department can contribute to the “Y” site. This saves the admins from having to update group membership altogether; they can instead focus on making sure that users’ account attributes are up to date.
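The two rules used as examples above (department and country) can be expressed as Azure AD dynamic membership rules. The following PowerShell is an added example, not code from the original article or from Microsoft; it uses the AzureAD module’s New-AzureADMSGroup and Set-AzureADMSGroup cmdlets, and the group names, the “Sales” department value and the “DE” country code are constructed sample values.

```powershell
# Added example (not from the original article): create or update dynamic
# Azure AD security groups whose membership is derived from user attributes.
# Assumptions: the AzureAD module is installed, the caller can create groups,
# and "Sales" / "DE" are constructed sample attribute values.

Import-Module AzureAD
Connect-AzureAD | Out-Null

# Membership rule syntax: (user.<attribute> <operator> "<value>").
# user.country is assumed to hold the two-letter country code (Germany -> "DE").
$rules = @{
    'Sales-Contributors' = '(user.department -eq "Sales")'
    'Germany-Users'      = '(user.country -eq "DE")'
}

foreach ($name in $rules.Keys) {
    $existing = Get-AzureADMSGroup -Filter "DisplayName eq '$name'"
    if ($existing) {
        # Group already present: only refresh its rule, do not create a duplicate.
        Set-AzureADMSGroup -Id $existing.Id `
            -MembershipRule $rules[$name] `
            -MembershipRuleProcessingState 'On'
        Write-Host "Updated rule on existing group '$name'."
        continue
    }
    New-AzureADMSGroup -DisplayName $name `
        -Description "Dynamic group, rule: $($rules[$name])" `
        -MailEnabled $false `
        -MailNickname ($name -replace '[^A-Za-z0-9]', '') `
        -SecurityEnabled $true `
        -GroupTypes 'DynamicMembership' `
        -MembershipRule $rules[$name] `
        -MembershipRuleProcessingState 'On' | Out-Null
    Write-Host "Created dynamic group '$name'."
}

# Azure AD evaluates the rule in the background; review the resulting
# membership before the group is used to grant access anywhere.
foreach ($name in $rules.Keys) {
    $group   = Get-AzureADMSGroup -Filter "DisplayName eq '$name'"
    $members = @(Get-AzureADGroupMember -ObjectId $group.Id -All $true)
    Write-Host ("{0}: {1} member(s), rule = {2}" -f $name, $members.Count, $group.MembershipRule)
}
```

Because membership is now computed from user attributes, whoever can edit those attributes (department, country, and so on) is effectively deciding access; treat the attribute sources feeding the directory as part of the access control design and review the member list the script prints before attaching the group to a SharePoint site or a conditional access policy.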

As security concerns keep mounting and data breaches keep occurring all too often, companies are struggling to do more to ensure all sensitive data stays protected. Multi-factor authentication, another premium feature, provides an extra layer of protection by requiring a secondary authentication method (such as a phone call, text message, or mobile app verification) when users attempt to login.

If you’re looking to take things a step further, then you will want to look at the identity protection features of the Premium P2 edition. With this edition, Azure AD uses machine learning to alert you to suspicious activities, detect events that are out of the ordinary, and report on its findings. Going even further, you can develop risk-based policies that automatically respond when certain alerts have been triggered, so that the system ‘always has your back’. These features go well above and beyond the capabilities of traditional AD running on your on-premises servers. By leveraging the Microsoft Cloud’s AI and machine learning capabilities you have access to advanced threat protection.

While this article just scratches the surface of Azure AD and its features, Microsoft has put together the following table to help you understand all of the various features and differences between the different versions: https://azure.microsoft.com/en-us/pricing/details/active-directory/

The Azure Active Directory feature offerings can be overwhelming and can be configured in several different ways depending on business requirements. If you’re considering Azure AD Premium, let B&R Business Solutions make sure all of the features that you are paying for and care about are fully leveraged and configured correctly the first time. Contact us today by completing our contact us form.

B&R can help you evaluate and plan for implementing Azure!

Protecting and Classifying Your Data using Azure Information Protection

The Azure Information Protection (AIP) client is a much-welcomed improvement over the previous Azure RMS Sharing application. The AIP client can be downloaded for free and is supported on Windows 7 and later and macOS 10.8 and later. The AIP app also supports mobile devices running iOS or Android. The AIP app replaces the RMS sharing app on both platforms.

The AIP client provides enhanced usability for the everyday user to protect and classify files in a simple and straightforward manner. The AIP client can protect most file types out of the box. Users can easily protect other file types such as images, PDFs, music, and videos through the AIP client. The user can also use the AIP client to protect sensitive emails. In this article, I am going to explain how users can protect and classify files by using the AIP client within Microsoft Office Word, Excel and PowerPoint 2016. We will then touch on configuring Azure Information Protection labels and policies within the Azure portal.

Azure Information Protection Requirements

Let’s use a real-world business use case as the foundation for this walkthrough.  This will provide a real example that can be replicated throughout your own organization if desired.  Here is a bulleted breakdown of the requirements:

  • All Office files and emails created by the Finance Management group must be automatically classified as confidential
  • The AIP policy should be scoped to the Azure AD group BR Management Team and should not affect all users in the organization
  • When a user that belongs to the BR Management Team group creates a new email the email should be automatically classified as confidential and protected
  • Emails that are classified as confidential cannot be forwarded
  • Users can override the recommended label classification but should be warned when doing so
  • A watermark should be applied to all files and emails classified as confidential in the footer
  • Protected data should be accessible offline

Now that we have gone through the requirements for the use case, let’s jump into how we can accommodate all of them in our final solution. It is worth mentioning that there are some prerequisites for using the AIP client that I will not be covering in this article. Please find that information in the getting started with AIP article found here.

Let’s begin with what the user sees within Office 2016 when AIP has been activated and installed. As you can see in the screenshot below from Word, the AIP client is an add-on to Office 2016. Once installed you will see the Protect button in the ribbon.

aip-1.png

If you click on the Show Bar option you will notice the sensitivity settings bar, as shown in the screenshot below. The sensitivity labels can be set manually by an end user, and they can also be set automatically based on the file or email content. Labels belong to a default AIP global policy, which includes all users within your organization’s Azure AD. The different default sensitivity labels are also shown in the screenshot below. These labels can be customized and new labels can be created through the Azure Information Protection resource in the Azure portal.

aip-2.png

Additionally, AIP administrators have the ability in the Azure portal to create scoped policies. These scoped policies can be created for specific groups of users and edge cases where customized labels and protection are required. For example, all users in a specific department such as finance management require a stricter set of standards for labeling and classification because of the sensitivity of the files and emails they deal with daily.

Configuring AIP Policies

Below I have created a new scoped policy called Finance Management Confidential and selected the appropriate management team group. This is important to note because this is the group of users who will get the Finance Management Confidential AIP policy. When we customize this policy, we are customizing what the selected group of users will see in their sensitivity bars throughout all of the Office 2016 applications. Additional labels and sub-labels can be created specifically for the selected group of users.

aip-3.png

As you can see in the image above I have created a new sub-label under the Confidential label.  Sub-labels provide a further level of classification that can be scoped to a subset of users within your organization. 

In the sub-label configuration image below, I have configured the footer text to show the text “confidential”.  This is also where you can setup Azure protection for the specific AIP label that you are creating.

aip-4.png

Once you have selected Azure RMS under the protection heading you can then begin to configure the different Azure RMS permissions. Here we will make sure that data classified with this sub-label cannot be printed or forwarded. With the protection configured, we can save the sub-label. This sub-label is now officially configured with AIP, and all files that are classified with it will be automatically protected with the permissions that were set up in the previous step. Once you have saved the sub-label to the policy, make sure that you publish your scoped policy.

aip-5.png

Using AIP in Office 2016

Once the policy has been published it will be pushed to the users detailed in the policy.  Users who belong to this policy will see that all files they create or open will have the recommended sub-label that was created in the previous steps.  If the user hovers over the recommended labeling the tool tip description will pop up which provides valuable information to the users when they are deciding the classification of the document.  It’s important to be concise and spend some extra time on the description of your organizational labels.  These will help guide users in making the right decision when classifying new files. 

aip-6.png

Of course, you can always force the classification and labeling of files and emails instead of recommending a label. This is useful when using conditions with your policy: you can force the label of a document or email if, for example, the condition detects sensitive data such as social security numbers or credit card numbers. Forcing could, however, erroneously label a file and cause additional administrative overhead. In most cases it is better to provide a recommendation and specify in the policy that the user be warned when reclassifying a file to less restrictive protection, such as reclassifying a file recommended as confidential to public. This requires an auditable action in which the user acknowledges that they are reclassifying the file.

Once the file is labeled it will inherit all the classification and protection rules that were applied while editing the policy in the Azure portal.  This includes any protection that was setup for the labels by administrators.  The image below shows a Word document that has been classified by the sub-label Finance Management that was created earlier in this article.  Notice the classification in the left-hand corner of the image below and the footer text which was automatically applied after selecting the recommended label.

aip-7.png
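Once labels are being applied as described above, an administrator will want a way to confirm that the files users produce actually carry the expected sub-label and RMS protection, rather than trusting the footer text alone. The following PowerShell is an added example, not code from the original article or from Microsoft; it uses the Get-AIPFileStatus cmdlet from the AzureInformationProtection module that ships with the AIP client, and the folder path, the file extensions audited and the expected label names (“Confidential” / “Finance Management”, as created in this article) are assumptions you would replace with your own.

```powershell
# Added example (not from the original article): audit a folder of Office files
# for the label and RMS protection state the walkthrough expects.
# Assumptions: the AzureInformationProtection module is installed with the AIP
# client, the caller is signed in, and the label names below match the
# sub-label configured in the Azure portal. Output property names are those
# documented for Get-AIPFileStatus.

Import-Module AzureInformationProtection

$FolderToAudit    = 'C:\Finance'            # assumed path to audit
$ExpectedLabel    = 'Confidential'          # parent label used in the article
$ExpectedSubLabel = 'Finance Management'    # sub-label created in the article

$findings = Get-ChildItem -Path $FolderToAudit -Recurse -File -Include *.docx, *.xlsx, *.pptx |
    ForEach-Object {
        $status   = Get-AIPFileStatus -Path $_.FullName
        $problems = @()

        # Label check: unlabeled, or labeled with something other than expected.
        if (-not $status.IsLabeled) {
            $problems += 'not labeled'
        } elseif ($status.MainLabelName -ne $ExpectedLabel -or
                  $status.SubLabelName -ne $ExpectedSubLabel) {
            $problems += "labeled '$($status.MainLabelName)\$($status.SubLabelName)'"
        }

        # Protection check: a footer or watermark is only visual; the usage
        # restrictions (no print, no forward) come from RMS protection.
        if (-not $status.IsRMSProtected) {
            $problems += 'not RMS protected'
        }

        if ($problems.Count -gt 0) {
            [pscustomobject]@{
                File      = $_.FullName
                Label     = $status.MainLabelName
                SubLabel  = $status.SubLabelName
                Protected = $status.IsRMSProtected
                Problem   = ($problems -join '; ')
            }
        }
    }

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Host "All Office files under $FolderToAudit carry the expected label and protection."
}
```

Run this as a scheduled check against the shares the finance group writes to; files that show up as labeled but not protected usually point at a sub-label that was saved without Azure RMS selected under the protection heading, or at a scoped policy that was saved but never published.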

Using the AIP client, the user can decide to downgrade a classification if needed. Users will be prompted with the dialog shown below when setting a lower classification label. This deters users from simply declassifying files that may be sensitive, and the user acknowledgement is an auditable action.

aip-8.png

Users can manually setup custom Azure RMS permissions if needed by selecting the AIP protect button in the ribbon within their favorite Office 2016 application. 

aip-9.png

The one disadvantage with using this method is users will only be able to configure permissions for one level of rights.  To clarify, if you want to provide two groups of users with two different levels of permissions for example, read only and edit, you will need to use the protect document button within Office 2016.  To do this first select File then Info, then select the Protect button as shown in the image below.  You will notice that our custom confidential AIP sub-label that we configured is also showing up in the restricted access context menu. 

aip-10.png

A user could easily select a label if they wanted to from here.  To get around the issue with applying multi-level custom permissions users can select the restricted access menu item.  Using the permissions dialog box that pops up users can now assign multiple levels of permissions to users and groups.

aip-11.png

Now let’s open up Outlook as a user who belongs to the finance management group.  As you can see in the image below the policy is automatically recommended on all new emails.  The behavior for classification in the Outlook 2016 client for email classification is similar to the rest of the AIP supported Office applications (Word/Excel/PowerPoint).  Once the label is selected all policies are applied to that email.

aip-12.png

Conclusion

The Azure Information Protection client provides the easiest way to classify and protect files and emails when creating or editing them from within the Office desktop applications. The client is just one piece of the entire puzzle that is AIP. The real key is in the planning and creation of meaningful labels and classification policies for your users. This helps to drive users to begin using these classification policies with ease. I must say from past experience that the less the users have to think about, the better. If the classification labels are clear and help guide the user, then the users are more likely to engage. Additionally, forcing users to classify files and emails isn’t always the answer except in specific highly sensitive scenarios. The AIP client is constantly being improved and added to. In fact, there was a new version with new capabilities pushed out just this week and it can be downloaded here.


B&R can help you leverage Azure Information Protection

Nintex Workflow Best Practices

Nintex is becoming ubiquitous in the global IT landscape as adoption increases in their cloud offerings building on top of their highly successful on-premises solutions. Because of this, knowledge of good workflow design and development practices specific to Nintex is paramount.

We have developed the following short list of key tips to help optimize performance and maintainability of your solutions. 

Tip #1 - Use Workflow Constants

One of the best features of Nintex on-premises is its ability to store credentials for a service account as a workflow constant. Once a credential has been created, workflow designers can use it without knowing the account name and password. The credentials are stored in the Nintex Workflow configuration database and are encrypted with DES encryption. Workflow constants can be created at the Site, Site Collection, or Farm level. You can see how it gets set up in the image below.

nwbp-1.png

To use a stored credential, simply click on the 'Select credentials' lock icon and select the credential constant from the lookup dialog box. More details can be found here.

Tip #2 - Processing and Load

With SharePoint Server (on-premises), a consideration that is often overlooked is that different actions within a workflow place very different loads on the server, which can slow down its execution. 'Execute SQL' or 'Query LDAP', for example, require more processing, while 'Log to history list' and 'Build dynamic string' require much less. Nintex recommends breaking actions with a heavier load out into their own separate sub-workflows.

Any updates to the list, start/stop workflows, or update XML actions do not get processed immediately and are not necessarily executed in the order of the workflow. These actions will be batched up and executed according to what type of actions they are – Nintex or Microsoft. For example, this:

nwbp-2.png

will actually execute as this:

nwbp-3.png

This is happening due to the Nintex actions getting batched together and executing before the Microsoft "Update List Item" action. Another wrench in this puzzle is that although the Nintex batch may start first, it may not complete execution prior to the Microsoft action. You might think to put a 'Commit pending changes' action after the Microsoft action but that is still not a guarantee. The permissions action, for example, takes longer to complete and can possibly end after the 'Update List Item' action. It is better to use 'Pause for Duration' and set it to at least 30 seconds to make sure all the actions have completed before continuing. Alternatively, you can also use 'Wait for Field Change in Current Item' if that works for you. If you are on Office 365, Nintex for Office 365 does not have 'Commit pending changes' so you should replace it with a 'Pause for Duration' or 'Wait for Field Change in Current Item' action.

Tip #3 - Build Your Content

When designing your workflow, in O365 or on-premises, it is ideal to have a workflow that has the smallest number of actions. The benefits are in reduced server load, speed of execution, and reduced complexity. One of the recommended techniques used in developing workflows is building your content by adding relevant information to a variable as it becomes available.

For example, email body content often has to be formatted using basic HTML to display tables and other formatting. This can be built in a variable as the data is collected. Using a "Set Workflow Variable" action, you can set the variable to itself plus the additional formatting and data. So a var_EmailBody variable would have a value of "{Variable:var_EmailBody}<TR><TD>my new data</TD></TR>" when adding new data.

The results of this method are very apparent. Workflows that previously looked like this:

nwbp-4.png

Can now start to resemble this:

nwbp-5.png

This results in fewer actions, faster execution, and a better workflow overall.

We hope that these three tips can help you improve the workflows that you are writing.  We will be publishing additional tips in the series soon.


Need help improving and scaling your workflow processes?

Information Management Policies and Complex Workflows

One of the key Enterprise Content Management (ECM) features provided by Microsoft in SharePoint Server is the Information Management Policy feature.  These policies can be used to establish multi-stage retention policies, but the scheduled nature of this feature opens it up for so much more. 

Note:  If you are not familiar with the information management policies and would like a general overview, see Plan for information management policy in SharePoint Server 2013.

For our purposes, I chose to leverage the multi-stage capability of these policies: each stage can be scheduled, given an action to execute, and given a recurrence schedule if applicable. Using these retention schedules, we can execute scheduled activities to support business processes such as content retention and disposition, or to build a contract management solution.

Scheduling a Stage Date

The ability to schedule the start of the stage is both simple and powerful. You simply select one of the document’s date fields, which can be either a system field such as Created or Modified or a custom field, as in the example below.

20170913-1.png

Action

Next, we focus on the action to take within this stage.  The configuration comes with the following actions:

  • Move to Recycle Bin:  Moves to the recycle bin for orderly removal
  • Permanent Delete:  Bypasses recycle bin and is immediately deleted
  • Transfer to another location:  Move to another site such as an archival or records site
  • Start a workflow:  Start a workflow that is associated with the content type
  • Skip to next stage:  Move directly to the next stage
  • Declare record:  Declare the item as a record in the system (in place records management)
  • Delete previous drafts:  Cleanup previous draft, minor version copies
  • Delete all previous versions:  Cleanup all previous versions

While these actions can be helpful, this is where most people start hitting the brakes.  If you have an important legal agreement or contract, you probably don’t want to just delete it or move it to a recycle bin when it is scheduled to expire.  You probably want somebody to review it and make sure it is actually no longer needed or does not need to be renewed.  For those that are familiar with the power of workflows the “Start a Workflow” action sounds great until you click that list and see an empty list of available workflows.  This is the single biggest hurdle for most people, and the point where many turn back.  Do not worry, we will come back to this shortly. 

Retention

The recurrence settings are also straightforward, allowing you to repeat a stage based on a number of days, months, or years, as the image below illustrates.

20170913-2.png

Complex Workflow!

As I mentioned earlier, the “Start a workflow” action list is blank by default.  This is where our ability to implement complex workflows comes to the rescue.  These workflows can be developed using SharePoint Designer, Visual Studio, or our preferred tool Nintex Workflow.  The trick is that whatever path we choose, we need to be able to associate the workflow with the specific content type(s) for it to be available in the list of workflows within the “Start a workflow” action. 

To create a workflow that can be associated with a content type in SharePoint Server, navigate through Site Actions menu, select Nintex Workflow (2013/2016), and then Create Reusable Workflow Template as illustrated below.

20170913-3.png

We then define our workflow name, description, and associate it with a content type.

20170913-4.png

Here is an example of a Contract Review workflow we created for demo purposes.

20170913-5.png

Once our workflow is saved, we can now visit the Site Content Type Information page (Site Settings-> Site content types -> select our content type) and click the Workflow settings action under settings.

20170913-6.png

Next, we can select our workflow template and provide a unique name for the process.  For workflows that are triggered by the Info Mgt Policies, you can set the start options to enable “Allow this workflow to be manually started” and disable the new and edit options. 

20170913-7.png

Now that the workflow is associated with the content type, we can configure our Retention Policy.  From the Site Content Type Information page, select the Information management policy settings action. 

20170913-8.png

Select the “Enable Retention” option to enable the retention options and then click the “Add a retention stage” action to load the stage configuration form. 

20170913-9.png

The retention stage configuration form options were explained previously.  Define an appropriate stage schedule based on a date comparison with a date field.  The comparison can be based on days, months, or years. 

20170913-10.png

Next, select the “Start a workflow” option from the Action list and select the workflow you previously configured for the given content type. 

If applicable, configure an appropriate recurrence schedule. 

Then, click the Ok button to save your changes and continue. 

If needed, you can configure multiple stages.  For this example, you can see for the given contract content type, there is an initial stage for review.  After it progresses through the “review” stage, the second stage was configured to have a contract disposition workflow one year after expiration if the contract was not renewed as illustrated in the image below. 

20170913-11.png

Once the changes are fully saved, the document will be reviewed based on the internal process schedule and the workflow initiated. 

Single versus Multiple Stages (Multiple Workflows)

While it is possible to design and implement a single workflow that can handle the logic from the individual stages, there are some advantages to breaking the workflows down into the individual workflows for each stage.  It certainly makes the workflow easier to manage within the designer, but it also gives you more granular tracking for executions leading to clearer insights and reporting without having to build in a lot of extra actions within the workflow to break out and report on the individual stages.  Ultimately, the requirements can be fulfilled either way, but we find it easier to maintain and support with individual workflows for each stage.


Need assistance with retention and disposition workflows?

Overcoming Upload & Approval Challenges with Records Management

When we first embarked on the journey of creating Record Center, we knew there were several major pain points in the lifecycle of records management that we wanted to address. Creating a platform that would ease the burden on record managers and record approvers was one of our top priorities, and the challenges of content ingress and record approval were some of the main issues we wanted to address. 

To understand the pain of loading and approving content into a records management solution is to realize that content comes from a seemingly endless number of sources. Those sources could include other business systems or raw scans of physical documents, and could comprise any type of document an organization handles—contracts, invoices, employment agreements, non-disclosure agreements, tax documents, etc. Each of those unique document types could very well contain different metadata, different required fields, or different document formats further complicating the notion of a centralized ingress and approval process. 

Upload Content (Ingress) 

Record Center’s model of “Document Types” allows for an organization to define criteria for each type of record to be loaded into the system. Each of these document types contains its own distinct metadata requirements, approval requirements, retention plans, and disposition processes. This model allows for all records—regardless of their type—to be submitted to the same central Pending Records library, using the same process, while still ensuring that a unified record submission and approval flow may be used. 

Required Fields 

Critical to being able to easily and accurately find records is the notion of applying metadata to records. Record Center’s unique in-line preview mode allows a user submitting a record to easily see their document alongside the document’s required and optional metadata fields. This view allows them to quickly determine what fields must be completed for a given document type, and if necessary, navigate through the document in question to determine the values of those required fields. 

Approval Models 

Document Approvers and Record Managers are frequently faced with the challenge of having to approve large quantities of records. To cope with these challenges, Record Center offers several features integral to streamlining this otherwise time-consuming process. 

Unique Document Type Approvers

Each unique document type may contain its own distinct record approvers, allowing for a first stage approval by a user belonging to that document’s work center or area of expertise. This process helps to ensure that misclassified records or those with incorrect metadata are caught before entering the Record Manager’s approval queue. 

Inline Document Preview

Utilizing inline preview, a document approver and/or Record Manager can easily review a document alongside its metadata to ensure the metadata entered is accurate, and all required fields have been completed. 

Approve and View Next

As a document approver or Record Manager moves through their approval queue, they would historically have to open the document to be approved, approve that document, close it, open the next document, approve that, close it, and so on. To streamline this click-heavy process, Record Center contains an “Approve and View Next” feature, which allows the user to review, approve and open the next document in their queue with a single click.

Bulk Approval

In the case of a bulk import where a record’s data has already been validated, Record Center includes a bulk approval option that allows a document approver or Record Manager to select multiple records at once and approve them all with a single click. 

Auto Approval

In some cases, an organization may wish to automatically approve records. The likely scenario for this is when a records management team is small, and perhaps the same people would do the content ingress as well as the approval. In this scenario, records can be configured to automatically approve after they’ve been pending approval for a set amount of time. 

About Record Center 

Record Center is your turnkey solution for enterprise-class record management. An extension of Microsoft SharePoint, Record Center arms your users and record managers with a feature-packed, intuitive solution to manage the entire life-cycle of your records. Configure, Approve and Search for records faster and easier than ever with Record Center. 


Interested in learning more about Record Center?